Inkampani ye-AOL ukukhululwa kwesistimu yokuthwebula, ukugcina kanye nokukhomba amaphakethe enethiwekhi , ehlinzeka ngamathuluzi okuhlola ngokubukeka ukuhamba kwethrafikhi nokusesha ulwazi oluhlobene nomsebenzi wenethiwekhi. Ikhodi ibhalwe ngolimi C (interface ku-Node.js/JavaScript) futhi ilayisensi ngaphansi kwe-Apache 2.0. Isekela umsebenzi ku-Linux naku-FreeBSD. Ilungile ilungiselelwe izinguqulo ezahlukene ze-CentOS ne-Ubuntu.
Le phrojekthi yasungulwa ngo-2012 ngenhloso yokudala indawo evulekile yokucubungula iphakethe lenethiwekhi yenethiwekhi engafinyelela kumthamo wethrafikhi we-AOL. Ukuqaliswa kohlelo olusha ku-AOL kwenze kwaba nokwenzeka ukuzuza ukulawula okuphelele engqalasizinda ngenxa yokuthunyelwa kumaseva ayo futhi kunciphise kakhulu izindleko - kusetshenziswa i-Moloch ukubamba ngokuphelele ithrafikhi kuwo wonke amanethiwekhi e-AOL kubiza inani elifanayo nelalapho usebenzisa. Ngaphambilini, yayisetshenziselwa ukuthwebula ithrafikhi kunethiwekhi eyodwa kuphela. Isistimu ingakala ukuze icubungule ithrafikhi ngesivinini samashumi amagigabhithi ngomzuzwana. Ivolumu yedatha egciniwe inqunyelwe kuphela usayizi weqoqo lediski elitholakalayo.
Imethadatha yesikhathi ikhonjiswe kuqoqo elisekelwe enjinini .
I-Moloch ihlanganisa amathuluzi okuthwebula nokukhomba ithrafikhi ngefomethi yomdabu ye-PCAP, kanye nokufinyelela okusheshayo kudatha ekhonjiwe. Ukuhlaziya ulwazi oluqoqiwe, kunikezwa isixhumi esibonakalayo sewebhu esikuvumela ukuthi uzulazule, useshe futhi ukhiphe amasampula. Kuhlinzekiwe futhi , okukuvumela ukuthi udlulisele idatha mayelana namaphakethe athathiwe ngefomethi ye-PCAP namaseshini ancozululiwe ngefomethi ye-JSON uye kuzinhlelo zokusebenza zezinkampani zangaphandle. Ukusetshenziswa kwefomethi ye-PCAP kwenza kube lula kakhulu ukuhlanganisa nabahlaziyi bethrafikhi abakhona njenge-Wireshark.
I-Moloch iqukethe izingxenye ezintathu eziyisisekelo:
- Uhlelo lokuthwebula ithrafikhi luwuhlelo lwe-C olunemicu eminingi lokuqapha ithrafikhi, ukubhala okulahlwayo ngefomethi ye-PCAP kudiski, ukucozulula amaphakethe athunjiwe nokuthumela imethadatha mayelana namaseshini (i-SPI, ukuhlolwa kwephakethe okusemthethweni) kanye nezivumelwano kuqoqo le-Elasticsearch. Kungenzeka ukugcina amafayela e-PCAP efomini elibethelwe.
- Isixhumi esibonakalayo sewebhu esisekelwe kuplathifomu ye-Node.js, esebenza kuseva yokuthwebula ithrafikhi ngayinye futhi icubungule izicelo ezihlobene nokufinyelela idatha enenkomba nokudlulisa amafayela e-PCAP nge .
- Ukugcinwa kwemethadatha okusekelwe ku-Elasticsearch.
Isixhumi esibonakalayo sewebhu sinikeza izindlela zokubuka ezimbalwa - kusukela kuzibalo ezijwayelekile, amamephu okuxhumana namagrafu abukwayo anedatha yezinguquko kumsebenzi wenethiwekhi kuya kumathuluzi okutadisha amaseshini angawodwana, ukuhlaziya umsebenzi kumongo wezinqubo ezisetshenziswayo kanye nokwehlukanisa idatha kusuka ezindaweni zokulahla i-PCAP.
Π :
- Kwenziwe inguquko ekusebenziseni ifomethi engathayipha ukuze kufakwe inkomba ku-Elasticsearch.
- Izibonelo ezingeziwe zezihlungi zokuthwebula ithrafikhi e-Lua.
- Usekelo lwenguqulo engu-46 yephrothokholi ye-QUIC selusetshenzisiwe.
- Ikhodi yokudlulisa izivumelwano isisetshenzwe kabusha, okwenza kube nokwenzeka ukubhala ama-parser e-Ethernet kanye nephrothokholi yezinga le-IP.
- Abahlaziyi abasha baphakanyiselwe amaphrothokholi e-arp, bgp, igmp, isis, lldp, ospf kanye ne-pim, kanye nezihlungi zezivumelwano ezingaziwa ze-unkEthernet kanye ne-unkIpProtocol.
- Kwengezwe inketho ukuze ukhethe ngokukhetha ukukhubaza abahlaziyi (disableParsers).
- Ikhono lokubonisa noma iyiphi inkambu ephelele emashadini, asethwe ekhasini lezilungiselelo, lengeziwe kuhlelo lwewebhu.
- Amagrafu nezihloko manje zingamiswa futhi zinganyakazi lapho uskrola ikhasi.
- Amabha amaningi okuzulazula afihliwe noma agoqwe ngokuzenzakalelayo.
Source: opennet.ru