New Adaptive IPS

The MetaFlows research team has put together a new feature for customers that are interested in using our IPS system, but desire a more automated approach to determining which events to block.

One of the major benefits of the MetaFlows system is our ability to anonymously correlate event data across all customer domains, giving us a very powerful tool for finding the worst threats, eliminating false positives, and elevating the priority of certain events that are discovered. We are now able to use this global knowledge base to effectively rank the priority of the IDS signatures that are currently deployed for all of our sensors and provide an option to automatically block any events that match a particular priority level.

This priority list is dynamic; it updates continuously to keep up with the changing landscape of threats that are discovered. This allows our system to adapt quickly, adding or changing the priority for new rule releases (our IDS rules update on a 24 hour cycle), rule changes, re-emerging malware, and dropping rules off quickly that are potential false positives.

Not all of the rules in the set are part of this list, only the ones that we have real evidence for having a reputation of being true positive hits will be added. We are able to isolate these rules by matching up events across domains which have already been seen as trigger events in our behavioral correlation system. In effect, the rules on the priority list have been correlated twice, first at the session level within customer domains where the individual sensor flags them as high risk alerts, and then again at the global level to produce a list that can be used for IPS with the highest confidence.

The priority list is further broken down into five categories. The first category, highest priority, contains only the worst of the worst threats, and will offer protection against the major bot and malware infections that we are seeing globally in near real time.


As the categories increase in rank, the threats they stop decrease in severity so that by category 5 most of the rules are related to adware or riskware infections. The user has the freedom to decide which priority level they would like to use for automating the IPS, and they can change this level at any time. It is also important to note that the user can still create their own IPS rules, which these categories supplement, or if they wish to enable or disable any of the priority rules they are free to do so. Our system, as always, aims to be as flexible and adaptable to the user’s needs as possible.

You can enable the IPS rules by choosing your Threat Level from the sensor configuration, saving the rules and restarting the sensor.

If you have the box Block Communications in Passive Mode checked, the rules will actually start protecting your network right away and self-update daily.

If you do not have Block Communications in Passive Mode enabled, you can still enable the IPS rules and see what they would have blocked by looking for the blocking reports called mssBlock. You can enter mssBlock in the search bar to see the last day’s block reports for example.

Here is an example of the current

2018098,"ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon",1
2013352,"ET TROJAN Executable Download Purporting to be JavaScript likely 2nd stage Infection",1
2405032,"ET DROP Known Bot C&C Traffic TCP group 17 - BLOCKING SOURCE",1
2803267,"ETPRO TROJAN Win32.Pasta.IK Checkin",1
2808594,"ETPRO MALWARE PUA.Plush Checkin",1
2013181,"ET CURRENT_EVENTS Ponmocup Redirection from infected Website to Trojan-Downloader",1
2806783,"ETPRO TROJAN Win32.Xtrat.A CnC & Exe Source",1
2806847,"ETPRO TROJAN WIN32/KOVTER.B Checkin",1
2808522,"ETPRO MALWARE Win32/Wysotot.G Checkin",1
2807086,"ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Obad.a Checkin 2",1
2018331,"ET TROJAN W32/SpeedingUpMyPC.Rootkit Install CnC Beacon",1
2807621,"ETPRO TROJAN Zegost.Gen CnC OUTBOUND",1
2017838,"ET TROJAN HTTP Connection To Known Sinkhole Domain",1
2807317,"ETPRO MALWARE Goobzo Checkin",1
2405038,"ET DROP Known Bot C&C Traffic TCP group 20 - BLOCKING SOURCE",1
2806258,"ETPRO TROJAN Backdoor/Winnti.l CnC traffic",1
2806210,"ETPRO MOBILE_MALWARE AndroidOS/Gappusin.A Checkin",1
2017287,"ET TROJAN ATTACKER IRCBot - ipconfig - PRIVMSG Command ",1
2808058,"ETPRO MALWARE Win32/DownWare.L Checkin",1
2017934,"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic OUTBOUND 11",1
2808475,"ETPRO TROJAN Win32/Reveton.gen!C Checkin",1
2018324,"ET MALWARE SoundCloud Downloader Install Beacon",1
2805902,"ETPRO MOBILE_MALWARE Android/Coogos.A!tr Checkin",1
2008365,"ET TROJAN Playtech Downloader Online Gaming Checkin",1
2808586,"ETPRO MALWARE PUP Win32/WuJi.A Checkin",1
2806019,"ETPRO TROJAN Win32/Zeprox.B / Trojan-Ransom.Win32.PornoAsset.btgg Checkin",1
2009212,"ET TROJAN Zbot/Zeus Dropper Infection - /check",1
2808021,"ETPRO MALWARE Win32/AnyProtect.B Checkin",1
2018753,"ET MALWARE W32/SearchSuite Install CnC Beacon",1
2807328,"ETPRO MALWARE InstallBrain checkin",1
2018899,"ET MALWARE Win32/BrowseFox.H Checkin 2",1
2016223,"ET TROJAN Andromeda Checkin",1
2018415,"ET TROJAN W32/Tepfer.InfoStealer CnC Beacon",1
2019145,"ET MALWARE W32/Stan Malvertising.Dropper CnC Beacon",1
2806802,"ETPRO TROJAN Rodecap CnC response 3",1
2806924,"ETPRO TROJAN Muldrop Checkin",1
2806661,"ETPRO CHAT IRC USER Off-port Likely bot with 0 0 colon checkin",1
2808071,"ETPRO MALWARE Win32/AnyProtect.B Checkin 2",1
2807958,"ETPRO MALWARE InstallBrain Checkin",1
2804616,"ETPRO TROJAN PWS.Win32/Prast!rts Checkin",1
2016328,"ET TROJAN ZeuS Post to C&C footer.php",1
2806728,"ETPRO MALWARE Riskware/DomaIQ.C!tr Checkin 2",1
2808484,"ETPRO MALWARE PUP Win32/OptimizerElite Checkin",1
2019156,"ET MALWARE W32/Kyle Malvertising.Dropper CnC Beacon",1
2018742,"ET MALWARE OptimizerPro Checkin",1
2018867,"ET TROJAN Win32.Sality.3 checkin",1
2805574,"ETPRO TROJAN Win32/TrojanDownloader.Agent.RGT Checkin",1
2018332,"ET TROJAN W32/SpeedingUpMyPC.Rootkit CnC Beacon",1
2013703,"ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate to %27My Company Ltd%27 could be SSL C&C",1
2011588,"ET TROJAN Zeus Bot Request to CnC",1
2018617,"ET MALWARE Downloader.NSIS.OutBrowse.b Checkin",1
2014215,"ET MOBILE_MALWARE Android/Plankton.P Commands Request to CnC Server",1
2016803,"ET TROJAN Known Sinkhole Response Header",1
2808463,"ETPRO TROJAN Win32/Viknok.D Checkin 1",1
2018610,"ET TROJAN Likely CryptoWall .onion Proxy domain in SNI",2
2804625,"ETPRO TROJAN Trojan/Win32.Vaklik.gen Checkin",2
2807970,"ETPRO TROJAN Win32/Neurevt.A Checkin 3",2
2017715,"ET CURRENT_EVENTS Possible Angler EK SilverLight Exploit",2
2808226,"ETPRO TROJAN Trojan/Win32.Zbot Covert Channel port 53",2
2017782,"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendSMS",2
2806934,"ETPRO TROJAN Worm.Win32/Mimail.E@mm CnC ICMP",2
2808434,"ETPRO MALWARE Win32/SoftPulse.H Checkin",2
2807400,"ETPRO MALWARE AutoIt EXE or DLL Windows file download",2
2015708,"ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript",2
2018302,"ET CURRENT_EVENTS PHISH Generic - Landing Page - HTTrack comment and form",2
2807216,"ETPRO TROJAN Orbit downloader checkin 3",2
2804419,"ETPRO MALWARE Riskware.Win32.SoftonicDownloader.AMN!A2 Install",2
2013170,"ET POLICY HTTP Request to a * domain",2
2808501,"ETPRO MALWARE PUP Win32/Amonetize.AV Checkin",2
2017779,"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access makeCall",2
2017780,"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access postToSocial",2
2014002,"ET TROJAN Fake Variation of Mozilla 4.0 - Likely Trojan",2
2014571,"ET CURRENT_EVENTS HTTP Request to a a known malware domain",2
2808185,"ETPRO MALWARE Win32/BrowseFox.H Checkin",2
2016379,"ET CURRENT_EVENTS DRIVEBY Generic - JAR Containing Windows Executable",2
2805352,"ETPRO TROJAN POST to a mp3 file",2
2808621,"ETPRO MALWARE PUP/Win32.IBryte Checkin via HTTP",2
2018117,"ET TROJAN Possible Sinkhole banner",2
2018198,"ET TROJAN Win32/Kryptik.BSYO Checkin 2",2
2808634,"ETPRO TROJAN MSIL/Injector.P Checkin",2
2013332,"ET TROJAN FakeAV Landing Page",2
2016354,"ET CURRENT_EVENTS WSO WebShell Activity POST structure 2",2
2017895,"ET TROJAN Kuluoz/Asprox Activity",2
2807488,"ETPRO MALWARE Win32.Kraddare.FZ Update",2
2018581,"ET TROJAN Single char EXE direct download likely trojan multiple families",2
2016897,"ET TROJAN Possible Win32/Gapz MSIE 9 on Windows NT 5",2
2807561,"ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53",2
2018661,"ET TROJAN Win32/Zemot Config Download",2
2012198,"ET TROJAN Possible Worm W32.Svich or Other Infection Request for setting.ini",2
2807194,"ETPRO TROJAN PWS-Zbot-FANF Checkin",2
2807972,"ETPRO TROJAN Win32/FlyStudio Activity",2
2018006,"ET CURRENT_EVENTS Possible Browlock Hostname Format US",2
2015906,"ET CURRENT_EVENTS WSO - WebShell Activity - POST structure",2
2018697,"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected KINS C2",2
2014846,"ET CURRENT_EVENTS WordPress timthumb look-alike domain list RFI",2
2012753,"ET MALWARE Possible FakeAV Binary Download",2
2017781,"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendMail",2
2018232,"ET CURRENT_EVENTS Possible ZyXELs ZynOS Configuration Download Attempt Contains Passwords",2
2018934,"ET CURRENT_EVENTS DRIVEBY Archie.EK IE CVE-2013-2551 Payload Struct",2
2018784,"ET TROJAN Win32/Neurevt Check-in 4",2
2807403,"ETPRO MALWARE Win32.InstallMonetizer Download",2
2018452,"ET TROJAN CryptoWall Check-in",2
2014917,"ET CURRENT_EVENTS RedKit - Landing Page Received - applet and flowbit",2
2013036,"ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby",2
2018998,"ET CURRENT_EVENTS Archie EK Landing Aug 24 2014",2
2013962,"ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client",2
2017994,"ET CURRENT_EVENTS VBSAutorun_VBS_Jenxcus Check-in UA",2
2018052,"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin",2
2017259,"ET TROJAN Generic - POST To .php w/Extended ASCII Characters",2
2808289,"ETPRO TROJAN Win32/Necurs Common POST Header Structure",2
2016427,"ET CURRENT_EVENTS CoolEK Possible Java Payload Download",2
2015698,"ET CURRENT_EVENTS SPL Landing Page Requested",2
2804972,"ETPRO TROJAN Herpbot.B ICMP",2
2017899,"ET CURRENT_EVENTS Possible PDF Dictionary Entry with Hex/Ascii replacement",2
2015780,"ET CURRENT_EVENTS Zbot UA",2
2016839,"ET CURRENT_EVENTS FlimKit Java Downloading Jar",2
2017516,"ET TROJAN Worm.VBS.ayr Checkin 1",2
2804449,"ETPRO MALWARE Win32/DownloadAdmin.A.Gen Install",2
2018589,"ET CURRENT_EVENTS Possible ASPROX Download URI Struct June 19 2014",2
2010905,"ET MALWARE Fake Mozilla UA Outbound Mozilla/0.xx",2
2018403,"ET TROJAN GENERIC Zbot Based Loader",2
2012392,"ET TROJAN Suspicious Download Setup_ exe",2
2013535,"ET INFO HTTP Request to a *.tc domain",2
2018752,"ET TROJAN Generic .bin download from Dotted Quad",2
2019072,"ET CURRENT_EVENTS RIG EK Landing URI Struct",2
2018383,"ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port Outbound from Client",2
2807061,"ETPRO TROJAN Win32/Rbot SSL checkin 1",2
2019078,"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Aug 27 2014",2
2015905,"ET CURRENT_EVENTS WSO - WebShell Activity - WSO Title",2
2018005,"ET TROJAN Possible Upatre Downloader SSL certificate fake org",2
2807955,"ETPRO TROJAN Win32/Injector.Autoit.ZZ",2
2015743,"ET INFO Revoked Adobe Code Signing Certificate Seen",2
2013827,"ET TROJAN AntiVirus exe Download Likely FakeAV Install",2
2805748,"ETPRO TROJAN TROJ_GEN.F47V1018 Checkin",2
2808578,"ETPRO TROJAN Win32/PSW.Papras.CK Checkin",2
2013311,"ET POLICY HTTP Request to a * domain",2
2017777,"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access takeCameraPicture",2
2808727,"ETPRO MALWARE Win32.Dapato Checkin",2
2014543,"ET CURRENT_EVENTS TDS Sutra - request in.cgi",2
2013497,"ET TROJAN MS Terminal Server User A Login, possible Morto inbound",3
2012816,"ET TROJAN EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing",3
2012312,"ET TROJAN Generic Trojan with /? and Indy Library User-Agent",3
2009909,"ET TROJAN Possible Windows executable sent when remote host claims to send HTML/CSS Content",3
2018788,"ET TROJAN Possible CryptoWall encrypted download",3
2018364,"ET CURRENT_EVENTS SUSPICIOUS OVH Shared Host SSL Certificate Observed In Use by Some Trojans",3
2012322,"ET TROJAN Possible TDSS User-Agent CMD",3
2009512,"ET TROJAN Suspicious User-Agent Session - Possible Trojan-Clicker",3
2009880,"ET MALWARE Casalemedia Spyware Reporting URL Visited 3",4
2018010,"ET TROJAN Suspicious UA ^IE[ds]",4
2010228,"ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected",4
2007567,"ET TROJAN Zlob User Agent - updating unknown",4
23246,"SPYWARE-PUT Wajam Monitizer url download attempt - post infection",4
2018459,"ET WEB_SERVER SUSPICIOUS Possible WebShell Login Form Outbound",4
2803567,"ETPRO POLICY Suspicious User-Agent LuaSocket",4
2013224,"ET POLICY Suspicious User-Agent Containing .exe",4
2006409,"ET POLICY HTTP POST on unusual Port Possibly Hostile",4
2017670,"ET CURRENT_EVENTS SUSPICIOUS Word DOCX with Many ActiveX Objects and Media",4
2018505,"ET CURRENT_EVENTS compromise hostile JavaScript gate",4
2016580,"ET CURRENT_EVENTS SUSPICIOUS Java Request to DynDNS Pro Dynamic DNS Domain",4
2007994,"ET MALWARE Suspicious User-Agent 1 space",4
2806411,"ETPRO MALWARE Suspicious User-Agent PI",4
2017771,"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classes used in awt exploits",4
2017319,"ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and 3 Letter Country Code",4
2002196,"ET MALWARE Casalemedia Spyware Reporting URL Visited 2",4
2016074,"ET TROJAN Backdoor.Win32.Skill.gk User-Agent",4
2003492,"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake Mozilla/4.0",4
2804911,"ETPRO WEB_CLIENT Microsoft Excel corrupted/hostile file invalid MergeCells.rgref.ref8.colLast value",4
2003470,"ET MALWARE Suspicious User-Agent Updater",4
2017912,"ET MALWARE W32/InstallRex.Adware Report CnC Beacon",4
2016933,"ET CURRENT_EVENTS SUSPICIOUS Java Request to Top 100 Dynamic DNS Domain May 28 2013",4
2003620,"ET MALWARE Spyware Reporting User Activity",4
2016582,"ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain",4
2016699,"ET CURRENT_EVENTS SUSPICIOUS lsass.exe in URI",4
2009486,"ET TROJAN APT1 WEBC2-UGX Related Pingbed/Downbot User-Agent Windows+NT+5.x",4
2008276,"ET TROJAN Suspicious User-Agent contains loader",4
2005320,"ET TROJAN Suspicious User-Agent MyAgent",4
2002167,"ET POLICY Software Install Reporting via HTTP - Wise User Agent Wise Sometimes Malware Related",4
2017773,"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2465/2463",4
2018172,"ET CURRENT_EVENTS SUSPICIOUS Java Lang Runtime in Response",4
2012249,"ET USER_AGENTS Suspicious Win32 User Agent",4
2008986,"ET POLICY Internal Host Retrieving External IP via - Possible Infection",4
2008420,"ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile",4
2802841,"ETPRO USER_AGENTS Suspicious User-Agent Setup Agent - Likely Malware",4
2803491,"ETPRO TROJAN Suspicious HTTP STOP Return - Trojan.Win32.FakeAV.cfty or Related Controller",4
2013256,"ET TROJAN Majestic12 User-Agent Request Outbound",4
2016754,"ET POLICY Internal Host Retrieving External IP via - Possible Infection",4
2014534,"ET TROJAN OSX/Flashback.K/I User-Agent",4
2011227,"ET POLICY User-Agent NSIS_Inetc Mozilla - Sometimes used by hostile installers",4
2018301,"ET MALWARE Win32/Toolbar.CrossRider.A Checkin",4
2002400,"ET USER_AGENTS Suspicious User Agent Microsoft Internet Explorer",4
2003337,"ET MALWARE Suspicious User Agent Autoupdate",4
2003583,"ET MALWARE Suspicious User-Agent update",4
2008975,"ET TROJAN Suspicious Malformed Double Accept Header",4
2003219,"ET MALWARE Alexa Spyware Reporting",4
2017760,"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class file Accessing Security Manager",4
2008184,"ET TROJAN Suspicious User-Agent Installer",4
2008350,"ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile",4
2011800,"ET POLICY Abnormal User-Agent No space after colon - Likely Hostile",4
2806301,"ETPRO MALWARE Win32/AirAdInstaller.A User-Agent AirInstaller",4
2008255,"ET TROJAN Suspicious User-Agent IE",4
2001891,"ET USER_AGENTS Suspicious User Agent agent",4
2017767,"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing management MBeanServer",4
2017365,"ET TROJAN SUSPICIOUS UA iexplore",4
2804910,"ETPRO WEB_CLIENT Microsoft Excel corrupted/hostile file invalid SXLI BIFF record",4
2013031,"ET POLICY Python-urllib/ Suspicious User Agent",4
2805354,"ETPRO POLICY SUSPICIOUS POST to a zip file",4
2011124,"ET MALWARE Suspicious FTP 220 Banner on Local Port spaced",4
2017772,"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2471/2472/2473",4
2008985,"ET POLICY Internal Host Retrieving External IP via Automation Page - Possible Infection",4
2010881,"ET WEB_CLIENT PDF With Unescape Method Defined Possible Hostile Obfuscation Attempt",4
2003055,"ET MALWARE Suspicious FTP 220 Banner on Local Port -",4
2808499,"ETPRO TROJAN Win32/Zemot User-Agent",4
2805815,"ETPRO POLICY Internal Host Retrieving External IP via - Possible Infection",4
2011504,"ET WEB_CLIENT String Replace in PDF File, Likely Hostile",4
2803418,"ETPRO TROJAN Suspicious user agentMERONG",4
2018026,"ET MALWARE W32/BettrExperience.Adware Update Checkin",5
2016780,"ET MALWARE Adware.Win32/SProtector.A Client Checkin",5
2018323,"ET MALWARE W32/Linkular.Adware Successful Install Beacon 2",5
2806435,"ETPRO MALWARE Adware.Eorez Checkin",5
2808597,"ETPRO MALWARE Win32/Adware.MultiPlug.J Checkin",5
2808369,"ETPRO MALWARE Adware.InstallCore.B Checkin",5
2807050,"ETPRO MALWARE Win32/Adware.Lollipop Checkin 2",5
2808681,"ETPRO MALWARE Win32/InstallRex.Adware Checkin",5
2808696,"ETPRO MALWARE W32/iBryte.Adware Installer Download",5
2808069,"ETPRO MALWARE Adware.iBryte.Z Checkin",5
2808091,"ETPRO MALWARE Win32/AdWare.SmartApps Checkin",5
2018368,"ET MALWARE W32/PullUpdate.Adware CnC Beacon",5
2014122,"ET MALWARE W32/OpenCandy Adware Checkin",5
2018174,"ET MALWARE RelevantKnowledge Adware CnC Beacon",5
2807371,"ETPRO MALWARE AdWare.MSIL.Sancmed.p Checkin",5
2808159,"ETPRO MALWARE AdWare.Win32.WhiteSmoke Checkin",5
2807236,"ETPRO MALWARE Win32/AdWare.AddLyrics.T Checkin",5
2805193,"ETPRO MALWARE Adware Installer Requesting an exe BetterInstaller",5
2014605,"ET MALWARE W32/GameVance Adware Server Reponse To Client Checkin",5
2807336,"ETPRO MOBILE_MALWARE Android/Adware.Kuguo.C Checkin",5
2806053,"ETPRO MALWARE ADWARE/InstallCore.Gen Checkin",5
2013983,"ET MALWARE Adware-Win32/EoRezo Reporting",5
2808637,"ETPRO MOBILE_MALWARE Adware.Android.AppLovin.A Checkin",5
2018148,"ET MALWARE W32/InstallMonetizer.Adware Beacon 1",5
2018565,"ET MALWARE W32/RocketfuelNextUp.Adware CnC Beacon",5
2808620,"ETPRO MALWARE PUP Adware/Crossrider Checkin",5
2808262,"ETPRO MALWARE PUP Win32/GetNow.B Checkin",5
2018149,"ET MALWARE W32/InstallMonetizer.Adware Beacon 2",5
2017911,"ET MALWARE W32/InstallRex.Adware Initial CnC Beacon",5
2807267,"ETPRO MALWARE Adware.Conduit/Variant Checkin",5
2017136,"ET MALWARE Adware.Gamevance.AV Checkin",5
2805862,"ETPRO MOBILE_MALWARE Android/Adware.Uapush.A Checkin",5