Block IP

By popular demand we added a block IP function. You can click on the icon from either the real time or historical interface. After you enter an IP address, it will be immediately blocked (if you have enabled the isolate function by clicking on the isolate checkbox in the sensor configuration). This action creates a block classification automatically. You can later delete it or modify it by edit the block classification.

The blocking occurs by injecting spoofed TCP RST and other packets to disrupt communications for the blocked IP.

VMware ESX support

We are now an official VMware alliance partner. Our virtual machine sensors can now run on VMware ESX, Server, Workstation, or Player.

This new new virtual machine should give you much more flexible deployment options and the ability to achieve processing performance equivalent to the native Linux CentOS sensor. The MSS can now fully support VMWare virtual environments.

Improved Sensor Provisioning

We improved our sensor provisioning mechanism. After you configure a new sensor, the generation is much quicker. Once the sensor is run for the first time, you will assign a particular sensor configuration to it. This also allows you to instantly migrate sensors from one hardware box to another without having to copy software around. If you want to assign a new sensor to a particular machine, you set the UUID to 0 and restart; during the restart, you can pick your new sensor configuration among the configurations you have created. Please remember to only have one active configuration running at time otherwise many things will not work.

Please send us email at for any questions.

Sensor Rule Updates

The sensors now reload the rules every 12 hours to suck in any rules automatically. The real nice thing is that we restart one Snort process at a time and pfring dynamically shifts the load to the other remaining processes. This way, even while reloading, there is no packet loss. This is especially important if you are configured inline. If you have only one Snort process because you have an older 1-2 core CPU or not enough memory, this feature obviously wont help you and you will get some small packet loss every 12 hours.

Soft IPS is Here!

The MetaFlows Design Team has developed an active response system that lets subscribers disrupt TCP (and sometimes UDP) sessions with a sensor deployed as a passive device. It works great for enforcing network usage policies associated with particular snort rules (like Bittorrent, drop-box, etc.) or simply to block particular hosts that should not be on the network. The active response mechanism works by injecting spoofed TCP reset packets into the network (and other things). Every time something is blocked, log message associated with that action will appear in the MetaFlows interface. In order for the passive response system to actually actively block, subscribers will need to modify the sensor configuration and enable the “Isolate” checkbox. Leaving the checkbox off will only simulate the actions and log what it wold have blocked.

Whether inline or as a active response, the default block rules are not turned on. It is up to the customer to decide what should be blocked.

For answers to any questions about the Isolate Plugin or Soft IPS, please contact the MetaFlows Design Team at

What is Soft IPS?

soft ips

Intrusion prevention systems (IPS), for the most part, involve very expensive network appliances that sit outside the network to prevent attacks from getting in. We call that “hard IPS”. A typical IPS could cost at least $10,000 or more plus maintenance fees.

Soft IPS is software that uses off-the-shelf hardware to monitor network traffic at high-performance speeds in passive or inline mode, block unwanted traffic through packet filtering, TCP session disruption and customizable inline drop policies.

The MetaFlows Security System (MSS) is the very first soft IPS and costs a fraction of what typical a IPS might cost because it doesn’t need an expensive piece of hardware to run.

MetaFlows has modified a piece of open-source software, called PF_RING, so that it can turn a standard off-the-shelf desktop computer into a high-performance intrusion prevention system. If you’d like to learn exactly how our modified version of PF_RING does that, you can read our technical release here.

Soft IPS lets small and medium-sized businesses get the protection they need by lowering the cost of a high-performance IPS. For large enterprises and government agencies, this means that they can drastically reduce their information security and IT costs.

If you’re interested in integrating our modified PF_RING into your own Snort IPS system, you can download our code and install instructions here: MetaFlows Modified PF_RING.


The MetaFlows Global Enterprise network security system (MSS GE) includes all the features of the MSS SaaS solution but it is designed to communicate exclusively within a private network or as a private cloud on a public network. The MSS GE controller is deployed either as an on-premise high performance Appliance (starting at 1200 Events/Second) or as a private Amazon EC2 instance. Find Out More >>

MetaFlows Global Enterprise System - Network Security, Malware detection, Intrusion Prevention and IT compliance verification

Web Security Console
MSS GE Controller
Daily Intelligence Feeds
  • Real Time SIEM, Flow & Log management
  • Multi-user Online Collaboration
  • One-click Remediation
  • Highly Customizable
  • Deploy as an Appliance or as an Amazon EC2 Instance
  • Predictive Event Correlation quickly finds Malware
  • Centralized Sensor Provisioning
  • Behavioral Malware Detection
  • Zero-day/APT Intelligence
  • Vulnerability Scanning
  • Geo-location Intelligence

Security events from the MSS GE sensors are securely transmitted to the MSS GE Controller where they are ranked using a unique algorithm mathematically similar to Google’s page ranking. Rather than limiting security event ranking to static policies, the MSS GE derives priorities based on dynamic measurements. The MetaFlows Active Threat Management system and the SRI Malware Threat Center continuously mine the Internet for bad IP address and event reputation data (much like the reputation and number of links to a web page). The MSS GE controller continuously accumulates this security event reputation data and mathematically transforms it every day to improve ranking prediction. The end-result is that the MSS GE lets you quickly find Malware that otherwise would go unnoticed.

Main Features

Advanced Malware Detection

The MSS provides high-speed Malware detection/prevention using BotHunter, daily signature updates and Geo-location intelligence.

Intrusion Prevention

Efficient and cost-effective network protection. Easily shut down exploits, Bots, C&C communications, Phishing attempts or sites with bad reputation.

Flow Analysis & Monitoring

The MSS adds flow analysis to catch covert data exfiltration and/or anomalous communication patterns. You need to know where your data is going.

SIEM & Log management

Merge real-time security information with 3rd-party network-based and host-based monitoring systems.

Security Software as a Service

Rich analysis and advanced reporting tools from a secure web browser. Access actionable alerts anytime from anywhere.

Cloud Security

Seamlessly monitor cloud-based assets. The MSS efficiently secures your cloud without the dangers of traffic replication.

Ntop Support for CentOS Sensors

Ntop is now part of the MetaFlows Security System (CentOS only for now). Ntop is an indispensable tool that provides historical and near real time flow statistics of your traffic. To use it, simply enable Ntop in you current sensor configuration page and do a hard restart of your sensor (this will download and install Ntop); that’s it! This is the beauty of Cloud-based computing!.

You can invoke Ntop either from (1) the Historical menu or (2) from the Real Time right-click menu. Each time you analyze a host with Ntop you can query back into the MetaFlows historical interface or you can try to extract files transmitted or received by that host (more on this in the next post).

Sensor Resources: In most cases your existing sensor should handle it fine (it uses 0.5 GB of memory and approximately an additional 25% of your current CPU usage). If you have concerns about performance, please do not hesitate to contact us at


Email Alerts

The classifications can be used to create custom event notifications. Simply create a classification through the browser and choose the email action. This will trigger email messages detailing the particular flows that matched your specification. I would say that creating an email alert for all events with ranking >0 is a good place to start. This feature now runs from the server side even if your browser is not active.


Content Extraction

Have you ever wondered what content is being transmitted in and out of your network by suspicious hosts? Now you can use Content Extraction to extract files from your network traffic to preview them or download them to you desktop for further analysis.

Obviously you need to have packet logging enabled and Ntop enabled (it uses Ntop back-end for managing the file extraction application). Sometimes it gets slow because it needs to go though tons of data so please be patient.

This is still experimental; if you have suggestions on how to improve it, let us know at