We found a bug that caused BotHunter to generate lots of DNS alerts. Some of you may like to know where all your DNS servers are, but this was getting out of hand. Now BotHunter will only alert if a client performs many queries to an external DNS server in a short amount of time. Just restart your sensor to get the bug fix.
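The difference between the old and the fixed behaviour described above, as an added example (not BotHunter's code): the old logic fires on every query to an external resolver, the fixed logic fires once when a client's query count inside a sliding window crosses a threshold. The window, threshold, internal networks and flow records are all constructed assumptions.

```python
# Added example, not BotHunter's code: rate-based alerting on DNS queries to
# external resolvers, per client, over a sliding window. Window, threshold and
# the "internal" networks are assumptions chosen for illustration.
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
WINDOW_SECONDS = 60   # assumed sliding-window length
THRESHOLD = 20        # assumed: alert when a client exceeds this many queries

# Constructed flow records: (timestamp, client_ip, server_ip, dst_port)
SAMPLE_FLOWS = (
    [(t, "10.1.1.5", "10.1.1.1", 53) for t in range(0, 60, 2)]     # internal resolver
    + [(t, "10.1.1.7", "8.8.8.8", 53) for t in range(0, 30)]        # 30 external queries in 30s
    + [(t * 100, "10.1.1.9", "1.1.1.1", 53) for t in range(0, 30)]  # 30 queries over ~50 minutes
)

def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def naive_alerts(flows):
    """Old behaviour: one alert for every query sent to an external DNS server."""
    return [(ts, client, server) for ts, client, server, port in flows
            if port == 53 and is_external(server)]

def windowed_alerts(flows, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Fixed behaviour: alert once when a client's external DNS query count
    within the sliding window reaches the threshold; re-arm once it drops."""
    history = defaultdict(deque)  # client -> timestamps of recent external queries
    tripped = set()
    alerts = []
    for ts, client, server, port in sorted(flows):
        if port != 53 or not is_external(server):
            continue
        q = history[client]
        q.append(ts)
        while q and ts - q[0] > window:   # drop queries older than the window
            q.popleft()
        if len(q) >= threshold and client not in tripped:
            alerts.append((ts, client, len(q)))
            tripped.add(client)
        elif len(q) < threshold:
            tripped.discard(client)
    return alerts
```

The slow client (one query every 100 seconds) never accumulates more than one query per window, so only the burst from 10.1.1.7 produces an alert.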
Sometimes we come across a historical query with lots of information that cannot be summarized in a single escalation report. With this new feature (the report button at the bottom of the historical report page) you can take a snapshot of the current page, which is archived under Historical Queries. This is especially useful if you collaborate with someone else and want to share the information (for example, show it to your boss) or you simply want to archive what you see.
Simply make the OSSEC daemon send syslog messages to your sensor IP address and ‘voila’: now you can view, aggregate and correlate your OSSEC alerts with Snort alerts, flows and other syslog entries. The NSM will also store your OSSEC alerts (just like any other syslog message) in the DB to mine at your leisure. As always, send any questions or bugs to firstname.lastname@example.org.
Click on reports and inspect automatically generated daily and weekly reports or create your own custom reports.
Periodic reports are generated every day or every week. One-time reports are specified between specific dates. Once the report is saved, it will be executed in the background. Reports are interactive and let you explore the report data through the historical interface. Enjoy!
By popular demand, the real time interface now only shows Snort alerts by default; this makes it much less demanding on your browser. Clicking on “View Flows” at the bottom-left will toggle the interface to show all the flows (like it used to). Also, the context menus have been rearranged to be easier to use.
The MetaFlows interface was updated last night with the following changes:
- Visual Grouping
Detailed records of a historical query, when sorted by time, are visually time-grouped with a red or black border.
- Escalation Reports
Escalation reports now include all detail record information instead of just listing the client/server ports/IP addresses.
- Sensor Software Updates
- Parallel Snort Processes
Sensors now run parallel Snort processes to make event processing more efficient.
- Snort VRT Rules
You can now use your existing Snort VRT Rules subscription. To add your existing Snort VRT Rules subscription to one of your sensors check the checkbox next to “SourceFire VRT Rules?” and fill in the Oinkcode, OS, and subscription type fields (they appear only after you check the “SourceFire VRT Rules?” checkbox).
- Emerging Threats Pro Rules
All sensor subscriptions now include an Emerging Threats Pro Rules subscription.
Sensors now return enhanced host information.
- Bots on the Dashboard
The MetaFlows interface dashboard now lists all IP addresses that have a ranking greater than 0 and were part of events during the last 24 hours. Clicking on the IP address will take you to the historical interface and show all events from that IP address.
- Pausing the Real Time Interface
Click on the Pause icon at the bottom of the Real Time Interface to halt the display (so you can inspect records). If you pause the display, data will still be collected and kept, but new flows will not be added to the display. Once you un-pause, all flows that came in while the interface was paused will be displayed.
- Query for Historical records by ranking
A ranking option was added to the historical interface query options. If you turn on the “Ranking” option at the bottom of the Historical Interface before you click the “Reload” button to query for data matching the historical query options, only records with a ranking greater than 0 will be returned. This reduces the number of records by several orders of magnitude.
- Forums and Groups
Both Forums and Groups are new features to help you troubleshoot problems, analyze data gathered by your sensors, and receive assistance from the user community at large.
Tickets can be created from escalation reports and submitted to groups in which you are a member.
Cloud Computing Concept Meets Supercharged Open-Source Network Security Tools at SC10
REDLANDS, CA, November 12, 2010 — MetaFlows, Inc., a startup focused on leveraging emerging cloud/virtualization technologies for the next generation of network security solutions, will debut an innovative network security monitoring system as part of the SC10 networking infrastructure called “SCinet”. By monitoring SCinet’s diverse and high-throughput network, MetaFlows aims to demonstrate that its new network security monitoring (“NSM”) system, the world’s first fully SaaS-based system, is “ready for the big leagues.” If successful, it would also signal the realization of a new cost-cutting paradigm shift that the network security industry, and its patrons, have been waiting for.
Founded upon battle-hardened, open-source resources (Emerging Threats signatures, Cyber-TA’s BotHunter dialog-based correlator, Sourcefire’s Snort VRT, etc.), MetaFlows’ NSM reconciles and ranks IDS, flow, and active (local AND global) intelligence through a revolutionary predictive global correlation system based on Google’s page ranking algorithm, better revealing true positives while significantly cutting down on false-positive clutter. MetaFlows’ NSM then delivers and unifies these results, along with log management, through the world’s first fully SaaS-based, real-time security console with easy-to-use forensic tools for deep event analysis. To cap it all off, MetaFlows’ Open-Sensor Technology helps NSM subscribers save thousands more dollars per year by granting them the ability to use almost any off-the-shelf sensor hardware they prefer or, via Linux/FreeBSD or virtual machines, use their preexisting hardware.
“At SC10, we expect to show the world that these technologies are now fully matured and able to handle the most demanding of environments,” said Livio Ricciulli, Founder and Chief Scientist of MetaFlows. “The HPC community should find our fully SaaS-based security console and predictive global correlation technologies especially interesting, because they afford HPC admins and their MSSPs the levels of secure mobility and efficiency they’ve always needed but have never seen before.”
MetaFlows’ NSM will be active throughout SC10, and MetaFlows Chief Scientist, Livio Ricciulli, will be available to answer any questions you might have about it, November 14th through the 19th.
If you are interested in a live demonstration of MetaFlows NSM while at SC10, Livio Ricciulli would be happy to personally demo the system and get your feedback. Simply RSVP with MetaFlows’ press contact, Jude Calvillo (email@example.com), to arrange a meeting.
About MetaFlows, Inc.
MetaFlows, Inc. is a California-based corporation currently working to bring the world’s first fully SaaS-based IDS management solution to market, a solution so revolutionary in infrastructure and intelligence that it will unavoidably slash the costs and complexity of network security monitoring while actually improving upon event analysis and remediation response time(s). MetaFlows is partially funded by the National Science Foundation and SRI International and is led by a team of experienced entrepreneurs with a track record of success in network security ventures. For more information on MetaFlows, please visit: www.MetaFlows.com
SC10, sponsored by the IEEE Computer Society and the ACM (Association for Computing Machinery) offers a complete technical education program and exhibition to showcase the many ways high performance computing, networking, storage and analysis lead to advances in scientific discovery, research, education and commerce. This premier international conference includes a globally attended technical program, workshops, tutorials, a world class exhibit area, demonstrations and opportunities for hands-on learning. For more information on SC10, please visit: https://sc10.supercomputing.org/
MetaFlows Media Relations
Fax: (877) 539-7778
MetaFlows has done its first official release!
Sign up for an account and try it out!
MetaFlows founder Livio Ricciulli talked with Silicon Prairie News about the ways in which MetaFlows is helping to shape and innovate intranetwork and internetwork cybersecurity.
Watch the video here or watch it over at the Silicon Prairie News website.
MetaFlows will help secure SCinet for Supercomputing 2009. This is an extremely challenging task because of (1) the huge amount of bandwidth to be monitored and (2) the coexistence of legitimate p2p traffic, new experimental uses of Internet applications, and sophisticated users from all over the globe.