Splunk App

We have developed a Splunk network security app available at https://splunkbase.splunk.com/app/3603

or https://nsm.metaflows.com/SplunkforMetaFlows.tgz.

It receives events generated by the MetaFlows sensors and breaks them down by the following types:

  • Multisession Analysis
  • High Priority Events
  • IDS Events
  • Network Logs (3rd party logs sent to the sensors)
  • File Transmission Analysis
  • User Discovery
  • Service Discovery
  • Host Discovery
  • Mac Discovery
  • Suspicious URL Transmission Analysis
  • IPS Notifications
  • User Rankings
  • Modsecurity

From the app you can either drill down on Splunk itself or jump to the MetaFlows console to gather more forensic information like packet payloads.

You can install the app by using the Splunk application management tools. In order to send event to Splunk you need to add a configuration line in your /nsm/etc/mss.sh startup script of your sensors.  The SSL-encrypted syslog messages are sent to the MetaFlows Splunk App through TCP port 3015 (please make sure you sensor can communicate on this port).

It is a early beat version, please let us know how you like it.

Please see more details at https://docs.metaflows.com/Log_Management#Splunk_App

Happy Hunting!

The MetaFlows Team.

WannaCry Ransomware Advisory

It has been all over the news this weekend, a surge in Ransomware under the name ‘wannacry’ that has the potential to cripple large portions of networks due to the way that it spreads.

This is a pretty stealthy piece of malware at the network level, little to no CnC has been confirmed, but at an individual level it doesn’t behave much differently from any other Ransomware that we have seen in the past.

What distinguishes WannaCry is that it has a secondary infection vector that prior Ransomware variants lacked. Like any other, the primary infection vector appears to occur via email attachment (zipped javascript). However, once a machine is compromised it begins to behave more like a worm, able to exploit SMB (windows file sharing) on any systems that it can reach in order to spread its self.

This worm like behavior makes it particularly dangerous. While usually* smb (port 445) is not accessible from the outside world, it is often completely unrestricted within a local network, allowing one infected machine to spread the Ransomware across an entire site.

* This is your reminder to do double check firewall rules and run some external scans to make absolutely certain your windows file shares are not reachable from the outside world.


The following signatures are currently indicators to look out for:

2024218: ET EXPLOIT Possible ETERNALBLUE MS17 Echo Response
2024291: ET TROJAN Possible WannaCry DNS Lookup (trojan.rules)
2024292: ET INFO Bitcoin QR Code Generated via Btcfrog.com (info.rules)

MetaFlows has added 2024291 to our priority alerts category, and may also add 2023218 to add an extra level of alerting for these events.


Many of the windows related scan rules have been updated, and may be treated with greater suspicion, but are not alone indicators of this malware:

2001569 – ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection (scan.rules)
2001579 – ET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection (scan.rules)
2001580 – ET SCAN Behavioral Unusual Port 137 traffic Potential Scan or Infection (scan.rules)
2001581 – ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection (scan.rules)
2001582 – ET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or Infection (scan.rules)
2001583 – ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection (scan.rules)

There are likely to be more updates and more information soon as researchers have time to study the samples collected so far.
Our primary signature provider, Emerging Threats, maintains a mailing list where these issues are discussed as they unfold.

Watch your MACs

We added a feature to alert you whenever a new MAC address is seen by the system. The system learns about MAC addresses either through analyzing the DHCP protocol or finding new MAC addresses in the normal network traffic (if you are mirroring/spanning the endpoints’ MAC addresses).

It generates messages of the form:

MACwatch <IP_ADDRESS> <MAC_ADDRESS> <Flow information>

Every time the system sees a new MAC address.

IP_ADDRESS is the address using the newly discovered MAC
MAC_ADDRESS is the new MAC
<Flow Information> is the flow information we used to discover the new MAC (typically a DHCP lease, but it could also be a UDP or TCP packet if you will span the MAC addresses from the switch).

See a screen shot from our lab firewall sensor.


After the update, you will start getting messages of MAC addresses never seen before. After a while, only new MAC addresses never seen before will start showing up and you can setup a classification matching MACwatch to email yourself, block communication, or both.

The MAC addresses are available for search in the assets page under a new column called MAC. The same IP address can have multiple MACs simultaneously; and MACs can move around from IP to IP due to DHCP leasing.  But, no matter what, a previously unseen MAC will generate a MACwatch message. Some devices (like printers) can go to sleep for days; so you might see some legitimate MACwatch messages for a while.

As always, let us know if you have any questions at support@metaflows.com.

Happy hunting!


The MetaFlows Team

Got MAC?

We recently added the MAC addresses to the event messages. The system gets the MAC addresses in two orthogonal ways:

  • We sniff the MAC headers from the passive tap. If the MSS sees more than 5 IP addresses with the same MAC, it stops recording because it means you are mirroring the connection between the switch and the next routing hop (probably the firewall) where the MAC addresses are not available.
  • We sniff  DHCP lease messages  when the IP is assigned dynamically. In order to do this, you probably need to instruct the switch to specifically mirror DHCP traffic in order for the sensor to process it.  The sensor expects DHCP UDP traffic using the pcap expression udp and (port 68 or port 67).

Please contact us at support@metaflows.com if you need help in setting up DHCP traffic monitoring.




Websockets Are Here

Adobe Flash is one of the original sins. It is everywhere and yet it is a huge security risk. Websockets is an HTML5 standard that, for us, provided an alternative to Adobe Flash.

For now we support both. The browser will try to use Adobe Flash first, and if it is not present or it is disabled, it will try using Websockets (which are hard-coded in your Browser). I you want to keep using Adobe Flash, you do not have to do anything; things should keep working as before.

If your sensors are configured as clients, and you do not want to use Flash anymore, just disable it and the Browser will do the rest. You will be using MetaFlows SSL certificate.

If your sensors are configured as servers, and you do not want to use Flash anymore, well, it’s a bit of work to use Websockets because current Browser implementations do not allow self-signed SSL certificates (this is probably a good thing). To use Websockets on sensors configured as servers:

  1. Add your sensors’ static IPs to the DNS (like: <sensorname1>@mydomain.com)
  2. Generate a valid SSL certificates  that matches the DNS name in step 1 (cannot be self-signed). If you do not want to generate a separate certificate for each sensor, you can also buy a *.mysensordomain.com certificate to share by all your sensors.
  3. Bundle the certificates with the command:

# cat my_certificate.crt my_certificate.key bundle_certificate.crt > sensorcert

  1. Copy sensorcert to /usr/local/etc/ntop/sensor-server.pem on your sensors’ hard disk.
  2. Go to nsm.metaflows.com and replace the static IP address of your sensors as a server with the names you setup in step 1
  3. Make sure your browser can reach the sensors on ports 3009 and 3010
  4. Restart your sensors as a server with the command:

#/nsm/etc/mss.sh restart

Adding Websockets support was a fairly extensive change in our system; so there could still be some issues. As always feel free to contact us if you have any questions or you see any problems.

Thank you for exploring the unknown with us!

The MetaFlows Team.

Constant Companions: Giving Passwords and Passphrases Thier Due

“Through 20 years of effort, we’ve successfully rained everyone to use passwords that are hard for humans to remember, but are easy for computers to guess.”  Randall Monroe, XKCD

For users, passwords and passphrases are a way of life.  How else can an individual not only identify themselves to access necessary services but also prove that they are who they say they are without biometrics?  However, the way in which many businesses choose to think about passwords and passphrases is not only wrong, but harmful.  Many financial institutions, as well as work places, require that passwords max out at a short, fixed number of characters (anything between six and twelve), include an uppercase and lowercase letter, as well as at least one digit.  This is, unfortunately, not an ideal solution.  In essence, any organization requiring that users make passwords under such conditions is setting their users up for failure on a multitude of levels.  Not only are these passwords easier to crack than other options but they typically cannot be memorized, requiring the user(s) in question to write them down or store them elsewhere.

Data released in a recent study by Carnegie Mellon University’s CyLab indicates that traditional methods for password and passphrase creation are woefully inadequate and that a great many users have a mistaken idea of the methods in which adversaries employ in the attempt to crack them.

This study reveals that, “Participants, on average, also believed any password with numbers and symbols was a strong password, which is not always true. For example, p@ssw0rd was thought to be more secure than pAsswOrd, but the researchers’ attacker model predicted that it would take 4,000 times more guesses to crack pAsswOrd than p@ssw0rd. In modern day password-cracking tools, replacing letters with numbers or symbols is predictable.”

The question then becomes, what can the user do to avoid this situation?  The engineers at MetaFlows have a very unique way of creating passwords/passphrases that are much more secure.  There is a basic equation for password strength, failing that the password appears in a known dictionary, is:


Complexity being the number of possible characters the password contains

So a password using only lower case letters has a complexity of 26

A password using lower, upper, and numbers has a complexity of 62

A complex password with a length of eight:

62^8 = 218,340,105,584,896 possibilities

A simple password with a length of twelve:

26^12 = 95,428,956,661,682,176

The longer, but simpler, password in this example has a total search space 437 times greater than a standard “complex” password.  This is not to say that complexity is bad, complexity helps, but length is the dominant factor in determining strength against brute force. It should be able to be memorized, so going ahead and adding a number or a weird character is fine. However, if adding that element makes it too hard to remember then consider tacking on another word instead that is easier to remember to increase the strength exponentially.

What is the difference between a password and a passphrase?

The example password meets all standard complexity requirements: lower case, upper case, number, and special character.  One of our engineers decided to see how long it would take for them to crack this password.  The end result is as follows:


Search Space 6.70×10^15

Single Machine traditional estimated crack time: 18.62 hours

Cracked during several hours while playing WoW and a good night’s sleep.

The experiment was repeated with a passphrase, which is a group of words strung together that act as a password.  The passphrase below meets none of the standard complexity requirements as it is all lower case and contains no digits.  Unlike Pa$sw0rd, it is easy to remember.


Search Space 4.33×10^39

Single Machine traditional estimated crack time: 13.76 million trillion centuries

Still not cracked long after the death of our solar system.

In most cases, adding a few words that are related to the site or process in question is helpful to remembering them but we also know that people are surprisingly good at remembering almost any silly combinations of words as a passphrase. The more unrelated the words chosen are, the less likely they will ever end up in a dictionary. Picking one nonsensical word increases the potential strength against dictionaries to a level that is realistically beyond guessable. For example, “mypasswordisnotpassword” may be obvious enough to get added to a dictionary, but “mylongitudinalpasswordisnotamonkey” is arcane.

Another method, advocated by Micha Lee at The Intercept_ is Diceware.  The method for creating a Diceware password is simple and straightforward but the end results may lead to a far more secure passphrase.  The Diceware method is effective because it will provide randomness that the human brain cannot.  The value of using a method that involves randomization is ideal when one considers entropy.  “The amount of uncertainty in a passphrase (or in an encryption key, or in any other type of information) is measured in bits of entropy. You can measure how secure your random passphrase is by how many bits of entropy it contains. Each word from the Diceware list is worth about 12.92 bits of entropy (because 212.92 is about 7,776). So if you choose seven words you’ll end up with a passphrase with about 90.5 bits of entropy (because 12.92 times seven is about 90.5).”

Once a user creates a password, one must have a clear idea of where to store it.  While there are numerous password saving applications available on the web and scraps of paper abound, nothing is more secure than pure memorization.  When considering password creation, always stick to something easy to memorize as well as difficult to crack.  To put it plainly, storing passwords anywhere other than the human mind creates an exploitable vulnerability.  This of course, includes writing them down on a sheet of paper and attempting to hide it. The popularity of password storage books and password applications is no indication as to the level of security they provide, which is limited at best.

No matter how random and entropic a password may be, it is vital that if using the same password for more than one service, that passwords used for social media accounts should in no way resemble those used for online banking and other vital activities.  It cannot be stressed enough that reusing passwords, sharing passwords, recording passwords, and repeatedly recycling through a set of passwords is far from advisable.


Product Update: Reconsider Event Classifications

Recently, the engineers at MetaFlows have improved the Event Classification Menu within the MetaFlows software, allowing each user to further customize events through actions and event views.  This introduces four key features to the Event Classification Menu that users will find helpful in employing the MetaFlows IDS.

Classifications Window.png

The first improvement allows users to see a comprehensive list of their classifications.  Now, users can access a new classification interface that breaks the classifications down by action.  There are seven action types:  Highlight, Block, E-mail, Ignore, Delete, Rank, and Disabled.  The Highlight function matches the records in the Real-Time, Historical, and Reports with the selected color.  The Block action triggers the Soft IPS for matching records, causing connections matching the classification to be blocked.  The E-mail function produces a PDF report of matching records that will be sent every ten minutes, or as frequently as possible.  The Ignore action ignores events that match the classification.  The Delete function removes matching records from the browser in order to free up memory.  The Rank action increases the priority/rank of the records that match the classification.  The Disable function allows a user to disable a classification without deleting it.


The Search functionality of the classification interface now allows users to search against a classifications’ name, category, IP address, IDS alerts, service alerts, and log message values.  All a user has to do is type a value into the Search field to find classifications to match that query.  The search will match against values in the classification name, category, addresses, and events field.


Once upon a time, deleting a classification was an irreversible action.  Now, that can be undone.  If the user deletes a classification only to realize later that they need it, they can restore the classification from the Trashed Classifications list.

Transferring classifications is now much easier.  By employing the Upload Classifications feature, a user can transfer classifications in bulk between two different domains.  The option is listed as the Upload Classifications button and selecting this opens the uploader.  Classifications must be in JSON format and contain all the required information for the classification.

More information regarding the recent improvements in the Event Classification menu can be viewed on the MetaFlows User Manual.  If using any of the four new features causes any confusion, or if there are any questions, do not hesitate to contact the MetaFlows team for assistance.

Taking a Crack at Locky

Since mid-February, security researchers have been encountering Locky, the latest ransomware tool in the adversary’s arsenal. The engineers at MetaFlows observe Locky primarily in email attachments that are processed using the MetaFlows sandbox. On networks being monitored by MetaFlows sensors, the engineers are able to take samples of inbound .zip email attachments and send them to a Cuckoo Sandbox to be processed. The sandbox runs the sample in a virtual machine and is able to detect malicious behavior. Often malware tries to evade detection, but since Locky is trying to get noticed by the user anyway, it is not subtle. Locky typically triggers over a dozen indicators of compromise and IDS signatures on the sandbox and therefore, is almost impossible to miss.

MetaFlows has seen consistent spam campaigns over the last month that deliver zipped JavaScript files that Windows is designed to execute by default with its native wscript.exe. The files, when executed by the user, appear to do nothing at first. This is a bad sign. Within moments a secondary payload is fetched, encryption has begun, and command and control beaconing has been performed in the background. Once it is done, the user will be greeted with the typical ransomware demands webpage, image, and wallpaper.


The spam campaigns use short, simple subject lines, or they include only “Re:” or “Fw:”. They are often appeals to business or tax related concerns, and the body is usually curt with a reasonable request to review the attachment and respond. These emails frequently include a legitimate appearing signature and use appropriate spelling and grammar. It is easy to see that people who are not constantly on guard about these issues could easily be tricked into opening the file. In the example below, the target could be concerned that they or their business missed a legitimate payment, or knowing that they have no business with “China Information Technology, Inc.,” they may open it to investigate why they have been billed.

Screen Shot 2016-05-19 at 3.36.44 PM.png

The engineers at MetaFlows also collect statistics on the email subjects used to lure victims into opening the attachments, these are part of the Weekly Statistics page. The subjects vary from scare tactics, to just curiosity, to near gibberish, but they are rarely outlandish or over-the-top as spam quite often is. Not all of these are Locky, but the vast majority those that have made an appearance this week are.

Enterprises can make themselves less of a target by employing a two-layer approach.  Investing in an IDS such as MetaFlows that will detect the inbound file, and recognize the infection behavior of a compromised system is the first layer.  Given the current view on the spam campaigns distributing ransomware, the best solution is user education. Staff members should be approached, reminded regularly of this problem, and ideally possess some healthy paranoia about opening email attachments unless they absolutely know the sender. Also, even though .doc and other common files can be vectors for infection as well. Most users have no reason to ever open a .js with a strange icon.

The next layer consists of getting user files out of the path of Locky and other ransomware. While the campaigns we are seeing are spam based, ransomware has been previously documented coming from drive-by sites and browser exploits, so even a user savvy to email attachments could still get hit. Users should make secondary backups of important files part of the daily work-flow. Options for this can be summed up with three “C”s.

  • Copy files to a remote device. This is probably the best option, as long that remote device is not permanently connected to the user’s machine. Network shares that are mounted when Locky is executed will also be encrypted. Copying files to an ftp server manually (or as a scripted job for the advanced users out there) is probably the best bet.
  • Create a local backup directory. During experiments researching Locky, in which our engineers continuously re-infected virtual-machines (for science), MetaFlows engineers did find that it ignores the C:\Windows directory. Do not bank on this working forever, but for now it seems like users can make a local backup directory under C:\Windows\JustInCase.  If Locky strikes, it will ignore files that are stored there. This is probably the riskiest option since the malware may change its behavior at any time, but it is a clever one to use in the short-term. Of course, it also requires administrator privileges.
  • Consider using USB storage. This a fantastic solution, except that people forget to unplug them once they are done backing up files. Users can plug in an external drive or usb stick, backup all necessary files, then unplug it again and Locky cannot touch it. However, if it is left it plugged in, these backups will all get encrypted just like a mounted network share.

In conclusion, Locky, like all ransomware, is a peril for all users.  However, like all problems, there are solutions.  Employing the MetaFlows IDS, maintaining backups, and investing in education are three of the most important tools one can use to prevent adversaries from succeeding.

Feature Highlight: Snort Rule Editor

Recently, the Snort Rule Editor as a part of the Rules Management Interface has been updated.  This redesign allows for increased flexibility and provides the user with more of a handle on the IPS rules settings.

How It Works

Entering the Rules Management Interface is easy and can be accessed from two possible locations.  From the View Sensors page, the user can select the Edit Rules link to enter the Rules Management Interface. The user can also navigate to the Rules Management Interface from the Main Menu link.

Upon selecting the Rules Management Interface, the user will be prompted to select a sensor from the dropdown and then choosing the Load Rules button.  From there, the user will be able to manage the rule sets on a sensor-by-sensor basis.


After selecting a sensor, the user will have the option to modify properties of the rule sets, and issue commands to the sensors with the tools on the Menu Bar. In order for the changes made in the rules interface to take effect, commit the changes using the Save button.  (Please note that the Save/Cancel options only appear if the rules have been modified.) After selecting the Save option, a window will appear indicating that the changes are being verified. This process ensures that there are no issues with any changes that were made to the rule sets and that the sensor will correctly load the rules. Once the Save process is finished, the user will be prompted to reload the sensor.

To update the rule files, select the Get Updates button on the Snort Rules Controls. Most of the sensor controls buttons will be disabled/greyed out, and the Get Updates button will have a spinner icon until the update process finishes.  Next, the page will refresh to indicate if the updates were applied successfully. After the Get Updates process completes, select to Save the changes and Reload the sensor configuration for the changes to take effect.


The Rule File List portion of the interface displays a complete listing of all the rule sets in the sensor configuration.  The local.rules file contains the pass rules (if any) that have been generated using the Tune IDS feature and any rules that were uploaded by the user.


In the Rule List, each rule can be enabled or disabled by selecting the checkbox under the Active column next to each rule. If the checkbox under the Drop column next to a rule is checked, the sensor will drop flows that trigger the rule. Although we only recommend it for advanced users, each specific rule can also be edited by clicking on the rule itself. This will open the Rule Editor window, displaying the original rule, the editor, and some statistics that have been collected for that rule. Advanced Snort users can use the Rule Editor to make changes to the content of individual rules. When modifications are made, the Diff section will show changes to a rule since the most recent Save of the rule sets.


Pass Rules inform the IDS system that packet matching these rules should not generate alerts. These are helpful for eliminating false positives without having to disable the offending rule altogether. The Pass Rules have system-generated SIDs so that they do not conflict with the original rules that to which they refer. The user can utilize the tuning interface to add pass rules to the local.rules file. Please remember to Save any changes to the rule sets through the Rules Management Interface.


For users that want to run a reduced rule set for performance reasons, there is an Automatic Tuning option under the Bulk Edit menu. This option will disable rules that are unlikely to trigger based on our observations across all customer networks.  After clicking on the Automatic Tuning option, the changes will be merged with any prior changes that have made, meaning that rules that have specifically enabled will stay enabled. If the user wants to revert to a default minimal set, they should consider first using the Rules Defaults option.  Once the Automatic Tuning has processed the rules, it will then automatically fetch the latest updates and disable all of the appropriate rules.  To complete this process, the user will need to select Save so that the changes are committed.

Full color images and even more detailed instructions regarding The Rules Management Interface can found in the MetaFlows Wiki.

Uncovering True Positives

MetaFlows is now using our sandbox results as an intelligence feed for ranking events.  This method of using the sandbox as an intelligence source for ranking signatures allows us to catch infections or high-risk behavior, even if we only see one piece of the traditional malware life cycle.  The picture below illustrates a sandbox report that shows where the signature was first observed in association with malware.


How It Works

Individual IDS signatures can now be ranked as a priority threat if they have been triggering inside the MetaFlows sandbox in association with malware. These signatures are only considered for special ranking if they are statistically rare among events across all MetaFlows monitored networks.  Given their nature, these events are likely to missed by an analyst among the many other events that may be normally low ranked. The image below displays a ranked event on the user’s dashboard showing an alert identified with the new threat category.


You can see what kinds of events are triggering in the MetaFlows sandbox by visiting our statistics page.