We have added two rule files (country_code.rules and e8country_code.rules) that contain all the country codes. Clicking on a country will treat all IP addresses from that country as having a bad reputation. This can get noisy in certain environments. Keep in mind that this was developed for an entity that does not want its computers talking to foreign countries. In most open networks with IM, P2P, and/or international reach these rules might not be very useful and should not be turned on.
Clicking on rules in country_code.rules will cause direct Snort hits any time a TCP or UDP flow to that country is established. Clicking on your own country would cause EVERY flow to generate a Snort alert (please do not do this).
Clicking on rules in e8country_code.rules (recommended) will cause a positive rank hit only if a home machine talks to the selected countries AND there are other relevant, suspicious events coming from the same home machine.
You cannot modify the country rules (for now).
By popular demand we added a block-IP function. You can click on the icon from either the real-time or the historical interface. After you enter an IP address, it will be immediately blocked (if you have enabled the isolate function by clicking on the isolate checkbox in the sensor configuration). This action creates a block classification automatically. You can later delete or modify it by editing the block classification.
The blocking occurs by injecting spoofed TCP RST and other packets to disrupt communications for the blocked IP.
We are now an official VMware alliance partner. Our virtual machine sensors can now run on VMware ESX, Server, Workstation, or Player.
This new virtual machine should give you much more flexible deployment options and the ability to achieve processing performance equivalent to the native Linux CentOS sensor. The MSS can now fully support VMware virtual environments.
We improved our sensor provisioning mechanism. After you configure a new sensor, the generation is much quicker. Once the sensor is run for the first time, you will assign a particular sensor configuration to it. This also allows you to instantly migrate sensors from one hardware box to another without having to copy software around. If you want to assign a new sensor to a particular machine, you set the UUID to 0 and restart; during the restart, you can pick your new sensor configuration among the configurations you have created. Please remember to have only one active configuration running at a time, otherwise many things will not work.
Please send us email at firstname.lastname@example.org for any questions.
The sensors now reload the rules every 12 hours to pick up any new rules automatically. The really nice thing is that we restart one Snort process at a time and PF_RING dynamically shifts the load to the remaining processes. This way, even while reloading, there is no packet loss. This is especially important if you are configured inline. If you have only one Snort process because you have an older 1-2 core CPU or not enough memory, this feature obviously won't help you and you will get some small packet loss every 12 hours.
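The one-process-at-a-time reload described above, as an added example (not the MetaFlows sensor's own restart code): a rolling reload that takes down one worker, waits until it reports healthy, and only then moves to the next, so with N workers at least N-1 stay up throughout, and with a single worker you are briefly at zero, which is the packet-loss case the post mentions. It also refuses to continue if a restarted worker never comes back, so a broken rule set cannot take every process down in turn. The FakeFleet class is a constructed stand-in for real Snort processes.

```python
"""Rolling reload of capture workers one at a time. Added example; the
worker model below is constructed and does not represent MetaFlows code."""

import time


def rolling_reload(workers, restart, is_healthy, timeout=5.0, poll=0.05):
    """Restart each worker in turn, waiting for it to become healthy before
    touching the next one. Returns the minimum number of workers that were
    up at any moment during the rollout. Raises RuntimeError if a restarted
    worker does not come back within `timeout` seconds, leaving the
    remaining workers untouched."""
    up = set(workers)
    min_up = len(up)
    for w in workers:
        up.discard(w)                 # this worker is now out of service
        min_up = min(min_up, len(up))
        restart(w)
        deadline = time.monotonic() + timeout
        while not is_healthy(w):
            if time.monotonic() > deadline:
                raise RuntimeError(
                    f"worker {w} did not come back; aborting rollout "
                    f"with {len(up)} worker(s) still running")
            time.sleep(poll)
        up.add(w)                     # back in service; move to the next
    return min_up


class FakeFleet:
    """Constructed stand-in for a set of Snort processes: a restarted
    worker reports unhealthy for `delay` health checks, then recovers.
    Workers listed in `stuck` never recover."""

    def __init__(self, n, delay=2, stuck=()):
        self.ids = [f"snort-{i}" for i in range(n)]
        self.delay = delay
        self.stuck = set(stuck)
        self.pending = {}

    def restart(self, w):
        self.pending[w] = self.delay

    def is_healthy(self, w):
        if w in self.stuck:
            return False
        if self.pending.get(w, 0) > 0:
            self.pending[w] -= 1
            return False
        return True


def demo(n, stuck=()):
    """Run a rollout over n simulated workers; returns the minimum number
    of workers that were up at any point."""
    fleet = FakeFleet(n, stuck=stuck)
    return rolling_reload(fleet.ids, fleet.restart, fleet.is_healthy,
                          timeout=0.5, poll=0.01)


if __name__ == "__main__":
    print("4 workers, min up during rollout:", demo(4))   # 3
    print("1 worker, min up during rollout:", demo(1))    # 0
```

With four workers the rollout never drops below three running processes; with one worker the only process is down while it reloads, which is why the post warns single-process sensors to expect a small loss.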
The MetaFlows Design Team has developed an active response system that lets subscribers disrupt TCP (and sometimes UDP) sessions with a sensor deployed as a passive device. It works great for enforcing network usage policies associated with particular Snort rules (like BitTorrent, Dropbox, etc.) or simply to block particular hosts that should not be on the network. The active response mechanism works by injecting spoofed TCP reset packets into the network (among other things). Every time something is blocked, a log message associated with that action will appear in the MetaFlows interface. In order for the passive response system to actually block, subscribers will need to modify the sensor configuration and enable the “Isolate” checkbox. Leaving the checkbox off will only simulate the actions and log what it would have blocked.
Whether inline or as an active response, the default block rules are not turned on. It is up to the customer to decide what should be blocked.
For answers to any questions about the Isolate Plugin or Soft IPS, please contact the MetaFlows Design Team at email@example.com.
The MetaFlows Global Enterprise network security system (MSS GE) includes all the features of the MSS SaaS solution but it is designed to communicate exclusively within a private network or as a private cloud on a public network. The MSS GE controller is deployed either as an on-premise high-performance appliance (starting at 1200 events/second) or as a private Amazon EC2 instance.
Components: Web Security Console, MSS GE Controller, Daily Intelligence Feeds
- Real Time SIEM, Flow & Log management
- Multi-user Online Collaboration
- One-click Remediation
- Highly Customizable
- Deploy as an Appliance or as an Amazon EC2 Instance
- Predictive Event Correlation quickly finds Malware
- Centralized Sensor Provisioning
- Behavioral Malware Detection
- Zero-day/APT Intelligence
- Vulnerability Scanning
- Geo-location Intelligence
Security events from the MSS GE sensors are securely transmitted to the MSS GE Controller, where they are ranked using a unique algorithm mathematically similar to Google’s page ranking. Rather than limiting security event ranking to static policies, the MSS GE derives priorities from dynamic measurements. The MetaFlows Active Threat Management system and the SRI Malware Threat Center continuously mine the Internet for bad IP address and event reputation data (much like the reputation of, and number of links to, a web page). The MSS GE controller continuously accumulates this security event reputation data and mathematically transforms it every day to improve ranking prediction. The end result is that the MSS GE lets you quickly find malware that would otherwise go unnoticed.
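To make the "similar to page ranking" idea concrete, here is an added example of a personalized-PageRank ranking over a graph of home hosts and the peers they raised events with. It is not the MetaFlows algorithm (the page only says theirs is mathematically similar to page ranking); it also folds in the e8country_code.rules behaviour described earlier, counting a geo hit only when the same home host has at least one other suspicious event. The reputation scores, IP addresses and event list are all constructed for the example.

```python
"""Illustrative PageRank-style ranking of home hosts by the reputation of
the peers they talk to. Added example, not MetaFlows' own algorithm; all
reputation priors and events below are constructed."""

from collections import defaultdict

# Constructed reputation priors (0.0 = neutral, 1.0 = worst). The random
# walk restarts at a node in proportion to its prior, so bad peers push
# rank onto the home hosts connected to them.
REPUTATION = {
    "198.51.100.7": 0.9,   # constructed: endpoint listed by a bad-IP feed
    "203.0.113.40": 0.4,   # constructed: low-confidence bad reputation
    "192.0.2.80": 0.0,     # constructed: neutral endpoint
    "country:XX": 0.3,     # assumption: a country selected in e8country_code.rules
}

# Constructed events: (home_host, peer, kind). kind is "country" for a
# geo hit, "event" for any other alert raised on the flow.
EVENTS = [
    ("10.0.0.5", "198.51.100.7", "event"),
    ("10.0.0.5", "country:XX", "country"),
    ("10.0.0.9", "country:XX", "country"),   # geo hit with no corroboration
    ("10.0.0.12", "192.0.2.80", "event"),
    ("10.0.0.12", "203.0.113.40", "event"),
]


def build_graph(events):
    """Undirected bipartite graph home_host <-> peer. Following the e8
    rule, a country hit is kept only when the same home host also has at
    least one non-country event."""
    has_other = {h for h, _, k in events if k != "country"}
    edges = defaultdict(set)
    for host, peer, kind in events:
        if kind == "country" and host not in has_other:
            continue
        edges[host].add(peer)
        edges[peer].add(host)
    return edges


def rank_hosts(events, damping=0.85, iters=200):
    """Personalized PageRank by power iteration. Returns home hosts
    (10.0.0.0/8 here, an assumption of the example) sorted by rank."""
    graph = build_graph(events)
    nodes = sorted(graph)
    if not nodes:
        return {}
    total_rep = sum(REPUTATION.get(n, 0.0) for n in nodes)
    restart = {n: (REPUTATION.get(n, 0.0) / total_rep if total_rep
                   else 1 / len(nodes)) for n in nodes}
    rank = {n: 1 / len(nodes) for n in nodes}
    for _ in range(iters):
        rank = {n: (1 - damping) * restart[n]
                   + damping * sum(rank[m] / len(graph[m]) for m in graph[n])
                for n in nodes}
    home = {n: r for n, r in rank.items() if n.startswith("10.")}
    return dict(sorted(home.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for host, score in rank_hosts(EVENTS).items():
        print(f"{host:10s} {score:.4f}")
```

In the constructed data 10.0.0.5 ranks highest because it is tied to the worst-reputed peer and its geo hit is corroborated; 10.0.0.9, whose only event is a geo hit, never enters the graph at all. Because restart mass is driven by peer reputation, refreshing the reputation table changes the ranking without touching any rule thresholds, which is the point of a reputation-driven ranking over a static policy.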
The MSS provides high-speed Malware detection/prevention using BotHunter, daily signature updates and Geo-location intelligence.
Efficient and cost-effective network protection. Easily shut down exploits, Bots, C&C communications, Phishing attempts or sites with bad reputation.
The MSS adds flow analysis to catch covert data exfiltration and/or anomalous communication patterns. You need to know where your data is going.
Merge real-time security information with 3rd-party network-based and host-based monitoring systems.
Rich analysis and advanced reporting tools from a secure web browser. Access actionable alerts anytime from anywhere.
Seamlessly monitor cloud-based assets. The MSS efficiently secures your cloud without the dangers of traffic replication.
Ntop is now part of the MetaFlows Security System (CentOS only for now). Ntop is an indispensable tool that provides historical and near-real-time flow statistics of your traffic. To use it, simply enable Ntop in your current sensor configuration page and do a hard restart of your sensor (this will download and install Ntop); that’s it! This is the beauty of cloud-based computing!
You can invoke Ntop either from (1) the Historical menu or (2) from the Real Time right-click menu. Each time you analyze a host with Ntop you can query back into the MetaFlows historical interface or you can try to extract files transmitted or received by that host (more on this in the next post).
Sensor Resources: In most cases your existing sensor should handle it fine (it uses 0.5 GB of memory and approximately an additional 25% of your current CPU usage). If you have concerns about performance, please do not hesitate to contact us at firstname.lastname@example.org.
The classifications can be used to create custom event notifications. Simply create a classification through the browser and choose the email action. This will trigger email messages detailing the particular flows that matched your specification. I would say that creating an email alert for all events with ranking > 0 is a good place to start. This feature now runs from the server side even if your browser is not active.
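An added example (not MetaFlows code) tying together the classification features described on this page: the email classification above, the block classification created by the block-IP function, and the "Isolate" checkbox semantics from the active response post, where a block classification only logs what it would have blocked unless isolate is enabled. The event fields, the action names and the classification format are assumptions made for the example; the events are constructed.

```python
"""Illustrative classification engine: match events against user-defined
classifications and run their action. Added example, not MetaFlows code;
field names, action names and the spec format are assumptions."""

from dataclasses import dataclass, field


@dataclass
class Event:
    src: str          # home host
    dst: str          # external peer
    dst_country: str  # constructed geo label for the peer
    sid: int          # Snort rule id that fired
    rank: float       # correlation rank assigned by the controller


@dataclass
class Classification:
    name: str
    action: str                                  # assumed: "email" or "block"
    rank_above: float = 0.0                      # match only when rank > this
    match: dict = field(default_factory=dict)    # exact-match on Event fields

    def matches(self, ev):
        if ev.rank <= self.rank_above:
            return False
        return all(getattr(ev, k) == v for k, v in self.match.items())


def evaluate(events, classifications, isolate=False):
    """Apply every classification to every event. Returns
    (emails, blocked, simulated): emails is a list of (classification,
    event) pairs to notify on; blocked holds peers actually blocked;
    simulated holds peers that would have been blocked but isolate is
    off, so the action is only logged."""
    emails, blocked, simulated = [], set(), set()
    for ev in events:
        for c in classifications:
            if not c.matches(ev):
                continue
            if c.action == "email":
                emails.append((c.name, ev))
            elif c.action == "block":
                target = blocked if isolate else simulated
                target.add(ev.dst)
                print(f"[{'BLOCK' if isolate else 'SIMULATED'}] "
                      f"{c.name}: {ev.src} -> {ev.dst}")
    return emails, blocked, simulated


# Constructed events.
EVENTS = [
    Event("10.0.0.5", "198.51.100.7", "XX", 2000001, 3.2),
    Event("10.0.0.9", "192.0.2.80", "YY", 2000002, 0.0),
    Event("10.0.0.12", "203.0.113.40", "ZZ", 2000003, 0.7),
]

# The post's suggested starting point (email on everything ranked > 0)
# plus the block classification the block-IP function creates.
CLASSIFICATIONS = [
    Classification("all-ranked-events", "email", rank_above=0.0),
    Classification("block-198.51.100.7", "block",
                   match={"dst": "198.51.100.7"}),
]


def run(isolate=False):
    return evaluate(EVENTS, CLASSIFICATIONS, isolate=isolate)


if __name__ == "__main__":
    emails, blocked, simulated = run(isolate=False)
    print("emails:", [(name, ev.src) for name, ev in emails])
    print("blocked:", blocked, "simulated:", simulated)
```

Run with isolate left off (the default) the block classification only reports what it would have blocked, which mirrors the page's advice to review the simulated log before enabling Isolate on a sensor.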
Have you ever wondered what content is being transmitted in and out of your network by suspicious hosts? Now you can use Content Extraction to extract files from your network traffic to preview them or download them to your desktop for further analysis.
Obviously you need to have packet logging enabled and Ntop enabled (it uses the Ntop back-end for managing the file extraction application). Sometimes it gets slow because it needs to go through tons of data, so please be patient.
This is still experimental; if you have suggestions on how to improve it, let us know at email@example.com.