We found a bug that caused BotHunter to generate lots of DNS alerts. Some of you may like to know where all your DNS servers are; but this was getting out of hand. Now BotHunter will only alert if the client is performing lots of queries to an external DNS in a short amount of time..Just restart your sensor to get the bug fix.
Sometime we come across an historical query with lots of information that cannot be summarized in a single escalation report. With this new feature (the report button on the bottom of the historical report page) you can take a snapshot of the current page which is archived under Historical Queries. This is especially useful if you collaborate with someone else and you want to share the information (for example show it to your boss..) or you simply want to archive what you see.
Simply make the OSSEC daemon send syslog messages to your sensor IP address and ‘voila’; now you can view aggregate/correlate your OSSEC alerts with snort alerts, flows and other syslog entries. The nsm will also store your OSSEC alerts (just like any other syslog message) in the DB to mine at your leisure. As always send any questions or bugs to firstname.lastname@example.org.
Click on reports and inspect automatically generated daily and weekly reports or create your own custom reports.
Periodic reports are generated every day or every week. One time reports are specified between specific dates.
Once the report it is saved, it will be executed in the background. Reports are interactive and let you explore the
report data through the historical interface. Enjoy!
By popular demand, the real time interface now only shows Snort alerts by default; this makes it much less demanding on your browser. Clicking on the “View Flows” on the bottom-left will toggle the interface to show all the flows (like it used to). Also, the context menus have been rearranged to be easier to use.
The MetaFlows interface was updated last night with the following changes:
- Visual Grouping
Detailed records of an Historical query, when sorted by time, are visually time-grouped with a red or black border.
- Escalation Reports
Escalation reports now include all detail record information instead of just listing the client/server ports/IP addresses.
- Sensor Software Updates
- Parallel Snort Processes
Sensors now run parallel Snort processes to make event processing more efficient.
- Snort VRT Rules
You can now use your existing Snort VRT Rules subscription. To add your existing Snort VRT Rules subscription to one of your sensors check the checkbox next to “SourceFire VRT Rules?” and fill in the Oinkcode, OS, and subscription type fields (they appear only after you check the “SourceFire VRT Rules?” checkbox).
- Emerging Threats Pro Rules
All sensor subscriptions now include an Emerging Threats Pro Rules subscription.
Sensors now return enhanced host information.
- Parallel Snort Processes
- Bots on the Dashboard
The MetaFlows interface dashboard now lists all IP addresses that have a ranking greater than 0 and were part of events during the last 24 hours. Clicking on the IP address will take you to the historical interface and show all events from that IP address.
- Pausing the Real Time Interface
Click on the Pause icon at the bottom of the Real Time Interface to halt the display (so you can inspect records). If you pause the display, data will still be collected and kept, but new flows will not be added to the display. Once you un-pause, all flows that came in while the interface was paused will be displayed.
- Query for Historical records by ranking
A ranking option was added to the historical interface query options. If you turn on the “Ranking” option at the bottom of the Historical Interface before you click the “Reload” button to query for data matching the historical query options, only records with a ranking greater than 0 will be returned. This reduces the amount of records by several orders of magnitude.
- Forums and Groups
Both Forums and Groups are new features to help you troubleshoot problems, analyze data gathered by your sensors, and receive assistance from the user community at large.
Tickets can be created from escalation reports and submitted to groups in which you are a member.
MetaFlows has done its first official release!
Sign up for an account and try it out!