Generate Reports from the Historical Interface

Sometime we come across an historical query with lots of information that cannot be summarized in a single escalation report. With this new feature (the report button on the bottom of the historical report page) you can take a snapshot of the current page which is archived under Historical Queries. This is especially useful if you collaborate with someone else and you want to share the information (for example show it to your boss..) or you simply want to archive what you see.

Beta Support for OSSEC Logging

Simply make the OSSEC daemon send syslog messages to your sensor IP address and ‘voila’; now you can view aggregate/correlate your OSSEC alerts with snort alerts, flows and other syslog entries. The nsm will also store your OSSEC alerts (just like any other syslog message) in the DB to mine at your leisure. As always send any questions or bugs to

Reports Added to Metaflows Interface

Click on reports and inspect automatically generated daily and weekly reports or create your own custom reports.
Periodic reports are generated every day or every week. One time reports are specified between specific dates.
Once the report it is saved, it will be executed in the background. Reports are interactive and let you explore the
report data through the historical interface. Enjoy!

New Features!

The MetaFlows interface was updated last night with the following changes:

    • Visual Grouping
      Detailed records of an Historical query, when sorted by time, are visually time-grouped with a red or black border.
    • Escalation Reports
      Escalation reports now include all detail record information instead of just listing the client/server ports/IP addresses.
    • Sensor Software Updates
      • Parallel Snort Processes
        Sensors now run parallel Snort processes to make event processing more efficient.
      • Snort VRT Rules
        You can now use your existing Snort VRT Rules subscription. To add your existing Snort VRT Rules subscription to one of your sensors check the checkbox next to “SourceFire VRT Rules?” and fill in the Oinkcode, OS, and subscription type fields (they appear only after you check the “SourceFire VRT Rules?” checkbox).
      • Emerging Threats Pro Rules
        All sensor subscriptions now include an Emerging Threats Pro Rules subscription.
      • WHOIS
        Sensors now return enhanced host information.
    • Bots on the Dashboard
      The MetaFlows interface dashboard now lists all IP addresses that have a ranking greater than 0 and were part of events during the last 24 hours. Clicking on the IP address will take you to the historical interface and show all events from that IP address.
    • Pausing the Real Time Interface
      Click on the Pause icon at the bottom of the Real Time Interface to halt the display (so you can inspect records). If you pause the display, data will still be collected and kept, but new flows will not be added to the display. Once you un-pause, all flows that came in while the interface was paused will be displayed.
    • Query for Historical records by ranking
      A ranking option was added to the historical interface query options. If you turn on the “Ranking” option at the bottom of the Historical Interface before you click the “Reload” button to query for data matching the historical query options, only records with a ranking greater than 0 will be returned. This reduces the amount of records by several orders of magnitude.
    • Forums and Groups
      Both Forums and Groups are new features to help you troubleshoot problems, analyze data gathered by your sensors, and receive assistance from the user community at large.
    • Ticketing
      Tickets can be created from escalation reports and submitted to groups in which you are a member.