Predictive Global Correlation Feed

After months of data gathering, we turned on a new global correlation feature that complements the existing local multi-session correlation. The aim is to further tighten the net and catch more bad stuff while also decreasing false positives.

We now show the ranking as total/global when we display an alert. When the global ranking is missing, it is because that event is only ranked locally and the global portion is unknown. When the total and global rank are the same (like 187/187 in the example below), it means that an event was ranked exclusively using global relevance and it would have been missed by the local analysis.

You can see the global ranks by going to the IDS rule management interface. IDS rules listed there will have the current global rank assigned to them for that day (if any).


This additional information complements the local multi-session correlation analysis by trying to look at things from a global intra-domain prospective:

If a domain similar to yours has experienced a significant amounts of high-priority network security incidents involving a particular IDS signature, that signature will receive a positive global rank in your domain.

The key here is the word “similar”. The events each customer generates are used to compute a similarity matrix that tells us how similar each network is to the others. Using this information, rather than recommending all high-priority signatures to all domains (we call this simple prediction), we only recommend what is most likely relevant to your domain (we call it predictive correlation).


Let us know how this works for you and if you have any questions.


The Skinny on CVE-2015-7547

While the DNS exploit CVE-2015-7547 was discovered a week ago, the code containing the flaw has been in use since May, 2008. CVE-2015-7547 works by allowing arbitrary code to execute on any system reliant on glibc by way of a malformed query response. As discovered by Redhat Linux and Google, there are flaws in GNU C Library. The GNU C Library connects to DNS to resolve names. This problematic code effects all versions of glbc since 2.9 and allows for remote code execution.

We have seven signatures, the first of which was released the day after the exploit was discovered. We were able to push the beta version of the rule to our research partners immediately, and to all sensors during the normal daily signature update.

2022531 || ET EXPLOIT Possible 2015-7547 Malformed Server response || cve,2015-7547

2022542 || ET EXPLOIT Possible 2015-7547 PoC Server Response || cve,2015-7547

2022543 || ET EXPLOIT Possible CVE-2015-7547 Long Response to A lookup || cve,2015-7547

2022544 || ET EXPLOIT Possible CVE-2015-7547 Long Response to AAAA lookup || cve,2015-7547

2022545 || ET EXPLOIT Possible CVE-2015-7547 Malformed Server Response A/AAAA || cve,2015-7547

2022546 || ET EXPLOIT Possible CVE-2015-7547 A/AAAA Record Lookup Possible Forced FallBack(fb set) || cve,2015-7547

2022547 || ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query || cve,2015-7547

Signature 2022547 is currently triggering on multiple customer sites, but at least for now it is in low volume. However, according to Dan Kaminsky, this is a threat that could swiftly escalate as more and more adversaries improve their attack strategies to increase the damage made possible by CVE-2015-7547. Patching this particular bug is paramount, as well as continually monitoring your system for the exploit.


Measured Antivirus Effectiveness

I wanted to share with you some insight from the data that originated from our customers’ networks last week. This time, we wanted to provide some information on how different antivirus vendors perform on the .exe, .dll, .pdf, and .zip files seen around the world.

This table shows the relative hit ratio of all the antivirus vendors hosted by Virus Total on 697 confirmed bad files. You will notice that 43% of the time none of the antivirus products detected anything. The top performer is McAfee-GW-Edition with a 37% detection rate.

Looking at the types of samples detected, one can also consider which Antivirus Vendors were able catch the worst malicious code. We assigned an Average Priority of 1 to spyware or unwanted software and an Average Priority of 100 to known Trojans or unclassified malware. Then, we multiplyed the Average Priority by the Detection Rate, giving rise to the Severity column. This column shows which Antivirus Vendors found the most dangerous code. This week Arcabit wins with a Detection Rate of 29%, an Average Priority of 30.17, and a Severity of 8.96.

Antivirus Vendor True Positives Average Priority Detection Rate Severity
None 300 0.430416 (mss)
Arcabit 207 30.17 0.296987 8.96
F-Secure 192 28.84 0.275466 7.95
ESET-NOD32 205 24.18 0.294118 7.11
AVG 129 37.07 0.185079 6.86
Avast 200 23.77 0.286944 6.82
Qihoo-360 207 22.52 0.296987 6.69
GData 223 20.09 0.319943 6.43
McAfee-GW-Edition 264 16.75 0.378766 6.34
CAT-QuickHeal 162 27.28 0.232425 6.34
VIPRE 172 23.45 0.246772 5.79
Cyren 201 19.72 0.288379 5.69
Panda 85 46.42 0.121951 5.66
F-Prot 160 24.51 0.229555 5.63
ClamAV 62 63.27 0.088953 5.63
Fortinet 105 29.29 0.150646 4.41
McAfee 117 25.54 0.167862 4.29
Avira 210 12.79 0.301291 3.85
Bkav 83 30.82 0.119082 3.67
MicroWorld-eScan 162 15.06 0.232425 3.50
BitDefender 161 15.14 0.230990 3.50
Emsisoft 160 15.23 0.229555 3.50
CMC 24 100.00 0.034433 3.44
Kaspersky 86 27.48 0.123386 3.39
TrendMicro 63 37.14 0.090387 3.36
Ad-Aware 140 16.56 0.200861 3.33
Ikarus 209 10.95 0.299857 3.28
AVware 95 23.93 0.136298 3.26
Comodo 69 26.83 0.098996 2.66
Sophos 77 20.29 0.110473 2.24
Rising 195 7.09 0.279770 1.98
Tencent 50 24.76 0.071736 1.78
ALYac 108 9.25 0.154950 1.43
Microsoft 25 36.64 0.035868 1.31
K7AntiVirus 109 5.54 0.156385 0.87
DrWeb 134 3.96 0.192253 0.76
Malwarebytes 222 1.89 0.318508 0.60
K7GW 120 3.48 0.172166 0.60
Antiy-AVL 74 5.01 0.106169 0.53
Symantec 161 1.61 0.230990 0.37
VBA32 53 4.74 0.076040 0.36
nProtect 16 13.38 0.022956 0.31
NANO-Antivirus 76 2.30 0.109039 0.25
SUPERAntiSpyware 38 3.61 0.054519 0.20
Jiangmin 38 3.61 0.054519 0.20
Zillya 131 1.00 0.187948 0.19
ByteHero 4 25.75 0.005739 0.15
Baidu-International 83 1.00 0.119082 0.12
AhnLab-V3 80 1.00 0.114778 0.11
Agnitum 57 1.00 0.081779 0.08
ViRobot 12 1.00 0.017217 0.02
AegisLab 9 1.00 0.012912 0.01
TotalDefense 2 1.00 0.002869 0.00
Zoner 1 1.00 0.001435 0.00
Alibaba 1 1.00 0.001435 0.00

Our sandbox was able to detect the remaining samples (the missing 43%).


The bubble graph above illusrates the Severity (Detection Rate * Average Priority) verses the Prevalence (Detection Rate * Total Priority). The detection rate is encoded in color and the size of the bubble is proportional to how many customers saw the malware.

If you are curious about more statistics like this, you can visit (best viewed on a desktop) for a ton of additional information. If you want a quick fix, watch some of our videos at

The Raw Data

We wanted to share with you some insight from the 50M+ security events that originated from our customers’ networks last week. We reported different security event invariants that were confirmed to be true positives and how they fit within a global, multi-domain context. The data and several interesting graphs can be obtained at (best viewed on a desktop).

12.14.15 Image 1

For example, the top OpenAppIDs that were the best predictors of a compromise last week are shown below. Interestingly, we also detected that the google_update OpenAppID predicts with fifty percent (50%) accuracy malware activity designed to evade application firewalls. Remember, these are actual measurements across 50M+ records. As a result, they should be relevant to any network.



Below is a visualization of the IDS rules with greater than 95% accuracy last week. Please visit our stats page at for more detailed information.

12.14.15 Image 2

MetaFlows offers a compelling product that will provide an unprecedented level of protection to any network. If you decide to run a trial, in addition to automated incident reports with extremely low false positive rates, you will also get a personalized multi-domain report for the events found on your network.

Command Line Interface Is Here!

As a new feature to the MetaFlows MSS, we have added the ability to query the MSS for both historical flow data (with payload coming from the sensor) and historical event data (coming from our data base). The flow data text output can be formatted to look like what Argus provides (-f -X) or what Bro provides (-c), depending on the options that are selected. We have also added JSON output (-J) for those of you that use Splunk, and want to do some integration work. The MetaFlows Wiki has been deeply revamped and the CLI documentation is at: Shot 2015-09-14 at 4.33.05 PM

The CLI client is written in Perl and can be copied to any system after initialization – so you may execute the CLI queries from any host. Also, if you dare, you can modify the Perl code to change the output formats or to add your own command line switches.

To wet your appetite, the following query will return all the latest malicious content from your sensors: -u api1:xxxx -B

This query, for example, shows all of the clients on your network attacking Chinese Web Servers: -E -u api1:xxxx -w 360000 -Q modsec_out | grep CRITICAL | grep :CN

We encourage you to invest some time in looking at this CLI interface. As always, do not hesitate to drop us a line at


The MetaFlows Team

Adobe’s Continuing Affair with Angler and Cryptowall

The latest Adobe Flash Player update has once again proven problematic. We have discovered yet another revision of a pre-existing Angler Exploit Kit disseminating Cryptowall. A customer’s host was compromised following Angler Exploit redirects, dated June 1, 2015, June 16, 2015, and June 30th, 2015, showing that as new adaptations of the kit are added, the older ones are still in use. The latest, June 30th, is more recent than the most up to date patch for Adobe Flash Player 17, version “Customers that are enrolled in “Allow Adobe to Install Updates (recommended)” but have not updated to Flash Player version 18 will receive a new and secure version of Flash Player 17 over the next 24 hours. ”

MetaFlows customers are encouraged to enable automatic blocking for Level 1 Events, which currently include the Angler Exploit rules (, or creating specific block rules to match Angler EK events.

The figure shows an example of the events that are triggered during an Angler Exploit attempt and infection with Cryptowall.


Adobe, Angler, and CryptoWall

3997730524_e6cb3e6954_oAdobe Flash is an extremely severe vulnerability when it comes to Crypto-locker/CryptoWall, It seems that every time Adobe comes up with a new patch, the Crypto hackers are quick to discover how to break it. The latest CryptoWall bonanza was the security vulnerability discovered in an Adobe update that was released on May 18th. This is not a singular occurrence, but is rather a part of a larger trend of exploiting security holes in Adobe software.

Just this week, Adobe’s last round of updates for Flash Player have proven problematic. These are new vulnerabilities are being used by the Angler exploit kit, a kit that has been around for some time, a kit that has now found fresh ground. These exploits are used to distribute Cryptowall, as well as other forms of malware. The intent is to encrypt (steal or take data hostage), take over (root kit or remote access tools), or recruit (make it a part of a botnet).

MetaFlows catches these types of fresh exploits better than any other security tool (according to many of our customer).
Several analysts using our system praise us. While they are running several other security products, MetaFlows was the only one to identify this threats. We were able to identify the behavior patterns that were triggered when this exploit was seen on a live network:










As you can see, the IDS events identify the individual behaviors, and our correlation engine recognizes the use of Angler toolkit to infect the target with the intended payload. In this case, it is Cryptowall, a ransomware program that has cost over an estimated $18 million from U.S. users alone. In some other cases odd behavior left undetected can cost the reputation of a brand and cause irreparable loss in intellectual property.

Criminals are swift to take advantage of any emerging opportunity that can penetrate the perimeter (it has become BIG money). You need to start monitoring the behavior of your internal hosts not only the perimeter. Our behavioral analysis and correlation engine are able to identify these threats, even when they occur across multiple sessions and employing zero-day techniques that make it through your perimeter defenses.

Our security professionals have identified the issue and are working to keep our subscriber’s networks and systems safe while Adobe has updated their Security Bulletin site with the appropriate information. Users are advised to download the newest Adobe Flash update immediately. As evidenced by our findings, criminals are swift to take advantage of any opportunity and so employing new advanced detection technologies like the one offered by MetaFlows is key to preventing expensive and sometimes irreparable IT disasters.

Which IDS System is Right for You?

There are so many IDS Systems out there, but how do you pick the right one? Here are some tips to help you get started!

How Do You Pick the Right IDS System?

If you’re a company CEO then you’re probably scared of malware, and if you aren’t, then you should be. The last thing you want is a virus leaking all of your company’s charts, data, and business plans everywhere on the internet or worse, stealing from your company. So in order to protect your company’s computers from viruses and malware you’ll need an IDS system. An IDS system is an Intrusion Detection System, which is a device or software that monitors your network for malicious activity or policy violations – or in other words, a virtual watchdog. So out of all the choices out there which IDS system do you choose? Here are some tips to help you decide:

  • First, perform a risk assessment of your company or organization. This will help you determine potential risks and gain an understanding of the IT environment. Understanding what risks you are vulnerable to will help with choosing which IDS system to use.
  • Have a thorough understanding of your technical environment. This will ensure that you know what your organization needs in terms of protection.
  • Do a cost-benefit analysis. Know what is worth your budget and what is not. Once you know which risks threaten your company, you will be able to better determine what your company can afford.
  • Now choose an IDS system that will protect your company from risks and that will also fit your budget.

MetaFlows is a great option for those who want to be protected from hidden malware. MetaFlows analyzes the behavior and content of your internet traffic to find and stop malware from infecting your network. Sometimes malware security systems are not enough and lack flow analysis, but observing network communication patterns is important for better security. MetaFlows embeds security event information within IDS, Log, and Service events for real-time event information. This allows you to gain better visibility into your network. The comprehensive protection and security MetaFlows offers is something that no company can afford to pass up.

Make sure your company is protected from malware. Act today and find your IDS system and malware security system. MetaFlows offers a free of charge, fourteen-day trial in which you can actively use the system on your network. It comes complete with security updates, a web interface, as well as tech support to assist you in getting it up and running on your network.

Cyber Attacks Global Incident Report Statitstics

We are now generating weekly Global Incident Reports that provide statistics of the invariants present in our global detection infrastructure. The detection infrastructure receives approximately 8 million events per day from a variety of Institutions ranging from small commercial enterprises to very large multinational corporations.

The statistics below are from three main detection components.

The invariants from the events reported by these detection components are extracted and their relative contribution is compared. The contribution of the invariants is measured in three different dimensions:

  • The true positive rate (tpr) of an invariant is measured by dividing the number of confirmed true positive hits by the number of occurrences of the same invariant (whether they are a true positives or not). The true positive rate implicitly also measures false positive rate (1-tpr). For clarity the tpr is called <strong>detection rate</strong> in the Network Anti-virus tables.
  • Severity ranges from 0 to 100 and measures the likelihood that an invariant in a cyber attack compromises the integrity or confidentiality of a system. The severity is scaled down by the tpr and is calculated by multiplying the average priority (0-100) of the invariant times its tpr (which is always less than 1). A low severity score (0-10) typically implies that the cyber attack may reduce security but the loss of security is minimal (for example detecting an ADWare plug-in in your browser). Higher severity scores imply that the cyber threat becomes increasingly important.
  • Prevalence measures how widespread a given cyber attack is across multiple networks. Prevalence is also weighted against the tpr of a given invariant. Prevalence does not have an upper limit because it depends on how many cyber attacks we find in a given time period.

Selection_020Here is an example bubble graph which visually represents the statistics of the top IDS rules which triggered a true positive.

Mousing over the bubbles reveal the actual invariant and its associated statistics.

How to access the statistics

  • The anonymized global report across all of our networks is at From this report there are some hyper-links that query you own database (if you are MetaFlows customer) to see if any of the invariants a re present in you event data.
  • If you are a MetaFlows customer, you can also access a specific report for your own domain which has both (1) links to the invariants found on your own domain and (2) links to the incident reports used to derive the invariants.

Note that both types of reports compare the invariants to the global counts; so, they both should help you understand how widespread and how serious the associated cyber- threats are.

OpenAppID Support



Cisco released OpenAppID, their answer to Palo Alto Networks’ AppID feature, which allows administrators to know exactly what applications are running in the network.
It has been released as a plugin of the Snort distribution. We have recently upgraded our sensor software to support this feature. OpenAppID results appear as an additional field in the IDS alerts to give better context for the alerts. We also gather this information to associate it with the internal host IP addresses, whether or not they generate an IDS event.

For example, when a user uses Facebook, it will trigger one or more of these:

Facebook Apps
Facebook Chat
Facebook Comment
Facebook Read Email
Facebook Send Email
Facebook Status Update
Facebook search
Facebook event
Facebook post
Facebook video chat
Facebook message
Facebook video

If your software has been upgraded, the file /nsm/bin/snort/src/.version should contain If it does not, you can upgrade by executing this command: /nsm/etc/ restart (Note: MetaFlows UTM appliances do not support OpenAppID yet).

To turn on this feature, check the OpenAppID checkbox in your sensor configuration page and reload or restart the sensor.

Once this feature is turned on, you can look at the daily reports and see the top AppID summary or look at the AppIDs in your IDS events. You can now create user-defined policies that match specific AppIDs!

This new feature requires 40% more memory and in some cases, even though we install it, the system automatically turns it off if you do not have enough memory. You need at least 2 GB RAM per core. For example, if your subscription is for 16 cores and your sensor has 24 GB RAM, the system would disable OpenAppID automatically.

If you do not process a lot of data and have a low memory system, you can force the loading of OpenAppID by adding the line export forceappid=1 at the top of the /nsm/etc/ script. Note that because it uses about 40% more memory, your sensor might slow down if you do not have enough RAM. Please monitor your drop rate closely if you force the OpenAppID functionality.

We highly recommend using this feature. If you have any questions, please do not hesitate to contact our engineers at for more information.