Since our first public release, MetaFlows users have been able to use the MetaFlows Real Time and Historical interfaces to download and view raw packet data from their MetaFlows sensors. Today, we are excited to release a major upgrade to the Packet Data page.
- Packets are now parsed, separated, and colored red or blue depending on which host sent the data. No more digging through raw
tcpdumpoutput to find where one packet ends and another begins! Packets are now visibly separated. Server packets use red text. Client packets have blue text.
- Packet Data now includes the content of any IDS rules triggered by the flow. Ever opened the Packet Data for a flow and forgotten which alert you were investigating? We now include the full content of all IDS rules that triggered, along with the packet data for the flow.
- Packet Data Matcher! This was the most exciting feature to add! The new Packet Data page can highlight the specific content in a packet that caused an IDS alert to trigger! Matching packet data is highlighted in red or blue (depending on whether the packet was sent by the server or client) and includes numbered markers for each condition in the triggered rule. You can even hover your mouse over these markers to see the specific
pcrecondition that matched, along with the condition’s modifiers! For example, the screenshot below shows the packet data for an event matching
1.2003492: ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0):
The Packet Data Matcher works best for text flows, such as HTTP requests and responses. For encrypted or binary flows, we still attempt to match against non-printable characters by using other conditions and context, but some matches might be inaccurate.
This feature is available to all MetaFlows customers starting today. We look forward to your feedback. Happy hunting!