MetaFlows has developed 10 Gbps functionality using off-the-shelf hardware.
Previously, MetaFlows measured the performance of PF_RING with Snort inline at 1 Gbps on an I7 950. The results were quiet impressive.
In MetaFlows latest testing, the Development Team reports on their experiment running Snort on a dual processor board with a total of 24 hyperthreads (using the Intel X5670). Besides measuring Snort processing throughput varying the number of rules, they also (1) changed the compiler used to compile Snort (GCC vs. ICC) and (2) compared PF_RING in NAPI mode (running 24 Snort processes in parallel) and PF_RING Direct NIC Access technology (DNA) (running 16 Snort processes in parallel).
Read the full report.
By popular demand we added a block IP function. You can click on the icon from either the real time or historical interface. After you enter an IP address, it will be immediately blocked (if you have enabled the isolate function by clicking on the isolate checkbox in the sensor configuration). This action creates a block classification automatically. You can later delete it or modify it by edit the block classification.
The blocking occurs by injecting spoofed TCP RST and other packets to disrupt communications for the blocked IP.
We are now an official VMware alliance partner. Our virtual machine sensors can now run on VMware ESX, Server, Workstation, or Player.
This new new virtual machine should give you much more flexible deployment options and the ability to achieve processing performance equivalent to the native Linux CentOS sensor. The MSS can now fully support VMWare virtual environments.
We improved our sensor provisioning mechanism. After you configure a new sensor, the generation is much quicker. Once the sensor is run for the first time, you will assign a particular sensor configuration to it. This also allows you to instantly migrate sensors from one hardware box to another without having to copy software around. If you want to assign a new sensor to a particular machine, you set the UUID to 0 and restart; during the restart, you can pick your new sensor configuration among the configurations you have created. Please remember to only have one active configuration running at time otherwise many things will not work.
Please send us email at email@example.com for any questions.
The sensors now reload the rules every 12 hours to suck in any rules automatically. The real nice thing is that we restart one Snort process at a time and pfring dynamically shifts the load to the other remaining processes. This way, even while reloading, there is no packet loss. This is especially important if you are configured inline. If you have only one Snort process because you have an older 1-2 core CPU or not enough memory, this feature obviously wont help you and you will get some small packet loss every 12 hours.
The MetaFlows Design Team has developed an active response system that lets subscribers disrupt TCP (and sometimes UDP) sessions with a sensor deployed as a passive device. It works great for enforcing network usage policies associated with particular snort rules (like Bittorrent, drop-box, etc.) or simply to block particular hosts that should not be on the network. The active response mechanism works by injecting spoofed TCP reset packets into the network (and other things). Every time something is blocked, log message associated with that action will appear in the MetaFlows interface. In order for the passive response system to actually actively block, subscribers will need to modify the sensor configuration and enable the “Isolate” checkbox. Leaving the checkbox off will only simulate the actions and log what it wold have blocked.
Whether inline or as a active response, the default block rules are not turned on. It is up to the customer to decide what should be blocked.
For answers to any questions about the Isolate Plugin or Soft IPS, please contact the MetaFlows Design Team at firstname.lastname@example.org.
Intrusion prevention systems (IPS), for the most part, involve very expensive network appliances that sit outside the network to prevent attacks from getting in. We call that “hard IPS”. A typical IPS could cost at least $10,000 or more plus maintenance fees.
Soft IPS is software that uses off-the-shelf hardware to monitor network traffic at high-performance speeds in passive or inline mode, block unwanted traffic through packet filtering, TCP session disruption and customizable inline drop policies.
The MetaFlows Security System (MSS) is the very first soft IPS and costs a fraction of what typical a IPS might cost because it doesn’t need an expensive piece of hardware to run.
MetaFlows has modified a piece of open-source software, called PF_RING, so that it can turn a standard off-the-shelf desktop computer into a high-performance intrusion prevention system. If you’d like to learn exactly how our modified version of PF_RING does that, you can read our technical release here.
Soft IPS lets small and medium-sized businesses get the protection they need by lowering the cost of a high-performance IPS. For large enterprises and government agencies, this means that they can drastically reduce their information security and IT costs.
If you’re interested in integrating our modified PF_RING into your own Snort IPS system, you can download our code and install instructions here: MetaFlows Modified PF_RING.
The MetaFlows Global Enterprise network security system (MSS GE) includes all the features of the MSS SaaS solution but it is designed to communicate exclusively within a private network or as a private cloud on a public network. The MSS GE controller is deployed either as an on-premise high performance Appliance (starting at 1200 Events/Second) or as a private Amazon EC2 instance. Find Out More >>
Web Security Console
MSS GE Controller
Daily Intelligence Feeds
- Real Time SIEM, Flow & Log management
- Multi-user Online Collaboration
- One-click Remediation
- Highly Customizable
- Deploy as an Appliance or as an Amazon EC2 Instance
- Predictive Event Correlation quickly finds Malware
- Centralized Sensor Provisioning
- Behavioral Malware Detection
- Zero-day/APT Intelligence
- Vulnerability Scanning
- Geo-location Intelligence
Security events from the MSS GE sensors are securely transmitted to the MSS GE Controller where they are ranked using a unique algorithm mathematically similar to Google’s page ranking. Rather than limiting security event ranking to static policies, the MSS GE derives priorities based on dynamic measurements. The MetaFlows Active Threat Management system and the SRI Malware Threat Center continuously mine the Internet for bad IP address and event reputation data (much like the reputation and number of links to a web page). The MSS GE controller continuously accumulates this security event reputation data and mathematically transforms it every day to improve ranking prediction. The end-result is that the MSS GE lets you quickly find Malware that otherwise would go unnoticed.
The MSS provides high-speed Malware detection/prevention using BotHunter, daily signature updates and Geo-location intelligence.
Efficient and cost-effective network protection. Easily shut down exploits, Bots, C&C communications, Phishing attempts or sites with bad reputation.
The MSS adds flow analysis to catch covert data exfiltration and/or anomalous communication patterns. You need to know where your data is going.
Merge real-time security information with 3rd-party network-based and host-based monitoring systems.
Rich analysis and advanced reporting tools from a secure web browser. Access actionable alerts anytime from anywhere.
Seamlessly monitor cloud-based assets. The MSS efficiently secures your cloud without the dangers of traffic replication.
Ntop is now part of the MetaFlows Security System (CentOS only for now). Ntop is an indispensable tool that provides historical and near real time flow statistics of your traffic. To use it, simply enable Ntop in you current sensor configuration page and do a hard restart of your sensor (this will download and install Ntop); that’s it! This is the beauty of Cloud-based computing!.
You can invoke Ntop either from (1) the Historical menu or (2) from the Real Time right-click menu. Each time you analyze a host with Ntop you can query back into the MetaFlows historical interface or you can try to extract files transmitted or received by that host (more on this in the next post).
Sensor Resources: In most cases your existing sensor should handle it fine (it uses 0.5 GB of memory and approximately an additional 25% of your current CPU usage). If you have concerns about performance, please do not hesitate to contact us at email@example.com.
The classifications can be used to create custom event notifications. Simply create a classification through the browser and choose the email action. This will trigger email messages detailing the particular flows that matched your specification. I would say that creating an email alert for all events with ranking >0 is a good place to start. This feature now runs from the server side even if your browser is not active.