This has been awaited for some time. The MetaFlows Security System now detects proxied connections. The proxy IP in the event is replaced with the original (real) client IP so that the host can be correctly identified in the events. This has a dramatic effect on correlation, since most proxied hosts only proxy HTTP and use their real IP for DNS and other communications. Using the real IP for correlation and analysis correctly correlates IDS HTTP events and file downloads with IDS events and service discoveries triggered by other protocols.
When a proxied host is detected, a message of the form xff=<realip><-<proxyip> is appended to the event and the proxy IP is replaced, so you will see the real IP rather than the proxy.
When you analyze the packet data, the system automatically switches back to the proxy IP and looks for packets containing the proxy IP rather than the real IP (since packets are stored before the IP is replaced).
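The rewrite described above, as an added example that is not MetaFlows code: a proxied HTTP event has its source swapped from the proxy IP to the client IP taken from X-Forwarded-For, gets the `xff=<realip><-<proxyip>` marker appended, and can later be mapped back to the proxy IP for packet lookup. The event dictionary layout, the trusted-proxy set, the sample event messages and the addresses used as input are all constructed for the example; the marker format is the one stated in the announcement. The example also groups rewritten events by host, which is the correlation effect the text describes: an HTTP event seen through the proxy and a DNS event sent directly land under the same real IP.

```python
"""Added example (not MetaFlows code): rewriting a proxied IDS event to the
real client IP using X-Forwarded-For and reversing that rewrite for packet
lookup. Assumed event layout: dict with 'src_ip', 'dst_ip' and 'msg'."""
import ipaddress
import re

# Constructed: only rewrite when the observed source is a proxy we know about,
# because any client can send a forged X-Forwarded-For header.
TRUSTED_PROXIES = {"18.104.22.168"}

# Marker format from the announcement: xff=<realip><-<proxyip>
XFF_RE = re.compile(r"xff=(?P<real>[0-9a-fA-F.:]+)<-(?P<proxy>[0-9a-fA-F.:]+)")


def _valid_ip(value):
    """Return the stripped value if it parses as an IPv4/IPv6 address, else None."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        return None


def client_ip_from_xff(xff_header):
    """Return the originating client from an X-Forwarded-For value.

    The header is a comma-separated chain; the leftmost entry is the client
    as seen by the first proxy. Entries that are not IPs are skipped.
    """
    if not xff_header:
        return None
    for part in xff_header.split(","):
        ip = _valid_ip(part)
        if ip:
            return ip
    return None


def annotate_event(event, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Swap the proxy IP for the real client IP and append the xff= marker.

    Returns a new dict; the input is left untouched so the stored packet
    record (keyed on the proxy IP) still matches the original event.
    """
    out = dict(event)
    proxy_ip = event["src_ip"]
    real_ip = client_ip_from_xff(xff_header)
    if real_ip is None or proxy_ip not in trusted_proxies or real_ip == proxy_ip:
        out["proxied"] = False
        return out
    out["src_ip"] = real_ip
    out["proxied"] = True  # corresponds to the 'P' flag shown next to the host
    out["msg"] = f"{event['msg']} xff={real_ip}<-{proxy_ip}"
    return out


def packet_lookup_ip(event):
    """Recover the address to search packet captures for.

    Packets are stored before the rewrite, so a proxied event must be looked
    up by the proxy IP recorded in its xff= marker; other events use src_ip.
    """
    m = XFF_RE.search(event.get("msg", ""))
    if m and m.group("real") == event["src_ip"]:
        return m.group("proxy")
    return event["src_ip"]


def correlate_by_host(raw_events):
    """Group event messages by real source host after the xff rewrite.

    raw_events: iterable of (event, xff_header_or_None) pairs.
    """
    by_host = {}
    for event, xff in raw_events:
        ev = annotate_event(event, xff)
        by_host.setdefault(ev["src_ip"], []).append(ev["msg"])
    return by_host


# Constructed sample: one HTTP event seen via the proxy, one DNS event sent
# directly by the same host (addresses taken from the announcement's example).
SAMPLE_EVENTS = [
    ({"src_ip": "18.104.22.168", "dst_ip": "203.0.113.5",
      "msg": "HTTP suspicious file download"}, "220.127.116.11"),
    ({"src_ip": "220.127.116.11", "dst_ip": "203.0.113.53",
      "msg": "DNS query for flagged domain"}, None),
]

if __name__ == "__main__":
    for host, msgs in correlate_by_host(SAMPLE_EVENTS).items():
        print(host)
        for m in msgs:
            print("   ", m)
```

The rewrite is only applied when the observed source is a known proxy; a client that sends its own X-Forwarded-For header to a sensor directly is left untouched, which is the check a practitioner would want before trusting that header for correlation.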
Here is a real example of two events related to 220.127.116.11 (the real IP) downloading suspicious content through the proxy 18.104.22.168:
Notice that when we detect a proxy, a P is associated with the proxied host.
This feature will be available as soon as your sensor is restarted or self-updates. Let us know if you have questions.
Your dedicated MetaFlows Team.