Real Time File Transmission Analysis

We can now reassemble interesting files being transmitted on your network (both inbound and outbound) on ports 25,80,110 and port 143. These are the ports through which most Malware is propagated with Browser-Based Attacks, Phishing, or Email Spam.

Real Time File transmission Logging

By default, all dangerous file transmissions (exe, dll, MS Office, pdf, zip, etc.) are logged and correlated whether or not they are malicious. This allows you to see what content your users are downloading or uploading (these informational messages can be disabled if this is too much information for you). See the screenshot below where several file transfers are logged.

File Transmission Logging
Real Time File Scanning

Importantly, the files that contain malicious code as reported by Virus Total are ranked 100 and flagged as high-priority events for your analysis. Usually, any of these events need to be taken very seriously and appropriate remediation should be taken quickly. See the screenshot below where Snort events and File-inbound events are correlated to show you an ongoing infection.

Malicious file transfers have a ranking of 100 and a report URL lets you see why they are infected. The events are correlated with the IDS events to let you see how everything fits together.

In order to access this great new feature:
  1. Go to your Sensor Configuration page
  2. Enable the File Monitoring plugin by clicking on the check box labeled “File Monitoring” toward the bottom of the page
  3. Enter an optional Virus Total Key (if you do not have one, we highly recommend registering with Virus Total and obtaining a free key at
  4. Save the sensor configuration
  5. Execute /nsm/etc/ restart on your sensor
The plugin works in parallel, so if you have multiple cores, it will load-balance the file reassembly on multiple processors. So far, the beta testing has exceeded all our expectations and we hope that this feature will be useful to you. As always, please feel free to send us email at for any questions or if you see any issues.


Happy Hunting!
The MetaFlows Team.