As a new feature of the MetaFlows MSS, we have added the ability to query the MSS for both historical flow data (with payload coming from the sensor) and historical event data (coming from our database). The flow data text output can be formatted to look like what Argus provides (-f -X) or what Bro provides (-c), depending on the options that are selected. We have also added JSON output (-J) for those of you who use Splunk and want to do some integration work. The MetaFlows Wiki has been deeply revamped and the CLI documentation is at:
The CLI client is written in Perl and can be copied to any system after initialization – so you may execute the CLI queries from any host. Also, if you dare, you can modify the Perl code to change the output formats or to add your own command line switches.
To whet your appetite, the following query will return all the latest malicious content from your sensors:
getflows.pl -u api1:xxxx -B
This query, for example, shows all of the clients on your network attacking Chinese Web Servers:
getflows.pl -E -u api1:xxxx -w 360000 -Q modsec_out | grep CRITICAL | grep :CN
We encourage you to invest some time in looking at this CLI. As always, do not hesitate to drop us a line at firstname.lastname@example.org.
The MetaFlows Team