Forensic Tools

From The MetaFlows Security System Documentation

By right-clicking a row in the Real Time or Historical summary reports, users can access the Forensic Tools shown in Figures 1 and 2 below. Summary View ("All") has a different set of menu options than Detailed View.

Forensic Tools

This menu is context sensitive and only displays the options available for a particular record (row). For example, if a particular record has multiple server addresses, the Resolve Server Address option is not available.

Figure 1: Summary Forensic Tools List

View Flow Details

This shows all of the individual records that constitute the aggregate summary record.
Click on the button shown above to go back to the summary view.

Packet Data

This retrieves packet data corresponding to the event. It will also show the IDS rules involved (if any) and will try to show why the rule(s) matched.

Whois Server/Client Address

This queries the "Whois" databases to find the organization that registered a particular IP address (if available).

Show Files in Flow(s)

Selecting this launches the Historical Flow and Payload Data Interface to show any recent flows and try to carve any files associated with this record. Note that you must have a green light in the top right corner for this option to be available, as the packet payloads are retrieved from the sensor. Refer to Historical Flow and Payload Data for details on this page.

Resolve Server/Client Address

This performs a DNS resolution of the server/client address for the selected record.

Escalate Records

This creates an escalation report for the selected flows. The report includes all events and payload data. The report can be emailed in text or .pdf format to create an incident report summary.


This launches a Classify window, pre-populating all the fields of the classification with the values of this record. See Event Classification for further details.

Filter by Server/Client

This changes the interface to show only events that include the specified IP address.

Tune IDS

This creates pass rules so that the sensor will ignore certain events in the future. The pass rule can be restricted to the specific addresses involved in the event or applied to all addresses (thus implicitly disabling the rule).
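The difference between the two scopes, as an added example that is not MetaFlows code: it derives a Snort-syntax pass rule from an alerting rule, either restricted to the event's addresses or left with the original address fields. The function name, sample rule, sids and addresses are constructed for illustration, and how the product itself writes pass rules is not shown on this page.

```python
import ipaddress
import re

# Snort rule layout: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

# Constructed sample rule (not a real signature).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"EXAMPLE constructed rule"; flow:to_server,established; '
    'content:"/test.cgi"; http_uri; sid:1000001; rev:3;)'
)


def make_pass_rule(rule, new_sid, src_ip=None, dst_ip=None):
    """Derive a pass rule from an alerting rule (hypothetical helper).

    src_ip/dst_ip replace the rule's source/destination fields, so the
    pass rule covers only those hosts. With both left as None the
    original address fields are kept: the pass rule then matches
    wherever the alert rule does, which effectively disables it.
    """
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("not a single-line Snort rule")
    src, dst = m["src"], m["dst"]
    if src_ip is not None:
        src = str(ipaddress.ip_address(src_ip))  # rejects malformed input
    if dst_ip is not None:
        dst = str(ipaddress.ip_address(dst_ip))
    # The derived rule needs its own sid; restart its revision counter.
    opts, count = re.subn(r"\bsid\s*:\s*\d+\s*;", f"sid:{new_sid};", m["opts"])
    if count != 1:
        raise ValueError("rule must carry exactly one sid option")
    opts = re.sub(r"\brev\s*:\s*\d+\s*;", "rev:1;", opts)
    return (f"pass {m['proto']} {src} {m['sport']} {m['dir']} "
            f"{dst} {m['dport']} ({opts})")


if __name__ == "__main__":
    # Scoped: only this client/server pair is ignored.
    print(make_pass_rule(SAMPLE_RULE, 9000001, "198.51.100.7", "192.0.2.10"))
    # Unscoped: same address fields as the alert rule, so it never fires.
    print(make_pass_rule(SAMPLE_RULE, 9000002))
```

Reviewing the unscoped form before deploying it is worthwhile, since it removes detection for every host the original rule covered.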

Rule Info

This launches the Rule Info interface for the Snort event selected.

Server/Client Address Historical Report

This option opens a new instance of the Historical Report page with a query to find all events matching the server address or client address for this particular record.

Block Server/Client

This inserts a block classification for the specified IP Address.

Map These/All Addresses

This launches the geo-ip map for either the addresses in the current flow or all addresses in the interface.

Scan Server/Client/Port

This initiates a vulnerability scan against the specified IP addresses and ports.

Annotate Rule/Server/Client

This adds the user's comments to a database that is shared among all MetaFlows users.
