Main Page

From The MetaFlows Security System Documentation
Overview

  1. The MetaFlows Security System Overview
    1. Architecture
      1. Sensors
      2. Controller
    2. Appliances
    3. Sensor Software
      1. Multiple Session Analysis
      2. Soft IPS
      3. SIEM Import and Export
      4. File Transmission Logging and Network Antivirus
      5. Historical Flow and Payload Data Storage
        1. Full Packet Payload Database
        2. Tracker Database
        3. IDS Event Packets
        4. Session Packet Storage
  2. System Requirements
    1. Browser
    2. Sensor Hardware and Software

Configuration

  1. Registering with MetaFlows
  2. Quick Start
  3. Sensor Provisioning and Configuration
    1. Adding a Sensor
    2. Adding a Sensor (Short Form)
    3. Adding a Sensor (Advanced)
      1. Log Management
      2. Event Destinations
        1. Additional Details about the Local DB Mode
      3. Use Multiple Cores If Available
      4. Use Inline Mode
      5. Sensor Variables
      6. Sensor Application Details
      7. Flow Analysis and Passive Service Discovery
      8. Network Analysis and File Carving
      9. Malware Analysis (BotHunter)
      10. Passive OS Fingerprinting
      11. Store Packets On Sensor
      12. Block Communications in Passive Mode (Soft IPS)
      13. File Monitoring
      14. Passive ModSecurity
        1. ModSecurity Alerts
        2. Client or Server Mode
        3. ModSecurity Rule Editor
      15. Automatic Blocking for Priority Rules
      16. Manage Local Rule Source
  4. Sensor Software Install
    1. Downloading Sensor Image
    2. Linux Sensor Installation Procedures
    3. VMware Sensor Installation Procedures
      1. Configure Share Folders
      2. Virtual Machine Sensor Management
      3. Resources to Dedicate to a Virtual MSS sensor
      4. Configure VMware ESXi to Monitor External Mirrored Traffic
      5. Configure VMware ESXi to Monitor a vSwitch
      6. Monitoring Both External Mirrored Traffic and Internal vSwitch Traffic
    4. Interface Bonding
    5. Firewall Setup
      1. Listening Ports
      2. Sensor as a Client
      3. Sensor as a Server
      4. Sensor Outbound Communications (Server Mode and Client Mode)
      5. Additional Considerations
    6. Real-Time Email Alerts
  5. Deep Packet Inspection of Cloud-Based Assets
    1. Overview
    2. Setup Process
      1. Configure the Sensor as a Collector
      2. Configure Network Access Policies
      3. Install and Start Sensor Software
      4. Add Linux or Windows Agents
        1. Native Linux Agent
        2. Advanced Linux Agent
        3. Windows Agents
    3. Amazon Web Services (AWS) Specific Setup
      1. Using the MetaFlows AMI on Amazon AWS
      2. Adding a Larger Disk for Log Storage
      3. MetaFlows Security Gateway on Amazon EC2 (experts only)
        1. Architecture
        2. Setup Instructions
  6. Log Management
    1. Sending Logs to Sensors
      1. Configuring Log Management for Unix/Linux
      2. Configuring Log Management for Windows
    2. Exporting from the Sensor
      1. Syslog Format
      2. CEF Format
  7. Browser Setup

User Interface

  1. Main Menu
  2. Search Events or Flows
  3. Dashboard
    1. Dashboard Overview
    2. High Priority Events
  4. Account Management
    1. Account Audit Log
    2. Subscriptions
      1. Software Subscriptions and Appliance Subscriptions
      2. Manage Existing Subscriptions
      3. Manage Billing Information
      4. What are CVV2 and CID?
      5. Contact Information
    3. Preferences
    4. Two-Step Authentication
    5. Delete Account
  5. Sensor Management
    1. Add Sensors
    2. View Sensors
    3. Share Sensors
  6. Reports
    1. Report List
    2. Report Specification
    3. Sample Report
  7. Historical View
    1. Loading Bar
    2. Passive Discovery Information
      1. Host
      2. Beaconing
    3. Feedback
    4. Coloring
    5. Historical View Options
  8. Real-Time Event View
    1. Real-Time Event View Columns
    2. Real-Time Data Management
  9. Historical Flow and Payload Data
    1. Browser Initialization
    2. Performing Queries
    3. Get Packet Payloads with Splunk
  10. Event Graphs
  11. Command Line Interface
    1. Initialization
      1. Remote Execution
      2. Re-Initialization
      3. API Key Revocation
      4. Historical Flow and Payload Data Queries
      5. Query Syntax
      6. Examples
    2. Historical Event Queries
      1. Syntax
      2. Examples
  12. Log Management
    1. Sending Logs to Sensors
      1. Configuring Log Management for Unix/Linux
      2. Configuring Log Management for Windows
    2. Exporting from the Sensor
      1. Syslog Format
      2. CEF Format
    3. References
  13. User Identification
    1. Active Directory and Microsoft Exchange Support
  14. Event Classification
    1. Classifications List
    2. Creating a Classification
      1. Classification Name
      2. Classification Domain
      3. Classification Category
      4. Classification Action
      5. Comparison Types
      6. Detail Fields
        1. Events
        2. Addresses and Ports
        3. Originating Sensor
        4. Metrics
    3. Viewing Classes
    4. Class Access and Legends
  15. Forensic Tools
    1. View Flow Details
    2. Packet Data
    3. Whois Server/Client Address
    4. Show Files in Flow(s)
    5. Resolve Server/Client Address
    6. Escalate Records
    7. Classify
    8. Filter By Server/Client
    9. Tune IDS
    10. Rule Info
    11. Server/Client Address Historical Report
    12. Block Server/Client
    13. Map These/All Addresses
    14. Scan Server/Client/Port
    15. Annotate Rule/Server/Client
  16. Rules Management Interface
    1. Entering the Rules Management Interface
    2. Selecting a Sensor
    3. Sensor Rules Controls
    4. Updating The Rule Files
    5. Rule File List
    6. Rule Lists
    7. Manual Rule Editor and Rule Info
    8. Pass Rules
    9. Tuning a Rule
    10. Automatic Rule Tuning
    11. Adding Local Rules
    12. Relevant Snort Rules Links
  17. Correlation Engine Rules
    1. Introduction
    2. CER Full Specification
      1. Actions
        1. Match
        2. Block
        3. Email
        4. Ignore
        5. Rank
        6. Trackint and Trackext
      2. <cond> and <rpc>
      3. Description of Specifications
        1. Field
        2. Op
        3. Value
      4. Examples
        1. Simple Matches: No Preconditions
        2. One Precondition: Multiple Triggers and Multiple Actions
        3. One Precondition and A Pure Flow Match
  18. Global Enterprise Controller
    1. Adding IP Reputation Feeds
    2. Adding Commercial ModSecurity Rules
      1. Manual Rule Installation
      2. Automatic Rule Installation
  19. MetaFlows Honeypots
    1. Overview
    2. Types of Honeypots
      1. Windows Server
      2. Windows Client
      3. CentOS Linux Server
      4. Ubuntu Metasploitable Server
    3. Requirements
    4. Adding a Sensor to the Honeypot
    5. Preparing the Host System
    6. Additional Notes
      1. Complications
      2. If Traffic Is Not Reaching the Honeypot
      3. Viewing the Honeypot as a Guest
      4. Modifying the Honeypot VMware Image

Alternate Deployments

  1. Stand-Alone BotHunter