From The MetaFlows Security System Documentation
Jump to: navigation, search

The Report Interface manages the historical event reports. These reports summarize the events generated by the sensors at specific recurring intervals or at specific time periods. These reports can be used to document and archive past activity in a permanent format. They also provide some of the top-level information on the distribution of several invariants observed in the events. The reports are interactive; they allow you to click on most of the data that they contain to invoke a historical view (within one year).

Report List

This part of the interface provides a way to quickly locate past reports or delete old ones.

Report Specification

This form allows the creation of custom reports. The descriptions of the form fields are below.
Report specification

Report Name
This is the name given to the report.
Email PDF Report
This allows the emailing a PDF report to one or more email addresses (separated by semicolon), when is generated.
Group By
This determines how the rows of events are aggregated.
Detail Records
This limits the number of rows in each event aggregation.
Sort Aggregated Records By
This determines how the aggregated records are sorted.
Sort Detail Records By
This allows the user to sort the detailed records with each aggregate.
Include Cleared Records
This includes records that have been cleared by the analysts as irrelevant.
Ranked Events Only
This strictly includes records with ranking > 0.
Time Period
  • Last Day: This generates a daily report.
  • Last Week: This generates a weekly report.
  • Custom Time Period: This will create one report for the specific time frame.
IP Addresses
This reports only the events with specific IP addresses.
Source/Destination Ports
This reports only the events with specific ports.
Event Type
This allows specifying which events on which to report.
  • All Event Types: This shows all events.
  • IDS events can be queried from individual rule files, event classifications, or specific GID or SID.
  • Syslog events can be queried by the categories, or can be queried using a string search. In addition to the standard syslog categories, the following MetaFlows-specific events can be queried:
    1. File-inbound/outbound: This is any file transmission detected coming in our out of your network.
    2. Tracker: These are multi-session incident reports.
    3. BotHunter: They are dialog-based incident reports.
    4. MssBlock: These are SoftIPS blocking reports.
    5. ModSecurity: This details ModSecurity events.
  • The Services option searches for specific services that were discovered.
Exclude Events
This allows the user to exclude any records which match this regular expression.

Sample Report

Report1.png Report2.png Report3.png Aggregatedrecord.png

Previous Chapter Next Chapter