Ano

Topmaly
10 Det ect iosnby
event Syst em
priorit y

Wit hinGuide
User t he widget , you can:
10.03
Change t he perspect ive using t he Perspect ive drop-down list .

Rest ore t he cont ent of t he widget according t o t he current ly configured filt ers (filt ers can be found in t he upper part of t he page).
View all event s according t o select ed perspect ive, move t o Event s → Simple List , view t he chart wit h a descript ion.

The latest 10 events

The widget displays 10 newest event s.

Anomaly Detection System

Introduction

Flowmon ADS is a mode rn syste m for de te c tion of anomalie s and patte rns of unde sirable ne twork be havior, whic h is base d on an analysis of data flows in the ne twork
(Flow). T he main goal of the solution is to inc re ase e xte rnal and inte rnal se c urity of a c ompute r ne twork. T he main advantage ove r standard IDS syste ms lie s in
orie ntation on the ove rall be havior of a de vic e on the ne twork, whic h e nable s to re spond to ye t unknown or spe c ific thre ats for whic h the signature is not available .
Inte grate d dashboard displays a quic k ove rvie w of the late st e ve nts and ove rall statistic s of e ve nts. T his allows an imme diate ide ntific ation of proble ms or proble matic
de vic e s in the ne twork.

T his use r doc ume ntation is divide d into the following c hapte rs:

Introduction – the first c hapte r aims to familiarize use rs with fe ature s and c apabilitie s of the Flowmon ADS module
Installation and configuration – the se c ond c hapte r is inte nde d for syste m administrators and is de dic ate d to the installation and de taile d c onfiguration of the
module
Lat est 10Deevent s
te ction me thods – the third c hapte r spe c ifie s the fe ature s of the applic ation. Part of the c hapte r de sc ribe s the be st prac tic e s and inte rpre tation of re sults
Wit hin t he widget ,rface
Use r inte – the fourth c hapte r de sc ribe s the GUI of the applic ation and is inte nde d for an ordinary use r
you can:
Contact information – the final c hapte r c ontains a summary of c ontac ts for the ve ndor and distributor of the module
Rest ore t he cont ent of t he widget as per t he current ly configured filt ers.
View all event s in t he Event s → Simple list .

Top 10 events
Features and type by count
Capabilities
The widget shows t he t op 10 event t ypes t oget her wit h t he number of occurrences of t he event s of t hat t ype.
T he ADS module is part of the Flowmon solution and e asy to install on a probe or c olle c tor. It offe rs the following func tions and fe ature s:

S upports Ne tFlow v5/v9, for IPFIX and for IPv4 and IPv6
Imple me ntation of bidire c tional flow standard (RFC 5103)
Building of long- te rm be havioral profile s of de vic e s on the ne twork in te rms of provide d and use d se rvic e s, traffic volume s and c ommunic ation partne rs
Pre de fine d se t of rule s for de te c tion of unde sirable be havior patte rns – ope rational issue s, attac ks, unwante d se rvic e s
A c ompre he nsive dashboard with a dire c t indic ation of proble ms in the ne twork
Comple x filte ring options and e ve nt prioritization linke d to re porting and ale rts
Inte gration of tools for obtaining additional information (DNS , WHOIS )
S upport for adding c ustom information about IP addre sse s (name , role , use rname , . . . )
Automate d outputs via e mail, syslog, S NMP or c ustom sc ripts
Re mote traffic c apture trigge re d by ge ne rate d e ve nts
Ce ntral use r inte rfac e to use and manage more Flowmon ADS instanc e s from a single point
Browsing the IDS e ve nts from the IDS Colle c tor module (if installe d)

Ple ase also note the following fe ature s, whic h are c urre ntly available in all ve rsions e xc e pt the Lite ve rsion:

Pre de fine d se t of rule s for de te c ting ne twork anomalie s suc h as be havior c hange of de vic e s on the ne twork, disc ove ring ne w ne twork se rvic e s, e tc .
Inte rac tive visualization of e ve nts and re le vant c onte xt in the form of dire c te d graphs
S upport for adding c ustom information about IP addre sse s (name , role , use rname , . . . )

Selected Detection Methods

Det ect ion of net work anomalies

De te c tion of transmission of large volume s of data in the ne twork

De te c tion of se rvic e unavailability
10 most numerous event s

Wit hin t he t able, you can:

DetRest
ect ion
oreof remot
t he conteent
management
of t he widget as per t he current ly configured filt ers.

View
De a
tecomplet
c tion of Teetlne
able of all ol
t protoc kinds of event s along wit h t he number of occurrences of t he event s of a respect ive t ype in a new t ab.
Display t he cont ext menu above t he t ype of an event , which allows you t o search all event s of t he t ype (Display event s of t his t ype), a t ransit ion t o t he
Event s → Simple list view.
Det ect ion of at t acks
Top 10 IPs by event count
The widget shows
De te c tion tof
hedic
10tionary
IP addresses, which
attac ks on produce
S S H se rvic e s t he great est number of event s.
T he De nial of S e rvic e type attac ks
De te c tion of T CP sc ans
 De te c tion of outbound S PAM

Checking of errors at t he configurat ion level

De te c tion of de lays on the ne twork

Usage of unwant ed services

De te c tion of Instant Me ssaging (ICQ, Jabbe r, MS Me sse nge r, Google T alk, ...)
De te c tion of BitT orre nt P2P ne twork

Met hods available in non-lit e version only

Anomaly de te c tion syste m base d on c hange s in the be havior profile

De te c tion of he te roge ne ous c ommunic ation
De te c tion of parasite de vic e
De te c tion of sharing de sktop using T e amVie we r
De te c tion of IP addre sse s without re ve rse DNS re c ords
De te c tion of diffe re nt Voic e - ove r- IP protoc ols
De te c tion of diffe re nt VPN c onne c tions and tunne ls
De te c tion of dire c t inte rne t c ommunic ation

10Basics of Application
most numerous IPs (by number of event s)

Wit hin t he t able, you can:

Flowmon ADSt he
Rest ore is available
cont ent as
ofatstandard
he widget module
as perfor thecurrent
t he Flowmon probe /c olle c
ly configured tor.
filt er.It is a we b applic ation that use s mode rn sc ripting te c hnology (Java S c ript and AJAX).
T he applic ation is primarily optimize d for the Fire fox and Google Chrome browse rs, among the othe r supporte d browse rs are the late st ve rsions of:
View a complet e t able of all IP addresses wit h t he number of occurrences of t he event s wit h t he respect ive IP address as a source in a new t ab, view t he
chart
Inteincluding t her descript ion.
rne t Explore
Ope ra
Events in the last batch
S afari

TheTwidget
he use r shows
inte rfacmaximum
e layout is 10 event
divide t ypes,
d into thre ewhich have been
main parts. det ect
T he uppe edof
r part during t he last
the applic ationprocessed
c ontains ofbat
thech of dat
status a. information bar, the le ft c ontains the applic ation
and
main me nu. T he re maining are a of the use r inte rfac e is a use r’s de sktop, whic h shows the information and func tionalitie s that be long to the c urre ntly se le c te d ite m in
the main applic ation me nu.

T he applic ation is also offe rs a c onte xt me nu, whic h is available by right c lic king on a partic ular obje c t.

Distributed Architecture

Archit ect ure descript ion

Distribute d Arc hite c ture c an be use d for load balanc ing of the proc e ssing by utilizing more de vic e s. T he proc e ssing node s work se parate ly and use only the flows on
the give n node . It is ne c e ssary to have the whole c onte xt for a give n ne twork se gme nt on a single node to provide maximal pre c ision. Distribute d arc hite c ture allows
c e ntral manage me nt and c onfiguration. Eac h node has the same c onfiguration. T he node is a se parate hardware or virtual Flowmon instanc e with the Flowmon ADS
applic ation. T he e nc rypte d c ommunic ation be twe e n node s use s the S S H protoc ol. Eac h of the proc e ssing node has to use the same Flowmon ADS lic e nse .

Node t ypes

Maste r

T his node manage s the whole arc hite c ture . It provide s the use r inte rfac e , c olle c ts and store s the e ve nts from all Slave node s and allows to c onfigure all node s. T he
Master node ge ne rate s and se nds PDF re ports, re ports the e ve nts via e mail/S NMP/syslog, trigge rs the c ustom sc ripts and traffic c apture s. No dire c t data proc e ssing.
Master node has to have a ne twork ac c e ss to the IP addre sse s of all Slave node s, or to the IP addre ss of Proxy node if pre se nt. T he re c an be only one Master node in the
arc hite c ture .

Proxy

Event s in
T he t hewhic
node lasthbat ch
transmits the information be twe e n the Slave and Master node s. Proxy node doe s not inc lude the we b use r inte rfac e and doe s not proc e ss the data. T he
Proxy node has to have ne twork ac c e ss to the IP addre sse s of the Master node and all the Slave node s. T he re c an be more Proxy node s in the arc hite c ture , but this type of
Wit hin t he widget , you can:
node is not re quire d.
Rest ore t he cont ent of t he widget as per t he current ly configured filt er.
S lave
View a complet e t able of all event s in t he last bat ch, t he t ransit ion t o t he Event s → Simple list , view t he chart including t he descript ion.

T heDisplay
node tot he
proccont
e ssext
the menu
data. Itabove t he
re quire t ype
s the lic eof anfor
nse event
the ,proc
which allows
e ssing you t o. Tsearch
database alldoe
his node event s inc
s not of lude
t he tthe
ypewe
(Display event
b use r inte rfacseof t his
. T he t ype),
Slave nodet he t ransit
has ion t o t he
to have
Event s → Simple list view.
ne twork ac c e ss to the IP addre ss of the Proxy node (or to the Master node if the re is none Proxy node in the arc hite c ture ).

Events
Proxyslave

A Slave
This chaptnode c onc urre
er offers t hently use d as sect
following a Proxy node .
ions:
Aggregat ed View
Deployment modes
Simple List
 T heBy
ADSHost s
distribute d arc hite c ture c an ope rate without the Flowmon distribute d arc hite c ture be ing e nable d. Whe n e nable d, the Flow Distribution Model in Flowmon
distribute d arc hite c ture ne e ds to be se t to the Flow Source Related mode l to ke e p the whole c onte xt for the give n ne twork se gme nt on a single node . Only one Master
nodeEvent Det ail d. T he Top Priority Master Unit (T PM) should be use d as a Master node for the ADS distribute d arc hite c ture if the re are more Master node s available .
is supporte
Int eract ive Event Visualizat ion
Maste r S lave
Event Mode
Evidence

T heIDS Browser
simple st available c onfiguration. It re quire s one Master and one or more Slave node s.

Aggregated View
Maste r Proxy S lave Mode

If Master node c an c ommunic ate with Slave units dire c tly e ac h othe r, the ADS distribute d arc hite c ture c an be e nable d on the Maste r and S lave node s only. T o use a Proxy
Theisaggregat ed view
not ne c e ssary present
in this c ase .s event s of a part icular device in an int uit ive graphical way wit h respect t o t ime.
Each t ype of t he event , in which t he device t akes part during a respect ive t ime period is represent ed by one line called a swimline. Event occurrences are
represent ed by a colored rect angle in a part icular swimline. According t o t he select ed scale, t he neighbour event s are aggregat ed int o one rect angle. Lengt h of
t he rect angle corresponds wit h t he t ime lengt h of t he event . Time is shown on t he x-axis. The night and day alt ernat ion is also displayed.
Installation and Configuration
Comput ing aggregat ed event det ails t hat consist of more t han 25 event s is accelerat ed by sampling. When sampling is used, t he event shows informat ion
about lower accuracy of dat a.
T o install and c onfigure the Flowmon ADS module , ple ase follow the instruc tions inc lude d in the following c hapte rs.

Quic k Configuration
Installing on Probe or Colle c tor
Configuring the Flowmon ADS module
Data S torage S e ttings
Ge ne ral S e ttings of the Module
Mainte nanc e
Use r Pe rmissions
e Polic y Orc he strator Conne c tion S e ttings
S e rvic e Name s Assignme nt
Que rying LDAP S e ttings
Exte rnal que rie s
Use r pre fe re nc e s
Data fe e ds
Filte rs
De te c tion Me thods
Pe rspe c tive s
Cate gorie s of Eve nts
Example of t heFalseAggregat edsevent view
Positive
Blac klists
Data filtering Custom ac tions
It is possible t oCustom Patte
filt er dat rns
a in t he chart according t o corresponding search crit eria. To enhance t he clarit y, t he search crit eria are divided int o basic search
IDSdisplayed
crit eria, t hat are Colle c toralways, and t o t he advanced, which are available aft er clicking on t he More Filt ers but t on. The following search crit eria are available:
Distribute d Arc hite c ture Configuration
Dat e: The relevant period for displaying t he informat ion in t he Aggregat ed view, t he period can be specified direct ly or can be chosen from an associat ed
Wizard
calendar (Custom t ime int erval).
Manual Configuration
Perspect ive: The event s are displayed according t o t he select ed priorit y.
Source IP: Displays event s only for t he IP addresses specified in t his field. It is possible t o ent er IP addresses in t he following format s:

Single IP address, for t he IP version 4 and 6 (e.g. 192.168.2.1, 2001:db8::beef) or a comma-separat ed list of single IP addresses
Quick Configuration
Net work address or mask, for t he IP version 4 and 6 (e.g. 192.168.1.0/24, fc00::/7)
T he basic cRange
onfiguration of the module
of IP addresses, forc onsists of thre e4ste
t he IP version andps:6 (e.g. 10.0.1.2-10.0.1.10, fe80::-fe80::ffff)

Wildcards
1. Log into not at
the module – ion
use of
theIPv4
sameaddresses
c re de ntials(enumerat ion, range,
as whe n logging all),Flowmon
into the only single wildcard Ce
Configuration cannteber. used in cone
You c an IP address.
hange Examples:
your password and se t othe r use rs in the
Flowmon Configuration Ce nte r, the S yste m tab. More information about the manage me nt of use r ac c ounts c an be found in the doc ume ntation of the Flowmon
192.168.{1,3,20}.1: IP addresses 192.168.1.1, 192.168.3.1 and 192.168.20.1
probe or c olle c tor. T he use r c urre ntly logge d- in c an be modifie d afte r c lic king the button with use rname in the right uppe r c orne r.
2. Going through the configuration
10.[1-3].0.0: wizard –
IP addresses the we lc10.2.0.0
10.1.0.0, ome window and with the link to c onfiguration wizard will show up afte r the first login into the applic ation (the wizard
10.3.0.0
c an be starte d using the que stion mark ic on with labe l CONFIGURATION WIZARD in the S e ttings se c tion as we ll).
T he first ste172.16.*.1: Same as 172.16.[0-255].0
p of the c onfiguration wizard is to apply the c onfiguration te mplate . T he te mplate c re ate s the basic IP range filte rs and se ts de fault value s to
parame te rs of de te c tion me thods. With the e xc e ption of the Lite ve rsion of Flowmon ADS , it is possible to e xte nd the LAN filte r base d on private IP range s of the
Dat a feeds: Allows t o display only event s t hat were det ect ed by inspect ing t he flows from t he specified dat a feed.
public IP addre sse s of the monitore d ne twork se gme nt, de fine spe c ific de vic e s in the ne twork (e .g. DNS se rve rs) and se t the size of the monitore d ne twork. It is
Met hods:
also Displays
possible only specified
to e nable event
the e xte rnal s in t heupdate
automatic Aggregat ede view.
se rvic s of the re sourc e s whic h te nd to c hange ove r time , suc h as blac klists and be havioral patte rns. T o
e nable this func tionality, the Inte rne t c onne c tion is re quire d. All se t value s are use d for re le vant de te c tion me thod parame te rs.
Filt ers: It is possible t o specify t he sources of event s by choosing a defined filt er.
3. Configuring the Flow data source s – se t up partic ular sourc e s of Flow data that will be proc e sse d by the applic ation in se c tion S e ttings → Proce ssing → Data
fe e ds.
Event catFrom the aspe
egories: c t of data
Displays onlycevent
olle c tion, theare
s t hat applic
partation
of t works like ed
he select a c cat
olle egory.
c tor whic h is c apable of re c e iving the data in the Ne tFlow v5/v9 format. For e ac h
sourc e :
Visualization
a. Enteinteraction
r a unique Name
b. S e le c t the profile and the c hanne ls that should be use d as an input
Zoom c . S e t all data sourc e s you want to use as ac tive
User can zoom in t he visualizat ion by using t he left mouse but t on and select t he request ed t ime int erval direct ly in t he chart . There are Undo and Redo icons on
t he right side above t he visualizat ion t o navigat e t hrough changes of t he scale. Using t he icons of magnifier wit h Plus and Minus inside you can change t he size
of colored rect angles in t he swimline.

Installing on Probe or Collector

Simple List
Flowmon ADS is a module that c an be run on the probe and the c olle c tor. Installation on probe or c olle c tor is c arrie d out through Install (Update ) func tion found unde r
Ve rsion tab in the Flowmon Configuration Ce nte r. More information about installation of module s c an be found in the doc ume ntation of Flowmon probe or c olle c tor.
The Simple list offers a view of event s in t he form of a simple list (event s t able). It is primarily sort ed by t he t ime of t he creat ion of an event . User can show
T helyinstallation
direct t he Event proc e ssof
det ails willt he
automatic allyhapply
event wit a knownthe TID,
ypical company
using c onfiguration
t he search te mplateaft
dialog available to the applic ation.
er clicking Commonly use
t he magnifier d de
glass te c tion
icon meupper
in t he thods and
rightparame
cornerteof
rs will
t he
screen.
be acThetivateresult s ofproc
d by this t he equery are
ss. T he divided
re is int flow
also one o pages. One page
data sourc contdains
e pre pare a maximum
for the of 500port
first monitoring it ems of tprobe
of the he result . The
. T his dataresult is a be
fe e d must t able whichd manually.
ac tivate includes t he
following it ems:
Information about data fe e d c onfiguration is de sc ribe d in c hapte r Configuration of flow data sourc e s.

T heRow number
Flowmon ADS (#):
applicNumber
ation c of t heinstalle
an be t able drow.
only on Flowmon probe or c olle c tor (ple ase c he c k the re spe c tive re le ase note s for prope r ve rsion numbe rs). T he lic e nse
is part of the ge ne ral Flowmon lic e nse . T he lic e nse has to be loade d in the Flowmon Configuration Ce nte r.
ID: Unique ident ificat ion number of t he det ect ed event . Clicking on t he icon on t he right side of ID will open a new browser t ab wit h event det ail which can
be shared via URL.
Timest amp: Dat e and t ime when a part icular event was generat ed.
Configuring the Flowmon ADS module
 Priorit y: Priorit y of event s according t o select ed Perspective.
T heEvent t ype:
following Typersofwill
c hapte event , ayou
guide reference t o tproc
through the he det ect
e ss ofion met
basic hod which recognized
c onfiguration t he ADS
of the Flowmon event .
module .

Source:
Data S Event
torage originat
S e ttingsor (IP address).
Ge ne ral S e ttings of the Module
Det ail: Det ailed informat ion about t he event .
Mainte nanc e
Use r s:
Target PeEvent
rmissions
t arget s (a list of IP addresses). Maximum 4 it ems are shown in t he t able. If more t arget s are associat ed wit h t he event , t hey are available
by eclicking onhe
Polic y Orc t he ShowConne
strator targets butSt eon
c tion which appears aft er hovering over t he list of t arget s.
ttings
S e rvic e Name s Assignme nt
Dat a feed: Name of t he dat a feed where t he event has been generat ed.
Que rying LDAP S e ttings
Exte rnal que rie s
Use r pre fe re nc e s
Data fe e ds
Filte rs
De te c tion Me thods
Pe rspe c tive s
Cate gorie s of Eve nts
False Positive s
Blac klists
Custom ac tions
Custom Patte rns
IDS Colle c tor

Dat a St orage Set t ings

T his c onfiguration c an be found in S e ttings → S yste m se ttings → S torage S e ttings.

In this se c tion you c an modify se ttings of the data storage .

Parame te r De le te data afte r is use d to se t de le ting old data. T his is use ful for arc hiving e ve nts for late r analysis. T he value Ne ve r se ts data life time to infinity while
De fault pe riod se ts the de fault value s (whic h, for an e ve nt, is 183 days).

Numbe r of days for whic h the data for the ove rvie w graph are be ing store d c an be se t by the Days to ke e p ove rvie w chart data parame te r.
Example of t he Simple list
T he Flowmon ADS allows to raise the pe rformanc e using the SuperFast™ mode . Using this option is re c omme nde d only for huge ne tworks that ge ne rate s more than 1 000
It isflows
possible t oc ond.
pe r se export
T heall
acfilt ered of
tivation event
the s (up t o 10mode
SuperFast™ 000 event s) t rone
on smalle t he CSVcfile
tworks ouldusing
c auset he but t on Export
a slowdown eventation.
of the applic s t o aItCSV
is nefile. Thistobut
c e ssary t on
limit is maximal
the locat edamount
under tofhe
search crit eria sect ion. You can open t he current event list in a new browser t ab by clicking on t he but t on Open in a new t ab.
me mory that c an be use d by the SuperFast™ mode , too.

Data
T hefiltering
Filte r booste r parame te r is use ful to ac tivate if and only if the re are some filte rs with many IP range s de fine d (e . g. using wildc ards). Othe rwise the ac tivation c an
c ause lac k of pe rformanc e .
It is possible t o filt er dat a in t he t able according t o corresponding search crit eria. To enhance t he clarit y, t he search crit eria are divided int o basic search
critTeria, t hat are
he Attach displayed
flows and Flowalways,
te mplateand t o t he
parame advanced,
te rs allow to acwhich
tivate are available
saving of flowaft er clicking
sample on t he
s (assigning theMore Filt ers but
m to individual t on.
e ve nts)Search
and thecrit eria
se le can
c tion of be shared
fie lds to bevia URL
save d. aft er
applying
T he setsample
he specified crit
s are use d eria.
as anThe
attacfollowing search
hme nt to some crit
type eria
s of are re
e mail available:
ports.
Dat e: The relevant period for displaying t he event s in t he Simple list , t he period can be specified direct ly or can be chosen from an associat ed calendar
(Custom t ime int erval).
General Set t ings
Perspect ive: of t he Module
Assigns t he priorit y t o t he event s according t o t he chosen perspect ive.
Source IP: Displays only event s where t he originat or of t he event s is t he IP address specified in t his field. It is possible t o ent er IP addresses in t he
T hisfollowing format
c onfiguration c ans:be found in S e ttings → S yste m S e ttings → Ge ne ral se ttings.

T he admin Single
use r c an
IPloc k some cfor
address, onfigurations (Re ports,
t he IP version 4 andS6e ttings → S yste m S e 2001:db8::beef)
(e.g. 192.168.2.1, ttings → Use r pre fe
orre
a nce
comma-separat → Proce
s and S e ttingsed list ofssing → Custom
single actions) for non- admin
IP addresses
use rs using the Lock the configuration for non-admin use rs option.
Net work address or mask, for t he IP version 4 and 6 (e.g. 192.168.1.0/24, fc00::/7)
Ac c e ss to Flowmon se rvic e s (Inte rne t se rvic e s) may be allowe d or de nie d by e nabling or disabling the Flowmon se rvice s option. S ome se rvic e s, suc h as the whois
se rvic e or Range ofc tion
the de te IP addresses, fordet pe
me thods that he nd
IP on
version 4 and
the e xte 6 (e.g.e s10.0.1.2-10.0.1.10,
rnal sourc fe80::-fe80::ffff)
(BLACKLIS T and BPAT T ERNS ), are unavailable whe n the inte rne t ac c e ss is de nie d. S e e
information on the various de te c tion me thods for furthe r de tails.
Wildcards not at ion of IPv4 addresses (enumerat ion, range, all), only single wildcard can be used in one IP address. Examples:
T he applic ation use s all available CPUs. T he Maximal numbe r of computational thre ads parame te r allows to limit the numbe r of CPU c ore s whic h applic ation c an utilize .
192.168.{1,3,20}.1: IP addresses 192.168.1.1, 192.168.3.1 and 192.168.20.1
T he applic ation allows re solving e ve nt sourc e IP addre ss imme diate ly afte r de te c tion of an e ve nt. T his func tion e nable s to de te rmine the ide ntity of the e ve nt sourc e
assoc iate d with a 10.[1-3].0.0:
short IP addreIPssaddresses
using DHCP. 10.1.0.0,
IP addre10.2.0.0 and
sse s whic 10.3.0.0
h should be re solve d are de fine d by Capture source hostname .
172.16.*.1:
T he parame te r Limit flows in eSame as 172.16.[0-255].0
ve nt e vide nce allows to spe c ify an uppe r limit for a numbe r of flows that are displaye d for e ac h e ve nt in the Eve nt e vide nce se c tion.
Target s: Displays only event s whose t arget s are associat ed wit h t he IP addresses specified in t his field. It is possible t o specify IP addresses in t he same
format t hat is described above for t he Source IP field.
MaintDat
enance
a feeds: Allows t o display only event s t hat were det ect ed by inspect ing t he flows from t he specified dat a feed.
Met hods: Displays only specified event s in t he Simple list .
T his part of the c onfiguration c an be found in S e ttings → Mainte nance . T his se c tion inc lude s func tions of the manage me nt of de vic e c onfiguration.
Filt ers: Allows t o specify t he sources of event s by choosing a defined filt er.
All use r data c an be de le te d (De le te data) or you c an turn the de vic e into the fac tory se ttings (Re se t to factory de faults). T his ac tion also inc lude s de le ting all use r
data,Event
whic hcat egories:
in turn Displays
inc lude s the deonly event
le tion of allsetve
hat are
nts. partinformation
More of select ed
on cat egories.
managing the module c an be found in the doc ume ntation of Flowmon probe or c olle c tor.

T he applic ation store s re solve d DNS name s for a short time pe riod. It c an be de le te d by c lic king the Cle ar DNS cache button.

By THosts
o make the c onfiguration of de vic e s simple r, Flowmon ADS offe rs pre de fine d te mplate s of module se ttings (Apply configuration te mplate ). T he te mplate s inc lude
c onfiguration of Flow data filte rs, individual de te c tion te c hnique s and se ttings of pe rspe c tive s. Applic ation of te mplate c an be e nforc e d (Force ), whic h me ans that the
c urre nt se tting, whic h is in c onflic t with the se le c te d te mplate , is ove rwritte n. T he re are the following te mplate s available :
A t able view of t he event s grouped as per t he sources and t arget s of event s. The result t able is sort ed by t he IP addresses. Informat ion about each IP address
consist s Tof t he company
ypical number of event s where
configuration t he IP–address
te mplate te mplateisdet he source
signe or t he
d for small t arget
and of tsize
me dium- he event . Consequent
d organizations. Filtely, it ttings
r se is possible
inc ludet oc ommonly
view a list ofd event
use privatet addre
ypes relat
sse s ed
t o t he respect ive IP address.
(10.0.0.0/8, Specific
172.16.0.0/12, event s can be
192.168.0.0/16). Acdisplayed incttion
tivate d de te he form of aand
me thods separat
the ir e
setttings
able for each
c orre event
spond t ype.alThis
to typic t able
se c urity neincludes t heand
e ds of small same dat a as
me dium- sizet he
d
event t able Event s → Simple list .
organizations. Within the pe rspe c tive se ttings, the highe st priority is give n to e ve nts that might indic ate an attac k or a se rious bre ac h of ne twork se c urity.
Large company configuration te mplate – te mplate de signe d for large e nte rprise s. Filte r se ttings inc lude c ommonly use d private addre sse s (10.0.0.0/8,
172.16.0.0/12, 192.168.0.0/16). Ac tivate d de te c tion me thods and the ir se ttings c orre spond to typic al se c urity ne e ds of large - size d organizations. Within the
pe rspe c tive se ttings, the highe st priority is give n to e ve nts that might indic ate an attac k or a se rious bre ac h of ne twork se c urity.
Inte rne t se rvice provide r trunk te mplate – te mplate de signe d for large bac kbone ne tworks. Filte rs are not part of the te mplate . Ac tivate d de te c tion me thods and
the ir se ttings c orre spond to the typic al se c urity ne e ds of the IS P ne tworks. T he me thods foc us on massive attac ks and anomalie s in the ne twork.

It is possible to save the c urre nt c onfiguration of the applic ation and re store it if ne e de d. T he c onfiguration is not portable be twe e n diffe re nt ve rsions of the
applic ation. It c an be downloade d or uploade d bac k to the syste m in Flowmon Configuration Ce nte r → S yste m → Mainte nance .

A use r may also add his own information about IP addre sse s from CS V te xt file (IP de tails se c tion) by c lic king on Import button. T his additional information c an be
 vie we d in the de tail of the IP, whic h c ontains data from whois and othe r tools and se rvic e s. Re me mbe r, the import de le te s all pre vious information! T he following fie lds
are supporte d:

ip: IP addre ss to whic h the information is re late d

host: domain name of the IP addre ss (max. 32 c harac te rs)
use rname : re sponsible use r (max. 32 c harac te rs)
os: running ope rating syste m (max. 50 c harac te rs)
hwconfig: hardware de sc ription (max. 1,000 c harac te rs)
role : role of de vic e s on the ne twork (max. 32 c harac te rs)
note s: additional note s (max. 1,000 c harac te rs)

T he te xt file c onsists of a he ade r and re c ords. T he he ade r c ontains a list of fie lds se parate d by a se mic olon. It must inc lude the re quire d ip fie ld and at le ast one
optional fie ld (host, use rname , os, hw-config, role , note s). Eac h line c ontains one re c ord. T he fie lds are se parate d by a se mic olon. Empty line s are ignore d.

Information c an be downloade d by the Export button.

Example of the conte nt of the file to import information about IP addre sse s

ip;host;role ;use rname ;os;hwc onfig

192.168.1.33;pc 33.foo.c om;c lie nt- station;Johny;WindowsXP;VM

192.168.1.1;stone
Example of t he By host s view .foo.c om;LAN gate way;Ce ntOS 5.5;

Data filtering
It is possible t o filt er dat a in t he By host view according t o corresponding search crit eria. To enhance t he clarit y, t he search crit eria are divided int o basic search
crit eria, t hat are displayed always, and t o t he advanced, which are available aft er clicking on t he More Filt ers but t on. The following search crit eria are available:
UserDat
Permissions
e: The relevant period for displaying t he event s in t he Simple list , t he period can be specified direct ly or can be chosen from an associat ed calendar
(Custom t ime int erval).

T hisPerspect ive:
part of the Assigns t hec an
c onfiguration priorit y t o tinheS eevent
be found ttingss →
according
S yste m setttings
o t he →
chosen perspect
Use r Pe ive.
rmissions.

IP addresses:
Flowmon ADS applicDisplays onlyadmins
ation allows IP addresses t hat
to limit the arewhic
data specified
h c an beinvie
t his
we dfield. It is
by non- possible
admin use rs.t o
T ospecify
limit thet he
e veIP addresses
nts, whic h c anin
bet he following
shown format
to a partic s: admin use r,
ular non-
it is possible to assign the pe rspe c tive to e ac h of the se use rs. T he use r c an vie w only the e ve nts, that are de fine d in the pe rspe c tive , and the me thod instanc e
Single IP address, for t he IP version 4 and 6 (e.g. 192.168.2.1, 2001:db8::beef) or a comma-separat ed list of single IP addresses
c onfiguration re late d to the se e ve nts.

T he pe rspeNet work
c tive address
s c an ordmask,
be de fine for simplifie
using the t he IP version 4 and
d inte rfac e . It 6is(e.g.
suffic192.168.1.0/24,
ie nt to se le c t thefc00::/7)
data fe e d, the IP addre ss filte r and to assign the prioritie s to the e ve nt
type s. T he Range
se le c teof
d sourc e and filte for
IP addresses, r aret he
theIP
n assigne
versiond 4toand
e ac6h de
(e.g.fine10.0.1.2-10.0.1.10,
d priority (the filte rfe80::-fe80::ffff)
is assigne d twic e to e ac h priority onc e as sourc e filte r and onc e as targe t
filte r).
Wildcards not at ion of IPv4 addresses (enumerat ion, range, all), only single wildcard can be used in one IP address. Examples:
192.168.{1,3,20}.1: IP addresses 192.168.1.1, 192.168.3.1 and 192.168.20.1
User permissions summary
10.[1-3].0.0: IP addresses 10.1.0.0, 10.2.0.0 and 10.3.0.0
Use r pe rmissions for non-
172.16.*.1: admin
Same asuse rs
172.16.[0-255].0
Assigne d filte rs
IP role: Specifies
Use rwhet her
c an se t he IP
e only theaddresses from
filte rs assigne t he
d to field
him andabove
c annotshould
e dit thebe
m.searched in t he event sources, event t arget s or in bot h of t hem. The default
opt ion is t o search in bot h of t hem.
Filte r assigne d to the use r limits the c onte nt of displaye d re port c hapte rs.
Detail Assigne
Event Number of event d s:
peAllows
rspe c tive
t osfilt er IP addresses by t he number of relat ed event s.
Use r c an se e only pe rspe c tive s assigne d to him and c annot e dit the m.
Dat a feeds: Allows
Use r ctan o display
se e onlyonly
the meIP thods
addresses
(and ret hat aree ve
le vant relat
nts)ed t o are
that event s t hat
de fine d bywere det
the pe ectced
rspe tiveby inspectding
s assigne t he flows from t he specified dat a feed.
to him.
Unlike Met
ot her event
hods: Use r conly
views,
Displays tan
hese e only
Event
t he those
det
event ail e mail
s tview
hat isreavailable
mat ports
ch t hec onne
only
select c te d to
ted detpeect
hrough rspeionccont
t he tive
metsextassigne
menud tto
hods. him.
hat can be act ivat ed by t he icon of t hree dot s at t he end of t he row
wit h a det ect ed event Use. Event det
r c an se e ails
only include
data fe eallds available
c onne c te informat
d to prioritieionsabout t hecevent
in pe rspe , event dcomment
tive s assigne to him. s and classificat ion of event s int o cat egories.
Filt ers: AllowsPe t orspe
specify
c tive IP addresses
assigne d to thebyusechoosing
r limits thea filt er (t
c onte nthis crit eriond can
of displaye be cused
re port haptetrs.
oget her wit h t he IP addresses field).
Use r without assigne d pe rspe c tive c an se e all data fe e ds (inc luding re le vant e ve nts and ove rvie w c harts).
Event cat egories: Displays only event s t hat are part of select ed cat egories.
Use r with assigne d pe rspe c tive with some priority de fine d as inde pe nde nt on the data fe e d c an se e all data fe e ds (inc luding re le vant ove rvie w
c harts, but e ve nts are limite d by the pe rspe c tive ).

Page s hidde n for non- admin use rs

S e ttings → S yste m S e ttings → S torage se ttings
S e ttings → S yste m S e ttings → Ge ne ral se ttings
S e ttings → Mainte nanc e
Logs
S e ttings → S yste m S e ttings → LDAP se ttings
S e ttings → S yste m S e ttings → Custom sc ripts
The example of cont ext menu for act ivat ion of t he Event det ail
S e ttings → S yste m S e ttings → e PO se ttings
Event related ttings → Proc e ssing → S NMP me ssage
S eactions
S e ttings → Proc e ssing → S yslog me ssage
The but t ons t hat can perform
S e ttings → Proc e tssing
he following act ions can be found in t he header of t he event det ail window.
→ False positive

Copy
T heevent ID: Copies
re ad- only t henon-
page s for event ID int
admin useorst he clipboard.
S e ttings → S yste m S e ttings → Use r pe rmissions (only the pe rmissions assigne d to that use r)
Dock window: Opens t he event det ail in a new ADS t ab.
S e ttings → S yste m S e ttings → Name d se rvic e s
Three dot S es: Open→tShe
ttings yste m Sext
cont e ttings
menu→ Exte
for trnal que rie. s
he event
S e ttings → S yste m S e ttings → Eve nt c ate gorie s
Information Sin an event
e ttings → Procdetail
e ssing → Data fe e ds (ac c ording to the pe rspe c tive s assigne d to that use r)
S e ttings → Proc e ssing → Filte rs (only filte rs assigne d to him)
Every event detSail includes
e ttings t hee ssing
→ Proc following
→ Me informat
thods (ac ion:
c ording to the pe rspe c tive s assigne d to that use r)
Type: TypeS e ttings → Proc
of event e ssing → Pet o
, a reference rspe
t hec tive s (only
det ect ionpemetrspe
hodc tive s assigne
which d to thatt he
recognized useevent
r) .
S e ttings → Proc e ssing → Blac klists
Det ail: Det
S e ailed
ttingsinformat ion on→tCustom
→ Proc e ssing he event . rn
patte

Timest amp:
S e ttings Datc eanand
that be ct hange
ime when a part
d by non- icular
admin useevent
rs was generat ed.
S e ttings → Proc e ssing → E- mail notific ation (adding ne w re ports for some pe rspe c tive assigne d to him, vie wing and e diting re ports owne d by him)
First Flow: Timest amp of t he first flow on which t he event det ect ion was based.
S e ttings → Proc e ssing → Custom sc ripts (adding ne w re ports for some pe rspe c tive assigne d to him, vie wing and e diting re ports owne d by him)
Event source: Originat
S e ttings → Procor of an→event
e ssing (IP
T raffic readdress).
c ording (adding ne w c apture s for some pe rspe c tive assigne d to him, vie wing and e diting c apture s owne d by him)
S e ttings → S yste m S e ttings → Use r pre fe re nc e s
Capt ured source host name: DNS name assigned t o t he IP address at t he t ime of event det ect ion.
Vie wing and e diting the re ports by non- admin use rs
MAC address: MAC address (t he most used) det ect ed in relat ion t o t he event source IP.
Use r c an se e the re port if he is the owne r of the re port, or if the re port is share d and he c an se e at le ast one of its c hapte rs (the re port is ge ne rate d only
with
User ident the
it y: allowe
User ID dobt
c hapte
ainedrs).
from a domain cont roller (for more informat ion see t he Flowmon collect or document at ion).
 Probabilit
Use y: rProbabilit y of
c an se e the event det
following ect ion.
c hapte rs if:
Eve nts by priority: T he filte r and pe rspe c tive that are se t have a non- e mpty inte rse c tion with the filte rs and pe rspe c tive s assigne d to the use r.
False posit ive:Eve
Indicat es whet her t he event is a false posit ive (according t o t he rules for marking event s as false posit ives current ly in effect ). An event
nt matrix: T he pe rspe c tive that is se t have a non- e mpty inte rse c tion with the pe rspe c tive s assigne d to the use r.
can be marked as a false posit ive by t he Mark as a false positive opt ion in t he cont ext menu. When marking an event , it is necessary t o ent er t he expirat ion
Ove rall
t ime of t he false status:
posit T he(individual
ive rule pe rspe c tive thatofis tse
days het has
week,a non- e mpty
t ime inte rse cTo
t olerance). tionmark
with the pe rspeas
an event c tive s assigne
a false positd ive
to the use r.t hat event of t he same t ype and
means
originat or willEve
notnts
becount
generat ed if: Tthe
by type he pe
false
rspeposit
c tive ive
thatrule ist in
is se haseffect
a non-. e mpty inte rse c tion with the pe rspe c tive s assigne d to the use r.
Use r c an c re ate ne w re ports from allowe d c hapte rs. He be c ome s the owne r of the re port.
Det ect ed by inst ance: Name of t he inst ance of det ect ion met hod which generat ed t he event .
Use r c an e dit and de le te the re ports owne d by him.
UseFlow
Dat a feed: r c andat
de fine sc he dule
a source on dwhich
re porting on re ports
t he event was he c an seed.
generat e.
Use r c an e dit and de le te the sc he dule d re ports owne d by him.
The following informat
Ge ne ral fac ts ion is t hen st ruct ured in t abs:
Admin use r c an se e e ve n the non- share d re ports of othe r use rs.
Target s: Event t arget s (a list of IP address). The t arget s can be grouped as per individual count ries or address prefixes.
Admin use r c an assign the owne r to the re ports and to the PDF re ports.
Comment s: cIthange
T he is possible t orspe
of the pe at t ach
c tivea has
comment
no influet o
ncevery event
e on the alre.ady
These comment
e xisting s are t hen ordered chronologically. A comment always includes t he aut hor
e ve nts.
(User) and t imest
T he Lock theampconfiguration
of commentforinsert ion (Time).
non-admin use rs Comment s may
c hoic e is loc king be
the changed
S e ttings →(icon ofmpencil)
S yste or delet
S e ttings → Useed (icon
r pre fe reof dustbin),
nce depending
s, S e ttings on t he
→ Proce ssing → aut hor and
Email
t he current ly logged on user. It is always possible t o add a new comment (New comment).
notification and the Re ports se ttings.
Cat egories: Event det ails also include event cat egories. The cat egory always includes t he aut hor (User) and t he t imest amp (Time). Individual
cat egorizat ion can be removed or added (using t he Manage categories but t on). Not e t hat t he management of event cat egories is also available t hrough
t he Manage event cat egories opt ion of a cont ext menu.
ePolicy Orchest
Event rat orDisplays
evidence: Connectflows
ion Set t ings
from which t he event has been generat ed. For more info see t he Event evidence chapt er.
Relat ed IDS event s: Shows event s from t he IDS Collect or module which may be relat ed t o ADS event . If t he IDS collect or module is not inst alled, t hen t his
T hisfeat
parture willcnot
of the be available.
onfiguration Byfound
c an be default , tehe
in S source
ttings IP of
→ S yste mSane ttings
event →inetPO
he se
ADS module (Search by source IP opt ion) is used for searching IDS event s. If t he
ttings.
source IP of t he ADS event is equal t o t he source or dest inat ion IP of t he IDS event , t he IDS event is select ed. Similarly, t he IDS event s can be searched by
ADS event t arget IPs (Search by destination IPs opt ion). If one of t he t arget s of t he ADS event is equal t o t he source or dest inat ion IP of t he IDS event , t he
IDS event is select ed. If bot h opt ions are unchecked, an IDS event wit h any source or dest inat ion IP is select ed. IDS event s are searched in t ime int erval
TimestNote
amp +/- 10 minut es.

T his se ttings is not available in the Busine ss, IS P, Lite and Corporate ve rsions.

Flowmon ADS allows to obtain additional information about the IP addre ss from the e Policy Orche strator applic ation (produc t of the Mc Afe e c ompany). It is ne c e ssary
to se t the c onne c tion to the e PO se rve r (the IP addre ss and port numbe r) and login information c orre c tly.

Service Names Assignment

T his part of the c onfiguration c an be found in S e ttings → S yste m S e ttings → Name d se rvice s.

In c ase that the re are se rvic e s that run on unc onve ntional ports in the monitore d ne twork, it is use ful to add the ir assignme nt (port numbe r- se rvic e name ) to the Name d
se rvic e s list. T his assignme nt is use d in e ve nt de tails of DOS and S RVNA de te c tion me thods. If the assignme nt is re le vant only for some subne ts, it is use ful to use the
IP addre ss fie ld or the Filte r fie ld to furthe r spe c ify the assignme nt more .

Querying LDAP Set t ings

T his part of the c onfiguration c an be found in S e ttings → S yste m S e ttings → LDAP S e ttings.

Note

T his se ttings is not available in the Lite and S tandard ve rsions.

Flowmon ADS c an be c onne c te d to the LDAP or Ac tive Dire c tory database . T his c onne c tion c an be use d to ge t additional information about the IP addre sse s from a
monitore d ne twork. T his information c an be obtaine d using the IP tools from the c onte xt me nu.
Example of t he Event det ail
It is ne c e ssary to prope rly c onfigure the addre ss of the LDAP or AD se rve r and authe ntic ation use rname and password, se arc h base , name of the fie ld, that c ontains the
IP addre ss and the spe c ific ation if the se rve r is Ac tive Dire c tory se rve r or not. Whe n using the S S L, it is also ne c e ssary to upload the .pe m c e rtific ate file of the
c e rtific ate authority that signs a se rve r c e rtific ate .
Interactive Event Visualization

Not
Exte ernal queries
This feat ure is available in all versions, except t he Lit e version.
T his part of the c onfiguration c an be found in S e ttings → S yste m S e ttings → Exte rnal que rie s.
The Int eract ive event visualizat ion view enables t o view t he net work t raffic dat a, based on which t he event was det ect ed. The view is available for each event
det Tect
he ed
useon t heuse
r may basis
anyof net work
available we tbraffic
se rvictehrough
s to ge ttadditional
he Visualize infoevent
about cont ext sse
IP addre menu it em.
s, MAC Similarly,
addre as in t he
sse s, domain Event
name s anddet ails that
paths view, t he
are event
part det
of the ailsTare
URL. displayed
he que rie s
firstc an
in be
t heinvoke
t able,d in order
using thet coonte
clarify
xt mewhat
nu ofevent is ular
a partic being visualized.
obje c t (IP addre ss, MAC addre ss, e tc .) by c lic king the Exte rnal que rie s c hoic e . Whe n the que rying is finishe d, a
ne w tab in the browse r ope ns. It is possible to use the following plac e holde rs to de fine Exte rnal que ry:
Int eract ive visualizat ion displays individual IP addresses as nodes and dat a t ransmission bet ween t he IP addresses as edges. Size of nodes and edges is
proport ional t o t he volume of t ransmit t ed dat a and t heir colors, which range from green t o red, are corresponding t o t he number of flows. Event visualizat ion
can be int eract ively browsed; each node has a cont ext menu marked by t he “+” symbol. The More dat a it em of t his menu ensures downloading of all relevant
communicat ion of t he IP address. The Info it em obt ains and displays t he det ails of t he net work t raffic in t he form of a moving t able. In t he case of nodes, it
Placeholders
displays $IP,
a t able of $IP4, $IP6
aggregat and $IP6HOST
ed communicat ion wit h ot her IP addresses. In t he case of inbound t raffic, t he communicat ion is aggregat ed based on source IP
address, dest inat ion port and prot ocol. In t he case of t he out bound t raffic, t he communicat ion is aggregat ed based on t he dest inat ion IP address, source port
andAll
prot
theocol. Inetholde
se plac he case
rs reof t he
pre edges,
se nt it displays
an IP addre ss. T hea ct onte
able xt
ofme
individual dat a ular
nu for a partic flows t hat const
IP addre ss c anitfound
ut e t he
foredge, including
e xample in the sedet ailsEve
c tion such asSdurat
nts → imple ion
list,of t he cconnect
in the olumn ion,
flags and t he t ype of service (TOS).
S ource . It is possible to use ge ne ral $IP plac e holde r for both IPv4 and IPv6 addre sse s or to spe c ify whe the r the de finition of an Exte rnal que ry should be applie d only on
IPv4 or tIPv6
A special ype addre sseis
of node s using the $IP4 or
t he so-called $IP6 plac
aggregat e holde
ion. rs. S incion
Aggregat e the IPv6 addre
represent s asse s in the
larger addreof
number ss bar of browse rs
IP addresses must
and be e nte re d as
is visualized in the square brac kenode.
a circle-shaped ts (whe n
Clicking
such node
using an displays a ss
IPv6 addre listasofanIP addresses
addre t hat
ss of a se const
rve r), it ut e t hetoaggregat
it is possible ion. Select
use the $IP6HOS ingeany
T plac ofr.t he displayed IP address will exclude it from t he aggregat ion.
holde
Furt hermore, it is possible t o work wit h t he IP address and det ails of it s communicat ion by a st andard means which are described above.

T he usage of place holde rs e xample

https://$IP4/path/to/file → Whe n using this de finition for the IPv4 addre ss 192.168.1.1, the re sult will be : https://192.168.1.1/path/to/file
https://www.myse arc he ngine .c om/se arc h?q=$IP6 → Whe n using this de finition for the IPv6 addre ss ff02::1, the re sult will be :
https://www.myse arc he ngine .c om/se arc h?q=ff02::1
https://$IP6HOS T → Whe n using this de finition for the IPv6 addre ss fe 80::1:1:1:1, the re sult will be : https://[fe 80::1:1:1:1]
 Placeholder $MAC

T his plac e holde r is use d for MAC addre sse s. T he c onte xt me nu for a partic ular MAC addre ss c an be ope ne d for e xample in the Eve nt de tail se c tion.

T he usage of place holde r e xample

https://www.myse arc he ngine .c om/se arc h?q=$MAC → Whe n using this de finition for the MAC addre ss ff:ff:ff:ff:ff:ff, the re sult will be :
https://www.myse arc he ngine .c om/se arc h?q=ff:ff:ff:ff:ff:ff

Placeholder $URL

T his plac e holde r is use d for paths that follow the domain name in URL. T he c onte xt me nu for a partic ular path c an be found for e xample in the Eve nt e vide nc e , as one of
the ite ms in flows.

Example of t he int eract ive event visualizat ion

Event Evidence

The Event evidence view provides t he means of export ing t he evidence (net work dat a flows on t he basis of which t he event has been det ect ed) from t he
applicat ion. The displayed web page is adjust ed t o be able t o copy it s cont ent t o t he clipboard as a plain t ext . The event evidence consist s of t he basic info
described in t he Event Det ail sect ion. This info is followed by t he hist ogram, which could display relat ions bet ween various pairs of variables. The list of dat a
flows (raw flow dat a from t he collect or) is displayed below. The displayed informat ion includes t he source and t he t arget IP address, t imest amp of t he dat a
flow, it s durat ion, prot ocol, source and dest inat ion port , t he volume of t ransferred dat a, number of t ransmit t ed packet s, t he t ype of service and t he addit ional
informat ion according t o t he t ype of flow.
The shown flows can be filt ered as per one of t he columns. The filt er can be defined by choosing t he list of columns, list of relat ions and by writ ing t he value
int o t he t ext box.
The list ed flows t hat have t he same (or reversed) set , which consist s of source IP address, dest inat ion IP address, source port , dest inat ion port and prot ocol,
can be highlight ed using t he cont ext menu (t he icon of a brush at t he beginning of t he row) over t he single flows (Cont ext menu → Follow flow). The flows
wit hout corresponding opposit e flow can be highlight ed using t he Cont ext menu → Single flow it em.
The example o f an URL o ccurrence
The list shown in t he user int erface is limit ed t o 10,000 flows. The export ed t ext file, t hat can be downloaded by clicking on t he Save as t ext file but t on,
includes a full
T o c larify list
the of t he
usage flowplac
of this records.
e holde It is ealso
r, se the possible t oxample
following e display
: t he flows from t he event evidence in t he Flowmon monit oring cent er. By clicking on t he
Query t he Monit oring Cent er but t on a user can copy t o clipboard t he filt er t hat may be used in t he FMC.

T he usage of place holde r e xample :

https://www.mydomain.c om$URL → Whe n using this de finition for the path addre ss /my/path, the re sult will be :
https://www.mydomain.c om/my/path

Placeholder $HOSTNAME

T his plac e holde r is use d for a domain name . T he c onte xt me nu for a partic ular domain name c an be found for e xample in the Eve nt e vide nc e , as one of the ite ms in flows.

Example o f a ho s t name o ccurrence

Example of t he Event evidence window

T he usage of place holde r e xample :

https://$HOS T NAME → Whe n using this de finition for the path addre ss se rvice s.flowmon.com, the re sult will be : https://se rvic e s.flowmon.c om
 Placeholder $ANY

T he ke yword $ANY c an be use d as a plac e holde r for all the obje c ts me ntione d above (IP addre sse s, MAC addre sse s, domain name s and paths in the URL). Whe n using
this plac e holde r in the de finition of an Exte rnal que ry, it is possible to use the Exte rnal que ry with all of the me ntione d obje c ts.

User preferences

T his part of the c onfiguration c an be found in S e ttings → S yste m S e ttings → Use r Pre fe re nce s.

Use r c an c ustomize the use r inte rfac e . It is possible to turn on or off the showing the we lc ome sc re e n window and disable the automatic loading of the dashboard
IDStable s. It is also possible to hide the inac tive me thods in the se arc h c rite ria filte rs. Eac h use r c an se t the de fault sc ale (logarithmic or line ar) of the Eve nt c hart in the
Browser
Dashboard → Analysis se c tion, the de fault data fe e d and the pe rspe c tive whic h will be applie d in the se arc h c rite ria.

The IDS browser shows event s from t he IDS collect or. IDS event s wit h t he same source and dest inat ion IP and signat ure are aggregat ed. An aggregat ed event
can be expanded by clicking on t he row wit h t he respect ive event . The number of displayed aggregat ed event s is limit ed by t he Limit field. IDS event s are shown
asDat
pera tfeeds
he t ime int erval defined by t he From and To fields. IDS event s can be furt her filt ered by Source IP and Target IP. Clicking t he IDS event shows a det ail of
t he IDS event wit h all informat ion about it .
T his part of the c onfiguration c an be found in S e ttings → Proce ssing → Data fe e ds.

Descript ion

Flow data sourc e s re pre se nt individual monitore d points of the ne twork and are one of the lic e nsing re stric tions (the numbe r of simultane ously ac tive Flow data
sourc e s). For e ac h monitore d point of the ne twork, a Flow data sourc e must be c re ate d in the plug- in.

Configurat ion

Name : Unique data sourc e name .

Location: Node of the Distribute d Arc hite c ture to run the data fe e d. Eac h node must have a unique name . T he re is localhost only if the Distribute d Arc hite c ture is
turne d off.
Lice nse unit: Assigne d lic e nse unit spe c ifie s the maximum amount of flows pe r se c ond that may be proc e sse d by the give n data fe e d. Lic e nse units are lic e nc e -
de pe nde d.
Profile : Name of the profile whic h is use d as an input.
Channe ls: S e le c tion of c hanne ls whic h are use d as input data for the applic ation.
S ampling rate : Rate for sampling the input data.
De duplicate : If ac tive , duplic ate flows are skippe d. T he flows that are c onside re d to be duplic ate s are those with the same 5- tuple (src IP, dst IP, src port, dst
port, protoc ol) and ove rlapping time inte rval (flow start, duration).
Che ck time stamps: If ac tive , a Flow with a time stamp that diffe rs more than 30 minute s from syste m c loc k are de le te d.
S IP traffic proce ssing: T he switc h be twe e n the Flow data proc e ssing and proc e ssing of Flow data e nhanc e d with the S IP e ntrie s. It is impossible to proc e ss both
(Flow data with S IP e ntrie s and Flow data without S IP e ntrie s) on the single data fe e d toge the r. Only the de te c tion me thods with "S IP" pre fix are use d if the S IP
proc e ssing is ac tive .

Note

The example of t heTIDS browser window

his fe ature is available in all ve rsions, e xc e pt the Lite ve rsion.

S tate : T he c urre nt state of the data fe e d.

Active proxy: pe rforms the re plac e me nt of two flows c lie nt- proxy and proxy- se rve r by one flow c lie nt- se rve r. T his c orre lation allows the func tioning of some
me thods that would not be able to de te c t e ve nts c orre c tly in the ne twork with proxy to work prope rly. Within the me thod c onfiguration, it is possible to se t up the
tole rate d data amount diffe re nc e be twe e n the two partic ular flows that have to be c orre late d (T ole rance ) and the c ounts of millise c onds that c ould take the
flows oute r the proxy longe r (Re que st Ove rload, Re sponse Ove rload). T he c orre lation has got high ac c urac y and c ove rage but it is not absolute .
T he c orre lation of flows be fore and be hind the proxy is possible only if the ne twork is monitore d at two points – inside the ne twork be hind the proxy se rve r and
outside the proxy se rve r. It is ne c e ssary to se t up the IP addre sse s of the oute r (Exte rnal IP) and inne r (Inte rnal IP) inte rfac e s and the proxy se rve r’s liste ning port
(Inte rnal Port). For re duc ing false positive s, the proxy c lie nts (Clie nts Filte r) c an be spe c ifie d. It is possible to de fine more proxy se rve rs for e ac h data fe e d. T he
maximum c ount is limite d by lic e nse .

Note

T his fe ature is available in all ve rsions, e xc e pt the Lite and S tandard ve rsions.

Channe ls as virtual data fe e ds: It is possible to ac tivate so- c alle d Virtual sources for data fe e ds. T he se virtual sourc e s are de dic ate d to isolating Flow data from
individual c hanne ls of the input profile . T he se virtual sourc e s allow the c hanne ls to be assigne d to the instanc e s of de te c tion me thods and to the prioritie s. Data
from diffe re nt c hanne ls are proc e sse d se parate ly from e ac h othe r if ac tive . T he maximal numbe r of virtual data sourc e s is limite d by the lic e nc e type , se e the
following table .
Logs
Lice nce type Maximal numbe r of virtual source s

S tandard
Flowmon ADS allows t o display configurat ion changes,5t hat have been performed by individual users. Changes are shown in t he form of a t ree and sort ed by
username and dat e when t he change t ook place. The changes could be searched using t he search crit eria filt er where it is possible t o filt er according t o t he
following crit eria:
Busine sss 10

Dat e: Allows t o set cust om or pre-built t ime int erval.

Corporate 30

Act ion t ype: Allows t o display only specified act ions

Ultimate 50 (add, change or delet e).
Det ail cont ains: Displays only configurat ion changes whose det ail cont ains specified st ring.
Example : An IS P c an c re ate virtual sourc e s pe r AS N groups and analyse traffic anomalie s for e ve ry group se parate ly. Just c re ate a ne w profile with c hanne ls for
e ve ry AS N group, assign the profile to ADS data fe e d, se le c t all c hanne ls and ac tivate virtual sourc e s.
 Note

T his fe ature is available in all ve rsions, e xc e pt the Lite ve rsion.

View of log det ail

De tails on c onfiguring the e xporte rs c an be found in Flowmon probe doc ume ntation. T he granularity of flows impac ts the ac c urac y of de te c tion me thods. T o
Reports
re duc e the numbe r of flows that are ge ne rate d by the probe following value s are appropriate :
ac tive time out – 300 s
inac tive time out – 30 s
The report s are a means t o obt ain complet e informat ion about t he IP addresses regist ered in t he applicat ion. Report s save informat ion about event s int o a set ,
which can be direct ly export ed t o t he PDF.
TheAct
report
ionss consist of chapt ers which can be modified by t he user.

Assign to de te ction me thods: Assigns data fe e d to all de te c tion me thods. Assigning to a spe c ific me thod c an be also done manually in Me thods c onfiguration.
Chapters

There are t he following t ypes of chapt ers available:

Overall status
Filt ers
Cont ains t he chart t hat displays t he t raffic in flows per second and t he chart wit h event s generat ed during a t ime period. In t his t ype of chart , event s are
grouped by event t ype. The overall st at us also includes t he t able wit h t op event s by priorit y and t heir corresponding count .
Filte rs c an be c onfigure d in S e ttings → Proce ssing → Filte rs.
Event
Corrematrix
c t se ttings of Flow data sourc e s and the logic al ne twork topology has a positive e ffe c t on the re sults obtaine d by the de te c tion me thods and on the ove rall
pre dic tive c apability of the ADS module . T he basic distinguishable e ntity in the module is an IP addre ss. Whe n the oc c urre nc e of an e ve nt is de te c te d, the e ve nt is
Table of occurrences of t he most severe event s in t he net work. It is displayed by single days and devices.
bound to the re sponsible IP addre ss and to the flow data sourc e on whic h the e ve nt has be e n de te c te d. T hat implie s that the re is a numbe r of limitations whe n IP
addre sse
Events by spriority
are dynamic ally alloc ate d and stable alloc ation of ide ntic al IP addre sse s to e ac h ne twork de vic e is not guarante e d. In suc h c ase , it is not possible to de rive a
dire c t re sponsibility of a partic ular use r for the de te c te d e ve nt.
List of t he most import ant event s in t he net work displayed as in t he Event s → Simple list view.
Filte r re pre se nts a name d logic al grouping of arbitrary IP addre sse s. Eac h filte r has a unique name and inc lude s an unre stric te d numbe r of IP addre ss range s. Filte rs are
also use
Events byd by de te c tion me thods to limit the range of the addre sse s that are re le vant for e ac h de te c tion me thod.
type
T he re are two type s of filte rs – atomic and re lational filte rs. Atomic filte rs are filte rs that are de fine d and store d dire c tly as IP addre ss range s (se e be low for possible
List (and t he piechart ) of t he number of t he most import ant event s in t he net work.
formats). T he re lational filte rs are de fine d as re lations on othe r filte rs (a re lation c an be sum or diffe re nc e of more filte rs or inve rsion of the single filte r and
Thec respect
ombinations). Re lational
ive chapt filte rs
er is creat edare
bystore d the same
configuring t heway as de
chapt erfinitions of re
t o cert ain lations.ItWhe
values. n the partial
is possible filte r is
t o creat c hange
e more d, theers
chapt re le
ofvant
t heresame
lational filtebut
t ype r is wit
modifie d as we ll.
h different
set t ings. Only admin user can creat e, modify and delet e t he chapt ers. If t he delet ed chapt er belongs t o some report , t he user is warned prior t o delet ion. If t he
IP ed
delet addre sseer
chapt s of
is filte
t he rs c anone
last be einnte re dreport
t he in the, following
t he user ways:
is warned and t he report is event ually delet ed.
Ne twork addre ss or mask, for the IP ve rsion 4 and 6 (e .g. 192.168.1.0/24, fc 00::/7)

ReportsRange of IP addre sse s, for the IP ve rsion 4 and 6 (e .g. 10.0.1.2- 10.0.1.10, fe 80::- fe 80::ffff)
S ingle IP addre ss, for the IP ve rsion 4 and 6 (e .g. 192.168.2.1, 2001:db8::be e f) or c omma se parate d list of single IP addre sse s
Wildc ards notation of IPv4 addre sse s (e nume ration, range , all), only single wildc ard c an be use d in one IP addre ss. Example s:
The report is defined as t he sequence of t he select ed chapt ers. Each user can creat e and edit his own report s. The user can mark t he report as a shared (it
192.168.{1,3,20}.1:
could be seen by ot herIP users).
addre sse s 192.168.1.1,
The common user 192.168.3.1
can edit and 192.168.20.1
or delet e only his own report s, t he administ rat or can see, modify or delet e all report s.
10.[1-3].0.0: IP addre sse s 10.1.0.0, 10.2.0.0 and 10.3.0.0
Generat ing t he report is possible at t he Creat e report t ab and it consist s of choosing a report t emplat e and specifying a t ime window, which will be included
int o172.16.*.1:
t he reportS.ame
Theasgenerat ed report
172.16.[0- 255].0 can be direct ly export ed t o t he PDF. Generat ing t he report can consume much t ime and syst em resources wit h respect t o
t he chapt er paramet ers set t ings and t he chosen t ime window. The generat ing of t he report can be st opped anyt ime.
In the c ase of c re ation of a gre ate r numbe r of IP range s, it is strongly re c omme nde d to ac tivate the Filte r booste r parame te r in S e ttings → S yste m S e ttings → S torage
S e ttings.
Default Report

Note
Apart from set s of report s defined by a user, t he syst em also offers t emplat es of default report s. The default report consist s of t he following chapt ers:
T he import fe ature is available in all ve rsions, e xc e pt the Lite ve rsion.
Overall status for Security Issues
Based on t he Securit y Issues perspect ive, t he chart is generat ed t oget her wit h t he flow count in t he logarit hmic or linear scale for each dat a feed separat ely.
You may import filte r de finitions from the te xt file by c lic king the Import Atomic Filte rs button. Eac h line of the file spe c ifie s one ite m of the filte r and c onsists of IP
Overall status for Operational Issues
addre ss de finition and filte r name (se parate d by a se mic olon). T he IP addre ss c an be spe c ifie d the same way as a de finition of a manual filte r. If the name of the filte r
alre ady e xists, you will be notic e d and the import will fail. If the c he c kbox Ove rwrite and skip the proble matic is c he c ke d, the n the IP range s of the filte rs with the same
Based on t he Operat ional Issues perspect ive, t he chart is generat ed t oget her wit h t he flow count in t he logarit hmic or linear scale for each dat a feed
nameely.
separat as in the uploade d file are ove rwritte n by those from the file . S hould the re lational filte r be ove rwritte n, the import of that filte r will be skippe d.

Event matrix for Security Issues

Example of filte r de finition file
For t he priorit y HIGH or higher.
192.168.1.0/24;LAN
Event matrix for Operational Issues
192.168.10.0- 192.168.10.25;LAN
For t he priorit y HIGH or higher.
192.168.1.1 ;S MT P

Scheduling Reports
Both atomic and re lational filte rs are shown in one c onfiguration table with the possibility of filte ring by type . Above the table , the re is a se arc h fie ld whic h allows full-
te xt se arc h in all c olumns.
The Flowmon ADS applicat ion allows t o set aut omat ic generat ing of report s and t heir sending in t he PDF format . It is necessary t o choose t he report (Report ),
t hen t o act ivat e or deact ivat e t he generat ing and sending (Act ive), select t he period used for t he generat ing (Int erval). When t he daily or weekly report ing is
select ed, it is necessary t o choose on which weekdays should t he report s be generat ed. The mont hly report is generat ed on t he first day of t he mont h t hat
follows. Set t ing t he Cust om int erval (it is needed t o choose t he first and last day of t he report ) will generat e at t he end of t he ent ered period.
It is possible t o set t he email addresses of t he sender (Sender email) and of t he recipient s (Recipient email).

Contact and Other Info

Contacts
Flowmon Net works a.s.
Filt er co nf igurat io n t able
Sochorova 3232/34
616Example
00 Brnoof filte r configuration: c onside r the e nvironme nt of an organization whic h monitors its ne twork at two points. T he first point, whic h is c onne c te d to the probe
port 1 and 2, is the Inte rne t c onne c tion be hind a fire wall, whic h is monitore d via T AP. T he se c ond monitore d point is a c e ntral switc h of the organization c onne c te d to
Czech Republic
the probe port 3 via S PAN port.
Web: www.flowmon.com
What to pe rform in the ADS module :
Email: 1.
info@flowmon.com
S e tting the WAN data sourc e , whic h re pre se nts the Inte rne t c onne c tion and the LAN data sourc e whic h re pre se nts the c e ntral switc h.
2. Exporting
Tel.: +420 530 510the
601data from probe port 1 and 2 into the WAN sourc e and data from probe port 3 into the LAN sourc e .
3. Cre ation of a filte r "LANout" whic h c omprise s addre sse s 192.168.1.0/24, and bind it to the WAN sourc e
Feedback
4. Cre ation of a filte r "LANin" whic h c omprise s also addre sse s 192.168.1.0/24, whic h we bind to the LAN sourc e .
5. Ac tivation of de te c tion of instant me ssaging se rvic e s on the LANout filte r. T his de te c tion doe s not make se nse for inte rnal c ommunic ation.
We would be pleased if you t ell us your comment s t o t his t ext (t yping errors, incomplet e or unclear informat ion). Please, cont act us via email
support @flowmon.com.
If we didn’t bind filte rs with the flow data sourc e s, the re would be duplic ation in the de te c tion of instant me ssaging (ide ntic al data would be proc e sse d twic e ).

Copyright
Whe n c re ating a re lational filte r, the dialog window allows to de fine the re lations as a filte r union (the Add ope ration) or a filte r subtrac tion (ope ration S ubtract). T he
ope ration c an be c ombine d with inve rsion of the give n filte r. T he ne w filte r c an be save d as an atomic one by c hoosing the Atomize option (store d are the IP addre ss
This document
range is of
s inste ad intthe
ended for informat
re lation ional purposes only. Any informat ion herein is believed t o be reliable. However, Flowmon Net works assumes no
de finition).
responsibilit y for t he accuracy of t he informat ion. Flowmon Net works reserves t he right t o change t he document and t he product s described wit hout not ice.
Flowmon Net works
T he re lation filte rsand
c ant be
he eaut hors
dite disclaim
d, atomize d orany and
de le te dall liabilit
using theies.
re le vant buttons. It is also possible to show the de pe nde nc ie s on a give n filte r.

Except as st at ed herein, none of t he document may be copied, reproduced, dist ribut ed, republished, downloaded, displayed, post ed, or t ransmit t ed in any form
orDet
by ect
anyion
means including, but not limit ed t o, elect ronic, mechanical, phot ocopying, recording, or ot herwise, wit hout t he prior writ t en consent of Flowmon
Met hods
Net works. Any unaut horized use of t his specificat ion may violat e copyright laws, t rademark laws, t he laws of privacy and publicit y, and communicat ions
regulat ions and st at ut es.
De te c tion me thods c an be c onfigure d in S e ttings → Proce ssing → Me thods.
Flowmon Net works, t he company logo, and ot her designat ed brands included herein are t rademarks of Flowmon Net works a.s. All ot her t rademarks are t he
propert
De teyc tion
of t heir respect
me thods are ive
pre owners.
de fine d by the manufac ture r and use d to de te c t various pote ntially unde sirable ac tivitie s on the ne twork. T he various me thods are
deproduct
This sc ribe d in de tail
uses in theand
NfSen De te c tion mesoft
Nfdump thods c hapte
ware r.
Copyright © 2004, SWITCH Teleinformat ikdienst e fuer Lehre und Forschung.
Copyright © 2007 – 2019 Flowmon Net works a.s. All right s reserved.

Met ho ds co nf igurat io n t able

Above the table , the re is a se arc h fie ld that supports full- te xt se arc h.

T he c onfiguration c onsists of:

ac tivation and de ac tivation of a me thod

assignme nt of filte rs to me thods (any numbe r of filte rs c an be assigne d)
spe c ific c onfiguration (me thods may have spe c ific c onfiguration parame te rs that c an be se t or ac tions that c an be pe rforme d)

De pe nding on the nature of the me thod, some of the options above c an be inac tive . T he syste m me thods for e xample , (e .g. e ve nt re porting) c annot be turne d off nor
have filte rs assigne d. All c onfiguration c hange s will take e ffe c t imme diate ly afte r proc e ssing of the ne xt batc h of flow data by the re spe c tive me thod.

Perspect ives

T his part of the c onfiguration c an be found in S e ttings → Proce ssing → Pe rspe ctive s.

T he Flowmon ADS module allows you to c re ate your own e ve nt pe rspe c tive s that assign prioritie s to e ve nts. T his ope ration is pe rforme d base d on the type of e ve nt, the
ne twork se gme nt whe re the e ve nt oc c urre d (base d on the filte r) and on the data fe e d, whic h provide s the flow data use d for e ve nt de te c tion. Pe rspe c tive s c an be use d
for re porting e ve nts, ale rting or se arc hing in the applic ation GUI. Eac h pe rspe c tive is a unique ly name d group of prioritie s assigne d to e ve nts of a give n type (i.e . to
e ve nts ge ne rate d by the give n de te c tion me thod). T he assignme nt c an be e ithe r ne twork- wide or de pe nde nt on the filte r.

You c an c re ate or e dit the pe rspe c tive using the simple or the advanc e d form. T he simple form allows you to manage basic se ttings, suc h as c hoosing filte r and data
fe e d and distribute the me thods to the c hose n prioritie s. T he filte r is assigne d to e ac h priority twic e – onc e as a sourc e filte r and onc e as a targe t filte r. T he me thod
c an only be assigne d to one priority.

Flowmon ADS module offe rs five e ve nt prioritie s:

CRIT ICAL
HIGH
MEDIUM
LOW
INFORMAT ION

T he advanc e d form allows you to furthe r spe c ify the se ttings. You c an assign a spe c ific filte r and data fe e d to e ac h me thod se parate ly. You c an c hoose the filte r to be a
sourc e and/or targe t one for e ac h me thod. It is possible to assign the priority to e ac h me thod, base d on a substring that is a part of an e ve nt de tail. An e mpty substring
matc he s any e ve nt de tail. T he advanc e d form allows to c re ate c onflic ting rule s with a non- e mpty inte rse c tion. In this c ase , the e ve nt se t to the highe st possible
priority. You c an also c all the func tion of assigning the information priority to the re maining ite ms. It is possible to switc h to the simple form only whe n the se t of rule s of
the advanc e d form c orre sponds to the rule s of simple form.

T he pre de fine d pe rspe c tive s c an be ge ne rate d using the Cre ate de fault pe rspe ctive s button.

Cat egories of Event s

 T his part of c onfiguration c an be found in S e ttings→ S yste m S e ttings → Eve nt cate gorie s.

T he Eve nt cate gorie s subse c tion allows you to de fine your own e ve nt c ate gorie s. You may the n assign the m to e ve nts using the Manage cate gorie s c onte xt me nu (for
e xample in Eve nts → S imple list, whe n ope ning Eve nt de tail of a partic ular e ve nt, tab Cate gorie s). T his way you c an mark e ve nts that should be furthe r e xplore d; the se
marks c an be also use d in subse que nt se arc he s.

False Posit ives

T his part of the c onfiguration c an be found in S e ttings → Proce ssing → False positive .

T he de te c te d e ve nts c an be marke d as false positive s using the Mark as a false positive option of the c onte xt me nu. T his mark me ans that the e ve nt of the re spe c tive
type c ause d by the give n IP addre ss will no longe r be re porte d. T he validity of the false positive mark c an be limite d to individual days of the we e k, time inte rvals and a
partic ular data fe e d. T he validity of marking an e ve nt c an be limite d to the targe ts of the c urre nt e ve nt as we ll. If the re is a limitation base d on the targe ts of the e ve nts,
it is possible to ignore the e ve nt sourc e . T he e ve nt sourc e or e ve nt targe ts that are re le vant for the rule c an be de fine d by the filte r as we ll. T he numbe r of false
positive s is limite d by the ove rall c omple xity of all rule s re pre se nte d by slots.

Overview

Fals e po s it ive co nf igurat io n t able

T he usage of available false positive slots is visible on the top right c orne r of the c onfiguration page . Use d slots are c alc ulate d base d on the c omple xity of a false
positive rule . Available slots re pre se nt the re maining re sourc e s of the syste m for false positive proc e ssing.

T able c olumns c an be c ustomize d by adding or re moving optional c olumns (the button). List of optional c olumns:

Data fe e ds
Cre ate d
Late st usage
Usage c ount

Above the table , the re is a se arc h fie ld that supports a full- te xt se arc h and a se arc h by IP addre ss.

T he false positive rule may be te mporarily de ac tivate d. T his c an be done by c lic king the De activate button in a c onte xt me nu of the c orre sponding false positive rule in
the se c tion S e ttings → Proce ssing → False positive . T he false positive rule may be ac tivate d again by c lic king on the Activate button that is loc ate d at the same plac e .

Re moval of rule s for false positive s marking is done on the same page . It is done by c lic king the De le te rule button in a c onte xt me nu of the c orre sponding false positive
rule .

Clic king on the row of the spe c ific false positive rule will e xpand the row showing de taile d information about the rule .

Configurat ion opt ions

T he false positive rule c an be de fine d by c hoosing spe c ific days of the we e k. T he e ve nts c an be ignore d during the whole day or within the inte rval spe c ifie d by the
e ve nt time and by the range of the inte rval in minute s. T he rule has to be c onne c te d to e ve nt sourc e or to some (or all) e ve nt targe ts. It is also possible to assign validity
and a c omme nt to the rule .

It is possible to de fine the false positive rule re gardle ss of the de te c te d e ve nt. T his option c an be found in the S e ttings → Proce ssing → False positive . It is possible to
manually c hoose the de te c tion me thods, e nte r the sourc e and targe t IP addre sse s, and e nte r the time range . T he rule is always c re ate d for e ac h c ombination of the
de te c tion me thod and the sourc e IP addre sse s. All targe ts are assigne d to e ac h rule .

IP addre sse s c an be e nte re d as a c omma- se parate d list. Whe n e nte ring the IPv4 addre ss, one of its fie lds c an be writte n using a wildc ard. T his wildc ard c an re pre se nt
the e nume ration of numbe rs (a c omma- se parate d list e nc lose d in c urly brac e s), range of two numbe rs (two numbe rs se parate d by dash e nc lose d in square brac ke ts) or
the aste risk that re pre se nts the 0- 255 range .

Example s:

192.168.{1,7,100}.1: IP addre sse s 192.168.1.1, 192.168.7.1, 192.168.100.1

10.[1-3].0.0: IP addre sse s 10.1.0.0, 10.2.0.0, 10.3.0.0

172.16.*.1: e quivale nt to 172.16.[0- 255].0

It is possible to de le te all e ve nts whic h c orre spond to the false positive rule using the De le te e ve nts marke d as false positive s c hoic e . T his ac tion c an also be limite d to
spe c ific time inte rvals to the past, spe c ific ally day, we e k or month. It c an be found in se c tion Othe rs. Ple ase note that this ope ration may take a ve ry long time whe n
more than one day is se le c te d.

Usage st at ist ics

Eac h de fine d false positive rule c ounts the statistic s of its own usage (how many time s and whic h part of the rule was applie d). T he statistic s are use ful for false
positive tuning. Whe n false positive rule is modifie d, the statistic s of usage and last usage time stamp are re se t.
 T o display the statistic s it is ne c e ssary to e xpand the row with a partic ular false positive rule and c lic k on the button Usage statistics.

The example o f t he us age s t at is t ics f o r Fals e po s it ive rule

Usage count t ypes

S ource filte rs: how many time s has the sourc e filte r be e n use d. All e ve nts have e xac tly one sourc e IP addre ss. If the rule is c onfigure d with a sourc e filte r and the
filte r matc he s the e ve nt sourc e IP, the c ount is inc re me nte d by 1.
T arge t filte rs: how many time s have the targe t filte rs be e n use d. An e ve nt c an have ze ro, one or more IP addre sse s. If the rule is c onfigure d with a targe t filte r and
the filte r matc he s some targe t IP addre sse s of e ve nt, the c ount is inc re me nte d by the numbe r of matc he d IPs.
IP addre sse s: how many time s has the sourc e or the targe t IP be e n use d. It is sum of usage from Usage pe r IP addre ss table .
Ove rall: S um of all pre vious c ounte r type s. T his sum is also displaye d in the ove rvie w false positive table as usage c ount.

Usage pe r IP addre ss table is matrix c re ate d from sourc e and targe t IP addre sse s de fine d inside the rule . For e xample , whe n the rule s is de fine d by 1 sourc e and 5
targe t IP addre sse s, the table has 5 rows. T he table is e mpty whe n no sourc e and targe t IP addre sse s is de fine d. Eac h row of the table c ontains the time stamp of the
late st usage and usage c ount. Usage c ount is inc re me nte d by 1 whe n sourc e and targe t pair matc h an e ve nt. One e ve nt may inc re me nt a usage c ount on more rows.

Blacklist s

T his c onfiguration c an be found in S e ttings → Blacklists.

T his page allows to manage the blac klists that are use d by the de te c tion me thod BLACKLIS T . T he re are basic ally two type s of blac klists:

Flowmon Blacklist s

Note

T he P2PBotne tActivitie s, Botne tDomains a PhishingDomains blac klists are available only whe n the lic e nse with Platinum or Gold support is ac tive .

T his type of blac klists is dire c tly maintaine d by the Flowmon Ne tworks c ompany. T he blac klists of this type are pe riodic ally (e ve ry 6 hours) update d from the Flowmon
se rvice s portal if the Flowmon de vic e is c onne c te d to the Inte rne t. T he partic ular Flowmon blac klists are de signe d for the de te c tion of the following malic ious
ac tivitie s:

Communic ation with IP addre sse s of known attac ke rs (Attacke rActivitie s blac klist)
Communic ation with IP addre sse s of known botne t c ommand and c ontrol se rve rs (Botne tActivitie s blac klist)
Communic ation with IP addre sse s of known S PAM sourc e s (S pamme rActivitie s blac klist)
Communic ation with known malware domains (Malware Domains blac klist)
Communic ation with known P2P botne t supe rnode s (P2PBotne tActivitie s blac klist)
Communic ation with known botne t domains (Botne tDomains blac klist)
Communic ation with known phishing domains (PhishingDomains blac klists)

Cust om Blacklist s

Note

Ple ase note that Local custom blacklists are not inc lude d in the ADS c onfiguration file (c an be e xporte d in Flowmon Configuration Ce nte r → S yste m →
Mainte nance ) and the ir c onte nt is lost afte r the import of the c onfiguration. It is re quire d to manually upload the original blac klist file s to e ac h Loc al
c ustom blac klist afte r the import proc e ss.

It is also possible to add c ustom blac klists whose c onte nt is the n use d by the BLACKLIS T de te c tion me thod to de te c t c ommunic ation with spe c ifie d IP addre sse s,
domains or se rvic e s at the spe c ifie d IP addre sse s. T he sourc e of c ustom blac klists may be a loc al file (Local custom blacklists - possible to add by c lic king on the Ne w
local blacklist button) or a URL to the file at a re mote se rve r (Re mote custom blacklists - possible to add by c lic king on the Ne w re mote blacklist button). In both c ase s,
the file s must be in CS V format and the ir c onte nt must c orre spond with e xac tly one of the following type s.

Host (IP addre ss)

T his type of c ustom blac klists c onsists only of IP addre sse s, one IP addre ss pe r line . Only the IPv4 addre sse s are supporte d. Whe n c ommunic ation with any of the
provide d IP addre ss is de te c te d, the BLACKLIS T e ve nt is ge ne rate d. T he format of this c ustom blac klist type is available in the following e xample :

Example of Host blacklist type

 Example of Host blacklist type

1.1.1.1

2.2.2.2

3.3.3.3

We b or domain (hostname , path, comme nt)

T his type of c ustom blac klists is de signe d to de te c t c ommunic ation with a spe c ifie d domain and a path within this domain. T he BLACKLIS T e ve nt is ge ne rate d whe n the
domain and path de te c te d in a flow matc h any e ntry in the spe c ifie d blac klist. One e ntry in this type of blac klist c onsists of a triple t with the following ite ms, se parate d
by a c omma:

Domain name (hostname ): Consists only of the AS CII c harac te rs. T he maximal le ngth is limite d by 32 c harac te rs.
Path within this domain (path): Consists only of the AS CII c harac te rs. T he maximal le ngth is limite d by 64 c harac te rs. Whe n the re is a symbol of slash inse rte d
inste ad of a valid path, any path within the domain is c onside re d to be a positive matc h.
Comme nt: Consists only of the AS CII c harac te rs. T his ite m is optional and its maximal le ngth is limite d by 256 c harac te rs.

Example of We b or domain blacklist type

myfirstdomain.c om, /,I will ge ne rate the BLACKLIS T e ve nt for any path within this domain

myse c onddomain.c om,/path/to/any/file ,I will ge ne rate e ve nt only for path /path/to/any/file within this domain

mythirddomain.c om,/,

myfourthdomain.c om,/,T he pre vious e ntry has no c omme nt

S e rvice (IP addre ss, port, protocol, comme nt)

T his type of c ustom blac klists is de signe d to de te c t usage of spe c ifie d se rvic e at the spe c ific IP addre ss. One e ntry in this type of blac klist c onsists of five ite ms,
se parate d by a c omma:

IP addre ss: Only IPv4 addre ss type is supporte d.

Port: An inte ge r numbe r in range 0 - 65535.
Protocol: S tring with value TCP or UDP.
Comme nt: Consists only of the AS CII c harac te rs. T his ite m is optional and its maximal le ngth is limite d by 256 c harac te rs.

Example of IP addre ss, port, protocol, comme nt blacklist type

1.1.1.1,53,UDP,Malic ious DNS se rve r

2.2.2.2,443,T CP,Phishing we b page

3.3.3.3,22,T CP,Malic ious S S H se rve r

Adding a new cust om blacklist

It is possible to add a ne w c ustom blac klist using the buttons Ne w re mote /local blacklist base d on the sourc e of a blac klist file . Afte r c lic king one of the se buttons it is
ne c e ssary to fill in the following fie lds:

Blacklist name : Unique name of a c ustom blac klist.

De scription: De sc ription of a c ustom blac klist. T his de sc ription is use d in the de tail of BLACKLIS T de te c tion me thod. T his parame te r is optional, in c ase the re is
no de sc ription is provide d, the Blacklist name is use d in the e ve nt de tail.
File to upload/Re mote URL: Loc al file or re mote URL that is a sourc e of the blac kliste d c onte nt.
Data format: T ype of a c ustom blac klist (the se type s are me ntione d above ).

The dialo g windo w t hat is us ed f o r adding a new lo cal blacklis t

T he c onte nt of the c ustom blac klist (c an be displaye d by e xpanding a row with a partic ular blac klist and c lic king on the Blacklist conte nt button) should be loade d
imme diate ly afte r the adding proc e ss. If the c ustom blac klist is e mpty afte r the proc e ss of adding, it may be c ause d by the download fail of the Re mote c ustom
blac klist.
 Afte r a ne w c ustom blac klist is adde d, it is ne c e ssary to assign it to some BLACKLIS T me thod instanc e so it c an by prope rly e valuate d by the de te c tion me thod. T his c an
be done by c lic king on the Assign button in the row with a c ustom blac klist and c hoosing a me thod instanc e s that blac klist should be assigne d to. T his is also possible in
the c onfiguration of the BLACKLIS T me thod using the ActiveBlacklists parame te r whic h is de sc ribe d in the se c tion BLACKLIS T – Communic ation with blac kliste d hosts.

Management of blacklist s

It is possible to filte r blac klists ac c ording to the ir name or de sc ription at the top le ft c orne r of the blac klist se ttings page . It is also possible to c hoose whic h blac klists
should be displaye d, base d on the ir origin, with the c he c kboxe s in the top right c orne r. T o e dit the alre ady e xisting blac klists it is possible to use the Edit button. It is
also possible to de le te any c ustom blac klist with the c onte xt me nu that is ac tivate d by the thre e dots ic on at the e nd of a row with a c ustom blac klist. Whe n the re is an
orange ic on with a symbol of ge ar toge the r with an e xc lamation mark displaye d on the le ft of the blac klist name , the blac klist is not assigne d to any instanc e of the
BLACKLIS T me thod, whic h me ans, that the blac klist is not proc e sse d.

Cust om act ions

T his part of the c onfiguration c an be found in S e ttings → Proce ssing, the Custom actions se c tion.

Email not ificat ions

Flowmon ADS module allows to de fine re gular re ports whic h will be se nt via e mail by the applic ation.

Eac h e mail re port must be unique ly name d and bound to e xac tly one pe rspe c tive . A re port c an be in the ac tive or inac tive state . An inac tive re port is de fine d in the
syste m but is not be ing se nt re gularly. A re port c an be assigne d with any numbe r of re c ipie nt addre sse s by Add ne w e mail. T he re is also an option to suppre ss se nding
of an e mpty re port (Do not se nd e mpty re ports – only daily and we e kly re ports c an be se nt e mpty, if disable d) and option to se t a minimum priority of e ve nts to be
re porte d (Minimal priority to be re porte d). Re ports are se nt pe r the following rule s:

CRIT ICAL: re porting imme diate ly afte r proc e ssing of a batc h of the flow data, approximate ly e ve ry 5 minute s; a blank re port is ne ve r se nt.
HIGH: re porting hourly summarie s
MEDIUM: re porting six- hour summarie s
LOW: re porting daily summarie s
INFORMAT ION: re porting we e kly summarie s

You c an use the S kip ide ntical e ve nts parame te r to disable re pe titive se nding of the same e ve nt in the re spe c tive re port for the se le c te d time pe riod. T he e ve nts with
the same e ve nt type and e ve nt sourc e are c onside re d to be ide ntic al. Only one of suc h e ve nts is re porte d in the long- te rm re port (re ports for the HIGH priority or lowe r)
if se t to a non- ze ro value .

Othe r options:

Active links: se ts all links in the Full e mail re ports to be c lic kable
S how time zone info: shows time zone in Full, Compact and Email pe r e ve nt e mail re ports

T he Flowmon ADS module allows to se nd e mail re ports in se ve ral formats:

S ummary re ports

T he Full format provide s the re ports as an HT ML- formatte d table , the Compact format se nds the re ports as a plain te xt, the Extra compact format is also as a plain te xt,
but with some information omitte d (e .g. e ve nt de tail, e ve nt targe ts e tc .), the re port is also aggre gate d with re spe c t to the e ve nt type . All thre e type s are summary
re ports. T he y re port all e ve nts for a spe c ific time pe riod and priority. T he time pe riod c orre sponds to priority rule s above .

S e parate e ve nt re ports

T he e mail pe r e ve nt format provide s only the information about a single e ve nt and it is de dic ate d e spe c ially to automatic proc e ssing. It c an ge ne rate a huge numbe r of
e mail re ports (e qual to a numbe r of e ve nts). T his numbe r c an be re duc e d by using the Skip identical events fe ature to filte r the same e ve nts during the give n time pe riod.
Like othe r formats, the e mail e ve nt re ports are se nt in ac c ordanc e with priority rule s.

T he RT e mail format

Flowmon ADS also allows to se nd re ports as tic ke ts to the RT tic ke ting syste m. T o e nable this func tion, you ne e d to se t the format to the RT value . T his format adds
thre e attribute s into the e mail he ade r: X-RT -T ool-Name , X-RT -Incide nt-IP and X-RT -Incide nt-T ime . T he first attribute is always se t to “Flowmon ADS ” and c onc ate nate d
with the name of the e ve nt. T he othe rs have assigne d the ir value s ac c ording to the re porte d e ve nts. T he re are all e ve nts with the give n type re late d to the one IP in the
single e mail or tic ke t for the re spe c tive time pe riod. T he time pe riod c orre sponds to priority rule s. T he first e ve nt of the row is use d as a le ade r e ve nt. All
c orre sponding e ve nts are liste d in the Event details.

Bo dy o f t he e ma i l pe r e ve nt f o rma t

<ID>: (unique event identifier);

<Category>: (code of the detection method);
<Type>: (name of the detection method);
<Perspective>: (name of the perspective assigned to the report);
<Severity>: (priority of the event);
<Time>: (start time in UTC);
<Protocol>: (protocol related to the event or empty value);
<Source>: (source IP address);
<Target IPs>: (first 10 target IP addresses);
<Ports involved>: (port numbers related to the event or empty value);

Bo dy o f t he RT e ma i l , t he e ve nt de t a i l s we re s ho rt e ne d

IP: 192.168.1.1 // event source

Type: DNS traffic anomaly // detection method description
Severity:
Use of unauthorized DNS server (connections: 20). // leader event
detail Time: 2015-11-05 17:00:13 GMT+0100 // leader event timestamp
Incident details: // event id, timestamp, detail, targets
5102353 2015-11-05 17:00:13 GMT+0100 Use of ... (connections: 20). 8.8.8.8
5102382 2015-11-05 17:00:13 GMT+0100 Use of ... (connections: 20). 8.8.8.8

If the Attach flows parame te r in the S torage se ttings se c tion is ac tivate d, the flow sample s use d for e ve nt de te c tion are attac he d to the re ports formatte d as the RT
and the e mail pe r e ve nt re ports.

It is possible to se nd re ports using your own S MS gate way. Ple ase c ontac t the ve ndor, Flowmon Ne tworks, a.s., in c ase you want to use this option. Ple ase note that this
option is not available in the Lite and S tandard ve rsions.

Syslog

T he applic ation also supports e ve nt e xport in the Common Eve nt Format (CEF). It is possible to se t multiple targe ts for the syslog me ssage s in the Settings →
Proc essing → S yslog me ssage se c tion. S yslog me ssage s are assigne d to the local6 fac ility. It is possible to c onfigure the following parame te rs:

Name : Name of the c onfiguration.

Pe rspe ctive : T he pe rspe c tive that se rve s as a base for the syslog me ssage s. T he priority is translate d to the CEF severity and, and with ac c ordanc e with the
c onfiguration, also to the syslog severity (se e the table be low).
Active : Ac tivation of se nding of the syslog me ssage s.
Priority as se ve rity: Ac tivate the translation of the Flowmon ADS priority to the syslog severity. S e e the table be low.
T arge t: T he c hoic e whic h allows to c hoose whe the r the global Flowmon OS c onfiguration should be applie d (from Flowmon Configuration Center ) or whe the r to se nd
syslog me ssage s to the spe c ific IP and port.
Re mote IP: IP addre ss for se nding of the syslog me ssage s.
Port: Port numbe r (UDP protoc ol) for se nding of the syslog me ssage s.
Use e ve nt ID: Adding the e ve nt ID to the syslog me ssage s (c an be use d to find the e ve nt in the use r inte rfac e ).
Divide by e ve nt targe ts: T his se tting allows to de c ide whe the r to se nd e ve nt targe ts in one syslog me ssage or in a single syslog me ssage for e ac h e ve nt targe t.
Maximal numbe r of me ssage s pe r e ve nt: Maximal numbe r of syslog me ssage s (in the c ase that the syslog me ssage s are divide d ac c ording to the single e ve nt
targe t assignme nt). T he last me ssage c ontains all the re maining e ve nt targe ts.
Machine -re adable de tail: Ac tivation of the e ve nt de tail in the format suitable for the following mac hine proc e ssing. T he variable s of the e ve nt de tails are writte n
in the form parameter:value.
Proce ssing me ssage s: T he syslog me ssage s informing about start and e nd of the batc h proc e ssing, whic h are se nt to the give n targe t (if ac tive ).

In the following table the re is a translation of Flowmon ADS prioritie s to syslog and CEF prioritie s:

Priority of the pe rspe ctive S yslog se ve rity CEF se ve rity

CRIT ICAL Ale rt 10

HIGH Critic al 8

MEDIUM Error 6

LOW Warning 4

INFORMAT ION Notic e 2

SNMP

T he applic ation also supports the e xport of the e ve nts using the S NMP. Eve nts are ge ne rate d as a S NMP traps that are ge ne rate d base d on MIB file FLOWMON- ADS -
MIB.txt (this file c an be downloade d from the authe ntic ate d subse c tion of the Flowmon site ). Be side the S NMP traps that re port the e ve nts, the re are also S NMP traps,
whic h inform about the numbe r of proc e sse d flows pe r a batc h and about the time ne c e ssary for proc e ssing the batc h. T he S NMP e ve nt re ports c an be re - c re ate d
se ve ral time s with diffe re nt targe ts and pe rspe c tive .

A de stination IP addre ss, port, S NMP ve rsion and the c ommunity string c an be e asily se t by se le c ting T arge t groups. T he se are de fine d in the Configuration Ce nte r
module in S yste m → S NMP Eve nt Logging. In the ADS module , you may c onfigure the following parame te rs:

Name : Name of the re spe c tive c onfiguration.

Pe rspe ctive : T he pe rspe c tive ac c ording to whic h the S NMP traps are ge ne rate d.
Active : Ac tivation of se nding S NMP traps.
T arge t groups: S e le c tion of de stinations whe re the S NMP trap is to be se nt.

Cust om script s

T he Flowmon ADS applic ation allows to use your own c ustom sc ripts for e ve nt e xport (or any e xe c utable – e .g. in bash/sh, Pe rl, Python C, C++, . . . ). T he sc ript func tions
are limite d only by the pe rmissions of the Flowmon syste m use r. It is the re fore re c omme nde d to validate the e xe c utable s by an administrator. T he use r sc ripts c an
affe c t the duration of the flow data proc e ssing, the re fore it is re c omme nde d to make the se sc ripts fast e nough.

Exe c ution of the c ustom sc ripts is manage d by the c hose n pe rspe c tive and a pre - se t minimal priority. T he sc ripts are e xe c ute d imme diate ly re gardle ss of the priority
of the give n e ve nt. Exe c ution of the sc ripts for the same e ve nt c an be suppre sse d for a se le c te d time pe riod.

T he e xe c utable s c an be uploade d by the admin use r, in the S e ttings → S yste m S e ttings→ Custom scripts vie w. T he re are two type s of sc ripts:

For e ach e ve nt se parate ly: T he sc ript whic h c an proc e ss only a single e ve nt (and whic h is e xe c ute d for e ac h e ve nt). T he numbe r of e xe c ute s pe r priority and data
fe e d is limite d by the Limit parame te r.
For e ach priority se parate ly: T he sc ript c an proc e ss all e ve nts with the same priority at onc e (c an be e xe c ute d up to five time s).

T he e ve nts are hande d ove r to the n standard input of the sc ript (one e ve nt pe r line ).

Eac h e ve nt is de sc ribe d by following fie lds (in this orde r):

ID
e ve nt time stamp
time stamp of the first flow
e ve nt type
type de sc ription
pe rspe c tive
priority
e ve nt de tail
port numbe rs
protoc ol
e ve nt sourc e
c apture d sourc e name
e ve nt targe ts
data fe e d
 use r ide ntity

T he se fie lds are se parate d by a tab symbol. Whe n a fie ld is e mpty, it is re plac e d by a spac e c harac te r.

Additional parame te rs

It is possible to de fine additional c ommand line parame te rs for the c ustom sc ripts. T he se parame te rs are use d for handing ove r the supple me ntary information. T he
value s of the parame te rs c an be se t se parate ly for individual e xe c utions of the c ustom sc ripts. T he parame te rs are optional and must be supporte d by the sc ript.
Parame te rs are passe d to the sc ript in the following orde r: ./sc ript_ name .sh PARAM_ 1 ’VAL_ 1’ PARAM_ 2 ’VAL_ 2’ ... PARAM_ n ’VAL_ n’

T he name of the parame te r must be none mpty, it may c onsist of alphanume ric c harac te rs, dash or unde rsc ore . T he parame te rs are hande d ove r always in the same
orde r. It is, the re fore possible to re fe re nc e the m by a position numbe r.

De mo script

T he de mo sc ript is c re ate d afte r installation or afte r applic ation of the c onfiguration te mplate . T his sc ript is use d for se nding e ve nt re ports by e mail. T he sc ript c an be
ge ne rate d manually on the Settings → System Settings→ Custom scripts page and c an also be downloade d. It is writte n as a Bash sc ript. It c an be use d for Call pe r e ve nt
and Call pe r priority. T he sc ript is using thre e parame te rs for passing the e mail addre ss, the e mail body and the e mail subje c t. T he parame te rs are parse d using the
standard getopt func tion. Email re ports are se nt by Flowmon PHP CLI, the S MT P c onfiguration is obtaine d from the c onfiguration of the applic ation.

Traffic recording

In orde r to re ac t to the de te c te d e ve nts, you may e nable automatic pac ke t c apture with the Flowmon T raffic Re c orde r (FT R, ve rsion 10.0 or highe r is re quire d). T he
c apture c an be starte d on a re mote or a loc al de vic e . T o start c apturing on a loc al de vic e , use the Local for a script owne r option. It will utilize the sc ript Owne r ac c ount
to start loc al pac ke t c apturing. T he mandatory parame te rs for the re mote c apture are FT R se rve r, Login and Password. T he FT R Age ncy ID parame te r is the nume ric
ide ntifie r of the FT R group (de fine d in the Flowmon Configuration Ce nte r) whic h is use d for c apturing.

Exe c ution of the c apture is manage d by the c hose n pe rspe c tive . T he c apture s are e xe c ute d imme diate ly for all e ve nts that have at le ast of the Minimal priority. T he
maximum numbe r of e xe c ute d c apture s is limite d by the Limit parame te r. T he limit is applie d pe r the priority of the pe rspe c tive and data fe e d. For e xample , the limit se t
to 10 allows to e xe c ute up to 10 c apture s for e ve nts with priority CRIT ICAL de te c te d on one data fe e d, but also up to 10 c apture s for priority MEDIUM. T he S kip
ide ntical e ve nts option c an be use d to suppre ss re pe titive e xe c uting of the c apture s, whic h are base d on the same e ve nts (spe c ifie d by the e ve nt type and sourc e ) for
the c hose n time pe riod. T he c apturing is stoppe d afte r the time inte rval de fine d in the Live re cording duration parame te r. T he c ountdown of this inte rval is initiate d
whe n the live c apture starts.

Flowmon traffic re c orde r store s the pac ke ts from the past for a time inte rval that c an be spe c ifie d in Configuration ce nte r → Monitoring ports. For e ac h monitoring
inte rfac e , the re is the Recorder tab, whe re it is possible to se t this inte rval by spe c ifying the T T L parame te r. Be c ause of this fe ature , it is possible to inc lude the se
pac ke ts c apture d in the past into the final c apture file . For this purpose , use the parame te r Re cording start offse t. It spe c ifie s the numbe r of se c onds from the start of
an e ve nt. Pac ke ts from inte rval spe c ifie d by this parame te r are the n inc lude d in the final c apture file toge the r with the pac ke ts c apture d during the live traffic
re c ording. If the value of the Re cording start offse t fie ld is highe r the n the value of the T T L fie ld for a spe c ific inte rfac e , the notific ation in the GUI is shown and the
value of T T L parame te r should be inc re ase d. Afte r finishing the c apture , the PCAP file s with traffic are available for download in the e ve nt de tail window. T he se PCAP
file s inc lude the pac ke ts that we re c apture d during the live pac ke t c apture toge the r with pac ke ts from the past (pac ke ts that we re c apture d be fore the e ve nt starte d).

Cust om Pat t erns

Note

Custom patte rns are available in all ve rsions, e xc e pt the Lite and S tandard ve rsions.

T he Flowmon ADS applic ation allows to c re ate simple c ustom be havior patte rns. T he y c an be de fine d in the S e ttings → Proce ssing → Custom patte ns. T he se c an be
e nable d for proc e ssing by the BPAT T ERNS me thod. A patte rn is de fine d as a simplifie d S QL que ry from biflow re c ords (se e Fie lds of the biflow e ntrie s).

Biflow re c ords are forme d by paire d flows (the re que st and re ply). T he flow ite ms that are diffe re nt in e ac h dire c tion are store d in the biflow re c ord with pre fix
ac c ording to the original orie ntation. For e xample amount of transfe rre d data is store d in the re q_ transfe rre d and re p_ transfe rre d fie lds. T he flow ite ms that are the
same in both original flows are store d only onc e ac c ording to re que st flow. For e xample , the sourc e IP addre ss of the biflow re c ord c orre sponds to the sourc e IP
addre ss of the re que st flow, although in the re ply the IP addre ss is spe c ifie d as the de stination. In a c ase of unpaire d flow, only the ite ms c orre sponding to the re que st
flow are fille d in the biflow re c ord.

T he e ditable parame te rs of the c ustom patte rn inc lude the Patte rn code , Patte rn de scription and Patte rn de tail and the patte rn e xpre ssion parame te rs. T he Patte rn
code ide ntifie s the patte rn (it is use d as a parame te r in the BPAT T ERNS me thod to (de )ac tivate give n patte rn), the Patte rn de scription parame te r de sc ribe s the e ve nts
de te c te d by the patte rn, the Patte rn de tail is use d as a substring in the e ve nt de tails. T he patte rn e xpre ssion is de sc ribe d by Whe re clause , Having clause and Eve nt
source .

T he e ve nt de tail string ge ne rate d for the c ustom be havior patte rn c ontains:

S hort de sc ription of the patte rn (from Patte rn de tail parame te r)

Numbe r of the outgoing flows from the e ve nt sourc e to e ve nt targe ts
Numbe r of the inc oming flows to the e ve nt sourc e from e ve nt targe ts
Numbe r of the data se nt by the e ve nt sourc e to e ve nt targe ts
Numbe r of the data re c e ive d by the e ve nt sourc e from e ve nt targe ts
Numbe r of pac ke ts se nt by the e ve nt sourc e to e ve nt targe ts
Numbe r of pac ke ts re c e ive d by the e ve nt sourc e from e ve nt targe ts
Numbe r of e ve nt targe ts

T he option Eve nt source allows to c hoose the role of IP in the e ve nt and the IP addre ss fie ld, by whic h the re c ords will be groupe d, from a biflow table . T he e ve nt sourc e
c an be e ithe r the sourc e IP addre ss (de fault option) or the de stination IP addre ss. In the c ase of c hoosing de stination IP addre ss as the e ve nt sourc e , the e ve nt is
de te c te d from re c ords, whic h are groupe d by de stination IP addre ss, the de stination IP addre ss will be use d as the e ve nt sourc e and the e ve nt targe ts will be all
re le vant sourc e IP addre sse s. De pe nding on c hoic e of the Eve nt source , all the de stination or sourc e IP addre sse s that we re c ommunic ating with the targe t IP addre ss
are the n liste d as e ve nt targe ts. Grouping by de stination IP addre ss is use d for e xample by the S RVNA de te c tion me thod, whic h marks an unavailable targe t (IP addre ss
of se rvic e ) as the e ve nt sourc e and all sourc e IP addre sse s (c lie nt’s atte mpts to c onne c t) as the e ve nt targe ts.

Where and Having clauses

T he patte rn itse lf is de fine d using the whe re and having e xpre ssions whic h are writte n in S QL form. All the c onstruc tions of Cac hé S QL language that are valid for the
whe re and having e xpre ssion are supporte d, inc luding ope rators and func tions state d be low. S ingle quote s (apostrophe s) are re quire d for a string e nc losing - this
applie s to both e xpre ssions. Parts of logic al e xpre ssion c an be inse rte d into pare nthe se s.

T he Whe re e xpre ssion is inte nde d to filte r the re c ords base d on de fine d c onditions and using logic al ope rators and func tions. T he Having e xpre ssion allows to use the
aggre gate func tions that use the se re sults. T he re fore the diffe re nc e be twe e n the having and the whe re e xpre ssion is that the whe re works with table rows and allows
to filte r individual rows. T he having the n adds the option of working with a group of re c ords using the aggre gation func tions. T he following aggre gation func tions are
supporte d:

S UM: sum of value s

AVG: ave rage of value s
COUNT : numbe r of value s
MAX: maximal value
MIN: minimal value
VARIANCE: varianc e of value s
S T DDEV: standard de viation

T he c omple te list of aggre gation func tions with the ir de sc ription c an be found in the Cac hé S QL doc ume ntation (se e Aggre gate func tions). T he c omple te
doc ume ntation for the whe re and having e xpre ssions c an be found he re or he re re spe c tive ly.

S e e Custom patte rn e xample s.

Fields of t he biflow ent ries

T he following fie lds c an be use d for filte ring:

source _ip_addre ss: S ourc e IP addre ss in the inte rnal form. S e e Func tions for the translation func tionality.
de stination_ip_addre ss: De stination IP addre ss in the inte rnal form. S e e Func tions for the translation func tionality.
protocol: Protoc ol numbe r.
source _port: S ourc e port numbe r.
de stination_port: De stination port numbe r.
re q_duration: Duration of the re que st flow in se c onds (float numbe r).
re p_duration: Duration of the re sponse flow in se c onds (float numbe r).
re q_transfe rre d: T otal transmitte d byte s in the re que st flow (inte ge r).
re p_transfe rre d: T otal transmitte d byte s in the re sponse flow (inte ge r).
re q_packe ts: T otal c ount of pac ke ts in the re que st flow (inte ge r).
re p_packe ts: T otal c ount of pac ke ts in the re sponse flow (inte ge r).
re q_flags: T CP flags of re que st flow, it is re c omme nde d to use suitable filte ring func tion (se e Func tions for the translation func tionality).
re p_flags: T CP flags of re sponse flow.
src_mac: S ouc e MAC addre ss in de c adic form. S e e Func tions for the translation func tionality.
dst_mac: De stination MAC addre ss in de c adic form. S e e Func tions for the translation func tionality.
src_as: T he sourc e autonomous syste m numbe r.
dst_as: T he de stination autonomous syste m numbe r.
src_country: T he c ountry numbe r, whic h is assigne d to the sourc e IP addre ss (se e List of c ountrie s).
dst_country: T he c ountry numbe r, whic h is assigne d to the de stination IP addre ss.
http_host: Last 32 c harac te rs of the HT T P hostname . It c an c ontain the que rie d DNS name if it is a DNS que ry.
http_url: First 64 c harac te rs of the URL from HT T P GET re que st.
src_use r_id: Ide ntific ation of the use r whic h is using the sourc e IP addre ss (obtaine d from Ac tive Dire c tory in c ase of the c onfiguration in Flowmon OS ).
dst_use r_id: Ide ntific ation of the use r whic h is using the de stination IP addre ss.
tcp_ttl: T CP T T L, se t only if the T CP S YN flag is se t.
tcp_window: T CP window, se t only if the T CP S YN flag is se t.
syn_size : S ize of T CP S YN pac ke t in re que st flow.
ua_os: T he numbe r of the ope rating syste m (obtaine d from HT T P use r age nt, se e the List of ope rating syste ms), 65535 me ans that the OS is unknown.
ua_os_ve rsion: T he numbe r of the ve rsion of the ope rating syste m (obtaine d from the HT T P use r age nt), de c imal – its inte ge r part e quals to the major ve rsion,
de c imal part to the minor ve rsion. T he numbe r gre ate r than or e qual to 65535 me ans unknown ve rsion.
paire d: S pe c ifie s whe the r the biflow c ontains the whole flow- pair or the re is only single unpaire d flow. Numbe r 0 or 1.

Variable s that c an be use d in the c ustom patte rns de finitions:

# src_filte r# : T he assigne d filte r, whic h is applie d to sourc e IP addre sse s.

# dst_filte r# : T he assigne d filte r, whic h is applie d to de stination IP addre sse s.
# ne g_src_filte r# : T he ne gative ve rsion of the assigne d filte r, whic h is applie d to sourc e IP addre sse s (IP adre ss has to be outside the give n filte r).
# ne g_dst_filte r# : T he ne gative ve rsion of the assigne d filte r, whic h is applie d to de stination IP addre sse s.

Ope rators that c an be use d in the c ustom patte rns de finitions.

= Equality te st (sourc e _ port = 80)

<> Une quality te st (protoc ol <> 6)
> Is gre ate r than (re q_ transfe rre d > 102400)
< Is lowe r than (re q_ duration < 10)
>= Gre ate r than or e qual to
<= Lowe r than or e qual to
IN Be longs to the give n se t (de stination_ port IN (80, 443))
BET WEEN . . . AND Be longs to the give n range (re q_ duration BET WEEN 10 AND 60, inc luding the give n borde rs)
LIKE T he string that c ontains give n substring (http_ host LIKE ’%fac e book%’, the pe rc e nt signs re pre se nt any string).
%S T ART S WIT H T he string that starts with the give n substring (http_ url '%S T ART S WIT H%’/../../../’)
NOT Ne gation of the give n c onstraint (NOT (re q_ duration < 10 AND sourc e _ port = 80))
+ Addition (re q_ transfe rre d + re p_ transfe rre d >= 1048576)
− S ubtrac tion (re q_ duration - re p_ duration > 3)
∗ Multiplic ation (re q_ transfe rre d * paire d > 0)
/ Division (re q_ transfe rre d / re q_ pac ke ts = 40)

Functions that c an be use d in the c ustom patte rns de finitions:

T ools.matchflags(flags, re quire d, forbidde n): Func tion for matc hing T CP flags, flags should be re plac e d by req_flags or rep_flags. T he func tion re turns 0 if and only
if flags c ontains all required flags and doe sn’t c ontain any forbidden flag. T he func tion has to be use d as an e quality te st with 0.

Example s:

T ools.matc hflags(’RUAPS F’, ’AP’, ’- ’) = 0

T ools.matc hflags(’..APS .’, ’A’, ’F’) = 0
T ools.matc hflags(’..APS .’, ’A’, ’S ’) <> 0
T ools.matc hflags(’..APS .’, ’- ’, ’R’) = 0
 T ools.ip_to_int(re adable _ip) Func tion for translating IP addre sse s into inte rnal form.
T ools.re _match(patte rn, te xt) Func tion for matc hing the string with the give n re gular e xpre ssion. If the re is a matc h, the func tion re turns 1, 0.
T ools.re _e xact(patte rn, te xt) Func tion for matc hing the string with the give n re gular e xpre ssion. T he re gular e xpre ssion must de sc ribe the whole string.
T ools.re _ge t(patte rn, te xt, position) T he func tion re turns the substring that is matc he d by the re gular e xpre ssion. If the position parame te r is gre ate r than o, the
func tion re turns appropriate "variable " from re gular e xpre ssion (the part in brac ke ts).
T ools.mac_to_int(re adable _mac) Func tion for translating MAC addre ss into inte rnal form.

Note

For more information about re gular e xpre ssions se e the Inte rS yste ms doc ume ntation

List of count ries

LAN Loc al Are a Ne twork 0

AF Afghanistan 4

AX Aland Islands 248

AL Albania 8

DZ Alge ria 12

AS Ame ric an S amoa 16

AD Andorra 20

AO Angola 24

AI Anguilla 660

AQ Antarc tic a 10

AG Antigua and Barbuda 28

AR Arge ntina 32

AM Arme nia 51

AW Aruba 533

AU Australia 36

AT Austria 40

AZ Aze rbaijan 31

BS Bahamas 44

BH Bahrain 48

BD Banglade sh 50

BB Barbados 52

BY Be larus 112

BE Be lgium 56

BZ Be lize 84

BJ Be nin 204

BM Be rmuda 60

BT Bhutan 64

BO Bolivia, Plurinational S tate of 68

BQ Bonaire , S int Eustatius and S aba 535

BA Bosnia and He rze govina 70

BW Botswana 72

BV Bouve t Island 74

BR Brazil 76

IO British Indian Oc e an T e rritory 86

BN Brune i Darussalam 96

BG Bulgaria 100

BF Burkina Faso 854

BI Burundi 108

KH Cambodia 116

CM Came roon 120

CA Canada 124

CV Cape Ve rde 132

KY Cayman Islands 136

CF Ce ntral Afric an Re public 140

TD Chad 148

CL Chile 152

CN China 156

CX Christmas Island 162

CC Coc os (Ke e ling) Islands 166

CO Colombia 170

KM Comoros 174

CG Congo 178

CD Congo, the De moc ratic Re public of the 180

CK Cook Islands 184

CR Costa Ric a 188

CI Côte d’Ivoire 384

HR Croatia 191

CU Cuba 192

CW Curaç ao 531

CY Cyprus 196

CZ Cze c h Re public 203

DK De nmark 208

DJ Djibouti 262

DM Dominic a 212

DO Dominic an Re public 214

EC Ec uador 218

EG Egypt 818

SV El S alvador 222

GQ Equatorial Guine a 226

ER Eritre a 232

EE Estonia 233

ET Ethiopia 231

FK Falkland Islands (Malvinas) 238

FO Faroe Islands 234

FJ Fiji 242

FI Finland 246

FR Franc e 250

GF Fre nc h Guiana 254

PF Fre nc h Polyne sia 258

TF Fre nc h S outhe rn T e rritorie s 260

GA Gabon 266

GM Gambia 270

GE Ge orgia 268

DE Ge rmany 276

GH Ghana 288

GI Gibraltar 292

GR Gre e c e 300

GL Gre e nland 304

GD Gre nada 308

GP Guade loupe 312

GU Guam 316

GT Guate mala 320

GG Gue rnse y 831

GN Guine a 324

GW Guine a- Bissau 624

GY Guyana 328

HT Haiti 332

HM He ard Island and Mc Donald Islands 334

VA Holy S e e (Vatic an City S tate ) 336

HN Honduras 340

HK Hong Kong 344

HU Hungary 348

IS Ic e land 352

IN India 356

ID Indone sia 360

IR Iran, Islamic Re public of 364

IQ Iraq 368

IE Ire land 372

IM Isle of Man 833

IL Israe l 376

IT Italy 380

JM Jamaic a 388

JP Japan 392

JE Je rse y 832

JO Jordan 400

KZ Kazakhstan 398

KE Ke nya 404

KI Kiribati 296

KP Kore a, De moc ratic Pe ople ’s Re public of 408

KR Kore a, Re public of 410

KW Kuwait 414

KG Kyrgyzstan 417

LA Lao Pe ople ’s De moc ratic Re public 418

LV Latvia 428

LB Le banon 422

LS Le sotho 426

LR Libe ria 430

LY Libya 434

LI Lie c hte nste in 438

LT Lithuania 440

LU Luxe mbourg 442

MO Mac ao 446

MK Mac e donia 807

MG Madagasc ar 450

MW Malawi 454

MY Malaysia 458

MV Maldive s 462

ML Mali 466

MT Malta 470

MH Marshall Islands 584

MQ Martinique 474
MR Mauritania 478

MU Mauritius 480

YT Mayotte 175

MX Me xic o 484

FM Mic rone sia, Fe de rate d S tate s of 583

MD Moldova, Re public of 498

MC Monac o 492

MN Mongolia 496

ME Monte ne gro 499

MS Montse rrat 500

MA Moroc c o 504

MZ Mozambique 508

MM Myanmar 104

NA Namibia 516

NR Nauru 520

NP Ne pal 524

NL Ne the rlands 528

NC Ne w Cale donia 540

NZ Ne w Ze aland 554

NI Nic aragua 558

NE Nige r 562

NG Nige ria 566

NU Niue 570

NF Norfolk Island 574

MP Northe rn Mariana Islands 580

NO Norway 578

OM Oman 512

PK Pakistan 586

PW Palau 585

PS Pale stine , S tate of 275

PA Panama 591

PG Papua Ne w Guine a 598

PY Paraguay 600

PE Pe ru 604

PH Philippine s 608

PN Pitc airn 612

PL Poland 616

PT Portugal 620

PR Pue rto Ric o 630

QA Qatar 634

RE Ré union 638

RO Romania 642

RU Russian Fe de ration 643

RW Rwanda 646

BL S aint Barthé le my 652

SH S aint He le na, Asc e nsion and T ristan da Cunha 654

KN S aint Kitts and Ne vis 659

LC S aint Luc ia 662

MF S aint Martin (Fre nc h part) 663

PM S aint Pie rre and Mique lon 666
VC S aint Vinc e nt and the Gre nadine s 670

WS S amoa 882

SM S an Marino 674

ST S ao T ome and Princ ipe 678

SA S audi Arabia 682

SN S e ne gal 686

RS S e rbia 688

SC S e yc he lle s 690

SL S ie rra Le one 694

SG S ingapore 702

SX S int Maarte n (Dutc h part) 534

SK S lovakia 703

SI S love nia 705

SB S olomon Islands 90

SO S omalia 706

ZA S outh Afric a 710

GS S outh Ge orgia and the S outh S andwic h Islands 239

SS S outh S udan 728

ES S pain 724

LK S ri Lanka 144

SD S udan 729

SR S uriname 740

SJ S valbard and Jan Maye n 744

SZ S waziland 748

SE S we de n 752

CH S witze rland 756

SY S yrian Arab Re public 760

TW T aiwan, Provinc e of China 158

TJ T ajikistan 762

TZ T anzania, Unite d Re public of 834

TH T hailand 764

TL T imor- Le ste 626

TG T ogo 768

TK T oke lau 772

TO T onga 776

TT T rinidad and T obago 780

TN T unisia 788

TR T urke y 792

TM T urkme nistan 795

TC T urks and Caic os Islands 796

TV T uvalu 798

UG Uganda 800

UA Ukraine 804

AE Unite d Arab Emirate s 784

GB Unite d Kingdom 826

US Unite d S tate s 840

UM Unite d S tate s Minor Outlying Islands 581

UY Uruguay 858

UZ Uzbe kistan 860

VU Vanuatu 548
 VE Ve ne zue la, Bolivarian Re public of 862

VN Vie t Nam 704

VG Virgin Islands, British 92

VI Virgin Islands, U.S . 850

WF Wallis and Futuna 876

EH We ste rn S ahara 732

YE Ye me n 887

ZM Zambia 894

ZW Zimbabwe 716

List of operat ing syst ems

ID OS name ID OS name ID OS name

1 AIX 26 Arc h Linux 51 Ninte nto WII U

2 Amiga OS 27 Ce ntOS 52 Ope nBS D

3 Android 28 De bian 53 Ope nVMS

4 iOS 29 Fe dora 54 OS /2

5 Mac OS 30 Ge ntoo 55 OS /2 Warp

6 Mac OS X 31 Knoppix 56 Palm OS

7 AROS 32 Kanotix 57 OPClinuxOS

8 Bada 33 Lindspire 58 QNX

9 Be OS 34 Mage ia 59 RIS C OS

10 Blac kBe rry 35 Mandriva 60 S ailfish

11 Blac kBe rry T able t 36 Mint 61 S kyOS

12 Bre w 37 Re d Hat 62 S olaris

13 Chrome OS 38 S lac kware 63 S yllable

14 Dange r Hiptop 39 S US E 64 S ymbian

15 Darwin 40 Ubuntu 65 T ize n

16 DragonFly BS D 41 Ve c torLinux 66 Ubuntu T ouc h

17 Fire fox OS 42 Live Are a 67 we bOS

18 Fre e BS D 43 Me e Go 68 Windows

19 GNU OS 44 MINIX 69 Windows 3.x

20 Haiku OS 45 MorphOS 70 Windows CE

21 HP- UX 46 MS N T V (We bT V) 71 Windows Phone

22 Infe rno 47 Ne tBS D 72 Windows Xbox

23 IRIX 48 Ninte nto 3DS 73 XrossMe diaBar

24 Joli OS 49 Ninte nto DS

25 Linux 50 Ninte nto WII

Cust om pat t ern examples

Example of de te ction of communication on the S S H hone ypot running on 192.168.1.10 – only the flows with more than 5 packe ts are take n into account:

Where expression:

# ne g_ src _ filte r# AND

de stination_ ip_ addre ss = T ools.ip_ to_ int('192.168.1.10') AND de stination_ port = 22 AND

protoc ol = 6 AND

T ools.matc hflags(re q_ flags, 'S ', '- ') = 0 AND re q_ pac ke ts > 5

S QL inje ction de te ction base d on re gular e xpre ssions. T he re gular e xpre ssion is use d for finding strings that are similar to OR 1=1:

Where expression:
 # src _ filte r# AND de stination_ port = 80 AND protoc ol = 6 AND

T ools.re _ matc h('.{1,4}[Oo][Rr].{1,4}\d.{1,3}\d', 'http_ url') = 1

An e xample of de te ction of the station that transmits more than 1 GB of data in total via the samba protocol:

Where expression:

# src _ filte r# AND de stination_ port = 445 AND protoc ol = 6

Having expression:

S UM(re q_ transfe rre d) + S UM(re p_ transfe rre d) > 1048576000

An e xample of port scan de te ction. In this case , the having e xpre ssion limits the minimal numbe r of scan atte mpts:

Where expression:

# src _ filte r# AND de stination_ port < 1024 AND protoc ol = 6 AND

re q_ flags IN ('....S .', '......', '.....F', 'U.P..F')

Having expression:

COUNT (*) >= 100

IDS Collect or

IDS Colle c tor c an be c onfigure d in S e ttings → S yste m S e ttings → IDS Colle ctor .

Descript ion

IDS Colle c tor allows you to c olle c t and aggre gate e ve nts from Flowmon IDS Probe or othe r c ompatible IDS syste ms (e .g. S uric ata) via syslog. T he se e ve nts c an be
browse d using the c onte xt me nu options Browse IDS Eve nts or Re late d IDS Eve nts whic h are de sc ribe d in the se c tion Conte xt Me nu.

Configurat ion

In orde r to ac tivate IDS e ve nts proc e ssing func tionality, you ne e d to e nable IDS e ve nt c olle c tor.

IDS co llect o r s et t ings page

If the module Flowmon IDS Probe is installe d loc ally, IDS e ve nts are proc e sse d automatic ally without any furthe r c onfiguration. In orde r to re c e ive e ve nts from re mote
de vic e (s), e xte rnal syslogs ne e ds to be e nable d. T his option c an be found in Flowmon Configuration Ce nte r →S yste m → S yste m se ttings → S yslog se rve r → Enable
e xte rnal syslogs. All IDS e ve nts sourc e s should be de fine d as ne w syslog c lie nts.

IDS Colle c tor quota c an be se parate ly c onfigure d in Flowmon Configuration Ce nte r → Quotas Manage r. Quota size limits the maximum numbe r of e ve nts store d from IDS
Colle c tor.

Distributed Architecture Configuration

T o suc c e ssfully c onfigure the distribute d arc hite c ture , it is ne c e ssary to have at le ast 1 Master node and 1 Slave node (se e the Distribute d arc hite c ture page ). T he ADS
distribute d arc hite c ture c an be e nable d on any e xisting installation. Whe n the e xisting standalone ADS is turne d to a Master node , proc e ssing of the database is
disable d. Whe n it is turne d to a Slave node , the we b use r inte rfac e is disable d. Eve nts and c onfiguration are still ke pt in storage on the Slave node , but not use d. It allows
to c hange the mode of ADS without ne e d to re install it.

Afte r c hanging the mode of ADS , the alloc ate d quota ne e ds to be c he c ke d. T he quota for Maste r c an be c onfigure d via Flowmon Configuration Ce nte r → Quotas
Manage r. T he quota for S lave in the Flowmon distribute d arc hite c ture is available on Master (T PM) via Flowmon Configuration Ce nte r → Distribute d Archite cture →
S ource Group → Ope n FCC → Quotas Manage r for all S lave units in the S ourc e Group.

T he distribute d arc hite c ture c an be e nable d through the wizard or manually. T he re is no GUI. Ac c e ss to the Flowmon de vic e te rminal is ne c e ssary.

Wizard

T he Configuration wizard is de signe d for the Flowmon OS without manual c onfiguration of the distribute d arc hite c ture e nable d. T he wizard c an be e xe c ute d on the
Master node only. Afte r the initialization, S lave or Proxy node s c an also be initialize d and adde d. T he whole ADS distribute d arc hite c ture is c onfigure d from one plac e .

Log in to the Flowmon OS te rminal and e xe c ute the kads- wizard.py c ommand to start the wizard. T he first ste p is the initialization of the Master node c onfiguration.

[flow mon@localhost ~]$ kads-w izard.py KADS Wizard initialization...

...checking local configuration files.

...reading local configuration.

 ! No 'kadsmode' configuration found.

Do you w ant to start the master configuration? (yes/no)

Afte r the initialization, the re are options for assigning ne w Slave unit to Master node , showing the c urre nt status and de initializing the whole Distribute d Arc hite c ture .

Welcome to KADS Configuration Wizard.

Master: 192.168.3.219 (NO CHILDS DEFINED)

What do you w ant to do?

Assign new Unit to Master

Deinitialize Distributed Architecture
Show status
Exit

Select number:

Manual Configurat ion

Manual c onfiguration of the distribute d arc hite c ture re quire s advanc e d knowle dge of UNIX- like syste ms. Communic ation be twe e n node s utilize s S S H se rvic e on
Flowmon de vic e s.

Generat ing encrypt ion keys

It is ne e de d to se t the S S H e nc ryption ke ys on single node s of the distribute d arc hite c ture . T he ke y pair c an be ge ne rate d using ssh-keygen.

Exa mpl e o f t he s s h-k e yg e n ut i l i t y

$ ssh-keygen -N "" -f /data/ads/tmp/auth.key Generating public/private rsa key pair.

Your identification has been saved in /data/ads/tmp/auth.key.
Your public key has been saved in /data/ads/tmp/auth.key.pub. The key fingerprint is:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX flow mon@testmachine

T he ge ne rate d private ke y has to be adde d to e ac h node (e .g. using the sftp/scp applic ation). T he file s must have pe rmissions se t as pe r the following e xample :

chmod 0600 /data/ads/tmp/auth.key

chow n flow mon:flow mon /data/ads/tmp/auth.key

T he ge ne rate d public ke y has to be adde d on e ac h node to authorize d ke ys of the flowmon use r:

cat /data/ads/tmp/auth.key.pub >> /home/flow mon/.ssh/authorized_keys chmod 600 /home/flow mon/.ssh/authorized_keys

chow n flow mon:flow mon /home/flow mon/.ssh/authorized_keys

Configuring t he archit ect ure

Eac h node has to be c onfigure d se parate ly using the /data/ads/KADS.cfg c onfiguration file . If the file is not pre se nt in the syste m or if e ve ry line of the file is c omme nte d,
the distribute d arc hite c ture is turne d off. Doc ume ntation of the c onfig file is available in the file itse lf in the c omme nt strings.

Example o f KADS.cf g co nf igurat io n

 Detection Methods

De te c tion me thods are the c ore of Flowmon ADS . T he y se rve for de te c ting various pote ntially unde sirable ac tivitie s on the ne twork or to ac c umulate appropriate
information (be havior profile s). De te c tion me thods are pre de fine d by the manufac ture r who guarante e s the ir de ve lopme nt and e xpansion ac c ording to the c urre nt
tre nds in the are a of ne twork se rvic e s and se c urity of c ompute r ne tworks in partic ular. De te c tion me thods c an be imagine d as signature s for IDS syste ms (e .g. S NORT ).
Unlike signature s, whic h re pre se nt partic ular strings that are se arc he d in individual pac ke ts, de te c tion me thods c ontain spe c ific be havior patte rns of ne twork de vic e s.
Flowmon ADS use s the princ iple of de te c tion me thods also for othe r tasks (e .g. e ve nt re porting).

De te c tion me thods are divide d into the following groups:

Common ne twork be havior patte rns: c ommon ne twork be havior patte rns that ge ne rate e ve nts always whe n proc e ssing the c urre nt batc h of Flow data (typic ally
e ve ry 5 minute s).
Common be havior patte rns for S IP traffic: c ommon be havior patte rns that are base d on the S IP e xte nsions. T he se me thods works only with data fe e ds that have
the S IP proc e ssing ac tivate d.
Advance d ne twork be havior patte rns: advanc e d ne twork be havior patte rns that de te c t long te rm tre nds in ne twork be havior base d on c ontinuous proc e ssing of
the flow data.
De rive d be havior patte rns: de rive d be havior patte rns that ge ne rate c harac te ristic s of individual de vic e s. T he y do not dire c tly de pe nd on proc e ssing of the flow
data. T ypic ally the y use the outputs of two of the de te c tion me thod groups me ntione d above and are run pe riodic ally (e ve ry hour).
Anomaly de te ction syste m: me thods of a ge ne ral anomaly de te c tion syste m base d on c hange s in be havior of the ne twork de vic e s.

Note

T he anomaly de te c tion syste m is available in all ve rsions, e xc e pt the Lite ve rsion.

A typic al duty c yc le of the Flowmon ADS applic ation inc lude s the following ste ps:

1. Re ce iving and saving the flow data: re c e iving of flow data batc h re pre se nting the c urre nt ne twork traffic , typic ally e ve ry 5 minute s.
2. Proce ssing the flow data batch: applic ation of all ac tive de te c tion me thods on give n Flow data batc h whic h re sults in e ve nts ge ne ration and e ve nt re porting.
Applic ation le ve rage s multi- thre ading to inc re ase ove rall proc e ssing throughput.

Inde pe nde ntly of the flow data proc e ssing, the applic ation pe rforms ac tive de te c tion me thods from Ge ne ral syste m proce dure s and De rive d be havior patte rns groups
on a re gular basis (e ve ry hour).

Introduction to Detection Methods

De te c tion me thods have many c ommon fe ature s and the y are c onfigure d using a single use r inte rfac e . T he re maining te xt of this subse c tion is de dic ate d to the
de sc ription of ope ration princ iple s of the individual de te c tion me thods, the ir c onfiguration and inte rpre tation of the ir re sults. T his inte rpre tation is typic ally base d on
prac tic al e xpe rie nc e with de te c tion me thods. Information about the de te c tion me thod always inc lude s a ge ne ral de sc ription and tips for me thod c onfiguration.
Me thods that are provide d by the Anomaly De te c tion syste m c an be divide d into the following groups:

Common ne twork be havior patte rns

Advanc e d ne twork be havior patte rns
Common be havior patte rns for S IP traffic
De rive d be havior patte rns
Anomaly de te c tion syste m

Common Configurat ion Opt ions

A de te c tion me thod c an be use d as a base for individual me thod instanc e s. Eac h instanc e re pre se nts spe c ific se ttings of the de te c tion me thod and it should be
c onne c te d to some data fe e ds. T he numbe r of instanc e s for one de te c tion me thod is limite d by thre e time s the data fe e ds.

S e ttings of de te c tion me thods c onsist of two type s of ac tion – ac tions pe rforme d c olle c tive ly on the whole group of instanc e s and ac tions pe rforme d on single
me thod instanc e s.

Act ions for group of inst ances

Instance group activation or de activation: e ac h me thod, e xc e pt for the syste m me thods, c an be ac tivate d or de ac tivate d. T his option take s e ffe c t imme diate ly,
during the proc e ssing of the ne xt batc h of flow data.
Adding a ne w me thod instance : it c re ate s a ne w me thod instanc e with c onfiguration base d on the me thod c onfiguration te mplate . It is ne c e ssary to assign the
instanc e of a me thod to some data fe e ds (Ne w instance ).

Act ions for single met hod inst ances

De le te me thod instance : it re move s the give n me thod instanc e (De le te instance ).

Pe rform me thod action: some me thods allows to c all ac tions that are re late d to the give n me thod. T his ac tion c ould be for e xample de le ting the le arne d
c lassifie r. T he ac tion is pe rforme d afte r c lic king the Pe rform me thod actions button.
Activate /De activate me thod instance : ac tivate s or de ac tivate s the give n me thod instanc e (S tart/S top button).
Edit me thod instance : allows to c onfigure the give n me thod instanc e (Edit instance ).
S e tting the time to store outputs: it se ts the time pe riod within whic h are the outputs of the de te c tion me thod store d in the syste m (S e t De le te Eve ntsAfte r
parame te r).
Assigning filte rs to the me thod instance : most me thods may be re stric te d in te rms of proc e sse d traffic by assigning filte rs to the m (Filte rs in the me thod
c onfiguration). T his se tting is re fle c te d imme diate ly, pre c ise ly whe n proc e ssing the ne xt batc h of Flow data.
Copying of a me thod instance : it is possible to make a c opy of any e xisting me thod instanc e (Copy instance ).
Re se t me thod instance : it se ts the give n me thod instanc e to de fault se ttings ac c ording to the me thod te mplate (Re se t to de fault).
Common Feat ures

Basic ally, the re are two c ommon fe ature s for de te c tion me thods:

Eve nt ge ne rating: most de te c tion me thods ge ne rate e ve nts. Eve nts always inc lude s e ve nt origin (IP addre ss), e ve nt type (c orre sponding to a type of the me thod
whic h de te c te d the e ve nt), the time stamp of e ve nt oc c urre nc e ac c ording to flow data, link to the data fe e d, e ve nt de tails (additional information on the e ve nt
ac c ording to its type ) and the list of all e ve nt targe ts (IP addre sse s).
Pe riodic de le tion of e ve nts: all de te c tion me thods whic h ge ne rate e ve nts offe r the ir pe riodic de le tion through a c onfiguration option De le te Eve ntsAfte r. T his
indic ate s the numbe r of days for whic h the e ve nts re main in applic ation me mory. Olde r e ve nts are automatic ally de le te d. Whe n the option is se t to value “0” e ve nts
are ne ve r de le te d.

Dat a feeds and assigned filt ers

Rule s for data fe e ds and assigne d filte rs that are assoc iate d with a me thod instanc e :

T he me thod instanc e has to be assigne d to at le ast one data fe e d. Assigne d filte rs are optional e xc e pt for some de te c tion me thods.
T he me thod instanc e is always proc e ssing only the data from assigne d data fe e ds.
Data from a single data fe e d is proc e sse d alone , the c lassifie rs base d on the se data are also ke pt se parate ly for e ac h data fe e d and e ac h instanc e of a me thod.
T he assigne d IP addre ss filte r re stric ts the data ac c ording to the sourc e or de stination IP addre sse s (de tails follow).
T he re is no ne e d to use the IP filte r if all data from the c urre nt data fe e d satisfie s this filte r.
It is be tte r not to use any filte r inste ad of using the filte r with all IP addre sse s.
S ome of the de te c tion me thods ne e d to have a filte r assigne d to ac hie ve be tte r pe rformanc e .

Common Network Behavior Patterns

BIT T ORRENT – BitT orre nt traffic

BLACKLIS T – Communic ation with Blac kliste d Hosts
BPAT T ERNS – Flow- base d Be havior Patte rns
DIRINET – Dire c t Inte rne t Communic ation
DICT AT T ACK – Dic tionary attac k
DIVCOM – T arge t Hosts/Ports Anomaly
REFLECT DOS – Amplific ate d DoS Attac k
HIGHT RANS F – High Volume of T ransfe rre d Data
HONEYPOT – Hone ypot T raffic
HT T PDICT – We b Form Attac k
ICGUARD – Inte rne t Conne c tion Utilization Anomaly
IPV6T UNNEL – IPv6 T unne le d T raffic
INS T MS G – Instant Me ssaging T raffic
L3ANOMALY – L3 Ne twork Anomaly
LAT ENCY – Ne twork Late nc y Anomaly
MULT ICAS T – Multic ast T raffic
NAT DET – Ne twork Addre ss T ranslation
S CANS – Port S c anning
S RVNA – S e rvic e Not Available
T EAMVIEWER – T e amVie we r traffic
T ELNET – T e lne t Anomaly
T OR – T OR traffic
UPLOAD – Data Upload Anomaly
VOIP – VoIP T raffic
VPN – VPN T raffic
WEBS HARE – We b S haring T raffic

BITTORRENT – Bit Torrent t raffic

Note

T his patte rn is available in all ve rsions, e xc e pt the IS P ve rsion.

Met hod descript ion

A me thod for de te c ting P2P ne tworks of the BitT orre nt type . T his me thod c onsists of four diffe re nt de te c tion subme thods that analyze ne twork traffic c onc urre ntly.
T he inc ide nts de te c te d by the se subme thods are the n c ompare d. T he e ve nt is ge ne rate d in c ase of de te c ting the BitT orre nt traffic by multiple subme thods. T he
MinimalProbability option allows you to se t the minimal pe rc e ntage of subme thods, that have to de te c t the inc ide nt. T his way it is possible to de te c t almost any
BitT orre nt c lie nts. T he LANFilte r parame te r e nable s re duc tion of possible false positive s by e xc luding inte rnal ne twork c ommunic ation from de te c tion. Othe r
parame te rs are MinS e e ds and MinHighPorts, whic h allow to se t minimal c ount of re mote pe e r sourc e s the data are downloade d from, and minimal c ount of c onne c tions
on ports highe r than 10240.

Met hod configurat ion

 It is use ful to ac tivate this me thod ne twork- wide for all traffic on the ne twork, re gardle ss of the IP addre sse s e xc lude d from c ommunic ations on the LAN by the
LANFilte r option. T he re c omme nde d plac e for the monitoring of the traffic is the Inte rne t c onne c tion line .

Met hod paramet ers

LANFilte r: Name of the filte r that de fine s the IP addre sse s in the monitore d ne twork. T he c ommunic ation be twe e n the se de vic e s is ignore d within this de te c tion
me thod for the improve me nt of false positive ratio.
MinS e e ds: Minimal c ount of de vic e s use d as a sourc e for a file download.
MinHighPorts: Minimal c ount of c onne c tions on the ports gre ate r than 10240.
MinimalProbability: T he probability of downloading using the BitT orre nt se rvic e is e valuate d during the de te c tion. T he e valuation is base d on the re sults of partial
me thods. T he parame te r e xpre sse s the minimal probability to re port the e ve nt.

Assigned filt er

T he filte r is use d for re stric ting the sourc e IP addre sse s.

Int erpret at ion of result s

T his me thod ac hie ve s ve ry re liable re sults in de te c tion of notorious P2P downloade rs. On the othe r hand, inc ide ntal and oc c asional use of P2P ne twork may not be
de te c te d, e spe c ially whe n the me thod is c onfigure d with stric t value s of the parame te rs. Furthe rmore , this me thod may ale rt on the spyware - infe c te d de vic e s, whose
be havior is ofte n similar to that of the P2P ne tworks.

BLACKLIST – Communicat ion wit h Blacklist ed Host s

Note

T his patte rn is available in all ve rsions, e xc e pt the Lite ve rsion.

Met hod descript ion

A me thod for de te c ting c ommunic ation with IP addre sse s, domains, we b page s or se rvic e s at spe c ifie d se rve rs whic h are inc lude d in the blac klists maintaine d by
Flowmon Ne tworks a.s or c ustom blac klists maintaine d by a use r of the module . T he Ignore Unre achable parame te r allows to ignore the ICMP type 3 (de stination
unre ac hable ) re plie s to re que sts from the blac kliste d IPs. If the Ignore UnsuccExt parame te r (or Ignore UnsuccInt) is se t to yes, the unsuc c e ssful atte mpts from the
blac kliste d IP addre sse s (or from the monitore d ne twork) are ignore d. It is also possible to ignore c ommunic ation at spe c ific ports, whic h c an be se t by the
Ignore Ports parame te r.

It is possible to de fine a c ustom blac klists that are maintaine d by a use r of the module . T he manage me nt of the Flowmon and the c ustom blac klists is de sc ribe d in the
Blac klists c hapte r.

Met hod configurat ion

It is re c omme nde d to ac tivate this me thod ne twork- wide for all traffic on the ne twork, re gardle ss of IP addre sse s. T he right plac e for the monitoring of the traffic is
the Inte rne t c onne c tion line . T o update the Flowmon blac klists it is ne c e ssary not to bloc k the c ommunic ation of the de vic e (probe /c olle c tor) to port 443 (HT T PS ,
standard se c ure d we b traffic ) on the se rvic e s.flowmon.c om se rve r.

Met hod paramet ers

Ignore Unre achable : Ignore the ICMP type 3 re sponse s (de stination unre ac hable ) to re que sts from the blac kliste d IP addre sse s.
Ignore UnsuccExt: Ignore unsuc c e ssful re que sts from blac kliste d IP addre sse s.
Ignore UnsuccInt: Ignore unsuc c e ssful re que sts from the IP addre sse s within the monitore d se gme nt.
Ignore Ports: List of ports, that will be ignore d during the de te c tion.
Active Blacklists: List of blac klists that should be proc e sse d by the me thod instanc e . T he manage me nt of the blac klist's c onte nt is de sc ribe d in the Blac klists
c hapte r.

Assigned filt er

T he filte r is use d for re stric ting sourc e or de stination IP addre sse s.

Int erpret at ion of result s

T his me thod use s the Flowmon Ne twork blac klist se rvic e or c ustom blac klists de fine d by a use r. If some of the blac kliste d IP addre sse s are marke d as the e ve nt
originator it’s probably a ne twork attac k on the organization. If some of the organization IP addre sse s is the e ve nt originator it’s like ly to be part of a botne t or infe c te d
with some form of malware .

BPATTERNS – Flow-based Behavior Pat t erns

Note
 T his patte rn is available in all ve rsions, e xc e pt the Lite and S tandard ve rsion.

Note

T his me thod is de pre c ate d. It will be de le te d in ve rsion 11.0.

Met hod descript ion

T his de te c tion me thod is de signe d to unve il c urre nt thre ats suc h as ze ro- day vulne rabilitie s. T he be havior patte rns are distribute d from the services.invea.com se rve r.
Downloading and applying the se patte rns is allowe d only for de vic e s with ac tive Gold support. T he list of the be havior patte rns (inc luding time stamps of last
modific ation) is downloade d from the se rve r e ve ry hour. A single be havior patte rn is downloade d only if the re is a ne we r ve rsion on the se rve r.

De te c tion of e ve ry be havior patte rn c an be de ac tivate d using re le vant c onfiguration parame te rs. S ome patte rns c an provide othe r c onfiguration parame te rs for
se tting the de te c tion.

Met hod configurat ion

It is re c omme nde d to apply this me thod to the whole c ommunic ation of IP addre sse s in the monitore d ne twork. T o update the be havior patte rns c orre c tly it is
ne c e ssary not to bloc k the c ommunic ation of the de vic e (probe /c olle c tor) to port 443 (HT T PS , standard se c ure d we b traffic ) on services.invea.com se rve r.

Met hod paramet ers

Activation: S e ts the status (ac tive /inac tive ) for ne wly adde d patte rns.

Othe r parame te rs of this de te c tion me thod are re le vant to partic ular be havior patte rns whic h are downloade d from the services.invea.com. T he se parame te rs may vary in
time .

Assigned filt er

Re stric tion for sourc e or de stination IP addre sse s (this c an diffe r base d on give n be havior patte rn).

Int erpret at ion of result s

T his me thod use s the be havior patte rn database , inte rpre tation of e ac h patte rn c an diffe r.

DIRINET – Direct Int ernet Communicat ion

Note

T his patte rn is available in all ve rsions, e xc e pt the IS P and Lite ve rsions.

Met hod descript ion

T his me thod de te c ts de vic e s that are c ommunic ating dire c tly into the Inte rne t (be yond the se gme nt de fine d by the LANS e gme nt parame te r). It is possible to se t
re porting of unsuc c e ssful and suc c e ssful c ommunic ation out of the allowe d ne twork se gme nt using parame te r Re portT rie s (e ve ntually Re portCommunication). T he
minimal transfe r is give n by the value of MinimalT ransfe r parame te r.

Met hod configurat ion

It is re c omme nde d to apply this me thod on the IP addre sse s from own ne twork, that shouldn’t be able to c ommunic ate dire c tly into the Inte rne t (e .g. due to se c urity
guide line s). T he right plac e for monitoring the Inte rne t is the c onne c tion line .

Met hod paramet ers

LANS e gme nt: T he name of the filte r that de fine s IP addre sse s whic h are allowe d to c ommunic ate only with IP addre sse s from this filte r and with the proxy se rve r.
Re portT rie s: De fine s whe the r to re port unsuc c e ssful atte mpts of c ommunic ation with IP addre sse s outside the ne twork de fine d by the LANS e gme nt parame te r.
Re portCommunication: De fine s whe the r to re port suc c e ssful c ommunic ation with IP addre sse s outside the ne twork de fine d by the LANS e gme nt parame te r.
MinimalT ransfe r: T he minimal amount of transfe rre d data be twe e n the IP addre sse s inside and outside the ne twork de fine d by the LANS e gme nt parame te r.

Assigned filt er

T he filte r is use d for re stric ting sourc e IP addre sse s.

Int erpret at ion of result s

 T his me thod is c apable to de te c t de vic e s that c ommunic ate dire c tly into the Inte rne t e ve n if the y are e xpe c te d not to do this (the y should use a proxy se rve r or the y
should c ommunic ate only with othe r de vic e s inside the loc al se gme nt).

DICTATTACK – Dict ionary at t ack

Met hod descript ion

T his de te c tion me thod re ve als the dic tionary attac ks aime d to various ne twork protoc ols. It de te c ts re que sts that are re c urring pe riodic ally and with the same data
flow c harac te ristic s be twe e n the sourc e and the targe t IP addre ss. First to de te c t are re gularly re c urring flows with the maximum time span de fine d by the MaxInte rval
parame te r. If the minimum numbe r of re trie s of the se flow (the MinAtte mpts parame te r) is re ac he d, the c ommunic ation on the re spe c tive protoc ol is c onside re d
suspic ious and the data transfe r c harac te ristic s are c ompute d. T he se c harac te ristic s c apture the variability of transfe rre d data. If the variability of transfe rre d data
within the suspic ious flows is smalle r than de fine d tole rance , the c ommunic ation be twe e n the se two stations is marke d as an attac k.

Met hod configurat ion

It is re c omme nde d to apply the me thod for all the IP addre sse s in the ne twork and obse rve not only the attac ks against your own se ve rs but also the attac ks c onduc te d
from your ne twork towards the Inte rne t. T he right plac e for traffic monitoring is the c e ntral switc h or possibly in/out Inte rne t line .

Met hod paramet ers

MaxInte rval> Maximal time de lay be twe e n login atte mpts.

MinAtte mpts: Minimal numbe r of login atte mpts.
T ole rance : De te c tion tole ranc e se ttings. T ole ranc e c an be se t in the inte rval of re al numbe rs from - 1 to 1, whe re 0 me ans ze ro tole ranc e . If positive numbe rs are
e nte re d, the tole ranc e inc re ase s. Ente ring ne gative value s de c re ase s tole ranc e . T his allows to de c re ase de te c tion tole ranc e in c ase of large numbe rs of false
positive de te c tions. T ole ranc e c an be se t for e ac h protoc ol se parate ly.
Ports: Ports on whic h the de te c tion should take plac e .

Assigned filt er

Re stric tions for sourc e or targe t IP addre sse s.

Int erpret at ion of result s

T he re sult of the me thod is the ide ntific ation of dic tionary attac ks. Due to the me c hanism of the de te c tion, the me thod may e valuate as an attac k also a le gitimate ,
pe riodic ally re c urring c ommunic ation. In c ase of a large r numbe r of false de te c tions, it is re c omme nde d to de c re ase the value of T ole ranc e parame te r or to inc re ase
the value of the MinAtte mpts parame te r.

DIVCOM – Target Host s/Port s Anomaly

Note

T his patte rn is available in all ve rsions, e xc e pt the IS P and Lite ve rsion.

Met hod descript ion

A me thod for de te c tion of de vic e s whic h e xhibit a gre at dive rsity of c ommunic ation. T he me thod se ts a c ommunic ation fac tor for e ac h IP addre ss as a multiply of the
unique de stination addre ss and unique de stination ports. If the de fine d tole ranc e limit (value of the CommunicationFactor option) is re ac he d, the c orre sponding e ve nt
is ge ne rate d. T he Exclude S e rve rs parame te r spe c ifie s a name of a filte r that de fine s IP addre sse s of se rve rs, whic h should be e xc lude d from de te c tion. T he se rve rs
have a highe r dive rsity of c ommunic ation than the c lie nt’s stations.

Met hod configurat ion

It is re c omme nde d to apply this me thod for IP addre sse s from own ne twork or for all addre sse s whe n monitoring public ly available se rve r farms. T he right plac e for
traffic monitoring is the c e ntral switc h and the Inte rne t c onne c tion line .

Met hod paramet ers

CommunicationFactor: T he thre shold for multiplic ation of a numbe r of the c ommunic ation partne rs and the de stination ports c ounts, to whic h the c ommunic ation
from the give n IP addre sse s take s plac e (so- c alle d c ommunic ation fac tor).
Exclude S e rve rs: T he name of the filte r that de fine s the IP addre sse s for whic h the c ommunic ation fac tor is not c ompute d during the de te c tion (e spe c ially for
se rve rs).

Assigned filt er

T he filte r is use d for re stric ting the sourc e IP addre sse s.

 Int erpret at ion of result s

T his me thod is c apable of de te c ting de vic e s that sc an ports, de vic e s attac ke d by spyware , infe c te d de vic e s or the de vic e s with a wrong c onfiguration. T ypic al false
positive s inc lude de te c tion of de vic e s imple me nting S NMP monitoring suc h as Zabbix.

REFLECTDOS – Amplificat ed DoS At t ack

Note

T his patte rn is available in all ve rsions, e xc e pt the Lite ve rsion.

Met hod descript ion

T his de te c tion me thod allows to unve il the DoS attac ks using the we akne sse s of some se rvic e s that amplify the attac k (the se rvic e s c an se nd a muc h bigge r re sponse
on spe c ific re que sts, this re sponse is se nt to a forge d sourc e IP addre ss of the re que st). Purpose of this me thod is to de te c t the misuse of the se rve rs in the
monitore d ne twork to this type of DoS attac k. T he de te c tion of misuse of the NT P (UDP/123), DNS (UDP/53, T CP/53), Portmap (UDP/111) and T FT P (UDP/69) se rvic e s
are imple me nte d.

T he misuse d se rve rs are de te c te d using the ratio of se nt and re c e ive d data (c ommunic ation with a single c lie nt). T o ge ne rate an e ve nt, a se rve r has to se nd at le ast x-
time s more data, than it re c e ive s (for x be ing the value of the T hre sholdChange s parame te r) and the se rve r has to se nd at le ast as muc h data to all of its c lie nts as it is
the value of the MinimalRe plie s parame te r.

T he de te c tion me thod has to have assigne d the filte rs de fining the IP addre sse s of NT P and DNS se rve rs in the DNS S e rve rs and NT PS e rve rs parame te rs. If one of
the se filte rs is not assigne d, the re spe c tive part of de te c tion is not ac tive . T he de te c tion of amplific ation attac ks that misuse the Portmap or T FT P se rvic e doe s not
re quire filte r assignme nt, this part of the de te c tion me thod c an be ac tivate d using the Portmap and T rivialFT P parame te rs.

Met hod configurat ion

It is re c omme nde d to apply this me thod ne twork- wide for all traffic on the ne twork re gardle ss of IP addre sse s. T he right plac e for traffic monitoring is the c e ntral
switc h.

Met hod paramet ers

MinimalRe plie s: Minimal amount of data se nt by the re le vant se rve r.

T hre sholdChange : T he thre shold value of the ratio be twe e n data se nt and re c e ive d by the re le vant se rve r.
DNS S e rve rs: T he name of filte r whic h de fine s the IP addre sse s of DNS se rve rs. If none filte r is assigne d, the de te c tion of the amplifie d DoS attac ks whic h misuse
the DNS se rvic e (UDP/53, T CP/53) is disable d.
NT PS e rve rs: T he name of filte r whic h de fine s the IP addre sse s of NT P se rve rs. If none filte r is assigne d, the de te c tion of the amplifie d DoS attac ks whic h misuse
the NT P se rvic e (UDP/123) is disable d.
Portmap: Ac tivate s the amplifie d DoS attac ks whic h misuse the Portmap se rvic e (UDP/111).
T rivialFT P: Ac tivate s the amplifie d DoS attac ks whic h misuse the T FT P se rvic e (UDP/69).

Assigned filt er

T he filte r is use d for re stric tion the sourc e or the de stination IP addre sse s.

Int erpret at ion of result s

T his me thod ale rts in c ase of misuse of the provide d se rvic e . T he solution to this situation c ould be the c hange in a se rvic e c onfiguration.

HIGHTRANSF – High Volume of Transferred Dat a

Met hod descript ion

A me thod for de te c tion of massive usage of the data link by one use r (IP addre ss). Me thod aggre gate s all traffic for an IP addre ss and c he c ks whe the r it e xc e e ds the
maximum limit. T he T ransfe rT hre shold option spe c ifie s the absolute data volume thre shold for a single IP addre ss (in MiB). Whe n this limit is re ac he d or e xc e e de d, an
e ve nt is re porte d. IP addre sse s, on whic h at le ast the pre se t pe rc e ntage of maximal transfe r be twe e n two addre sse s was transfe rre d (the T arge tPe rce ntile
parame te r), are marke d as targe ts of the e ve nt. T he Exclude S e rve rs parame te r spe c ifie s the name of a filte r that de fine s IP addre sse s of se rve rs, whic h should be
e xc lude d from de te c tion. T he se rve rs have typic ally highe r data transfe rs than the c lie nt’s stations. T he Le galS e rve rs parame te r spe c ifie s the name of the filte r that
de fine s IP addre sse s be twe e n whic h are the high transfe rs allowe d.

Met hod configurat ion

It is re c omme nde d to apply this me thod only on the IP addre sse s from own ne twork. T he right plac e for monitoring the traffic is the Inte rne t c onne c tion line .

Met hod paramet ers

T ransfe rT hre shold: T he thre shold for the transfe rre d data amount (in MiB).
Exclude S e rve r: Name of the filte r that de fine s the IP addre sse s of the de vic e s, whic h are allowe d to transfe r big amounts of data (e spe c ially the se rve rs in the
monitore d ne twork).
T arge tPe rce ntile : Value of the parame te r de fine s the minimal pe rc e ntage of the total data amount should be transfe rre d with a single c ommunic ation pe e r to
 indic ate it as an e ve nt targe t.
Le galS e rve rs: Name of the filte r that de fine s the IP addre sse s of the de vic e s that are allowe d for big data transfe rs by the de vic e s in the monitore d se gme nt.

Assigned filt er

T he filte r is use d for re stric ting sourc e IP addre sse s.

Int erpret at ion of result s

T his me thod re liably ale rts to the IP addre sse s whic h transfe rre d more data the n it is allowe d.

HONEYPOT – Honeypot Traffic

Note

T his patte rn is available in all ve rsions, e xc e pt the Lite ve rsion.

Met hod descript ion

T his me thod is inspire d by so- c alle d hone ypots, the ne twork traps. Compute rs on whic h no inc oming traffic is e xpe c te d. All suc h traffic c an, the re fore , be c onside re d
as an anomaly. T he de te c tion me thod works similarly. T he IP addre sse s re pre se nting hone ypots are de fine d as filte rs and if the re is any ac c e ss to the se IP addre sse s,
the e ve nt is ge ne rate d.

Met hod configurat ion

It is re c omme nde d to apply this me thod ne twork- wide for all traffic on the ne twork e xc e pt for the IP addre sse s from whic h we e xc e pt the ac c e ss to the hone ypots (e .g.
be c ause of c onfiguration). It is ne c e ssary to se t up the name of the filte r that de fine s hone ypots for prope r func tioning. T he right plac e for traffic monitoring is the
Inte rne t c onne c tion line or the c e ntral switc h.

Met hod paramet ers

Ignore Acce ssFrom: T he name of the filte r whic h de fine s the IP addre sse s that are allowe d to c ommunic ate with the hone ypots (e .g. be c ause of the manage me nt).
Hone ypotFilte r: T he name of the filte r whic h de fine s the IP addre sse s of the ne twork traps that shouldn’t be re que ste d by any de vic e (be side s the IP addre sse s
de fine d by the Ignore Acce ssFrom parame te r).

Assigned filt er

T he filte r is use d for re stric ting sourc e IP addre sse s.

Int erpret at ion of result s

T his me thod ale rts to the unauthorize d ac c e ss on the c hose n c ompute rs in the ne twork. It c ould me an horizontal sc anning or the atte mpt to a ne twork- wide ssh attac k.

HTTPDICT – Web Form At t ack

Note

T his patte rn is available in all ve rsions, e xc e pt the Lite ve rsion.

Met hod descript ion

T his de te c tion me thod is foc use d on de te c ting we b login form dic tionary attac ks (or brute forc e attac ks). A minimal numbe r of atte mpts to log in from a single IP
addre ss is se t by the MinimalPe rClie nt parame te r. Due to possibility of some false positive s c ause d by re gular we bpage update s (using e .g. AJAX te c hnology) is
ne c e ssary to se t the MinimalPage S ize parame te r as the minimal size of the page re turne d in c ase of an unsuc c e ssful login atte mpt.

Met hod configurat ion

It is re c omme nde d to apply this me thod only on the we b se rve rs in the monitore d ne twork, possibly for all traffic on the ne twork (to de te c t attac ks from c lie nts in the
monitore d ne twork). T he right plac e for traffic monitoring is the Inte rne t c onne c tion line or the c e ntral switc h.

Met hod paramet ers

 MinimalPe rClie nt: T hre shold for a minimal c ount of unsuc c e ssful atte mpts to log in from a single IP addre ss.
MinimalPage S ize : Minimal size of the we b se rve r re sponse se nt afte r an unsuc c e ssful login atte mpt.

Assigned filt er

T he filte r is use d for re stric ting de stination IP addre sse s.

Int erpret at ion of result s

T he me thod highlights the inc re ase d c ount of se nding the same - size d file from the we bse rve r to a single c lie nt. T hat probably me ans the dic tionary attac k on the we b
login form.

ICGUARD – Int ernet Connect ion Ut ilizat ion Anomaly

Note

T his patte rn is available in all ve rsions, e xc e pt the Lite and IS P ve rsions.

Note

T his me thod is de pre c ate d. It will be de le te d in ve rsion 11.0.

Met hod descript ion

T his de te c tion me thod monitors the usage of the inte rne t c onne c tion line . It is able to ale rt to an e xc e ssive usage pe r host (use r) or in total base d on the de fine d
thre shold value s. It is ne c e ssary to se t a c onne c tion type (symme tric al line , asymme tric al line ) and de fine the line spe e d in Mbps. Anothe r c onfiguration option is the
LANFilte r whic h de fine s loc al IP addre sse s; c ommunic ation be twe e n the se addre sse s is ignore d during c omputation of line usage . It is mandatory to se t up loc al
addre sse s.

T his me thod c an de te c t a high numbe r of pac ke ts pe r se c ond transfe rre d ove r a c onne c tion to the inte rne t. Eve nt is de te c te d if the ove rall sum of pac ke ts pe r se c ond
e xc e e ds the value of the T otalPPS parame te r. If at le ast half of this traffic is ge ne rate d by one IP addre ss, the addre ss is ide ntifie d as the originator of an e ve nt.

Met hod configurat ion

It is re c omme nde d to apply this me thod ne twork- wide for all traffic on the ne twork re gardle ss of IP addre sse s. T he right plac e for traffic monitoring is the Inte rne t
c onne c tion line or the c e ntral switc h.

Met hod paramet ers

Conne ctionT ype : T ype of c onne c tion to the Inte rne t (symme tric al or asymme tric al line ).
S Line S pe e d: Conne c tion spe e d in c ase of a symme tric al line (in Mbps).
ADownLine S pe e d: Download spe e d in c ase of an asymme tric al line (in Mbps).
AUpLine S pe e d: Upload spe e d in c ase of an asymme tric al line (in Mbps).
LANFilte r: Name of the filte r that de fine s the IP addre sse s of the de vic e s whic h are c onne c te d to the Inte rne t by the de sc ribe d line .
T otalGuard: T hre shold of total utilization of the c onne c tion line , whic h will be re porte d as an e ve nt (in pe rc e nts).
Pe rHostGuard: T hre shold of the utilization of the c onne c tion line by single IP addre ss to be re porte d as an e ve nt (in pe rc e nts).
T otalPPS : T hre shold of minimal c ount of pac ke ts pe r se c ond.

Assigned filt er

T he filte r use d for re stric ting sourc e IP addre sse s.

Int erpret at ion of result s

T his me thod shows the e xc e ssive usage of inte rne t c onne c tion.

IPV6TUNNEL – IPv6 Tunneled Traffic

Note

T his patte rn is available in all ve rsions, e xc e pt the Lite and IS P ve rsions.

Met hod descript ion

 T he IPV6T UNNEL de te c tion me thod allows to de te c t the ne twork de vic e s that are c ommunic ating through tunne lle d IPv6 protoc ol using T e re do or 6in4 protoc ol. T he
first parame te r is Conne ctionsT hre shold, whic h allows to re stric t the minimum amount of c onne c tions be twe e n stations. With the UploadDataT hre shold and
DownloadDataT hre shold parame te r is possible to limit the minimal amount of transfe rre d data. Anothe r parame te r is Ignore Faile dConne ctions, whic h allows to ignore
unpaire d c ommunic ation. You may also se t the me thod for ignoring the T e re do protoc ol (value of Ignore T e re do is se t to “ye s”) or for ignoring the 6in4 protoc ol (value
of Ignore 6in4 is se t to “ye s”).

Met hod configurat ion

It is re c omme nde d to ac tivate this me thod for all IP addre sse s. T he right plac e for traffic monitoring is the c e ntral switc h and the Inte rne t c onne c tion line .

Met hod paramet ers

Conne ctionsT hre shold: T hre shold for a minimal c ount of c onne c tions using the IPv6 tunne ls.
UploadDataT hre shold: T hre shold for a minimal amount of data se nt by the de vic e using the IPv6 tunne ls.
DownloadDataT hre shold: T hre shold for a minimal amount of data re c e ive d by the de vic e using the IPv6 tunne ls.
Ignore Faile dConne ctions: Omission of c onne c tions without re sponse .
Ignore T e re do: De ac tivation of the de te c tion of the T e re do tunne lling protoc ol.
Ignore 6in4: De ac tivation of the de te c tion of the 6in4 tunne lling protoc ol.

Assigned filt er

T he filte r is use d for re stric ting sourc e or de stination IP addre sse s.

Int erpret at ion of result s

T his me thod de te c ts de vic e s c ommunic ating using the IPv6 protoc ol that is tunne lle d through IPv4.

INSTMSG – Inst ant Messaging Traffic

Note

T his patte rn is available in all ve rsions, e xc e pt the IS P ve rsion.

Met hod descript ion

T his me thod de te c ts the use of instant me ssaging se rvic e s e ve n if the y mask through the ports that are re se rve d for othe r se rvic e s (e .g. port 80 for we b traffic ). T he
me thod use s the statistic al c harac te ristic s of the instant me ssaging traffic , to distinguish be twe e n the OS CAR protoc ol (ICQ and its de rivative s), XMPP (Jabbe r
se rvic e and its de rivative s, inc luding Google T alk) and S kype . Any c lie nt of any of the above - liste d se rvic e s is suffic ie nt for suc c e ssful de te c tion. De te c tion of
partic ular instant me ssaging type s c an be suppre sse d by c hoosing the Ignore option. For suppre ssion of false positive s whic h may arise from the loc al ne twork, the re is
the option LANFilte r available , whic h allows you to spe c ify the name of the filte r c omprising loc al ne twork addre sse s be twe e n whic h the traffic e xhibiting instant
me ssaging c harac te ristic s is ignore d. T he Ignore Ports parame te r allows to ignore c ommunic ation on ports 993 and 443 for re duc ing false positive s during XMPP
instant me ssaging de te c tion.

Met hod configurat ion

It is re c omme nde d to apply this me thod ne twork- wide for all traffic on the ne twork re gardle ss of IP addre sse s. T he right plac e for traffic monitoring is the Inte rne t
c onne c tion line or the c e ntral switc h (with the LANFilte r se t).

Met hod paramet ers

LANFilte r: Name of the filte r that de fine s the IP addre sse s whose c ommunic ation is ignore d during the de te c tion.
Ignore OS CAR: De ac tivation of de te c tion of the OS CAR instant me ssaging protoc ol (use d e .g. by the ICQ se rvic e ).
Ignore XMPP: De ac tivation of de te c tion of the XMPP instant me ssaging protoc ol (use d e .g. by the Jabbe r se rvic e ).
Ignore Ports: Omission of T CP ports 443 and 993 within the XMPP protoc ol de te c tion.
Ignore S kype : De ac tivation of de te c tion of the S kype c ommunic ation applic ation.
Ignore Online MS G: De ac tivation of de te c tion of c hose n instant me ssaging we b applic ations.
Ignore S NGL: Omission of atte mpts to c onne c t to the instant me ssaging we b applic ation without re sponse .

Assigned filt er

T he filte r is use d for re stric ting sourc e IP addre sse s.

Int erpret at ion of result s

Although this is a he uristic , the me thod ac hie ve s ve ry re liable re sults in the re al traffic . T he role s of the e ve nt origin and e ve nt targe t may switc h, i.e . IP addre ss from a
loc al ne twork that runs the c lie nt’s instant me ssaging is marke d as the e ve nt targe t and the se rve r of the se rvic e as the e ve nt originator.

L3ANOMALY – L3 Net work Anomaly

 Note

T his patte rn is available in all ve rsions, e xc e pt the Lite ve rsion.

Met hod descript ion

T he de te c tion me thod re ve als traffic anomalie s on the third, ne twork laye r. T he first part de te c ts situations in whic h the sourc e or de stination IP addre ss of the
c ommunic ating partie s is not from our le gitimate inte rnal ne tworks (additional info is available in RFC 2827). T he se c ond part re ports the flows with broadc ast or
multic ast sourc e IP addre ss. T he third one de te c ts pac ke ts with ide ntic al sourc e and de stination IP addre ss. Both IPv4 and IPv6 protoc ols are supporte d.

T he Inte rnalNe tworks filte r spe c ifie s the IP addre ss range of the allowe d inte rnal ne twork. It is important for the first part of the de te c tion (IP spoofing). It is possible
to e nable or disable e ac h part of the de te c tion individually, using the IPS poof, S ource IPAnom and S ame S rcDe stAnom parame te rs. Enabling the Ignore BroadMulticast
parame te r allows to inhibit the de te c tion of IP spoofing for the flows with a multic ast or broadc ast de stination IP addre ss. T he flows with the link- loc al IP addre sse s
and ze ro ne twork broadc asts are e xc lude d from the de te c tion of IP spoofing by de fault.

Met hod configurat ion

It is re c omme nde d to apply this me thod ne twork- wide for all traffic on the ne twork re gardle ss of IP addre sse s. T he right plac e for traffic monitoring is the Inte rne t
c onne c tion line or the c e ntral switc h (with option Inte rnalNe tworks turne d on).

Met hod paramet ers

Inte rnalNe tworks: Name of the filte r that de fine s all IP addre sse s of the monitore d ne twork.
S ource IPAnom: Ac tivate s the de te c tion of c onne c tions with broadc ast or multic ast IP addre ss as a sourc e .
S ame S rcDe stAnom: Ac tivate s the de te c tion of c onne c tions with the same sourc e and de stination IP addre sse s.
IPS poof: Ac tivate s the de te c tion of c onne c tions be twe e n the sourc e and de stination IP addre sse s, whic h are both outside the ne twork de fine d by the
Inte rnalNe tworks parame te r.
Ignore BroadMulticast: Omission of c onne c tions with the broadc ast or multic ast de stination IP addre ss during the IPS poof de te c tion.

Assigned filt er

T he filte r is use d for re stric ting sourc e or de stination IP addre sse s.

Int erpret at ion of result s

T he c ommunic ation of IP addre sse s outside the sc ope of loc al ne tworks may indic ate IP spoofing or an atte mpt to modify IP he ade rs. In c ase of flows with inc orre c t IP
addre sse s (broadc ast or multic ast sourc e IP addre ss or the same sourc e and de stination IP addre ss), it c ould be an attac k on some imple me ntation issue of T CP/IP
stac k of ne twork e quipme nt.

LATENCY – Net work Lat ency Anomaly

Note

T his patte rn is available in all ve rsions, e xc e pt the IS P ve rsion.

Note

T his me thod is de pre c ate d. It will be de le te d in ve rsion 11.0.

Met hod descript ion

A me thod for me asuring the de lay on the ne twork le ve l, i.e . de lay be twe e n the re c ording of the first re que st pac ke t and the first re sponse pac ke t. T he me thod use s the
bidire c tional flows standard (RFC 5103), i.e . c lassific ation of data flows suc h as re que sts and re sponse s. T he de lay has to be me asure d for a give n group of IP
addre sse s spe c ifie d by a filte r. Within the c onfiguration, it is ne c e ssary to se t the option Late ncyT hre shold whose value de te rmine s the maximum tole rate d value of the
de lay be twe e n the re que st and the re sponse . Anothe r option is S trictMode whic h de te rmine s whe the r the de lay will be me asure d for addre sse s matc hing the filte r
assigne d to the de te c tion me thod (value “normal” of the option) or e xc lusive ly be twe e n the se addre sse s (value “stric t” of the option). It is possible to affe c t the
be havior of this me thod using option T CPFlags whic h e nable s to de te c t the late nc y only during the c onne c tion e stablishme nt.

Met hod configurat ion

It is re c omme nde d to apply this me thod ac c ording to the ne twork topology and the obje c tive s of the me asure me nt. Me asuring the de lay on any targe ts within the
Inte rne t doe s not provide use ful re sults. T he optimal plac e for monitoring the traffic is for e xample data link be twe e n two workplac e s of the organization or line to the
organization se rve rs.

Met hod paramet ers

 Late ncyT hre shold: T hre shold for the minimal diffe re nc e be twe e n the time stamps of the re que st and re sponse (in millise c onds).
S trictMode : De te c tion of late nc y only among the IP addre sse s de fine d by the assigne d filte r.
T CPFlags: Limitation of de te c tion just on the flows c ontaining pac ke ts with T CP S YN flag.

Assigned filt er

T he filte r is use d for re stric ting sourc e or de stination IP addre sse s.

Int erpret at ion of result s

T his me thod shows the value of de lay be twe e n the re c ording of the first re que st pac ke t and the first re sponse pac ke t. T his value thus indic ate s the de lay in the
ne twork laye r and it c an he lp in analyzing the proble m of late nc y in the se le c te d applic ation or data link. T he me thod c an also be use d to c he c k the S LA on the se le c te d
data link.

MULTICAST – Mult icast Traffic

Met hod descript ion

A me thod for de te c tion of IPv4 multic ast traffic base d on the use of multic ast addre sse s (224.0.0.0 to 239.255.255.255), dire c te d broadc ast addre sse s (X.Y.Z.255),
all- host broadc ast addre ss (255. 255. 255. 255) and IPv6 multic ast (ff00::/8). De te c tion of dire c te d broadc ast and all- host broadc ast traffic c an be suppre sse d by
se tting the option Ignore Broadcast to value “Ye s”. A minimum numbe r of multic ast re que sts to be re porte d c an be se t via option MinimalAtte mpts (this thre shold is
always e valuate d). T he c ondition is satisfie d traffic at le ast one of the MaxBPP and MinT ransfe rre d thre sholds satisfie s. If some of the se thre sholds are e qual to ze ro,
the othe r one has to be satisfie d. If both of the se thre sholds are e qual to ze ro, the y are ignore d.

Met hod configurat ion

In c ase of ne twork proble ms assoc iate d with multic ast traffic , it is re c omme nde d to apply this me thod ne twork- wide for all c ommunic ation in the ne twork re gardle ss of
IP addre sse s. T he right plac e for traffic monitoring is the Inte rne t c onne c tion line or the c e ntral switc h.

Met hod paramet ers

Ignore Broadcast: Omission of broadc ast and IPv6 all- host multic ast within the de te c tion.
MinimalAtte mpts: T hre shold for a minimal c ount of multic ast (or broadc ast) c onne c tions.
MaxBPP: Maximal ave rage value of byte s pe r pac ke t (this me tric is not use d if the parame te r is se t to 0).
MinPPS : Minimal ave rage value of pac ke ts pe r se c ond (this me tric is use d only toge the r with the MaxBPP parame te r).
MinT ransfe rre d: Minimal amount of data transfe rre d to Multic ast or Broadc ast IP addre sse s (in MiB).

Assigned filt er

T he filte r is use d for re stric ting sourc e IP addre sse s.

Int erpret at ion of result s

T his me thod re liably ale rts to the IP addre sse s on the ne twork that ge ne rate multic ast traffic .

NATDET – Net work Address Translat ion

Met hod descript ion

T he de te c tion me thod re ve als the IP addre sse s use d by more de vic e s (using NAT ). As the de te c tion me thod use s spe c ific be havior patte rns of distinc t ope rating
syste ms, the de te c tion is limite d only to NAT s with at le ast two de vic e s with diffe re nt ope rating syste ms.

Met hod configurat ion

It is re c omme nde d to apply this me thod only for the IP addre sse s of the monitore d ne twork se gme nt. T he right plac e for traffic monitoring is the c e ntral switc h. T he
de te c tion me thod re quire s proprie tary IPFIX fie lds by Flowmon Ne tworks. It is ne c e ssary to ac tivate the Use r- Age nt fie lds from HTTP OS & Application info e xte nsion and
the whole L3/L4 extended fields e xte nsion. T his is possible at the Flowmon probe in the FCC → Monitoring ports. T his page inc lude s the monitoring port on whic h you may
find and ac tivate the e xte nsion (in the Advanced settings tab ).

Met hod paramet ers

DistinctS YNS ize : Minimal numbe r of T CP S YN pac ke ts with distinc t size for single IP addre ss.
DistinctT T L: Minimal numbe r of T CP S YN pac ke ts with distinc t T T L se t for single IP addre ss.
DistinctT CPWindow: Minimal numbe r of T CP S YN pac ke ts with distinc t T CP window se t for single IP addre ss.
DistinctOS : Minimal numbe r of distinc t ope rating syste ms (from HT T P use r age nt) for single IP addre ss.
MinimalProbability: Minimal probability that the give n IP addre ss c orre sponds to more diffe re nt de vic e s (the re is a NAT ).
MaxHop: Maximal numbe r of hops e xpe c te d in the re spe c tive ne twork (i.e . the maximal numbe r of the route rs that c an be passe d by the single pac ke t). S e rve s for
the NAT de te c tion base d on nonstandard T T L value s.
 Assigned filt er

T he filte r is use d for re stric ting sourc e IP addre sse s.

Int erpret at ion of result s

T his de te c tion me thod ale rts to the IP addre sse s c orre sponding to many diffe re nt de vic e s using NAT (physic al e ve ntually virtual de vic e s).

SCANS – Port Scanning

Met hod descript ion

T he de te c tion me thod use d for de te c tion of c ommon and use d te c hnique s of ne twork mapping and running se rvic e s through the port sc anning. T he me thod
distinguishe s be twe e n diffe re nt type s of sc ans (S YN sc an, FIN sc an, Xmas sc an and Null sc an) and the ir style s (horizontal sc an, ve rtic al sc an, c haotic sc an). De tails
inc lude a numbe r of sc ans, numbe r of unique targe ts, information about a re sponse from a sc anne d de vic e and a list of sc anne d ports. T he S cansT hre shold option
se rve s to adjust the se nsitivity of the me thod. Its value indic ate s the minimum numbe r of sc an atte mpts from a sourc e , whic h should be re c ognize d as an e ve nt. T he
Ignore Chaotic option allows to ignore c haotic sc ans and de te c t only horizontal and ve rtic al sc anning. T he Ignore Unsucc option allows to ignore sc ans with no re sponse .
You may limit the de te c tion to the ports smalle r than 1024 using the De te ctOnlyKnown parame te r. T his c an be e xte nde d by a c omma- se parate d list of port numbe rs
de fine d as the value of the De te ctT he se Ports parame te r. T he de te c tion c an be limite d only to the ports liste d in the De te ctT he se Ports parame te r, i n c ombination with
the detect specified value of the De te ctOnlyKnown parame te r.

T his de te c tion me thod is also able to de te c t the unsuc c e ssful atte mpts to sc an the ports on protoc ol UDP. T his part of de te c tion c an be se t by the UDPT hre shold
parame te r, whic h de fine s the minimal numbe r of atte mpts. Chaotic sc ans are ignore d.

T he de te c tion that c an be ac tivate d using the PortBase dDe te ction parame te r is inte nde d for the monitore d ne twork with flows without c orre c tly assigne d T CP flags.
T his de te c tion is using the port list de fine d by the De te ctT he se Ports parame te r. Only the c ommunic ation on the se ports is c ontrolle d. In orde r to de te c t the sc an
suc c e ssfully, the attac ke r has to ac c e ss e ac h port from this list on e ac h targe t. T he De te ctOnlyKnown and Ignore Chaotic are ignore d during this type of de te c tion.

Met hod paramet ers

S cansT hre shold: T hre shold for a minimal numbe r of atte mpts to port sc anning by a single de vic e .
Ignore Chaotic: Omission of the c haotic port sc ans (it is not possible to de te rmine if the sc an is ve rtic al or horizontal).
Ignore Unsucc: Omission of atte mpts to port sc anning without re sponse .
De te ctOnlyKnown: De te c tion of port sc anning on the ports le sse r than 1024 or on ports de fine d by the list.
De te ctT he se Ports: T he c omma- se parate d list of the port numbe rs, whic h limits the port sc ans de te c tion.
PortBase dDe te ction: De te c tion base d on give n port numbe rs. T his type of de te c tion is suitable whe n the re are the T CP flags inc orre c tly re c ognize d in the
monitore d traffic (c ause d by some type s of data sourc e s). If the PortBase dDe te ction parame te r is ac tive , it is re c omme nde d to ac tivate this me thod only for IP
addre sse s from the monitore d ne twork. T he e ve nt is the n re porte d only if an IP addre ss from this de finition is sc anne d.
UDPT hre shold: T hre shold of a minimal numbe r of unsuc c e ssful atte mpts of sc anning the UDP ports by a single de vic e . T he de te c tion is base d on monitoring of
the ICMP traffic . If the value of the parame te r is 0, the UDP ports sc anning de te c tion is inac tive .
ARPS can: T hre shold of minimal numbe r of ARP re que ste d to be c onside re d as an ARP sc anning. If the value of the parame te r e quals 0, the ARP sc ans de te c tion is
inac tive .
MinT arge ts: T he minimal c ount of IP addre sse s sc anne d using the ARP re que sts.

Met hod configurat ion

It is re c omme nde d to apply this me thod for all IP addre sse s. T he right plac e for traffic monitoring is the c e ntral switc h and the Inte rne t c onne c tion line .

Assigned filt er

T he filte r is use d for re stric ting sourc e or de stination IP addre sse s. T he de stination IP addre sse s are re stric te d only in c ase of port- base d de te c tion.

Int erpret at ion of result s

Apart from de te c ting the atte mpts to de libe rate port sc anning, this me thod may de te c t misc onfigure d de vic e s, whic h are unsuc c e ssfully trying to e stablish a
c onne c tion or de vic e s infe c te d with malware whic h is trying to re plic ate itse lf to othe r de vic e s.

SRVNA – Service Not Available

Met hod descript ion

T he de te c tion me thod is use d to de te c t unavailable se rvic e s (IP addre ss/port), to whic h c lie nts want to gain ac c e ss. T his me thod c an be re stric te d by minimal numbe r
of ac c e sse s to the se rvic e (the Atte mptsT hre shold parame te r) and by the filte r that de fine s IP addre sse s of provide d se rvic e s (the S e rvice Provide rs parame te r). In
c ase that the e ve nt is ge ne rate d, the sourc e IP addre ss is the addre ss of provide r of the unavailable se rvic e . T he numbe r of suc c e ssful c onne c tion and suc c e ssfully
c onne c te d c lie nts in the de tail, too. It is possible to limit the de te c tion using the Re lative Unsucce ssful parame te r that de fine s minimal ratio be twe e n unsuc c e ssful
re que sts and all c onne c tions to the give n se rvic e .

T his me thod also allows to de te c t the unavailable se rvic e s on the UDP protoc ol. T his part of de te c tion c an be se t by the UDPT hre shold parame te r whic h de fine s the
minimal thre shold of unsuc c e ssful atte mpts.

Met hod configurat ion

It is re c omme nde d to ac tivate this me thod for all IP addre sse s. T he right plac e for traffic monitoring the traffic is the c e ntral switc h and the Inte rne t c onne c tion line . It
 is re c omme nde d to ac tivate the OnlyRe je cte d parame te r if the de te c tion is pe rforme d on the sample d traffic .

Met hod paramet ers

S e rvice Provide rs: Name of the filte r that de fine s the IP addre sse s of se rve rs whose failure s should be de te c te d.
Atte mptsT hre shold: T hre shold of minimal numbe r of ac c e sse s to single se rvic e (de fine d as IP addre ss, protoc ol and port).
Re lative Unsucce ssful: T hre shold of ratio be twe e n the unsuc c e ssful ac c e sse s to a se rvic e and the total numbe r of ac c e sse s (in pe rc e nts).
OnlyRe je cte d: Evaluation of re je c te d ac c e sse s to the se rvic e (ac c e ss atte mpts with re sponse with T CP RES ET flag).
UDPT hre shold: T hre shold of minimal numbe r of ac c e sse s to the se rvic e on UDP protoc ol. If the value of the parame te r is e qual to 0, the de te c tion of the
unavailable se rvic e on the UDP protoc ol is inac tive .

Assigned filt er

T he filte r is use d for re stric ting sourc e IP addre sse s (se rve rs).

Int erpret at ion of result s

Apart from de te c ting the suc c e ssful De nial of S e rvic e attac k, this me thod may also de te c t wrong c onfiguration – e ithe r on the se rve r whic h doe s not provide the
inte nde d se rvic e , or on the c lie nt, whic h de mands se rvic e s that are not provide d.

TEAMVIEWER – TeamViewer t raffic

Note

T his patte rn is available in all ve rsions, e xc e pt the Lite and IS P ve rsions.

Met hod descript ion

Me thod for de te c tion of de sktop sharing via the T e amVie we r applic ation.

Met hod configurat ion

It is re c omme nde d to apply this me thod only for the IP addre sse s from the monitore d ne twork. T he right plac e for traffic monitoring is the c e ntral switc h.

Met hod paramet ers

T his de te c tion me thod has are no additional parame te rs.

Assigned filt er

T he filte r is use d for re stric ting sourc e IP addre sse s.

Int erpret at ion of result s

T his me thod de te c ts de vic e s that are sharing the ir de sktop using T e amVie we r.

TELNET – Telnet Anomaly

Met hod descript ion

T he me thod is use d for the de te c tion of inc re ase d use of the T e lne t se rvic e . T his se rvic e is obsole te and c urre ntly should not be use d at all due safe ty re asons. Its use
should, the re fore , be subje c t to a spe c ial re gime . T he me thod de te c ts all c onne c tions to the T CP port 23 (the T e lne t se rvic e ) inc luding c onne c tion atte mpts. It c ounts
the numbe r of c onne c tions of individual IP addre sse s. As a part of me thod c onfiguration, you must se t up the minimum numbe r of T e lne t c onne c tions whic h should be
c onside re d unwante d (the T e lne tT hre shold option). De te c tion may inc lude all c onne c tion atte mpts inc luding sc ans (the no value of the Ignore S cans option) or only the
suc c e ssfully e stablishe d c onne c tions (the yes value of the Ignore S cans option). T he se rve rs to whic h is allowe d to log via the te lne t protoc ol c an be e xc lude d from the
de te c tion using the Allowe dT e lne t parame te r.

Met hod configurat ion

It is re c omme nde d to apply this me thod for all IP addre sse s. T he right plac e for traffic monitoring is the c e ntral switc h and the Inte rne t c onne c tion line . By se tting the
Ignore S cans option to value yes, it is possible to de te c t de vic e s that are infe c te d with some form of malware (e . g. botne t Chuc k Norris) and whic h invade othe r ne twork
de vic e s suc h as route rs, IP c ame ras, e tc .

Met hod paramet ers

T e lne tT hre shold: T hre shold of a minimal numbe r of the c onne c tions using the T e lne t se rvic e (T CP/23).
 Ignore S cans: Omission of the traffic re c ognize d as the T CP port 23 sc an.
Allowe dT e lne t: De finition of the IP addre sse s that are allowe d to be ac c e sse d using the T e lne t se rvic e .
UploadT hre shold: Minimal amount of data uploade d by a single de vic e .
DownloadT hre shold: Minimal amount of data downloade d by a single de vic e .

Assigned filt er

T he filte r is use d for re stric ting sourc e or de stination IP addre sse s.

Int erpret at ion of result s

T his me thod de te c ts de vic e s using or atte mpting to use the T e lne t se rvic e (de pe nding on c onfiguration). T he me thod c an also de te c t spe c ialize d de vic e s that are
infe c te d with some form of malware orie nte d to misuse spe c ialize d ne twork de vic e s.

TOR – TOR t raffic

Note

T his patte rn is available in all ve rsions, e xc e pt the Lite and IS P ve rsions.

Met hod descript ion

T he me thod de signe d for de te c tion of usage of the T or anonymity protoc ol. T he me thod c onfiguration allows to se t the minimum numbe r of c onc urre ntly starte d
c onne c tions (the Concurre ntS tart parame te r) and the minimal duration of the longstanding c onne c tion (the LongConne ction parame te r). It is possible to limit the false
positive s by se tting the filte r that de fine s the loc al ne twork se gme nt (the LANFilte r parame te r) and the minimal probability of the e ve nt to be re porte d (the
MinimalProbability parame te r).

Met hod configurat ion

It is re c omme nde d to apply this me thod for c lie nt stations of the monitore d ne twork. T he right plac e for traffic monitoring is the Inte rne t c onne c tion line .

Met hod paramet ers

LANFilte r: Name of the filte r that de fine s the IP addre sse s of the de vic e s in the monitore d ne twork.
Concurre ntS tart: T hre shold of a minimal numbe r of c onc urre ntly e stablishe d c onne c tions.
LongConne ction: Minimal duration of c ontinuous long c onne c tions (in se c onds).
MinimalProbability: T hre shold of minimal probability whic h has to be assigne d to the e ve nt.

Assigned filt er

T he filte r is use d for re stric ting sourc e IP addre sse s.

Int erpret at ion of result s

T his me thod de te c ts the c lie nt’s stations that are using the T or protoc ol while the y are browsing the Inte rne t.

UPLOAD – Dat a Upload Anomaly

Note

T his patte rn is available in all ve rsions, e xc e pt the Lite and IS P ve rsions.

Met hod descript ion

T he me thod monitors the amount of transfe rre d data be twe e n the c urre ntly c ommunic ating stations and c he c ks the ratio of data transfe rre d from c ompute rs of the
monitore d ne twork and the data transfe rre d in the opposite dire c tion. Whe n the use r- de fine d ratio or the absolute thre shold is e xc e e de d, the e ve nt is ge ne rate d. T he
Exclude S e rve rs parame te r spe c ifie s the name of the filte r that de fine s IP addre sse s of the se rve rs, whic h should be e xc lude d from de te c tion. T he se rve rs have a
gre ate r upload than the c lie nt’s stations.

T he large data uploads c an be de te c te d in two diffe re nt ways. T he first me thod is base d on statistic s of all traffic be twe e n two de vic e s, so the upload to the se rve r,
whic h is also se nding some othe r data bac k, c annot be de te c te d. T he se c ond me thod is c omparing e ac h re que st to the re le vant re sponse , so the upload is de te c te d
e ve n de spite the c onc urre nt download. Howe ve r, uploading via a large amount of small c onne c tions may not be de te c te d. T he de te c tion mode c an be se t by the
Pairwise parame te r.

Met hod configurat ion

 It is re c omme nde d to apply this me thod for c lie nt’s stations of the monitore d ne twork. T he right plac e for traffic monitoring is the Inte rne t c onne c tion line .

Met hod paramet ers

Exclude IPs: Name of the filte r that de fine s the IP addre sse s whic h are allowe d to upload the data to the m.
Absolute T hre shold: T hre shold for a minimal amount of se nt data by a single de vic e . If the value of the parame te r is e qual to 0, the de te c tion base d on the
absolute thre shold is inac tive .
Re lative T hre shold: T hre shold for a minimal ratio be twe e n the se nt and the re c e ive d data.
MinimalT hre shold: Minimal amount of se nt data to c he c k the se nt- to- re c e ive d data ratio.
Exclude S e rve rs: Name of the filte r that de fine s the IP addre sse s of the de vic e s whic h are allowe d to se nt data.
Pairwise : De te c tion base d on the re que st- re sponse pairs be side s the total statistic s of the se nt and the re c e ive d data.

Assigned filt er

T he filte r is use d for re stric ting sourc e IP addre sse s.

Int erpret at ion of result s

T his me thod re ports the stations from whic h a file was uploade d, whic h may indic ate an atte mpt to se nsitive data the ft.

VOIP – VoIP Traffic

Note

T his patte rn is available in all ve rsions, e xc e pt the Lite and IS P ve rsions.

Met hod descript ion

Me thod for de te c tion of the VoIP traffic using known pairs of port and protoc ol. T he prac tic al applic ability of the me thod is stric tly limite d to a c orporate e nvironme nt
and the se le c te d de vic e s and is re c omme nde d for de te c ting the S IP and the H.323 traffic . T he me thod e nable s de te c ting ne twork de vic e s that ge ne rate standard VoIP
traffic .

Met hod configurat ion

It is re c omme nde d to apply this me thod for e xplic itly se le c te d IP addre sse s of an organization whose traffic struc ture is known or e xpe c te d. T he re c omme nde d plac e
for traffic monitoring is the Inte rne t c onne c tion line .

Met hod paramet ers

T he re are no additional parame te rs for this de te c tion me thod.

Assigned filt er

T he filte r is use d for re stric ting sourc e IP addre sse s.

Int erpret at ion of result s

T his me thod foc use s sole ly on pairs of port and protoc ol. If the me thod is wrongly c onfigure d, it c an produc e a large numbe r of false positive s.

VPN – VPN Traffic

Note

T his patte rn is available in all ve rsions, e xc e pt the Lite and IS P ve rsions.

Met hod descript ion

Me thod for de te c tion of VPN c onne c tions and tunne ls using pairs of port and protoc ol. T he Advance d parame te r allows to ac tivate the advanc e d VPN tunne ls
de te c tion, whic h is base d on the be havioral analysis of the c lie nt's ne twork traffic . Basic de te c tion is re c omme nde d mainly for de te c ting the Mic rosoft PPT P, IKE Ke y
Exc hange or Ope nVPN traffic on standard ports. Advanc e d de te c tion allows de te c tion of ge ne ral VPN traffic to e xte rnal se rve rs. T he LanFilte r parame te r spe c ifie s the
loc al ne twork. Othe r parame te rs (MinimalT ime and MinimalData) de fine the minimal le ngth of c onne c tion with the e xte rnal VPN se rve r and minimal c apac ity of the
transfe rre d data in a five - minute batc h. In the c ase of Mic rosoft PPT , it is possible to se t minimal le ngth of VPN c onne c tion in se c onds and a minimal amount of
transfe rre d data in MiB.
 Met hod configurat ion

It is re c omme nde d to apply this me thod for e xplic itly se le c te d IP addre sse s of an organization whose traffic struc ture is known or e xpe c te d. T he right plac e for traffic
monitoring is the Inte rne t c onne c tion line .

Met hod paramet ers

Advance d: Utilization of VPN traffic de te c tion base d on be havioral analysis.

MinimalData: T hre shold for the minimal amount of transfe rre d data (in MiB).
MinimalT ime : T hre shold for the minimal duration of the VPN c onne c tion.
LANFilte r: Name of the filte r that de fine s the IP addre sse s in the loc al ne twork. T he c ommunic ation be twe e n the de vic e s in the loc al ne twork is ignore d within the
de te c tion.
S tandard: Utilization of the port- base d de te c tion.
Conne ctionLe ngth: T hre shold for the minimal duration of the MS PPT P VPN c onne c tion (in se c onds).
T ransfe rre d: Minimal amount of transfe rre d data using the MS PPT P protoc ol (in byte s).
MS PPT P: De te c tion of usage of the MS PPT P protoc ol.

Assigned filt er

T he filte r is use d for re stric ting sourc e IP addre sse s.

Int erpret at ion of result s

T his me thod allows to de te rmine the de vic e s that are using VPN/tunne ls in your ne twork. Basic de te c tion is foc use d sole ly on pairs of port and protoc ol. If the me thod
is wrongly c onfigure d it c an produc e a large numbe r of false positive s. Advanc e d de te c tion suc c e ssfully de te c ts ge ne ral VPN traffic , by whic h of all stations
c ommunic ate with the e xte rnal ne twork.

WEBSHARE – Web Sharing Traffic

Note

T his patte rn is available in all ve rsions, e xc e pt the IS P ve rsion.

Met hod descript ion

T he WEBS HARE de te c tion me thod allows to ide ntify the ne twork de vic e s, whic h download from we b sharing se rvic e s (e .g. RapidS hare ). T he me thod c an be c onfigure d
to ignore unsuc c e ssful c onne c tions (if the value of Ignore S NGL se t to yes). De tail of the e ve nt c an be e xte nde d by e stimation of downloade d (downloaded to the WAN)
and uploade d (uploaded to the WAN) data from/to the Inte rne t. T his e xte nsion should not be ac tivate d if the data from be hind the proxy se rve r are monitore d. T his
e xte nsion c an be e nable d by se tting the LANFilte r parame te r. If this e xte nsion is e nable d, the de te c tion c an be limite d using the MinimalUp and MinimalDown
parame te rs. T he se parame te rs limit the minimal transfe rre d data in the re spe c tive dire c tion.

Met hod configurat ion

It is re c omme nde d to apply this me thod for all IP addre sse s. T he right plac e for traffic monitoring is the c e ntral switc h and the Inte rne t c onne c tion line .

Met hod paramet ers

Ignore S NGL: Omission of the atte mpts to a file share we bse rve r without re sponse during the de te c tion.
LANFilte r: Name of the filte r that de fine s the IP addre sse s of the de vic e s in the loc al ne twork. It is use d for ide ntific ation of uploading/downloading de vic e s.
MinimalDown: T hre shold for a minimal amount of data downloade d probably from the file share we bse rve r (in MiB). Applie s only if the LANFilte r parame te r is se t.
MinimalUp: T hre shold for a minimal amount of data uploade d probably to the file share we bse rve r (in MiB). Applie s only if the LANFilte r parame te r is se t. T o re port
an e ve nt, only one of the MinimalDown and MinimalUp thre sholds has to be e xc e e de d.

Assigned filt er

T he filte r is use d for re stric ting sourc e IP addre sse s.

Int erpret at ion of result s

Ac c urac y of de te c tion de pe nds on the database of known we b sharing se rvic e s. T he re is also a statistic al distortion in the Eve nt e vide nce . T his distortion is c ause d by
the we b share se rve r IP addre ss use d during transmission, whic h is ofte n diffe re nt from the known gate way addre ss. T he amount of transfe rre d data is, the re fore ,
smalle r than the amount shown in the De tail fie ld.

Common Behavior Patterns for SIP Traffic

 Note

T he following patte rns are available in all ve rsions e xc e pt the Lite and S tandard ve rsions.

S IPFLOOD – S IP Floods
S IPS CAN – S IP S c ans
S IPPROXY – S IP Proxy

SIPFLOOD – SIP Floods

Met hod descript ion

T his de te c tion me thod allows to de te c t de vic e s that are trying to ove rwhe lm the S IP stations in the monitore d ne twork se gme nt using the flood attac k. It is possible to
ac tivate or de ac tivate the de te c tion of re spe c tive type s of attac ks using Re giste rFlood and Invite Flood parame te rs. T he T hre shold parame te r allows to se t the
minimal ratio be twe e n the re le vant re c e ive d and se nt pac ke ts by the vic tim. T he Pe rCalle dParty parame te r allows to se t the minimal c ount of re le vant pac ke ts se nt to a
single S IP addre ss. T he Me ssage Limit parame te r allows to se t the minimal c ount of atte mpts to the vic tim of the attac k.

Met hod configurat ion

It is re c omme nde d to ac tivate this me thod for all IP addre sse s of S IP de vic e s in the monitore d ne twork se gme nt. T he right plac e for monitoring the traffic is the
Inte rne t c onne c tion line . It is ne c e ssary to ac tivate this de te c tion me thod c ombine d with the Data fe e d with ac tivate d S IP proc e ssing.

Met hod paramet ers

Re giste rFlood: Ac tivation of de te c tion of a flood of S IP pac ke ts with Re giste r flag se t.

Invite Flood: Ac tivation of the de te c tion of a flood of S IP pac ke ts with Invite flag se t.
T hre shold: T hre shold for a minimal ratio of the c ount of pac ke ts with Invite (or Re giste r) flag se t to the c ount of re le vant re sponse s.
Pe rCalle dParty: T hre shold for a minimal c ount of pac ke ts with Invite (or Re giste r) flag se t pe r c alle d party.
Me ssage Limit: T hre shold for a minimal total c ount of atte mpts.

Assigned filt er

T he filte r is use d for re stric ting sourc e IP addre sse s (attac k vic tims).

Int erpret at ion of result s

Vic tim of the attac k is shown as the e ve nt sourc e . Eve nt targe ts (attac ke rs or the de vic e s trying to ac c e ss S IP c onne c tion during the attac k) have ge ne rate d a large
amount of Register or Invite re que sts and the vic tim c annot handle the numbe r of re que sts. T he floode d vic tim c annot handle the re al phone c alls, too.

SIPSCAN – SIP Scans

Met hod descript ion

T his de te c tion me thod allows to de te c t de vic e s, that are sc anning the S IP stations in the monitore d ne twork se gme nt. It is possible to ac tivate the de te c tion of some
sc anning type s using the Re giste rS can, OptionsS can or Invite S can parame te r. It is possible to se t the minimal numbe r of ac c e sse s with re le vant S IP flags (Register,
Options, Invite), using the T hre shold parame te r.

Met hod configurat ion

It is re c omme nde d to apply this me thod for all IP addre sse s of S IP de vic e s in the monitore d ne twork se gme nt. T he right plac e for traffic monitoring is the Inte rne t
c onne c tion line . T his de te c tion me thod must be ac tivate d in c ombination with the Data fe e d whic h has the S IP proc e ssing ac tivate d.

Met hod paramet ers

Re giste rS can: De te c tion of S IP de vic e sc ans whic h are using the Re giste r flag.
OptionsS can: De te c tion of S IP de vic e s sc ans whic h are using the Options flag.
Invite S can: De te c tion of S IP de vic e s sc ans whic h are using the Invite flag.
T hre shold: T hre shold of minimal numbe r of ac c e sse s.

Assigned filt er

T he filte r is use d for re stric tion of de stination IP addre sse s.

Int erpret at ion of result s

T he sc anning attac ke r is trying to de te c t S IP PBX’s and gate ways (horizontal, e spe c ially Register and Options sc ans; the information c an be misuse d e .g. for
e ave sdropping) or ac tive S IP addre sse s (ve rtic al, e spe c ially Invite sc ans; the information c an be misuse d for te le phone S PAM).
SIPPROXY – SIP Proxy

Met hod descript ion

T his me thod use s the knowle dge of single S IP URIs to de te c t the S IP proxy se rve rs (IP addre sse s use d for S IP c ommunic ation from distinc t S IP URIs). T he de te c tion
me thod allows to se t up the training pe riod (Close dS e ason parame te r). No e ve nts are ge ne rate d during the training pe riod by this de te c tion me thod. T he se c ond
option is the time pe riod use d for storing the inac tive de vic e s in the c lassifie r (T ime T oDe ath parame te r). If a ne w proxy se rve r appe ars in the monitore d ne twork afte r
this time pe riod, the e ve nt is ge ne rate d.

If the filte r is assigne d, only the de vic e s outside the range of the se IP addre sse s are de te c te d.

Met hod configurat ion

It is re c omme nde d to apply this me thod for all IP addre sse s of S IP de vic e s in the monitore d ne twork se gme nt. T he right plac e for traffic monitoring is the Inte rne t
c onne c tion line . It is ne c e ssary to ac tivate this de te c tion me thod c ombine d with the Data fe e d with ac tivate d S IP proc e ssing.

Met hod paramet ers

Close dS e ason: Numbe r of days inte nde d for training the c lassifie r on the monitore d ne twork. No e ve nts are re porte d during this time .
T ime T oDe ath: Numbe r of days, for whic h is the inac tive S IP gate way (or proxy) store d in the c lassifie r.

Assigned filt er

T he filte r is use d for re stric ting sourc e or de stination IP addre sse s.

Int erpret at ion of result s

T he de vic e indic ate d as the S IP proxy (the e ve nt sourc e ) transmits the S IP traffic for c alle rs with distinc t S IP URIs. T his de vic e c an be de dic ate d to wire tapping of the
forwarde d c ommunic ation (the Man- in- the - middle attac k).

Advanced Network Behavior Patterns

Note

T he following patte rns are available in all ve rsions e xc e pt the Lite ve rsions.

ALIENDEV – Ne w or Alie n De vic e

BROKENS EN – Broke n se nsor
COUNT RY – Be havior Profiling – Country Re putation
DHCPANOM – DHCP Anomaly
DNS ANOMALY – DNS Anomaly
DNS QUERY – DNS Que ry Volume Anomaly
DOS – De nial of S e rvic e Attac k
GEODIS T – Pe e rs ge ographic al distribution anomaly
ICMPANOM – ICMP anomaly
PEERS – Partne rs Communic ation Anomaly
RDPDICT – RDP Attac k
S MT PANOMALY – S MT P Anomaly
S S HDICT – S S H Attac k

ALIENDEV – New or Alien Device

Note

T his patte rn is available in all ve rsions, e xc e pt the Lite and IS P ve rsions.

Met hod descript ion

T his me thod is inte nde d for the de te c tion of a parasite de vic e in the monitore d ne twork. T he re are two ways use d to de te c t parasite de vic e s.

During the c onfiguration of the first one , it is ne c e ssary to se t the filte r whic h e xac tly c orre sponds to the IP addre sse s assigne d to spe c ific ne twork de vic e s (the
KnownS e gme nt parame te r) and the filte r (the LANFilte r parame te r) whic h c orre sponds to the whole use d ne twork se gme nt (inc luding addre sse s that c an be assigne d
by the DHCP se rve r). If the KnownS e gme nt parame te r is e mpty, this way of de te c tion is not use d.

T he othe r way of de te c tion is to use simple mac hine le arning me thods. It is ne c e ssary to se t the LANFilte r parame te r that de fine s the whole ne twork se gme nt (inc luding
the gaps). T he Close dS e ason parame te r de te rmine s how long should the me thod stay in the le arning phase (during whic h the e ve nts are not ge ne rate d). If a ne w de vic e
 oc c urs afte r the le arning phase , the e ve nt is ge ne rate d. T he de vic e is re move d from the c lassifie r afte r T ime T oDe ath days of inac tivity.

T he se c ond way of de te c tion is also applic able to the MAC addre sse s that appe ar on the loc al ne twork. Configuration of the de te c tion base d on the MAC addre ss is
se parate d from a c onfiguration base d on the IP addre ss, but the Close dS e asonMAC and T ime T oDe athMAC parame te rs are applic able in the same way. T he de te c tion is
pe rforme d only ove r the flows, whose sourc e IP addre sse s fit into the filte r assigne d to the de te c tion me thod. It is ne c e ssary to re alize that the MAC addre sse s are
available only for the de vic e s in the subne t whic h are limite d by the c lose st route r. T he automatic c onfiguration link- loc al IPv6 addre ss with e mbe dde d MAC addre ss is
use d as an e ve nt sourc e . Eac h IP addre ss, that was assigne d to the de vic e with the give n MAC addre ss in the proc e sse d five - minute batc h is displaye d as an e ve nt
targe t (the se addre sse s are limite d by the filte r assigne d to the de te c tion me thod).

Met hod configurat ion

It is re c omme nde d to apply this me thod ne twork- wide for all traffic on the ne twork. T he right plac e for traffic monitoring is the c e ntral switc h.

Met hod paramet ers

LANFilte r: Name of the filte r that de fine s the IP addre sse s use d for de vic e s inside the monitore d ne twork.
Close dS e ason: Numbe r of days de dic ate d only for the training of the c lassifie r base d on IP addre sse s of the de vic e s. No e ve nts are ge ne rate d during this time . If
the value of the parame te r e quals to 0, the de te c tion whic h use s the automatic c lassifie r is disable d.
T ime T oDe ath: Numbe r of days during whic h the inac tive IP addre ss is store d in the list of the c lassifie r.
KnownS e gme nt: Name of the filte r that de fine s only the IP addre sse s of the ac tive de vic e s in the monitore d ne twork.
Close dS e asonMAC: Numbe r of days de dic ate d only for the training of the c lassifie r base d on the MAC addre sse s of the de vic e s. No e ve nts are ge ne rate d during
this time . If the value of the parame te r e quals to 0, the de te c tion whic h use s the automatic c lassifie r is disable d.
T ime T oDe athMAC: Numbe r of days during whic h the inac tive MAC addre ss is store d in the list of the c lassifie r.

Assigned filt er

T he filte r is use d for re stric tion of the sourc e IP addre sse s.

Int erpret at ion of result s

T his me thod is able to de te c t unknown (or forgotte n) de vic e s that are c onne c te d to the monitore d ne twork.

BROKENSEN – Broken sensor

Note

T his patte rn is available in all ve rsions, e xc e pt the IS P, Lite and S tandard ve rsions.

Met hod descript ion

T his me thod is inte nde d to c ontrol ac tive se nsors that are se nding the me asure d data in re gular time pe riods. T he me thod works on mac hine le arning princ iple s. T he
c lassifie r of the se nsor is in a le arning state as long as spe c ifie d by the Le arnCycle s parame te r. T he minimum c ove rage of training data whic h has to be satisfie d by a
c lassifie r is de fine d by the MinimalCove rage parame te r. T he tole ranc e use d to c ontrol individual variable s is de fine d by the Pe riodT ole rance and T rafficT ole rance
parame te rs.

Met hod configurat ion

It is re c omme nde d to apply this me thod only for IP addre sse s that be long to se nsors. All non- se nsors IP addre sse s in the c ontrolle d range would c ause a high amount of
false positive s. T he right plac e for traffic monitoring is the c e ntral switc h.

Met hod paramet ers

Ignore S horte rPe riods: Omission of e ve nts c ause d by se nsor transmission afte r shorte r than traine d pe riod.
Pe riodT ole rance : T ole rate d de viation from traine d c lassifie r for the time pe riod (in pe rc e nts).
T rafficT ole rance : T ole rate d de viation from traine d c lassifie r for the transfe rre d data (in pe rc e nts). It the value of the parame te r e quals to 0, the de te c tion of the
transfe rre d data de viation is inac tive .
Conce ptDriftT hr: Numbe r of c onse que nt e ve nts to de le te the c lassifie r for the give n de vic e and train a ne w one . If the value of the parame te r e quals to 0, the
de te c tion of the c onc e pt drift is inac tive .
MinimalCove rage : T hre shold for a minimal amount of sample s that are c ove re d by the c lassifie r for the give n de vic e to switc h the c lassifie r to the de te c tion
mode (in pe rc e nts).
Pe rHourEnough: Enable s the c lassifie r to switc h to the de te c tion mode e ve n if the transmission numbe r pe r hour is the only suc c e ssfully traine d me tric .
Le arnCycle s: Numbe r of training c yc le s of data c olle c tion for the re spe c tive de vic e .
Re portImme diate ly: Re port of anomalie s, imme diate ly or in hourly summary.

Assigned filt er

T he filte r is use d for re stric tion of sourc e IP addre sse s.

Int erpret at ion of result s

 T his me thod ale rts to the wrong be havior of a se nsor (base d on transmission pe riod and byte s pe r pac ke t or transmissions pe r hour). It is ne c e ssary to c onside r how
large and ofte n de viation from standard be havior c an be c ause d by the de fe c tive se nsor.

COUNTRY – Behavior Profiling – Count ry Reput at ion

Note

T his patte rn is available in all ve rsions, e xc e pt the IS P and Lite ve rsions.

Met hod descript ion

T his me thod allows to de te c t above - ave rage data transfe rs be twe e n the monitore d de vic e s and a re spe c tive c ountry. It store s the numbe r of flows and the amount of
transfe rre d data be twe e n the c ountry and monitore d de vic e s. T he traffic statistic s are divide d ac c ording to whe the r the c ommunic ation was initialize d by an IP
addre ss from in or out of the monitore d ne twork (re ply or re que st).

T his me thod also allows de te c tion of e xc e ssive data transfe rs be twe e n the de vic e and the re spe c tive c ountry. Amount of se nt/re c e ive d data or the ratio be twe e n
upload and download is monitore d during the de te c tion. All value s are c ompare d to the ave rage of othe r de vic e s in the monitore d ne twork that are c ommunic ating with
the re spe c tive c ountry.

Only the IP addre sse s that have se nt to the re spe c tive c ountry more data than is de fine d by the MinimalT ransfe rre dU parame te r, or downloade d more data than is
de fine d by the MinimalT ransfe rre dD parame te r, are inc lude d in the de te c tion. T he e ve nt is ge ne rate d if the traffic is bigge r than the n- multilple of the ne twork ave rage ,
whe re "n" is de fine d by the MinQuota parame te r. T he e ve nt c an also be ge ne rate d if the upload/download rate of the de vic e is bigge r than m- multiple of the ne twork
ave rage , whe re m is the value of the RatioQuota parame te r. If this parame te r is e qual to 0, the c omparison rate is not applie d.

Met hod configurat ion

It is re c omme nde d to apply this me thod for the IP addre sse s of the re spe c tive organization. T he right plac e for traffic monitoring is the c e ntral switc h or the Inte rne t
c onne c tion line , but not both plac e s at the same time .

Met hod paramet ers

MinimalT ransfe rDataU: T hre shold for minimal data amount se nt by a single IP addre ss to one c ountry (in MiB).
MinimalT ransfe rDataD: T hre shold for minimal data amount re c e ive d by a single IP addre ss from one c ountry (in MiB).
MinQuota: Minimal ratio be twe e n the re c e ive d or se nt data by a single IP addre ss and the re le vant ave rage value of the whole monitore d ne twork.
RatioQuota: T hre shold of the ratio be twe e n the ratio of the se nt and re c e ive d data of the single IP addre ss and the ave rage value of the whole monitore d ne twork.
Exclude Countrie s: Communic ation with the se le c te d c ountrie s is ignore d during applic ation of this de te c tion me thod.

Assigned filt er

T he filte r is use d for re stric tion of the sourc e IP addre sse s.

Int erpret at ion of result s

Re sults of this me thod c an be use d to ide ntify IP addre sse s whic h c ommunic ate with the pote ntially dange rous de stinations.

DHCPANOM – DHCP Anomaly

Note

T his patte rn is available in all ve rsions, e xc e pt the IS P ve rsion.

Met hod descript ion

De te c tion me thod ide ntifie s suspic ious c ommunic ation in the DHCP traffic . T he me thod is able to highlight the inc re ase d DHCP ne twork traffic . It monitors the long-
te rm be havior of a ne twork node and c ompare s the c urre nt data transfe r with statistic s of the node and also global statistic s of the ne twork. Additionally, it c an de te c t
fake DHCP se rve rs by obse rving the UDP traffic from se rve rs (port 67) towards c lie nts (port 68) from addre sse s that are not marke d as le gitimate DHCP se rve rs by a
filte r.

Using the T ime Window parame te r, you c an se t the time window (in hours) for c olle c ting and proc e ssing of the long- te rm statistic s. T he DHCPS e rve rs filte r de fine s the
DHCP se rve rs that are use d in the ne twork. T his filte r is ne c e ssary for prope r de te c tion of bogus DHCP se rve rs. T he DHCPT hre shold parame te r spe c ifie s the maximum
allowe d inc re ase of obse rve d DHCP traffic . T he T rafficS ize T hre shold parame te r spe c ifie s the minimal amount of the DHCP traffic for an individual IP addre ss, whic h
c an alre ady be c onside re d a flood attac k. De te c tion of the fake DHCP se rve rs c an be e nable d by the Fake DHCPDe tEnable d parame te r. It is possible to e xc lude
c ommunic ation of DHCP se rve rs from de te c tion of anomalously inc re ase d DHCP traffic (se rve rs de fine d by the DHCPS e rve rs filte r).

Met hod configurat ion

It is re c omme nde d to apply this me thod ne twork- wide for all traffic of the ne twork re gardle ss of IP addre sse s and additionally se t a filte r de fining the DHCP se rve rs.
 T he right plac e for traffic monitoring is the c e ntral switc h.

Met hod paramet ers

DHCPS e rve rs: Name of the filte r that de fine s IP addre sse s of the DHCP se rve rs use d in the monitore d ne twork.
Fake DHCPDe tEnable d: Ac tivation of de te c tion of the oc c urre nc e of the fake DHCP se rve rs.
T ime Window: Numbe r of hours (the le ngth of the sliding time window) for whic h are store d the statistic s of the DHCP traffic .
DhcpT hre shold: T hre shold for an inc re ase of the DHCP traffic (in pe rc e nts). It is use d for c omparison to the pre vious statistic s of the give n IP addre ss and to the
ne twork ave rage .
T rafficS ize T hre shold: Minimal amount of DHCP traffic (in KiB).
Exclude DhcpS e rve rs: Omission of the outgoing traffic from the DHCP se rve rs during the de te c tion of inc re ase d DHCP traffic .

Assigned filt er

T he filte r is use d for re stric tion of the sourc e or de stination IP addre sse s.

Int erpret at ion of result s

T he me thod is able to de te c t flood attac ks in the DHCP traffic and suspic ious inc re ase in the volume of c ommunic ation. A typic al e xample is the DHCP disc ove r
flooding whic h aims to e xhaust re sourc e s of the DHCP se rve r. De te c tion of the fake DHCP se rve r c an indic ate atte mpte d man- in- the - middle attac k or inc orre c t
c onfiguration of a ne twork de vic e .

DNSANOMALY – DNS Anomaly

Met hod descript ion

Me thod for de te c tion of suspic ious c ommunic ation in the DNS traffic . T he me thod c an notify about the UDP traffic gre ate r than 576 B (this follows from DNS se rvic e
standard) or large data transfe rs on T CP port 53. UDP pac ke t size c ontrol de fine d in RFC 1035 c an be disable d if you se t Ignore RFC1035 parame te r to yes (de fault value
is no). S e nsitivity in the de te c tion of large data transfe rs c an be adjuste d in the T CPT ransfe rLimit option.

T his me thod is e xte nde d by de te c tion of usage of the DNS se rve rs that are not allowe d in the monitore d ne twork. T his e xte nsion is ac tivate d by the c hoic e of the filte r
DNS S e rve rs that de fine s IP addre sse s of the allowe d DNS se rve rs.

Ne xt e xte nsion is base d on a simple mode l of use d DNS se rve rs. T he Le arnCycle s parame te r de fine s how long should the mode l be traine d. T he MinimalRatio parame te r
de fine s the numbe r of c onne c tions that the DNS se rve r must have for its c ommunic ation to be c onside re d usual. It is possible to e xc lude the DNS se rve rs in the
monitore d ne twork from the de te c tion by se tting the S e rve rsT oExclude parame te r.

Met hod configurat ion

It is re c omme nde d to apply this me thod ne twork- wide for all traffic on the ne twork re gardle ss of IP addre sse s. T he right plac e for traffic monitoring is the Inte rne t
c onne c tion line .

Met hod paramet ers

WithoutRe sponse : Re port of the c ommunic ation to unauthorize d or unusual DNS se rve rs (e ve n if the re is no re ply).
Ignore RFC1035: De ac tivation of the de te c tion of violation of the pac ke t size de fine d by the RFC 1035.
T CPT ransfe rLimit: T hre shold of a minimal amount of data transfe rre d by the DNS se rvic e using the T CP protoc ol.
Enable dT CP: Name of the filte r that de fine s the IP addre sse s of the de vic e s that are allowe d to transfe r data by the DNS se rvic e using T CP (e .g. DNS se rve rs for
zone transfe rs).
DNS S e rve rs: Name of the filte r that de fine s the IP addre sse s of the DNS se rve rs, whic h c an be use d in the monitore d ne twork.
Le arnCycle s: Numbe r of the 5- minute s c yc le s inte nde d for training of the c lassifie r. No e ve nt is re porte d during this time pe riod. If the value of this parame te r
e quals 0, the de te c tion of usage of unusual DNS se rve rs is inac tive .
MinimalRatio: Minimal ratio of the numbe r of usage s of the DNS se rve r by the re spe c tive IP addre ss to c onside r this se rve r to be c ommonly use d (in pe rc e nts).
S e rve rsT oExclude : Name of the filte r that de fine s the IP addre sse s of the DNS se rve rs that are ignore d within the c lassifie r.

Assigned filt er

T he filte r is use d for re stric tion of the sourc e IP addre sse s (for de te c tion of usage of unusual and re stric te d DNS se rve rs), sourc e or de stination IP addre sse s (large
UDP pac ke ts and de te c tion of DNS T CP transfe r).

Int erpret at ion of result s

T his me thod is c apable of de te c ting abuse of the DNS se rvic e for othe r unde sirable ac tivitie s, whic h typic ally inc lude tunne lle d traffic . A sudde n c hange of usage of
DNS se rve rs c ould indic ate a malware infe c tion.

DNSQUERY – DNS Query Volume Anomaly

Note

T his patte rn is available in all ve rsions, e xc e pt the Lite ve rsion.

 Met hod descript ion

Me thod for de te c tion of an inc re ase d numbe r of DNS que rie s se nt by one station. T he numbe r of DNS que rie s (one pac ke t is c onside re d as one DNS que ry) is c ounte d
for last hour. T he e ve nt is re porte d in c ase that the numbe r is n- time s gre ate r than the ave rage of the othe r stations, whe re n is de fine d by the Multiplicator parame te r.
T he ave rage is c alc ulate d only from stations that se nt more than MinimalQue ryLimit que rie s. DNS se rve rs c an be e xc lude d from this de te c tion (value of the Excude DNS
parame te r is se t to yes, the de fault value is no).

Met hod configurat ion

It is re c omme nde d to apply this me thod ne twork- wide for all traffic on the ne twork re gardle ss of IP addre sse s. T he right plac e for traffic monitoring is the c e ntral
switc h.

Met hod paramet ers

MinimalQue ryLimit: T hre shold for a minimal c ount of DNS que rie s se nt by a single de vic e to inc lude the de vic e into the de te c tion.
Multiplicator: Coe ffic ie nt inte nde d for c omputing the dynamic thre shold. T he thre shold is e valuate d as a multiplic ation of this c oe ffic ie nt and the ne twork
ave rage .
Exclude DNS : Name of the filte r that de fine s the IP addre sse s whic h are allowe d to se nd an inc re ase d numbe r of DNS que rie s.

Assigned filt er

T he filte r is use d for re stric tion of sourc e IP addre sse s.

Int erpret at ion of result s

T his me thod re liably ale rts to an inc re ase d numbe r of the DNS que rie s, whic h c an indic ate the viral infe c tion of the station ide ntifie d as the e ve nt sourc e .

DOS – Denial of Service At t ack

Met hod descript ion

Me thod for de te c tion of the De nial- of- S e rvic e or Distribute d- De nial- of- S e rvic e attac ks. T his me thod is base d on the e valuation of the ratio of inc oming and outgoing
pac ke ts for e ac h de vic e in the monitore d ne twork. An e ve nt is ge ne rate d whe n the data e xc e e d a boundary, whic h is de fine d base d on the historic al data. Whe n the
e ve nt is ge ne rate d, the sourc e IP addre ss is the addre ss of the attac k vic tim, attac ke rs are liste d as e ve nt targe ts.

T his me thod c an be c onfigure d using the WindowLe ngth parame te r, whic h de fine s the maximal age of the data, that c ould be use d for the c lassific ation, the T hre shold
parame te r, whic h de fine s the tole ranc e to an inc re ase of the ratio (the tole ranc e is dire c tly proportional to the value of the parame te r), the MinimalIncoming
parame te r, whic h de fine s minimal numbe r of inc oming pac ke ts, the Absolute T hre shold parame te r, whic h de fine s minimal ratio and the Attacke rsT hre shold parame te r,
that de fine s the minimal numbe r of attac ke rs involve d in the attac k.

Met hod configurat ion

It is re c omme nde d to apply this me thod ne twork- wide for all traffic on the ne twork re gardle ss of IP addre sse s. T he right plac e for traffic monitoring is the Inte rne t
c onne c tion line or the c e ntral switc h (for large organizations with a vast ne twork).

Met hod paramet ers

Attacke rsT hre shold: Minimal numbe r of c onc urre ntly attac king de vic e s.
T hre shold: T hre shold of a minimal inc re ase (the inc re me nt of standard de viations) of the ratio be twe e n re c e ive d and se nt pac ke ts (for the attac k vic tim).
Absolute T hre shold: T hre shold of the minimal ratio of the re c e ive d and se nt pac ke ts (for the attac k vic tim).
MinimalIncoming: T hre shold of minimal numbe r of inc oming pac ke ts (for the attac k vic tim).
WindowLe ngth: Numbe r of hours (le ngth of the sliding time window) to store the statistic s of inc oming and outgoing pac ke ts for the de vic e s in the monitore d
ne twork.
MaxBpp: Maximal byte s pe r pac ke t to c onside r the c onne c tion as a pote ntial attac k.
S YNPacke ts: Minimal numbe r of flows, whic h c ontain only the S YN pac ke ts, to be c onside re d a DoS attac k (simplifie d de te c tion, inac tive if 0).
F2WT hre shold: Minimal numbe r of c onne c tions that have be e n e nde d by one of the c ommunic ation partne rs. Use d for de te c tion of the Fin2Wait DoS attac ks, this
de te c tion is inac tive if the parame te r e quals 0.

Assigned filt er

T he filte r is use d for re stric tion of the sourc e IP addre sse s (vic tims of the attac k).

Int erpret at ion of result s

T his me thod re liably ale rts to the DoS /DDoS attac ks of the spe c ifie d minimum range .

GEODIST – Peers geographical dist ribut ion anomaly

Met hod descript ion

 T his de te c tion me thod se rve s to finding the anomalie s in the ge ographic al distribution of c ommunic ation partne rs. T he distribution is e xpre sse d as an e ntropy. T he
e ve nt is ge ne rate d if the c urre nt e ntropy e xc e e ds the ave rage for the re spe c tive time window and the multiple of the standard de viation. T he de te c tion me thod take s
into ac c ount only the c ommunic ation partne rs, to whic h at le ast the data give n by a parame te r have be e n se nt.

Met hod configurat ion

It is re c omme nde d to apply this me thod only for IP addre sse s of c lie nts in your own ne twork. T he right plac e for traffic monitoring is the Inte rne t c onne c tion line .

Met hod paramet ers

MinimalT ransfe r: Minimal amount of se nt data for 5 minute s to one c ommunic ation pe e r.
WindowLe ngth: Le ngth of moving time window in hours.
Incre ase : Multiple of the standard de viation adde d to the ave rage e ntropy to c ompute the thre shold value .
Exclude Countrie s: S e le c tion of ignore d c ountrie s.

Assigned filt er

T he filte r is use d for re stric ting sourc e IP addre sse s.

Int erpret at ion of t he result s

T his de te c tion me thod highlights the c hange of the ge ographic al distribution of c ommunic ation partne rs. T his may indic ate a malware infe c tion or a pre se nc e of a
botne t.

ICMPANOM – ICMP anomaly

Met hod descript ion

T his de te c tion me thod ide ntifie s suspic ious c ommunic ation in ICMP traffic . T he me thod re ports an inc re ase d numbe r of the ICMP type 3 me ssage s, whic h c ould signal
the spre ad of a worm. It monitors the long- te rm be havior of a node in the ne twork and c ompare s the c urre nt obse rvation with statistic s of the node and also global
statistic s of the ne twork. Additionally, it c an de te c t ICMP sc ans, ICMP smurf, ping flood attac ks and e xc e ssive payload of ICMP pac ke ts.

T he T ime Window parame te r spe c ifie s the time window (in hours) for c olle c ting and proc e ssing long- te rm statistic s. Whe n T ime Window is se t to 0, de te c tion of the
ICMP type 3 me ssage anomalie s is disable d. T he ICMPT hre shold parame te r spe c ifie s the maximum allowe d inc re ase of obse rve d ICMP type 3 me ssage s and the
T ype 3MsgT hre shold parame te r is use d to se t the lowe r bound of the ICMP type 3 me ssage s for a single IP addre ss (minimal numbe r of me ssage s that c ould be
c onside re d anomalous traffic ). S e tting the ICMPS murf and ICMPS can parame te r to 1 will e nable the de te c tion of ICMP smurf attac ks and ICMP sc ans, re spe c tive ly. T he
part of the de te c tion me thod whic h foc use s on the ICMP sc ans c an be limite d by the minimal numbe r of sc anne d de vic e s, too (the S canne dDe vice s parame te r).

T he ICMP e c ho re que st flood de te c tion is limite d by the PingFloodT hre shold parame te r. Its value de fine s a minimal numbe r of se nt pac ke ts of the e c ho re que st. If the
value e quals 0, the e c ho re que st flood de te c tion is not pe rforme d.

T he e xc e ssive payload of ICMP pac ke ts de te c tion is limite d by the MinimalPacke ts and MinimalPayload parame te rs that c orre spond to a minimal numbe r of the
re spe c tive ICMP type pac ke ts and the ir minimal ave rage payload. If the MinimalPayload parame te r e quals 0, the e xc e ssive payload of the ICMP pac ke ts de te c tion is not
pe rforme d.

Met hod configurat ion

It is re c omme nde d to apply this me thod for all IP addre sse s. T he right plac e for traffic monitoring is the c e ntral switc h and the Inte rne t c onne c tion line .

Met hod paramet ers

T ime Window:Numbe r of hours (the le ngth of the moving time window) for whic h the statistic s of the ICMP traffic will be store d. If the value of the parame te r
e quals to 0, the de te c tion of the volume tric anomalie s in ICMP traffic is inac tive .
ICMPT hre shold: T hre shold of inc re ase of the numbe r of the ICMP type 3 me ssage s (in pe rc e nts). It is use d for c omparison to the pre vious statistic s and to the
ne twork ave rage .
T ype 3MsgT hre shold: T hre shold of the minimal numbe r of the ICMP type 3 me ssage s.
ICMPS murf: Ac tivation of the ICMP S murf attac ks de te c tion (the amplific ation DoS attac ks using ICMP me ssage s).
ICMPS can: Ac tivation of de te c tion of the horizontal ICMP sc ans.
S canne dDe vice s: T hre shold of the minimal numbe r of sc anne d de vic e s.
PingFloodT hre shold: T hre shold of the numbe r of the ICMP e c ho re que st me ssage s. If the value of the parame te r e quals to 0, the ICMP e c ho re que st flood
de te c tion is inac tive .
MinimalPacke ts: T hre shold of the minimal numbe r of the ICMP type pac ke ts use d for the de te c tion of high transfe rs via the ICMP protoc ol.
MinimalPayload: T hre shold of the minimal byte s pe r pac ke t numbe r use d for the de te c tion of high transfe rs via the ICMP protoc ol. If the value of the parame te r
e quals to 0, this part of de te c tion is inac tive .

Assigned filt er

T he filte r is use d for re stric tion of the sourc e or de stination IP addre sse s.

Int erpret at ion of result s

T he me thod is able to de te c t the inc re ase of ICMP type 3 me ssage s (Unre ac hable ). T his c ould happe n during the spre ad of a worm, e spe c ially in the c ase whe n the UDP
protoc ol is use d and whe n the hosts with c lose d ports se nd bac k ICMP Port Unre ac hable me ssage s. T he ICMP sc ans are use d to ide ntify live hosts in the ne twork, the y
c an also be use d by malware . T he aim of ICMP smurf attac k is to flood the ne twork and e spe c ially c onne c tion link to the vic tim with a large numbe r of ICMP Ec ho re plie s.
PEERS – Part ners Communicat ion Anomaly

Note

T his patte rn is available in all ve rsions, e xc e pt the Lite and IS P ve rsions.

Met hod descript ion

De te c tion me thod re ve als an inc re ase d numbe r of unique c ommunic ation partne rs. A moving window shows re le vant statistic s. T he le ngth of the window in hours c an be
se t by the WindowLe ngth parame te r.

De te c tion is limite d only to c onne c tions with more transfe rre d pac ke ts than de fine d by the Packe tsMinCount parame te r. De te c tion is base d only on re que sts se nt by
the monitore d de vic e s. It is possible to ac tivate the omission of re que sts with no re sponse by se tting the Ignore S NGL parame te r. T he IP addre sse s de fine d by the
Exclude S e rve rs filte r are e xc lude d from de te c tion. T he de vic e s with le ss unique c ommunic ation partne rs than de fine d by the Partne rsMinCount parame te r are
e xc lude d as we ll.

T he ave rage and standard de viation of c ommunic ation partne rs statistic s are c alc ulate d for the sliding window during the de te c tion. If the c urre nt numbe r of unique
c ommunic ation partne rs is highe r than the sum of ave rage and the standard de viation, the n the inc re ase rate is c alc ulate d. T he e ve nt is re porte d if the inc re ase rate is
highe r than the value of the T hre shold parame te r.

Met hod configurat ion

It is re c omme nde d to apply this me thod only for IP addre sse s from the monitore d ne twork.

Met hod paramet ers

WindowLe ngth: Numbe r of hours (the le ngth of the moving time window) to store the statistic s of the c ommunic ation pe e rs for single IP addre sse s in the
monitore d ne twork.
T hre shold: T hre shold of minimal inc re ase of the numbe r of c ommunic ation pe e rs c ompare d to the moving window ave rage .
Exclude S e rve rs: Name of the filte r that spe c ifie s IP addre sse s whose statistic s are not e valuate d.
Partne rsMinCount: T hre shold of the minimal numbe r of c ommunic ation pe e rs for a single de vic e .
Packe tsMinCount: T hre shold of the minimal numbe r of pac ke ts pe r flow.
Ignore S NGL: Omission of the re que sts without re sponse s during the de te c tion.

Assigned filt er

T he filte r is use d for re stric tion of the sourc e IP addre sse s.

Int erpret at ion of result s

T his me thod ale rts to an inc re ase d numbe r of c ommunic ation partne rs for c e rtain IP addre ss.

RDPDICT – RDP At t ack

Met hod descript ion

T his me thod is use d for de te c tion of atte mpts to gue ss a use r name or password to the Re mote De sktop se rvic e (T CP/3389). T he me thod builds a pe rsiste nt tre e of
attac ke rs and vic tim. In c ase of e xc e e ding of limit (20 atte mpts from a single IP addre ss or value of the AttackAtte mpts option) for a pair of attac ke r/vic tim, an e ve nt is
re porte d. T he data in the tre e are store d for the pe riod de fine d by the T ime Window parame te r. T his me thod c an be use d to de te c t a distribute d attac k, too. T he re has
to be at le ast as many atte mpts by a single attac ke r on a single vic tim, as what is de fine d by multiplic ation of the PartOfAttack and AttackAtte mpts parame te rs. T he
de te c tion c an be improve d by spe c ifying the minimal numbe r of targe ts of the attac k using the MinT arge ts parame te r. If ne e de d, it is possible to se t the list of unusual
ports on whic h the RDP se rvic e is provide d be side the standard T CP/3389 (the Obsfure Ports parame te r). Most (not all) of the unsuc c e ssful RDP c onne c tions have the
T CP RS T flag ac tivate d. T he Re se tFlag parame te r e nable s to limit the de te c tion only to the se c onne c tions.

With this me thod, it is possible to promptly de te c t the ongoing attac k and bloc k the attac ke r be fore he c an gue ss the password. If the re is a gre ate r de lay be twe e n the
attac ke r’s ac tivitie s (more than 30 minute s or value of the AttackHole option), the attac k from a single IP addre ss c an be inte rpre te d as se ve ral se parate attac ks.

Met hod configurat ion

It is re c omme nde d to apply this me thod for all IP addre sse s and monitor not only the attac ks against your own se rve rs but also the attac ks from your own ne twork to the
Inte rne t. T he right plac e for traffic monitoring is the c e ntral switc h and the Inte rne t c onne c tion lin

Met hod paramet ers

AttackAtte mpts: Minimal numbe r of atte mpts to login from one attac ke r on the RDP se rvic e .
AttackHole : If the re is no atte mpt to log in during this time , the attac k is marke d as finishe d.
MinT arge ts: Minimal c ount of targe ts of the attac k to ge ne rate the e ve nt.
Obscure Ports: Comma- se parate d list of othe r port numbe rs than 3389, on whic h the RDP se rvic e is provide d in the monitore d ne twork.
PartOfAttack: If the re spe c tive addre ss is alre ady a targe t of some of the de te c te d attac ks, the attac k from a diffe re nt attac ke r is de te c te d afte r a smalle r
 numbe r of atte mpts to log in than state d by this ratio.
T ime Window: S tatistic s of atte mpts are save d for the re spe c tive time (unle ss the attac k is de te c te d).
Re se tFlag: Evaluation of the flows with only the T CP RES ET flag se t within the de te c tion.

Assigned filt er

T he filte r is use d for re stric tion of sourc e or de stination IP addre sse s.

Int erpret at ion of result s

T he re sults of this me thod are re lative ly straightforward, the me thod de te c ts an attac k on the RDP se rvic e .

SMTPANOMALY – SMTP Anomaly

Met hod descript ion

De te c tion me thod base d on the assumption that in the c orporate e nvironme nt, e mails should be se nt only in a de fine d way. T he me thod de te c ts se nding or atte mpts to
se nd e mails through othe r than e xplic itly de fine d mail se rve rs.

Additionally, the S PAMCounte r parame te r c an ac tivate the de te c tion of an inc re ase d numbe r of se nt e mails from one station. T he inc re ase d numbe r is spe c ifie d by the
Multiplicator parame te r, whic h de fine s how many time s the ave rage numbe r of e mails se nt to othe r stations. T he ave rage is c ompute d only from stations whic h se nt
more than MinimalMailLimit me ssage s in one hour. T he me thod foc use d on the T CP/25 (S MT P), T CP/465 (S e c ure d- S MT P) and T CP/587 (Me ssage S ubmission se rvic e )
traffic . Base d on the numbe r of flows and re sponse s from the e mail se rve rs, the me thod e stimate s the numbe r of e mails and whe the r the e mails we re ac tually se nt. T his
information is the n available in the de tail of the ge ne rate d e ve nt. Eve nt targe ts re pre se nt all mail se rve rs via whic h atte mpts to se nd e mail we re made .

T he S e rve rsFilte r option ide ntifie s le gitimate S MT P se rve rs via whic h you c an se nd mail. T he S trictMode option, with its value se t to “stric t”, me ans that IP addre sse s
assigne d to the me thod by the filte r have to be the sourc e s of the e ve nt. T he Exclude MailS e rve rs option, with its value se t to “e xc lude ”, me ans that IP addre sse s from
the S e rve rsFilte r list are e xc lude d from de te c tion. T he Ignore S e cure dS MT P option allows to ignore the se c ure d S MT P traffic (port T CP 465). T he Ignore S cans option,
with its value se t to “ignore ”, allows to ignore too small transmission, that c an’t be e mail traffic . T he Ignore T CP587 option allows to ignore Me ssage S ubmission se rvic e
(port T CP 587).

Met hod configurat ion

It is re c omme nde d to apply this me thod for IP addre sse s of the organization. T he right plac e for traffic monitoring is the c e ntral switc h and the Inte rne t c onne c tion
line .

Met hod paramet ers

S e rve rsFilte r: Name of the filte r that de fine s the IP addre sse s of the e mail se rve rs whic h are allowe d to be use d in the monitore d ne twork.
S trictMode : Omission of the e mail traffic c oming from outside of the ne twork de fine d by the assigne d filte r.
Exclude MailS e rve rs: Omission of the outgoing traffic from IP addre sse s de fine d by the S e rve rsFilte r parame te r during the de te c tion.
Ignore S e cure dS MT P: Omission of the traffic of the S e c ure d S MT P se rvic e (T CP/993) during the de te c tion.
Ignore T CP587: Omission of the traffic of the Me ssage S ubmission se rvic e (T CP/587) during the de te c tion.
Ignore S cans: Omission of the traffic re c ognize d as a port sc anning during the de te c tion.
S PAMCounte r: Ac tivation of the de te c tion of an inc re ase d numbe r of se nt e mails.
MinimalMailLimit: T hre shold of a minimal numbe r of e mails se nt by a single de vic e .
Multiplicator: Coe ffic ie nt use d for c omputing the dynamic thre shold for e mail se nt by single de vic e s. T he thre shold is c ompute d as a multiplic ation of the
c oe ffic ie nt and the ne twork ave rage .
Ignore S YNflows: Omission of the flows with only the T CP S YN flag. It is re c omme nde d to apply this c hoic e if and only if the re are flow data with c orre c tly assigne d
T CP flags.

Assigned filt er

T he filte r is use d for re stric tion of the sourc e IP addre sse s (ac c ording to the S trictMode parame te r, in the profile r part of the de te c tion).

Int erpret at ion of result s

T his me thod not only de te c ts atte mpts of spamming but also may he lp to ide ntify de vic e s infe c te d by spyware . T he me thod may also he lp to de te c t e mploye e s that use
othe r than c orporate mail se rve rs, whic h may be c ause d inte ntionally or by a wrong c onfiguration.

SSHDICT – SSH At t ack

Met hod descript ion

T his me thod is use d for de te c tion of atte mpts to gue ss a use r name , password or a login by forge d c e rtific ate for S S H se rvic e (T CP/22). T he me thod builds a
pe rsiste nt tre e of attac ke rs and vic tims and in c ase of the e xc e e ding limit value s (20 atte mpts from a single IP addre ss or value of the AttackAtte mpts option) for a pair
of attac ke r/vic tim, an e ve nt is re porte d. T he me thod is also c apable to de te c t a suc c e ssful attac k base d on an abrupt c hange of statistic al prope rtie s of the traffic
and e nd of the attac k. With this me thod, it is possible to promptly de te c t the ongoing attac k and bloc k the attac ke r be fore he c an re ve al the password. If the re is a
gre ate r de lay be twe e n the attac ke r’s ac tivitie s (more than 30 minute s or value of the AttackHole option), the attac k from a single IP addre ss c an be inte rpre te d as
se ve ral diffe re nt attac ks.

Met hod configurat ion

 It is re c omme nde d to apply this me thod for all IP addre sse s and monitor not only attac ks against your own se rve rs, but also the attac ks from your own ne twork to the
Inte rne t. T he right plac e for traffic monitoring is the c e ntral switc h and the Inte rne t c onne c tion line .

Met hod paramet ers

AttackAtte mpts: Minimal numbe r of atte mpts to login from one attac ke r on the S S H se rvic e .
AttackHole : In c ase of lac k of login atte mpts during the time spe c ifie d by this parame te r, the attac k is marke d as finishe d.
MinT arge ts: Minimal numbe r of targe ts of the attac k to ge ne rate the e ve nt.
Obscure Ports: Comma- se parate d list of the port numbe rs othe r than 22, on whic h the S S H se rvic e is provide d in the monitore d ne twork.
MaxPacke ts: Maximal numbe r of pac ke ts pe r login atte mpt that are take n into ac c ount during the de te c tion. T he ze ro value me ans that the parame te r will not
apply. T he omission of the flows with a highe r numbe r of pac ke ts lowe rs the false positive rate , but it make s the suc c e ss de te rmination more inac c urate .
Exclude Unsucce ssful: Unsuc c e ssful attac ks are not re porte d.
PartOfAttack: If the re spe c tive addre ss is alre ady a targe t of some of the de te c te d attac ks, the attac k from a diffe re nt attac ke r is de te c te d afte r a smalle r
numbe r of atte mpts to login than state d by this ratio.
S uccAttack: Minimal numbe r of unsuc c e ssful atte mpts that happe n be fore the suc c e ssful atte mpt, that will be c onside re d an attac k.
T ime Window: Atte mpt statistic s are save d for re spe c tive time (unle ss the attac k is de te c te d).

Assigned filt er

T he filte r is use d for re stric tion of sourc e or de stination IP addre sse s.

Int erpret at ion of result s

T he re sults of this me thod are re lative ly straightforward, the me thod de te c ts an attac k on the S S H se rvic e . T he me thod may produc e false positive s whe n e valuating
ac tivitie s of some surve illanc e syste ms whic h use the S S H protoc ol.

Derived Behavior Patterns

Note

T his patte rn is available in all ve rsions, e xc e pt the Lite and IS P ve rsions.

DNS REVERS E – DNS Re ve rse Re c ords Missing

DNSREVERSE – DNS Reverse Records Missing

Note

T his me thod is de pre c ate d. It will be de le te d in ve rsion 11.0.

Met hod descript ion

T his me thod de te c ts ne twork de vic e s without a re ve rse DNS re c ord. Re ve rse DNS re c ord is a standard me ans of c onfiguration, whic h allows to c onve rt an IP addre ss to
a DNS name . It is also possible to de te rmine the minimum amount of data that has to be se nt by the de vic e daily to be inc lude d in de te c tion (MinimalT ransfe r). T he
de te c tion is pe rforme d e ve ry day at midnight.

Met hod configurat ion

It is re c omme nde d to apply the me thod for all the IP addre sse s de pe nding on the DNS c onfiguration polic y of the organization. T he right plac e for traffic monitoring is
the c e ntral switc h and the Inte rne t c onne c tion line .

Met hod paramet ers

MinimalT ransfe r: T hre shold of a minimal amount of data transfe rre d by a single de vic e for the last 24 hours (in MiB).

Assigned filt er

T he filte r is use d for re stric tion of the sourc e IP addre sse s.

Int erpret at ion of result s

T his me thod c an de te c t c onfiguration proble ms and also ale rt to ne w or unauthorize d de vic e s in the ne twork.
Anomaly Detection System

Note

T his patte rn is available in all ve rsions, e xc e pt the Lite ve rsion.

Basic Princ iple s of Anomaly De te c tion

Basic Principles of Anomaly Det ect ion

Met hod descript ion

Automatic anomaly de te c tion syste m provide d by the Flowmon ADS applic ation works on the princ iple s of pre dic tion that is base d on short- time historic al data. T he
statistic s de sc ribing the ne twork be havior are pre dic te d for the whole ne twork. In c ase the outlie r be twe e n the pre dic te d and the c urre nt value oc c urs, the de vic e
whic h c an be re sponsible is ide ntifie d and the e ve nt is ge ne rate d.

T he de tail of the e ve nt always c ontains the pre dic te d value of the re le vant statistic : its c urre nt value , its c urre nt value c ompute d only for the re sponsible de vic e and
the pe rc e ntual inc re ase for this de vic e sinc e the last batc h of the flow data.

T he automatic anomaly de te c tion syste m is e valuating the se statistic s:

T ransfe rre d data

T ransfe rre d pac ke ts
Establishe d c onne c tions
Communic ation pe e rs
De vic e s c onne c te d to the monitore d ne twork
Numbe r of re que sts
Numbe r of re plie s
Numbe r of unsuc c e ssful re que sts
Amount of the T CP traffic
Amount of the UDP traffic
Amount of traffic ove r othe r protoc ols
T otal c ount of se rvic e s
Numbe r of provide d se rvic e s
Numbe r of use d se rvic e s
T he ratio be twe e n the unsuc c e ssful c onne c tions and the whole traffic

T he ANOMALY me thod that is use d for automatic anomaly de te c tion has to have assigne d the filte r, whic h de fine s the monitore d se gme nt. T wo parame te rs de fining the
se nsitivity of the c lassifie r c an be se t.

T he first parame te r is the le ngth of the moving window (WindowLe ngthNe t). T his de fine s the maximal age of data use d for the c urre nt value pre dic tion. It applie s that
the longe r pe riod is use d, the le ss adaptable is the c lassifie r in ge ne ral (the re fore more se nsitive ).

T he se c ond parame te r is the thre shold value for e ve nt de te c tion (Ne tworkT hre shold). T his value de fine s how muc h bigge r the c urre nt value must be than the pre dic te d
value to ge ne rate the e ve nt. E.g. if the pre dic te d value is 100, and the value of this parame te r is 2, the n the c urre nt value has to be bigge r than 300 (= 100 + (2 × 100)) to
ge ne rate the e ve nt. T his parame te r c an be se t to two de c imal plac e s. T he lowe r is the re spe c tive value , the highe r is the se nsitivity of the c lassifie r.

T he MinimalPart parame te r c an be use d for improving the e ve nt sourc e ide ntific ation. T his parame te r de fine s minimal part of whole traffic re le vant to a single de vic e
and to the e xc e e de d me asure . If the de vic e e xc e e ds this thre shold, it gains highe r value (the de vic e s unde r the thre shold ge t the value "1").

Met hod paramet ers

WindowLe ngthNe t: Numbe r of hours (the le ngth of the moving time window) to c olle c t the statistic s for monitore d traffic .
Ne tworkT hre shold: T he c oe ffic ie nt inte nde d for c omputing of the dynamic thre shold. T he thre shold is e valuate d as a sum of pre dic te d value and the
multiplic ation of this value and the c oe ffic ie nt. T he c omputation of the pre dic te d value is base d on the store d statistic s.
MinimalPart: T hre shold of the minimal ratio be twe e n one de vic e and the total traffic to be ide ntifie d as an e ve nt sourc e .
S trictMode : S tric t filte ring during the re ve rse trac ing of the flows, that c an be attac he d to the e mail re ports. In c ase the re are some e mail re ports with e mpty
flow list, this option should be turne d off.
Ignore Inte rnal: If the parame te r is se t to yes, the statistic s for a de te c tion me thod are base d only on the c ommunic ation with one IP addre ss in the assigne d filte r
(the sourc e , or the de stination IP).

General System Procedures

T he se proc e dure s c onsist of the following ite m:

S YS CHECK – Data Inc onsiste nc y

SYSCHECK – Dat a Inconsist ency

Met hod descript ion

T he me thod c ontrols the input data c onsiste nc y and e ffic ie nc y of c urre nt Flowmon ADS applic ation se ttings.
 Met hod configurat ion

It is possible to c onfigure the thre shold ratio for e ac h individual me tric (e .g. amount of unpaire d flows) and turn on or off the de te c tion of wrong ac tive time out se ttings
on the flow e xporte r. De te c tion of duplic ate pac ke ts in the monitore d ne twork c an also be c onfigure d.

Met hod paramet ers

MinS ingle : Amount of unpaire d flows in the proc e sse d sample of traffic to show the warning (if 0, the c ontrol is not pe rforme d).
MinBroadcast: Amount of broadc ast and multic ast traffic in the proc e sse d sample to show the warning (if 0, the c ontrol is not pe rforme d).
MaxDe cre ase : Maximal value , whic h c an de c re ase the c urre nt amount of transfe rre d data re lative to the minimal of the fore going 4 hours (if 0, the c ontrol is not
pe rforme d).
De te ctT ime out: Ac tivation of the c ontrol of the ac tive time out diffe re nt than the standard 300 se c onds (5- se c ond tole ranc e ).
Duplicate s: Ac tivation of the c ontrol of the duplic ate pac ke ts in flows (it is re c omme nde d to turn this c ontrol off if the ac tive sampling of the c olle c tor is
e nable d).
Core Count: Ac tivation of the c ontrol of the ine ffe c tive se ttings of CPU c ore c ount allowe d to be use d by Flowmon ADS applic ation.
MaxPe rBatch: Amount of the e ve nts ge ne rate d by a single instanc e of the de te c tion me thod pe r one proc e sse d batc h to show the warning (if 0, the c ontrol is not
pe rforme d).
MaxPe rHour: Amount of the e ve nts ge ne rate d by a single instanc e of the de te c tion me thod pe r one hour to show the warning (if 0, the c ontrol is not pe rforme d).
De activate OnFlood: Multiple of the MaxPe rBatch parame te r – if e xc e e de d, the instanc e of the de te c tion me thod is de ac tivate d. If 0, the de te c tion me thod is not
de ac tivate d.
MinDe lta: Minimal diffe re nc e be twe e n time stamps. T he de te c tion is pe rforme d on the time stamps of the first and the last flow of the batc h, on the time stamp of
the last flow and the time stamp of the batc h itse lf. If 0, the time stamp c he c k is not pe rforme d.

Int erpret at ion of result s

T his me thod ge ne rate s simple warnings. T he se warnings c an be inte rpre te d as spe c ific proble ms with flow e xporte rs (e .g. wrong c onfiguration, inc omple te data).

User Interface

T he Flowmon ADS module inc lude s a c omple te we b use r inte rfac e base d on JavaS c ript and AJAX te c hnology. For basic c ontrol and ac c e ssing of various parts of the
applic ation se rve s the main me nu on the le ft side . T he uppe r part displays the status and information bar, the re st of the window are a se rve s as the use r workspac e .
Anothe r me ans of managing the applic ation is a c onte xt me nu, whic h is available afte r c lic king the arrow that appe ars afte r hove ring ove r spe c ific obje c ts.

T ips for the day are shown afte r a suc c e ssful use r login. Afte r logging in the applic ation, a we lc ome sc re e n is displaye d. T he re you may find important information about
what should be done be fore you start using the applic ation.

Basic Controls

T he basic c ontrols c onsist of the following option:

Main Applic ation Me nu

S tatus and Information Bar
Conte xt Me nu

Main Applicat ion Menu

T he main applic ation me nu is a basic guide post to all pe rspe c tive s and fe ature s available in the applic ation. Re late d func tions and vie ws are brought toge the r in joint
groups. T he main applic ation me nu c ontains the following ite ms:

Dashboard

T his part of the GUI c ontains an ove rvie w of c urre nt ne twork status, it c onsists of two main parts:

Ove rvie w: Chart of the le gitimate and unde sirable traffic .

Eve nts: Ove rvie w of the most important and of the late st e ve nts, a summary of all re c ognize d e ve nts.

Event s

In this se c tion, it is possible to vie w various vie ws on e ve nts:

S imple list: S imple list of e ve nts whic h e nable s advanc e d se arc hing and filte ring of e ve nts.

By hosts: A vie w of e ve nts groupe d by IP addre sse s, whic h are re late d to the e ve nts.

Aggre gate d vie w: Aggre gate d vie w brings toge the r e ve nts of the same type that took plac e on individual de vic e s, into c ontinuous bloc ks, whic h are the n
graphic ally displaye d on the time line .

Report s

A se t of HT ML or PDF re ports (re ports on re que st) that summarize all information about individual IP addre sse s available in the plug- in.

Cre ate re port: Ge ne rating re ports that are base d on a give n te mplate and time window.

Re ports: Configuring te mplate s use d for ge ne rating re ports.

 Chapte rs: Configuring c hapte rs of re ports.

Re port sche duling: S c he duling of automatic ge ne rating and se nding re ports via e mail.

Set t ings

Contains func tions use d to c onfigure and manage the applic ation. S e c tion is c ate gorize d into tabs by importanc e . Proc e ssing, the most c ommonly use d tab, is
followe d by S yste m se ttings and Mainte nanc e .

Configuration and manage me nt of the applic ation is de sc ribe d in the Installation and c onfiguration c hapte r. In this c hapte r, we are not de aling with func tions of the
S e ttings se c tion.

Logs

T his se c tion c ontains a list of ac tions that we re pe rforme d by use rs of the applic ation. It is possible to filte r the se ac tions ac c ording to the ir type or de tail.

About

T his c hapte r inc lude s brie f information about the applic ation and its ve rsion, information about the total numbe r of proc e sse d flows, lic e nse information. It also offe rs
ac c e ss to use r doc ume ntation, information about skippe d me thods and batc he s during the data proc e ssing.

T he c urre ntly se le c te d me nu ite m is always highlighte d. T he main applic ation me nu c an be c ollapse d and thus inc re ase the are of workspac e the available to the use r.
T o c ollapse or e nlarge the applic ation me nu it is possible to use the ic on of thre e paralle l line s in the top right c orne r of the me nu. Moving be twe e n the individual
subsubse c tions within one se c tion c an be done using the tabs in the use r workspac e .

St at us and Informat ion Bar

S tatus and information bar informs the use r about se le c te d basic information about the applic ation. It also inc lude s basic se ttings of its use r inte rfac e . T he following
ite ms are liste d from le ft to right:

Drop-down me nu: S witc hing be twe e n individual module s that are available on the Flowmon platform.

Data fe e ds proble m indicator: S tatus ic on has a gre e n c olor whe n e ve rything works c orre c tly. If the re are some warnings or e rrors, it c hange s its c olor to orange
or re d. T he numbe r inside the status ic on indic ate s the numbe r of unre ad me ssage s. Clic k the ic on to ope n a pop- up window whic h inc lude s all me ssage s, the ir
time and se ve rity. Use rs of the admin group c an de le te the se me ssage s.

Language switch: An imme diate switc h of the applic ation to the language se le c te d by positioning the language switc h (available English, Japane se , Cze c h,
Ge rman, Fre nc h and S panish).

He lp: Contains a link to the Use r guide and it also allows to se nd a Feedback or Bug report to the Flowmon Ne tworks c ompany.

Logge d-in use r: Name of the c urre ntly logge d use r.

Use r S e ttings: Allows to c hange the c re de ntials of the use r and its profile information. It is also possible to se t the basic pre fe re nc e s of the use r inte rfac e and
name re solving.

Logout: Logs out the c urre ntly logge d use r.

Cont ext Menu

T he c onte xt me nu is a me ans of fast c ontrol of the applic ation. Conte xt me nu brings toge the r all the ac tions that c an be pe rforme d with the re spe c tive use r inte rfac e
e le me nt.

Cont ext menu for an IP address

One of the most fre que ntly use d c onte xt me nus is an IP addre ss me nu. It c an be ac tivate d by c lic king the arrow that appe ars afte r hove ring ove r the IP addre ss (i. e . in
Eve nts se c tion). It inc lude s the following ite ms:

IP addres s co nt ext menu

Copy t o clipboard

Copie s the c onte nt of the e le me nt (in this c ase it is an IP addre ss) to the c lipboard.
General informat ion

Information about the translation of IP addre ss to the DNS name , obtaining the WHOIS information and displaying c ustom information about IP addre ss (if spe c ifie d –
se e Configuring filte rs). T he data are displaye d in a moving window.

Note

T he Lite ve rsion doe sn't inc lude displaying c ustom information about IP addre ss.

Browse IDS Event s

IDS e ve nts browse r. More info c an be obtaine d in the se c tion IDS Browse r.

Add t o filt er

It is possible to add the IP addre ss to the e xisting filte r. T his ac tion ope ns a modal window, whe re the use r of the applic ation c an c hoose the filte r whe re the IP addre ss
should be adde d. T he c orre sponding domain name for the IP addre ss is inse rte d as a note (if pre se nt).

Show filt ers for t his IP

S hows a list of all de fine d filte rs whic h c ontain the IP addre ss that ac tivate d the c onte xt me nu.

Relat ed event s

Vie w of e ve nts assoc iate d with the IP addre ss, the transition to the pe rspe c tive of the Eve nts → By hosts vie w.

Aggregat ed event s

Vie w of aggre gate d e ve nts on a time line assoc iate d with the IP addre ss, the transition to the Eve nts → Aggre gate d vie w.

IP Tools

Common diagnostic IP tools that inc lude :

Ping: Che c ks availability of the se le c te d IP addre sse s.

T race route : Compute r ne twork tool for me asuring the route path and transit time s of pac ke ts ac ross an Inte rne t Protoc ol (IP) ne twork.
LDAP: Displays information about the se le c te d IP addre ss obtaine d from the LDAP database (its c onfiguration in the ADS module is de sc ribe d in the Que rying
LDAP S e ttings se c tion).
Information from e PO: Displays information about the se le c te d IP addre ss obtaine d from the Mc Afe e e Polic y Orc he strator database (its c onfiguration in the ADS
module is de sc ribe d in the e Polic y Orc he strator Conne c tion S e ttings se c tion).

Ext ernal IP queries

Allows to display additional information about IP addre sse s using the use r- de fine d e xte rnal inte rne t se rvic e s (the ir de finition is de sc ribe d in the Exte rnal que rie s
se c tion).

Ext ernal host name services

Allows, similarly like the pre vious option, to display additional information about hostname s using the use r- de fine d e xte rnal inte rne t se rvic e s (the ir de finition is also
de sc ribe d in the Exte rnal que rie s se c tion).

Event cont ext menu

Anothe r use ful me nu is the c onte xt me nu for an e ve nt. It c an be ac tivate d by c lic king on the thre e dots ic on at the e nd of a row with an e ve nt. It c onsists of the following
ite ms:

Event det ail

 S hows e ve nt- re late d information (c ate gorization, note s).

Event evidence

De taile d vie w of e ve nts inc luding all data flows from whic h the e ve nt has be e n ge ne rate d (se e the Eve n e vide nc e c hapte r).

Manage event cat egories

Classific ation of e ve nts as pe r use r- de fine d c ate gorie s.

Relat ed IDS event s

S hows IDS e ve nts re late d to sourc e or targe t IP addre sse s.

Visualize event

A vie w of the e ve nts through an inte rac tive c hart base d on the flow data c ause d by the e ve nt.

Note

T his option is available in all ve rsions, e xc e pt the Lite ve rsion.

Mark as a false posit ive

Marks the e ve nt as a false alarm. T he e ve nt will no longe r be re porte d. For furthe r information se e the False Positive s se c tion.

Report as a false posit ive

It is possible to se nd an e mail about a false positive e ve nt to the Flowmon Ne tworks c ompany. T he e mail would c onsist of e ve nt de tails data, flow e ntrie s that are
re late d to the e ve nt, applic ation mode l and ve rsion and of the c ustome r's name . T he data will be use d to improve de te c tion me thods. T he data will be proc e sse d in
ac c ordanc e with the law on pe rsonal data prote c tion. We re c omme nd to add a c omme nt de sc ribing what's wrong with the de te c te d e ve nt.

Cont ext menu of an even t ype

T he ne xt me nu is the c onte xt me nu for an e ve nt type . It c an be ac tivate d by c lic king on the arrow ic on ne xt to the name of an e ve nt type . You c an find it for e xample in the
Eve nts → S imple list se c tion. It c onsists of the following ite ms:

Co nt ext menu o f an event t ype

Display event s of t his t ype

A vie w of all e ve nts of the same type , transition to the S imple list vie w.

Ot her t ypes of t he cont ext menus

T he re are othe r c onte xt me nus available for the spe c ific parts of the GUI. T he re are also c onte xt me nus for the MAC addre sse s and for the graph on the Dashboard.
Both of the m offe rs options that are mostly c ove re d in the pre vious se c tions.

Dashboard

T he dashboard is a basic inte rfac e e le me nt that is displaye d to the use r right afte r logging into the applic ation. T he dashboard provide s an ove rall pic ture of what is
happe ning on the ne twork. S e arc hing a spe c ific e ve nt by give n ID or spe c ific FT R traffic re c ord is provide d by c lic king on the Choose e ve nts by ID button whic h is
loc ate d in the top right c orne r of the page . T he de fault vie w shows e ve nts for the last 24 hours with the possibility of adjusting the vie w by c hanging the c orre sponding
se arc h c rite ria (Date , Pe rspe ctive s, Data fe e ds, S ource IPs, Eve nt type s, Prioritie s, Filte rs). T he re le vant se arc h c rite ria are available ac c ording to the c urre ntly vie we d
part of a dashboard (Analysis, Widge ts).

Analysis

It is possible to filte r ac c ording to the following c rite ria:

Date : T he re le vant pe riod for displaying the information in the Analysis, the pe riod c an be spe c ifie d dire c tly or c an be c hose n from an assoc iate d c ale ndar
(Custom time inte rval).
Re fre sh button: Automatic ally re fre she s data e ve ry 5 minute s.
Pe rspe ctive : T he e ve nts are displaye d ac c ording to the se le c te d priority.
Data fe e d: Allows to display only e ve nts that we re de te c te d by inspe c ting the flows from the spe c ifie d data fe e d.
 S ource IP: Displays e ve nts only for the IP addre sse s spe c ifie d in this fie ld. It is possible to e nte r IP addre sse s in the following formats:
S ingle IP addre ss, for the IP ve rsion 4 and 6 (e .g. 192.168.2.1, 2001:db8::be e f) or a c omma- se parate d list of single IP addre sse s
Ne twork addre ss or mask, for the IP ve rsion 4 and 6 (e .g. 192.168.1.0/24, fc 00::/7)
Range of IP addre sse s, for the IP ve rsion 4 and 6 (e .g. 10.0.1.2- 10.0.1.10, fe 80::- fe 80::ffff)
Wildcards notation of IPv4 addre sse s (e nume ration, range , all), only single wildc ard c an be use d in one IP addre ss. Example s:
192.168.{1,3,20}.1: IP addre sse s 192.168.1.1, 192.168.3.1 and 192.168.20.1
10.[1-3].0.0: IP addre sse s 10.1.0.0, 10.2.0.0 and 10.3.0.0
172.16.*.1: S ame as 172.16.[0- 255].0

Analys is f ilt er bar

Widget s

It is possible to filte r ac c ording to the following c rite ria:

Date : T he re le vant pe riod for displaying the information in the Widge ts, the pe riod c an be spe c ifie d dire c tly or c an be c hose n from an assoc iate d c ale ndar
(Custom time inte rval).
Re fre sh button: Automatic ally re fre she s data e ve ry 5 minute s.
S ource IP: Displays e ve nts only for the IP addre sse s spe c ifie d in this fie ld. It is possible to e nte r IP addre sse s in the following formats:
S ingle IP addre ss, for the IP ve rsion 4 and 6 (e .g. 192.168.2.1, 2001:db8::be e f) or c omma se parate d list of single IP addre sse s
Ne twork addre ss or mask, for the IP ve rsion 4 and 6 (e .g. 192.168.1.0/24, fc 00::/7)
Range of IP addre sse s, for the IP ve rsion 4 and 6 (e .g. 10.0.1.2- 10.0.1.10, fe 80::- fe 80::ffff)
Wildcards notation of IPv4 addre sse s (e nume ration, range , all), only single wildc ard c an be use d in one IP addre ss. Example s:
192.168.{1,3,20}.1: IP addre sse s 192.168.1.1, 192.168.3.1 and 192.168.20.1
10.[1-3].0.0: IP addre sse s 10.1.0.0, 10.2.0.0 and 10.3.0.0
172.16.*.1: S ame as 172.16.[0- 255].0
More filte rs:
Me thods: Displays only spe c ifie d e ve nts in the Widge ts.
Filte rs: It is possible to spe c ify the sourc e s of e ve nts by c hoosing a de fine d filte r.
Data fe e ds: Allows to display only e ve nts that we re de te c te d by inspe c ting the flows from the spe c ifie d data fe e d.

Widget s f ilt er bar

Analysis

T he Analysis tab c onsists of two c harts. T he Flows c hart displays the numbe r of flows pe r se c ond in a spe c ifie d time inte rval.On the right side of this c hart, the re is an
indic ator of flow proc e ssing status. T he Eve nts c hart is a stac ke d c olumn c hart that visualize s the c ount of e ve nts ac c ording to the ir type or priority. It is possible to
switc h be twe e n the se two type s of displaying with buttons in the top right c orne r of the c hart.

T he displaye d data may be filte re d using c he c kboxe s on the right side ne xt to the c hart. T his vie w c an be e xte nde d by c lic king on the button. It is possible to filte r
displaye d e ve nts ac c ording to the ir priority or e ve nt type base d on the vie w that is c urre ntly ac tive . Data c an be also filte re d by the time inte rval, the pe rspe c tive , the
sourc e IP addre ss and the data fe e d. T his part of the use r inte rfac e also c ontains a summary of all e ve nts that we re ge ne rate d and the ir c ount for e ac h e ve nt type .

Das hbo ard chart s

T he re is also a button with the ic on of arrows in the c irc le in the uppe r part of the dashboard (ne xt to the Date selection). T his button ac tivate s the fe ature that allows to
re fre sh data in the c hart e ve ry five minute s.

It is possible to c hoose a shorte r time pe riod dire c tly in the c hart, too. T he available information are displaye d for the se le c te d inte rval. You c an ope n the c onte xt me nu
of the c hart ove r the se le c te d inte rval to display this data in othe r vie ws (Aggre gate d vie w, S imple list, By hosts and Dashboard e ve nts) or to zoom in, zoom out or to
re se t the zoom to ge t the original time pe riod. T his is all possible using the following buttons:

You c an also shift the se le c te d inte rval using arrows in the right lowe r c orne r of the c hart and switc h the sc ale of the ve rtic al axis (line ar, logarithmic ) in the le ft uppe r
c orne r of the c hart.

Eve nts by priority

Eve nts in the se c tion Eve nts by priority c an be filte re d as pe r the se ttings in the Eve nts c hart. On the right side of the table , the re is a sparkline that visualize s tre nd
analysis for e ac h me thod by c omparing the se le c te d and pre vious time range . T his tre nd is also shown in pe rc e ntage s on the far right side of the table .

Event s by prio rit y

Eac h me thod row c an be e xpande d in orde r to display more de taile d information. T he numbe r of IP addre sse s displaye d is limite d to the 10 most important re c ords. It is
also possible to show more re c ords.

T he IP addre ss row c ontains:

S ourc e IP addre ss
S ourc e IP filte rs
Eve nts c ount
Re late d e ve nts

Ac tions are available in the c onte xt me nu.

Event ro ws

Eac h IP addre ss row c an be e xpande d in orde r to display a graph, whic h c apture s the de te c te d ac tivity of a partic ular IP addre ss in the se le c te d time pe riod. Unde r the
graph, the re is a list of e ve nts. T he numbe r of displaye d e ve nts is limite d to the 10 most important re c ords. It is also possible to show more re c ords.

Eve nt row c ontains:

Eve nt ID - allows to ope n e ve nt de tail in a ne w browse r tab

T ime stamp
De tail
T arge ts
Data fe e d
Comme nts

Ac tions are available in the c onte xt me nu.

 Det ailed view o f event s

Widget s

T he Widge ts tab provide s widge ts with some use ful statistic s whic h are re late d to e ve nts that we re pre viously ge ne rate d. T he re are five pre built widge ts at the tab in
ove rall:

Top 10 event s by priorit y

T he widge t shows the 10 most important e ve nts for the c hose n pe rspe c tive .