
FlowMon ADS Enterprise 7.02.00
User Guide
April 30, 2015

Contents
1 Introduction 6
1.1 Features and capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.2 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.3 Selected detection methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4 Basics of application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2 Installation and configuration 11

2.1 Installing on probe/collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2 Quick configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3 Detailed configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.3.1 Data storage settings (General settings\Storage settings) . . . . . . . . . . . . . 12
2.3.2 Application settings of the plug-in (General settings\Application settings) . . . . 13
2.3.3 Configuration (General settings\Configuration) . . . . . . . . . . . . . . . . . . . 13
2.3.4 Displaying configuration changes (General settings\Configuration changes) . . 15
2.3.5 User Permissions (General settings\User Permissions) . . . . . . . . . . . . . . . 15
2.3.6 Service names assignment (General settings\Named services) . . . . . . . . . . 17
2.3.7 Using own services for querying IP addresses (General Settings\External IP services) . . 18
2.3.8 User interface configuration (General settings\User Preferences) . . . . . . . . . 18
2.3.9 Configuration of NetFlow Data sources (Traffic processing\NetFlow sources) . . 18
2.3.10 Configuring filters (Traffic processing\Filters) . . . . . . . . . . . . . . . . . . . . . 20
2.3.11 Configuration of detection methods (Traffic processing\Methods) . . . . . . . . 22
2.3.12 Aggregation of events (Traffic processing\Aggregation of events) . . . . . . . . . 23
2.3.13 Configuration of perspectives (Traffic processing\Perspectives) . . . . . . . . . . 23
2.3.14 Configuration of categories of events (Traffic processing\Event categories) . . . 24
2.3.15 Configuration of false positives (Traffic processing\False positives) . . . . . . . . 24
2.3.16 Configuration of event reporting (Traffic processing\Event reporting) . . . . . . 26

3 Detection methods 28
3.1 Introduction to detection methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.1.1 Common configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.1.2 Common features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.1.3 NetFlow sources and assigned filters . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.2 Common network behavior patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.2.1 ALIENDEV – New or alien device . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.2.2 BITTORRENT – BitTorrent traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.2.3 BLACKLIST – Communication with blacklisted hosts . . . . . . . . . . . . . . . . . 33

3.2.4 COUNTRY – Behavior profiling – country reputation . . . . . . . . . . . . . . . . . 34
3.2.5 DHCPANOM – DHCP anomaly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.2.6 DIRINET – Direct internet communication . . . . . . . . . . . . . . . . . . . . . . 35
3.2.7 DIVCOM – Target hosts/ports anomaly . . . . . . . . . . . . . . . . . . . . . . . . 36
3.2.8 DNSANOMALY – DNS anomaly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.2.9 REFLECTDOS – Amplificated DoS attack . . . . . . . . . . . . . . . . . . . . . . . . 37
3.2.10 DOS – Denial of service attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.2.11 HIGHTRANSF – High volume of transferred data . . . . . . . . . . . . . . . . . . . 38
3.2.12 HONEYPOT – Honeypot traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.2.13 HTTPDICT – Web form attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.2.14 ICGUARD – Internet connection utilization anomaly . . . . . . . . . . . . . . . . . 40
3.2.15 ICMPANOM – ICMP anomaly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.2.16 IPV6TUNNEL – IPv6 tunneled traffic . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.2.17 INSTMSG – Instant messaging traffic . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.2.18 L3ANOMALY – L3 network anomaly . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.2.19 LATENCY – Network latency anomaly . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.2.20 MULTICAST – Multicast traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.2.21 OUTSPAM – SMTP anomaly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.2.22 PEERS – Partners communication anomaly . . . . . . . . . . . . . . . . . . . . . . 45
3.2.23 SCANS – Port scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.2.24 SRVNA – Service not available . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.2.25 TEAMVIEWER – TeamViewer traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.2.26 TELNET – Telnet anomaly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.2.27 TOR – TOR traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.2.28 UPLOAD – Data upload anomaly . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.2.29 VOIP – VoIP traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.2.30 VPN – VPN traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.2.31 WEBSHARE – Web sharing traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.3 Common behavior patterns for SIP traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.3.1 SIPFLOOD – SIP floods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.3.2 SIPSCAN – SIP scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.3.3 SIPPROXY – SIP proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.4 Advanced network behavior patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.4.1 BROKENSEN – Broken sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.4.2 DNSQUERY – DNS query volume anomaly . . . . . . . . . . . . . . . . . . . . . . 54
3.4.3 RDPDICT – RDP attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.4.4 SSHDICT – SSH attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.5 Derived behavior patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.5.1 DNSREVERSE – DNS reverse records missing . . . . . . . . . . . . . . . . . . . . . 56

3.6 Anomaly detection system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.6.1 Basic principles of anomaly detection . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.7 General system procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.7.1 SYSCHECK – Data inconsistency . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.8 High level events, threat detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.8.1 Common configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
3.9 Threat detections – aggregations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
3.9.1 ACCESSATTACK – Network access attack . . . . . . . . . . . . . . . . . . . . . . . 59
3.9.2 DATALEAKS – Potential data leaks . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
3.9.3 DOSATTACK – Denial of service attack . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.9.4 DNSTRAFFIC – DNS traffic anomaly . . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.9.5 LARGETRANSFER – Large data transfer . . . . . . . . . . . . . . . . . . . . . . . . 60
3.9.6 MALWARE – Malware infected device . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.9.7 MISCONFIGURED – Misconfigured device . . . . . . . . . . . . . . . . . . . . . . . 61
3.9.8 NETANOMALY – Network anomaly . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.9.9 NETDISCOVERY – Network discovery . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.9.10 PROXYBYPASS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.9.11 SPAMMER – Potential e-mail spammer . . . . . . . . . . . . . . . . . . . . . . . . 62
3.9.12 SNIFFER – Potential network sniffer . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.9.13 SRVOUTAGE – Service outage or misconfiguration . . . . . . . . . . . . . . . . . . 63
3.9.14 UNDESIRED – Usage of undesired applications . . . . . . . . . . . . . . . . . . . 63

4 User interface 64
4.1 Basic controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
4.1.1 Main application menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
4.1.2 Status and information bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
4.1.3 Context menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
4.1.4 Search criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
4.2 Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
4.2.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
4.2.2 Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
4.3 Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
4.3.1 Aggregated view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
4.3.2 Simple list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
4.3.3 By hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
4.3.4 Event details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4.3.5 Interactive event visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.3.6 Event evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.4 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79


4.4.1 Chapters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
4.4.2 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
4.4.3 Default report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
4.4.4 Scheduling reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81


1 Introduction
FlowMon ADS is a system for detecting anomalies and patterns of undesirable network behavior, based on the analysis of network data flows (NetFlow). The main goal of the solution is to increase the external and internal security of a computer network. Its main advantage over standard IDS systems is its orientation on the overall behavior of devices on the network, which makes it possible to respond to still unknown or specific threats for which no signature is available. An integrated dashboard displays a quick overview of the latest events and overall event statistics, allowing immediate identification of problems or problematic devices in the network.

The user documentation is divided into the following chapters:

• Introduction – the first chapter, which aims to familiarize users with the features and capabilities of the FlowMon ADS plug-in

• Installation and configuration – the second chapter, designed for system administrators, is dedicated to the installation and detailed configuration of the plug-in

• Detection methods – the third chapter specifies the features of the application exactly; part of the chapter describes best practices and the interpretation of results

• User interface – the fourth chapter is intended for ordinary users working with the application

• Contact information – a summary of contacts for the vendor and distributor of the plug-in

1.1 Features and capabilities

• Plug-in for FlowMon solution, easy to install on probe/collector

• Support for NetFlow v5/v9 and for IPv4 and IPv6

• Implementation of Bidirectional flows standard (RFC 5103)

• Building long-term behavioral profiles of devices on the network in terms of provided and used services, traffic volumes and communication partners

• Predefined set of rules for detection of undesirable behavior patterns – operational issues, attacks, unwanted services


• Predefined set of rules for detecting network anomalies such as behavior change of devices
on the network, discovering new network services, etc.

• A comprehensive dashboard with a direct indication of problems in the network

• Interactive visualization of events and relevant context in the form of directed graphs

• Complex filtering options and event prioritization linked to reporting and alerts

• Integration of tools for obtaining additional information (DNS, WHOIS)

• Support for adding custom information about IP addresses (name, role, username, ...)

• Automated outputs via e-mail

1.2 Limitations
The application is designed for the following environment:

• Data flow up to 5000 flows per second

• Behavior profiling for 10000 unique IP addresses

• General anomaly detection system based on change of behavior for 2500 unique IP addresses

• If the application is to be deployed in an environment which does not meet these requirements, please contact the application vendor

1.3 Selected detection methods

Detection of network anomalies:

• Anomaly detection system based on changes in the behavior profile

• Detection of heterogeneous communication

• Detection of transmission of large volumes of data in the network


• Detection of service unavailability

• Detection of parasite device

Detection of remote management:

• Detection of Telnet protocol

• Detection of sharing desktop using TeamViewer

Detection of attacks:

• Detection of dictionary attacks on SSH services

• Denial of Service type attacks

• Detection of TCP scans

• Detection of outbound SPAM

Error checking at the configuration level:

• Detection of IP addresses without reverse DNS records

• Detection of delays on the network

Usage of unwanted services:

• Detection of Instant Messaging (ICQ, Jabber, MS Messenger, Google Talk, ...)

• Detection of BitTorrent P2P network

• Detection of different Voice-over-IP protocols

• Detection of different VPN connections and tunnels

• Detection of direct communication to the internet


1.4 Basics of application

FlowMon ADS is available as a standard plug-in for the FlowMon probe/collector. It is a web application that uses modern scripting technology (JavaScript and AJAX) and displays data through Adobe Flash. The application is optimized for Firefox 31 and later; the other supported browsers are the latest versions of:

• Internet Explorer

• Opera

• Google Chrome

• Safari

The user interface is divided into three main parts. The status and information bar is in the upper part of the application, and the application main menu is shown on the left; it can be hidden if necessary. The remaining area of the user interface is the user's desktop, which shows the information and functionality grouped under the currently selected item in the main application menu.

Another means of controlling the application is the context menu, available by right-clicking on the relevant object.


Figure 1: User interface preview


2 Installation and configuration

2.1 Installing on probe/collector

FlowMon ADS is a plug-in that can be run on the probe and the collector. Installation on the probe/collector is carried out through the Install/Update function found under the Version tab in the FlowMon Configuration Center. More information on installing plug-ins can be found in the FlowMon probe/collector documentation.

The installation process automatically applies the Common company configuration template to the application. Commonly used detection methods and parameters are activated by this process. One NetFlow data source is also prepared for the first monitoring port on the probe. This NetFlow source must be activated manually. NetFlow source configuration is described in chapter 2.3.10 Configuration of NetFlow data sources.

The FlowMon ADS application in version 7.0 or higher can be installed only on FlowMon probe/collector version 7.01 or higher. Since application version 6.0 the license is part of the united FlowMon license. The license has to be loaded using the FlowMon Configuration Center. It is recommended to use the new license type for the application to work properly. If the application is upgraded from a version older than 6.0, please ask the INVEA-TECH company for the new license file.

2.2 Quick configuration


The basic configuration of the plug-in consists of three steps:

1. Log into the plug-in – use the credentials used to log into the FlowMon Configuration Center. You can change your password and define other users through the FlowMon Configuration Center under the System tab. More information on the management of user accounts can be found in the FlowMon probe/collector documentation. The currently logged-in user can be edited using the button with the username in the upper right corner.

2. Go through the configuration wizard – the welcome window with the link to the configuration wizard is shown after the first login into the application (the wizard can also be started using the question mark icon in the Traffic processing agenda).

The first step of the configuration wizard is applying the configuration template. The template creates the basic IP range filters and sets default values for the detection method parameters. In the next steps it is possible to extend the LAN filter based on the private IP ranges or the public IP addresses of the monitored network segment, define specific devices in the network (e.g. DNS servers), set the size of the monitored network and allow the use of external services (blacklist downloads). All set values are used for the relevant detection method parameters.

3. Configure the NetFlow data sources – in the subsection Traffic processing\NetFlow sources set up the particular sources of NetFlow data that will be processed by the application. From the aspect of data collection the application works like a collector capable of receiving data in the NetFlow v5/v9 format. For each source:

• Enter a unique Name

• Select the profile and the appropriate channels that should be used as input

• Set all data sources you want to use as active

2.3 Detailed configuration

2.3.1 Data storage settings (General settings\Storage settings)

In this section you can modify settings of the data storage.

The Delete data after parameter controls the deletion of old data. It is useful for archiving events for later analysis. The value Never sets the data lifetime to infinity, while After default period sets the default values (events – 183 days).

The number of days for which the data for the overview graph are stored can be set by the Days to keep overview chart data parameter.

FlowMon ADS allows raising performance using the SuperFast ™ mode. Using this option is recommended only for huge networks that generate more than 1000 flows per second. Activating the SuperFast ™ mode on smaller networks could slow the application down. It is also necessary to limit the maximal amount of memory that can be used by the SuperFast ™ mode.

The Filter booster parameter is appropriate to activate if and only if there are filters with many IP ranges defined in the FlowMon ADS application (e.g. using wildcards). Otherwise its activation can cause a lack of performance.

2.3.2 Application settings of the plug-in (General settings\Application settings)

The admin user can lock the traffic processing configuration (e.g. detection method configuration, filter configuration, ...) for non-admin users using the Lock configuration for non-admin users option.

Access to external services (Internet services) can be allowed or denied using the External services option. If internet access is denied, geolocation services, the whois service and detection methods depending on external sources are unavailable. For details, see the information on the various detection methods.

The application uses all available CPUs. The Maximal count of computational threads parameter allows limiting the number of CPU cores which the application can utilize.

The application allows resolving the event source IP address immediately after event detection. This function makes it possible to determine the identity of an event source associated with a short-lived (DHCP-assigned) IP address. The IP addresses which should be resolved are defined by Capture source hostname.

Service mail is used for sending notifications in case the disk quota for the ADS plug-in is exceeded.

2.3.3 Configuration (General settings\Configuration)

In the configuration section, functions for the management of device configuration are available.

All user data can be deleted at any time (Clean-up all data), or you can bring the device into the factory setting (Reset to factory defaults), which also includes deleting all user data. User data include all events. Deleting data or resetting the device to factory defaults requires restarting the device or restarting the plug-in through the FlowMon Configuration Center under the Version tab. If the reset is not performed before midnight, the clean-up data and reset to factory defaults settings are discarded. More information on managing the plug-in can be found in the FlowMon probe/collector documentation.

The application stores resolved DNS names for a short time period. This cache can be emptied using the Clear DNS cache button.

To simplify the configuration of devices, pre-defined templates for plug-in settings are available (Apply configuration template). Templates include the configuration of NetFlow data filters, individual detection techniques and perspective settings. Application of a template can be enforced (Force), which means that any current setting in conflict with the selected template is overwritten. The following templates are currently available:

• Common company configuration template – template designed for small and medium-sized organizations. Filter settings include the commonly used private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Activated detection methods and their settings correspond to the typical security needs of small and medium-sized organizations. The automatic anomaly detection system is not activated network-wide; it must be activated afterwards on a selected portion of the network. Within the perspective settings the highest priority is given to events that might indicate an attack or a serious breach of network security.

• Large company configuration template – template designed for large enterprises. Filter settings include the commonly used private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Activated detection methods and their settings correspond to the typical security needs of large organizations. The automatic anomaly detection system is not activated network-wide; it must be activated afterwards on a selected portion of the network. Within the perspective settings the highest priority is given to events that might indicate an attack or a serious breach of network security.

• Internet service provider trunk template – template designed for large backbone networks. Filters are not part of the template. Activated detection methods and their settings correspond to the typical security needs of ISP networks, focused on massive attacks and anomalies in the network.

It is possible to save the current application configuration and restore it if needed. Application configuration is not portable between application versions. Configuration backup can also be done automatically every midnight. Of the automatically created backup files only the 14 newest are kept; older ones are deleted.


Figure 2: Configuration changes view

2.3.4 Displaying configuration changes (General settings\Configuration changes)

FlowMon ADS allows displaying the configuration changes made by individual users. Changes are shown in a tree form, sorted by username and the date when the change was made. The changes can be searched using the search criteria filter.

2.3.5 User Permissions (General settings\User Permissions)

The FlowMon ADS application allows admins to limit the data that can be viewed by non-admin users. To limit the events that can be shown to a given non-admin user, a perspective can be assigned to each of these users. The user can then view only the events defined in the perspective, and the method instance configuration appropriate to these events.

Perspectives can be defined using the simplified interface. It is enough to select the NetFlow source and the IP address filter and to assign priorities to the event types. The selected source and filter are then assigned to each defined priority (the filter is assigned twice to each priority – once as the source filter and once as the target filter).

User permissions conclusion


• User permissions for non-admin users

– Assigned filters

* User can see only filters assigned to him. He cannot edit them.
* Filter assigned to the user limits the content of displayed report chapters.

– Assigned perspectives

* User can see only perspectives assigned to him. He cannot edit them.
* User can see only the methods (and relevant events) that are defined by the perspectives assigned to him.
* User can see only those e-mail reports that are connected to perspectives assigned to him.
* User can see only NetFlow sources connected to priorities in perspectives assigned to him.
* Perspective assigned to the user limits the content of displayed report chapters.
* User without an assigned perspective can see all NetFlow sources (including relevant events and overview charts).
* User with an assigned perspective in which some priority is defined as independent of the NetFlow source can see all NetFlow sources (including relevant overview charts, but events are limited by the perspective).

• Hidden pages for non-admin users

– Traffic processing \NetFlow sources

• Read-only pages for non-admin users

– General settings \Storage settings
– General settings \Application settings
– General settings \Configuration
– General settings \Configuration changes
– General settings \User permissions (Only permissions assigned to him)
– General settings \Named services
– General settings \External IP services
– General settings \User preferences
– Traffic processing \Filters (Only filters assigned to him)
– Traffic processing \Methods (According to the perspectives assigned to him)
– Traffic processing \Aggregation of events
– Traffic processing \Perspectives (Only perspectives assigned to him)
– Traffic processing \Event categories
– Traffic processing \False positive (and the Mark as false positive dialog menu item)
– Traffic processing \Event reporting

• Viewing the reports by non-admin users

– User can see the report if he can see all of its chapters.
– User can see the chapter if:
Events by priority The filter and perspective that are set have to have a non-empty intersection with the filters and perspectives assigned to the user
Event matrix The filter and perspective that are set have to have a non-empty intersection with the filters and perspectives assigned to the user
Overall status The perspective that is set has to have a non-empty intersection with the perspectives assigned to the user.

• Viewing the threats (since FlowMon ADS version 6.06) by non-admin users

– User can see the threats that consist only of particular events which can be seen by the user according to the perspectives assigned to him.
– User can see only the configuration of threat methods that are based on at least one detection method which can be seen by the user according to the perspectives assigned to him.

• Universal facts

– Admin user can see even non-public reports of other users.
– The change of a perspective has no influence on already existing events.
– The Lock configuration for non-admin users option locks only the General settings \User preferences settings.
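The report-visibility rules above (a non-admin sees a report only if every chapter is visible, and a chapter only if its filter and perspective intersect the user's assignments), shown as an added example that is not part of this guide or of the FlowMon product: a Python model of the check run over constructed users, filters, perspectives and reports. The class names, the owner-only rule for non-public reports and all sample names are this example's assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False
    filters: frozenset = frozenset()       # filters assigned by the admin
    perspectives: frozenset = frozenset()  # perspectives assigned by the admin


@dataclass(frozen=True)
class Chapter:
    kind: str  # "Events by priority", "Event matrix" or "Overall status"
    filters: frozenset = frozenset()
    perspectives: frozenset = frozenset()


@dataclass(frozen=True)
class Report:
    name: str
    owner: str
    chapters: tuple
    public: bool = True


CHAPTER_KINDS = {"Events by priority", "Event matrix", "Overall status"}


def can_see_chapter(user: User, chapter: Chapter) -> bool:
    """Chapter rule from the guide: the chapter's perspectives must intersect the
    user's; Events by priority and Event matrix additionally need the filters to
    intersect. Admins are not restricted."""
    if chapter.kind not in CHAPTER_KINDS:
        raise ValueError(f"unknown chapter kind: {chapter.kind!r}")
    if user.is_admin:
        return True
    if not chapter.perspectives & user.perspectives:
        return False
    if chapter.kind == "Overall status":
        return True
    return bool(chapter.filters & user.filters)


def can_see_report(user: User, report: Report) -> bool:
    """Report rule: a non-admin sees a report only if every chapter is visible.
    Admins also see other users' non-public reports; restricting a non-public
    report to its owner is this example's assumption."""
    if user.is_admin:
        return True
    if not report.public and report.owner != user.name:
        return False
    return all(can_see_chapter(user, ch) for ch in report.chapters)


def visible_reports(user: User, reports) -> list:
    """Names of the reports the user is allowed to open, in catalogue order."""
    return [r.name for r in reports if can_see_report(user, r)]


# Constructed sample data (names are illustrative, not from the guide).
LAN, DMZ = "LAN filter", "DMZ filter"
SEC, OPS = "Security perspective", "Operations perspective"

ALICE = User("alice", filters=frozenset({LAN}), perspectives=frozenset({SEC}))
BOB = User("bob", filters=frozenset({DMZ}), perspectives=frozenset({OPS}))
ROOT = User("admin", is_admin=True)

REPORTS = (
    Report("LAN security", "alice", (
        Chapter("Events by priority", frozenset({LAN}), frozenset({SEC})),
        Chapter("Overall status", perspectives=frozenset({SEC})),
    )),
    # One chapter is OPS-only, so alice cannot see the whole report.
    Report("Site-wide", "admin", (
        Chapter("Event matrix", frozenset({LAN, DMZ}), frozenset({SEC, OPS})),
        Chapter("Overall status", perspectives=frozenset({OPS})),
    )),
    Report("Bob private", "bob", (
        Chapter("Overall status", perspectives=frozenset({OPS})),
    ), public=False),
)

if __name__ == "__main__":
    for u in (ALICE, BOB, ROOT):
        print(u.name, visible_reports(u, REPORTS))
```

The check is deliberately all-or-nothing at report level, as the guide states: one chapter outside the user's perspectives hides the entire report rather than rendering a partial one.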

2.3.6 Service names assignment (General settings\Named services)

If services are provided on unconventional ports in the monitored network, it is appropriate to add the assignment (port number – service name) to the Named services list. This assignment is used in the event details of the DOS and SRVNA detection methods.


2.3.7 Using own services for querying IP addresses (General Settings\External IP services)

It is possible to get additional information about IP addresses using any available web service. Defined services can be invoked using the context menu over an IP address. A new tab is opened on the current page after querying. The query is a URL address; it should contain the $IP variable, which is replaced by the given IP address.

It is possible to use the $MAC variable instead of $IP. Such a web service can be applied to the MAC address in the Event evidence view.
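The $IP / $MAC substitution described above, shown as an added example that is not part of this guide or of the FlowMon product: a Python helper that fills an External IP service URL template only with a syntactically valid IPv4, IPv6 or MAC address and percent-encodes it, so that a malformed value taken from event data can never alter the path or query of the lookup URL. The function names, the MAC normalisation (lower-case, colon-separated) and the `.invalid` hostnames are this example's assumptions.

```python
import ipaddress
import re
from urllib.parse import quote

# Constructed pattern: six hex pairs separated by ':' or '-'.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def build_lookup_url(template: str, value: str) -> str:
    """Replace the $IP or $MAC placeholder in a service template with a
    validated, percent-encoded address. Raises ValueError when the template
    has no (or both) placeholders or the value is not an address of that kind."""
    if "$IP" in template and "$MAC" in template:
        raise ValueError("template must use either $IP or $MAC, not both")
    if "$IP" in template:
        # ipaddress rejects anything that is not a bare IPv4/IPv6 address,
        # e.g. '203.0.113.7/../admin' or an address with a trailing query.
        addr = ipaddress.ip_address(value.strip())
        return template.replace("$IP", quote(str(addr), safe=""))
    if "$MAC" in template:
        mac = value.strip()
        if not MAC_RE.match(mac):
            raise ValueError(f"not a MAC address: {mac!r}")
        normalised = mac.lower().replace("-", ":")  # assumed canonical form
        return template.replace("$MAC", quote(normalised, safe=""))
    raise ValueError("template contains neither $IP nor $MAC")


def lookup_menu(services: dict, value: str) -> dict:
    """Context-menu entries for one address: each service name mapped to its
    URL. Services whose placeholder does not fit the value (a $MAC service
    offered an IP address, or vice versa) are left out rather than built."""
    menu = {}
    for name, template in services.items():
        try:
            menu[name] = build_lookup_url(template, value)
        except ValueError:
            continue
    return menu


# Constructed service definitions; hosts use the reserved .invalid TLD.
SERVICES = {
    "whois": "https://lookup.example.invalid/whois?q=$IP",
    "vendor": "https://oui.example.invalid/?mac=$MAC",
}

if __name__ == "__main__":
    for address in ("203.0.113.7", "2001:db8::1", "00-1A-2B-3C-4D-5E", "203.0.113.7/../admin"):
        print(address, "->", lookup_menu(SERVICES, address))
```

Because the value is validated as an address before substitution, a service template can safely place `$IP` inside a path segment as well as a query parameter.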

2.3.8 User interface configuration (General settings\User Preferences)

Each user can set their own user interface parameters. It is possible to enable the logout confirmation dialog box, select the default language of the user interface, set the session timeout, enable the display of application tips, enable automatic domain name resolving, show the welcome screen window and disable the automatic loading of the dashboard tables. Next, it is possible to hide inactive methods from the search criteria filters. Each user can set the default scale (logarithmic/linear) for the Dashboard:Overview view.

2.3.9 Configuration of NetFlow Data sources (Traffic processing\NetFlow sources)

NetFlow data sources represent the individual monitored points of the network and are one of the
licensing restrictions (the number of simultaneously active NetFlow data sources). The second
licensing restriction is the number of concurrent users working with the plug-in user interface. For
each monitored point of the network a NetFlow data source must be created in the plug-in. The
configuration of a data source includes:

Name Unique data source name


Profile Name of the profile which is used as an input.

Channels Selection of the channels that are used as input data for the application.

Sampling rate Rate for sampling the input data.

Deduplicate If active, the uniqueness of the flow records received by one NetFlow source is
guaranteed (duplicate records are discarded).

Check timestamps If active, flow records whose timestamp differs by more than 30 minutes from
the system clock are discarded.

SIP processing Switches between processing of plain NetFlow data and processing of NetFlow data
enhanced with SIP entries. It is impossible to process both (NetFlow data with SIP entries and
NetFlow data without SIP entries) on a single NetFlow source together. Only the detection
methods with the "SIP" prefix are used if SIP processing is active.

State The current state of the NetFlow source.

Proxy If active, the two flows client-proxy and proxy-server are replaced by one flow client-server.
This correlation allows methods that would otherwise not detect events correctly in a network
with a proxy to work properly. Within the method configuration it is possible to set the tolerated
difference in data amount between the two flows that are to be correlated (Tolerance) and the
number of milliseconds by which the flows outside the proxy may last longer (ReqDurationOverload
for the request, RepDurationOverload for the reply). The correlation has high accuracy and
coverage, but it is not absolute. Correlation of flows in front of and behind the proxy is possible
only if the network is monitored at two points: inside the network behind the proxy server and
outside the proxy server. It is necessary to set the IP addresses of the outer (External IP) and
inner (Internal IP) interfaces and the proxy server's listening port (Internal Port). To reduce false
positives, the proxy clients (Clients Filter) can be specified. More than one proxy server can be
defined for each NetFlow source; the maximum count is limited by the license.

Channels as virtual sources It is possible to activate so-called virtual sources for NetFlow sources.
Virtual sources isolate the NetFlow data of the individual channels of the input profile. They
allow channels to be assigned to instances of detection methods and to priorities. If active, data
from different channels are processed separately from each other.
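The proxy correlation described above, as an added Python example; this is not FlowMon's own implementation. The flow record fields, the ProxyConfig field names and the exact way the two duration overloads are applied (outer flow start within ReqDurationOverload of the inner start, outer flow end within RepDurationOverload of the inner end) are this example's assumptions; the sample flows are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    """One bidirectional flow record (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    bytes_req: int     # bytes sent from src to dst (request direction)
    bytes_rep: int     # bytes sent from dst to src (reply direction)
    start_ms: int      # flow start, milliseconds
    duration_ms: int   # flow duration, milliseconds

    @property
    def end_ms(self) -> int:
        return self.start_ms + self.duration_ms


@dataclass(frozen=True)
class ProxyConfig:
    """Mirrors the settings named in the guide; the attribute names are assumptions."""
    internal_ip: str               # Internal IP: proxy interface facing the clients
    internal_port: int             # Internal Port: proxy listening port
    external_ip: str               # External IP: proxy interface facing the servers
    tolerance_bytes: int           # Tolerance: allowed byte difference per direction
    req_duration_overload_ms: int  # ReqDurationOverload
    rep_duration_overload_ms: int  # RepDurationOverload


def _sizes_match(inner: Flow, outer: Flow, tol: int) -> bool:
    return (abs(inner.bytes_req - outer.bytes_req) <= tol
            and abs(inner.bytes_rep - outer.bytes_rep) <= tol)


def _timing_matches(inner: Flow, outer: Flow, cfg: ProxyConfig) -> bool:
    # Assumption: the outer (proxy-server) flow may start up to ReqDurationOverload ms
    # away from the inner flow's start and end up to RepDurationOverload ms away from
    # the inner flow's end.
    return (abs(outer.start_ms - inner.start_ms) <= cfg.req_duration_overload_ms
            and abs(outer.end_ms - inner.end_ms) <= cfg.rep_duration_overload_ms)


def correlate_proxy_flows(flows: List[Flow], cfg: ProxyConfig) -> Tuple[List[Flow], List[Flow]]:
    """Replace matching client-proxy / proxy-server pairs by one client-server flow.

    Returns (merged flows, flows left unchanged).  Flows that never touch the proxy
    pass through unchanged; proxy flows without a counterpart stay unmerged as well.
    """
    inner = [f for f in flows if f.dst == cfg.internal_ip and f.dport == cfg.internal_port]
    outer = [f for f in flows if f.src == cfg.external_ip]
    passthrough = [f for f in flows if f not in inner and f not in outer]
    used = set()
    merged = []
    for cf in inner:
        match = None
        for i, sf in enumerate(outer):
            if i in used:
                continue
            if _sizes_match(cf, sf, cfg.tolerance_bytes) and _timing_matches(cf, sf, cfg):
                match = i
                break
        if match is None:
            passthrough.append(cf)
            continue
        used.add(match)
        sf = outer[match]
        # The merged flow keeps the client side and the byte counts seen by the client
        # and spans both flows in time.
        merged.append(Flow(cf.src, cf.sport, sf.dst, sf.dport, cf.bytes_req, cf.bytes_rep,
                           cf.start_ms, max(cf.end_ms, sf.end_ms) - cf.start_ms))
    passthrough.extend(sf for i, sf in enumerate(outer) if i not in used)
    return merged, passthrough


# Constructed sample: one HTTPS request through the proxy, one unrelated proxy-server
# flow and one direct LAN flow.  Proxy is 192.168.1.1:3128 inside, 203.0.113.10 outside.
PROXY = ProxyConfig("192.168.1.1", 3128, "203.0.113.10", 100, 200, 200)
SAMPLE_FLOWS = [
    Flow("192.168.1.33", 51000, "192.168.1.1", 3128, 820, 50200, 1000, 400),
    Flow("203.0.113.10", 40001, "198.51.100.7", 443, 790, 50100, 1050, 320),
    Flow("203.0.113.10", 40002, "198.51.100.9", 443, 12000, 3000, 1100, 250),
    Flow("192.168.1.40", 52000, "192.168.1.50", 22, 1500, 9000, 1000, 60),
]

if __name__ == "__main__":
    merged, rest = correlate_proxy_flows(SAMPLE_FLOWS, PROXY)
    for f in merged:
        print(f"merged: {f.src}:{f.sport} -> {f.dst}:{f.dport}, {f.duration_ms} ms")
    print(f"{len(rest)} flow(s) left unchanged")
```

The byte tolerance is what keeps the unrelated proxy-server flow from being paired with the client request, which is why the guide warns that the correlation is accurate but not absolute: two clients fetching objects of nearly the same size at the same moment can still be confused.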

Since version 6.04 the NetFlow sources use the profiles on the collector (or on the built-in collector
of the probe) directly, so it is not necessary to forward the data to another target. NetFlow sources
can be based on any real profile, so the input data can be filtered at the collector level, which
reduces the load of the FlowMon ADS application. The FlowMon ADS NetFlow sources support the
NetFlow v5, v9 and IPFIX protocols.

After configuring the NetFlow data sources (and hence the profiles) you should configure the
exporters. Details on configuring the exporters can be found in the FlowMon probe documentation.
The granularity of flows affects the accuracy of the detection methods. To reduce the number of
flows generated by the probe, the following values are appropriate:

• active timeout – 300 s

• inactive timeout – 30 s

2.3.10 Configuring filters (Traffic processing\Filters)

Correct settings of NetFlow data sources and of the logical network topology affect the results
of the detection methods and the overall detection capability of the plug-in. The basic
distinguishable entity in the plug-in is the IP address. When an event is detected, it is bound to the
IP address that caused it and to the NetFlow data source on which it was detected. This implies a
number of limitations when IP addresses are allocated dynamically and a stable allocation of the
same IP address to each network device is not guaranteed. In such a case it is not possible to derive
the direct responsibility of a particular user for an event detected in the network.

Filters are named logical groupings of arbitrary IP addresses. Each filter has a unique name,
can be linked to the defined NetFlow data sources and includes any number of IP address ranges.
Filters are also used by detection methods for limiting the range of the addresses relevant for each
detection method. Binding to NetFlow data sources can further reduce the processing of NetFlow
data in the detection method (see example later in this subsection). IP addresses for filters can be
specified in the following ways:

• Network address/mask for the IP version 4 and 6 (e.g. 192.168.1.0/24)

• Range of IP addresses for IP version 4 and 6 (e.g. 10.0.1.2-10.0.1.10)

• Single IP address for IP version 4 and 6 (e.g. 192.168.2.1) or comma separated list of single IP
addresses

• Wildcard notation of IPv4 addresses (enumeration, range, all); only a single wildcard can be
used in one IP address. Examples:

192.168.{1,3,20}.1 IP addresses 192.168.1.1, 192.168.3.1 and 192.168.20.1
10.[1-3].0.0 IP addresses 10.1.0.0, 10.2.0.0 and 10.3.0.0
172.16.*.1 Same as 172.16.[0-255].1

192.168.1.0/24;LAN
192.168.10.0-192.168.10.25;LAN
192.168.1.1;SMTP
Figure 3: Example of filter definition file

It is strongly recommended to activate the Filter booster parameter in General configuration\Storage
if many IP ranges are defined in some filter.

A new filter can also be created as the difference of two other filters using the Subtract filters
button. Similarly, the Invert the filter button creates a new inverted filter from an existing one.

The Import filters button imports filter definitions from a text file. The format of the file is one
filter definition per line: the IP address definition is in the first column and the name of the filter
in the second column; the columns are separated by a semicolon. The IP addresses can be specified
in the same ways as when defining a filter manually. If the name of a filter already exists in the
application, you are notified and the import fails.

If the Overwrite existing filters checkbox is checked, the IP ranges of filters with the same name as
in the uploaded file are overwritten by the new ones given in the file.
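A parser for the import file format and the address notations listed above, as an added Python example (not FlowMon's own code). It also implements the IPv4 wildcard notation, which the guide uses again for false positive rules in section 2.3.15. The sample file reproduces Figure 3 plus one constructed wildcard line; the parser is slightly more permissive than the guide in that a comma separated list may mix all notations, not only single addresses.

```python
import ipaddress
from typing import Dict, List


def expand_wildcard(addr: str) -> List[ipaddress.IPv4Address]:
    """Expand the IPv4 wildcard notation: {1,3,20}, [1-3] or * in exactly one octet."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 wildcard address: {addr!r}")
    wild = [i for i, o in enumerate(octets) if not o.isdigit()]
    if not wild:
        return [ipaddress.IPv4Address(addr)]
    if len(wild) > 1:
        raise ValueError(f"only one wildcard octet is allowed: {addr!r}")
    i, tok = wild[0], octets[wild[0]]
    if tok == "*":
        values = range(256)
    elif tok.startswith("{") and tok.endswith("}"):
        values = [int(v) for v in tok[1:-1].split(",")]
    elif tok.startswith("[") and tok.endswith("]"):
        lo, hi = (int(v) for v in tok[1:-1].split("-"))
        values = range(lo, hi + 1)
    else:
        raise ValueError(f"unknown wildcard {tok!r} in {addr!r}")
    out = []
    for v in values:
        if not 0 <= v <= 255:
            raise ValueError(f"octet value {v} out of range in {addr!r}")
        out.append(ipaddress.IPv4Address(".".join(octets[:i] + [str(v)] + octets[i + 1:])))
    return out


def _split_items(defn: str) -> List[str]:
    """Split on commas without breaking {a,b,c} enumerations."""
    items, depth, cur = [], 0, []
    for ch in defn:
        depth += (ch == "{") - (ch == "}")
        if ch == "," and depth == 0:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return [s.strip() for s in items if s.strip()]


def parse_ip_definition(defn: str) -> List:
    """Turn one IP address definition into a list of ip_network objects."""
    nets = []
    for item in _split_items(defn):
        if any(c in item for c in "{[*"):          # wildcard notation (IPv4 only)
            nets.extend(ipaddress.ip_network(str(a)) for a in expand_wildcard(item))
        elif "/" in item:                           # network/mask, IPv4 or IPv6
            nets.append(ipaddress.ip_network(item, strict=False))
        elif "-" in item:                           # first-last range, IPv4 or IPv6
            first, last = (ipaddress.ip_address(a.strip()) for a in item.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:                                       # single address
            nets.append(ipaddress.ip_network(item))
    return nets


def import_filters(text: str, existing: Dict[str, List], overwrite: bool = False) -> Dict[str, List]:
    """Parse an import file ('ip definition;name' per line) into name -> networks.

    Several lines may share a name (their ranges accumulate, as in Figure 3).  A name that
    already exists in the application makes the whole import fail unless overwrite is set,
    in which case the ranges from the file replace the existing ones.
    """
    result = {name: list(nets) for name, nets in existing.items()}
    seen_in_file = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        cols = line.split(";")
        if len(cols) != 2 or not cols[1].strip():
            raise ValueError(f"line {lineno}: expected 'ip definition;filter name'")
        ipdef, name = cols[0].strip(), cols[1].strip()
        if name in existing and not overwrite:
            raise ValueError(f"line {lineno}: filter {name!r} already exists")
        if name not in seen_in_file:
            seen_in_file.add(name)
            result[name] = []     # first line for this name starts a fresh range list
        result[name].extend(parse_ip_definition(ipdef))
    return result


def ip_in_filter(nets: List, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


# Constructed import file: the three lines of Figure 3 plus one wildcard line.
SAMPLE_IMPORT = """192.168.1.0/24;LAN
192.168.10.0-192.168.10.25;LAN
192.168.1.1;SMTP
192.168.{1,3,20}.1;GATEWAYS
"""
```

Ranges are stored as the minimal list of CIDR blocks (192.168.10.0-192.168.10.25 becomes three blocks), which is the representation a Filter booster style index would need; an expanded `172.16.*.1` is 256 host entries, which is why the guide recommends the booster for filters with many ranges.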

Example of filter configuration: consider an organization monitoring its network at two points. The
first point, connected to probe ports 1 and 2, is the Internet connection behind a firewall, monitored
via a TAP. The second monitored point is the central switch of the organization, connected to probe
port 3 via a SPAN port. In the FlowMon ADS plug-in we define a WAN data source representing the
Internet connection and a LAN data source representing the central switch. We export data from
probe ports 1 and 2 into the WAN source and data from probe port 3 into the LAN source. Next, we
create a filter LANout comprising the addresses 192.168.1.0/24 and bind it to the WAN source, and a
filter LANin comprising the same addresses 192.168.1.0/24, which we bind to the LAN source. We
activate the detection of instant messaging services on the LANout filter, since this detection does
not make sense for internal communication. If we did not bind the filters to NetFlow data sources,
there would be duplication in the detection of Instant Messaging (identical data would be processed
twice independently).

IP;Host;Role;Username;OS;HWconfig
192.168.1.1;stone.foo.com;LAN gateway;;CentOS 5.5;
192.168.1.33;pc33.foo.com;client-station;Johny;WindowsXP;VM
Figure 4: Example of the content of the file to import information about IP addresses

It is possible to add your own information about IP addresses from a CSV text file using the Import
IP information button. The information can be downloaded back using the Export IP information
button. Remember, the import deletes all previous information! The following fields are supported:

• IP – IP address to which the information relates

• Host – Domain name of the IP address (max. 32 characters)

• Username – Responsible user (max. 32 characters)

• OS – Running operating system (max. 50 characters)

• HWconfig – Hardware description (max. 1000 characters)

• Role – Role of the device on the network (max. 32 characters)

• Notes – Additional notes (max. 1000 characters)

The text file consists of a header and records. The header contains the list of fields separated by
semicolons. It must include the required field IP and at least one optional field (Host, Username, OS,
HWconfig, Role, Notes). Each record is on a single line and its fields are separated by semicolons.
Empty lines are ignored. More than one record can be added for one IP address.
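A validating parser for the Import IP information file described above, as an added Python example (not FlowMon's own importer). It enforces the header rules and the field length limits listed above and returns a fresh mapping, mirroring the note that an import replaces all previous information. The sample file is Figure 4 plus a constructed second record for 192.168.1.33 and a blank line.

```python
import ipaddress
from typing import Dict, List

# Optional fields and their maximum lengths, as listed in the guide.
FIELD_LIMITS = {"Host": 32, "Username": 32, "OS": 50, "HWconfig": 1000, "Role": 32, "Notes": 1000}


def parse_ip_information(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Validate an Import IP information file and return ip -> list of records.

    The returned mapping is a complete replacement for whatever was stored before.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]     # empty lines are ignored
    if not lines:
        raise ValueError("file contains no header")
    header = [h.strip() for h in lines[0].split(";")]
    unknown = [h for h in header if h != "IP" and h not in FIELD_LIMITS]
    if unknown:
        raise ValueError(f"unknown field(s) in header: {unknown}")
    if "IP" not in header:
        raise ValueError("required field IP is missing from the header")
    if len(header) < 2:
        raise ValueError("at least one optional field is required")
    if len(set(header)) != len(header):
        raise ValueError("duplicate field in header")

    records: Dict[str, List[Dict[str, str]]] = {}
    for lineno, line in enumerate(lines[1:], 2):
        values = [v.strip() for v in line.split(";")]
        if len(values) != len(header):
            raise ValueError(f"line {lineno}: expected {len(header)} fields, got {len(values)}")
        rec = dict(zip(header, values))
        try:
            ip = str(ipaddress.ip_address(rec.pop("IP")))    # also normalises IPv6 spelling
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        for field, value in rec.items():
            if len(value) > FIELD_LIMITS[field]:
                raise ValueError(f"line {lineno}: {field} longer than {FIELD_LIMITS[field]} characters")
        records.setdefault(ip, []).append(rec)      # more than one record may share an IP
    return records


# Constructed sample: the two lines of Figure 4 plus a second record for 192.168.1.33.
SAMPLE_IP_INFO = """IP;Host;Role;Username;OS;HWconfig
192.168.1.1;stone.foo.com;LAN gateway;;CentOS 5.5;
192.168.1.33;pc33.foo.com;client-station;Johny;WindowsXP;VM

192.168.1.33;pc33.foo.com;client-station;Alice;WindowsXP;VM
"""
```

Rejecting the whole file on the first bad line is deliberate: since the import replaces the stored information, a partially applied file would silently drop the rest of the inventory.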

2.3.11 Configuration of detection methods (Traffic processing\Methods)

Detection methods are predefined by the manufacturer and used to detect various potentially
undesirable activities on the network. Thus they build the core of FlowMon ADS plug-in. The
various methods are described in detail in the third chapter.


Part of the configuration is:

• activation/deactivation of a method

• assignment of filters to methods (any number of filters can be assigned)

• specific configuration (methods may have specific configuration parameters that can be set
or actions that can be performed)

Depending on the nature of the method some of the above options can be inactive. For example,
system methods (e.g. event reporting) can be neither turned off nor assigned filters. All configuration
changes take effect immediately upon the next batch of NetFlow data processed by the given method.

2.3.12 Aggregation of events (Traffic processing\Aggregation of events)

Aggregation of events merges related events into groups and allows patterns of larger attacks
consisting of several sub-events to be defined. Individual aggregations of events can be activated or
deactivated. The Window parameter sets the maximum time in seconds between two separate events.

2.3.13 Configuration of perspectives (Traffic processing\Perspectives)

In the FlowMon ADS plug-in you can create your own event perspectives that assign priorities to
events according to their type, the network segment where they occurred (based on the filter) and
the NetFlow source that provided the NetFlow data used for the event detection. A priority can be
assigned to all sources by keeping the default value NONE in the selection of the source. These
perspectives can then be used when reporting events, alerting or searching in the application UI.
Each perspective is a uniquely named group of priorities assigned to events of a given type (i.e. to
events generated by a given detection method), either network-wide or depending on the filter.

FlowMon ADS plug-in offers five event priorities:


• CRITICAL

• HIGH

• MEDIUM

• LOW

• INFORMATION

The default perspectives can be generated using the Create default perspectives button (the
icon with the star).

2.3.14 Configuration of categories of events (Traffic processing\Event categories)

In subsection Event categories you can define your own event categories into which you
can then assign events through Manage event categories context menu item. In this way you
can mark interesting events that should be further explored; marks can be used in subsequent
searches.

2.3.15 Configuration of false positives (Traffic processing\False positives)

Detected events can be marked as false positives through the Mark as false positive context menu
item. This mark means that events of the given type caused by the given IP address are no longer
reported. The validity of a false positive mark can be limited to individual days of the week, time
intervals and the NetFlow source. The validity can also be limited to the targets of the current event
only. If there is a limitation by the targets of the event, it is possible to ignore the event source. The
event source or event targets relevant to the rule can be defined by a filter as well. It is recommended
to use filters to define restrictions based on event source and event target IP addresses, because the
number of false positive rules is limited.

It is possible to send an e-mail about the false positive event to the INVEA-TECH company. The
e-mail consists of the event detail data, the NetFlow entries related to the event, the application
model and version and the customer's name. This data is used to enhance the performance of the
application and is processed in accordance with the law on personal data protection.

The false positive rule can be defined by a choice of weekdays. The events can be ignored during
the whole day or within an interval specified by the event time and by the radius of the interval in
minutes. The rule has to be connected to the event source or to some (or all) event targets. The
validity and a comment can be set for the rule.

It is possible to define a false positive rule without respect to the event on which this dialog window
was opened. The detection methods, the source and target IP addresses and the time range can be
chosen manually. A rule is always created for each combination of detection method and source IP
address; the targets are all assigned to each rule.

IP addresses can be entered as a comma separated list. When entering an IPv4 address, one of its
fields can be written using a wildcard. The wildcard can represent an enumeration of numbers
(comma separated list enclosed in curly braces), a range of two numbers (two numbers separated by
a dash enclosed in square brackets) or the asterisk that represents the 0-255 range.

Examples:

192.168.{1,7,100}.1 IP addresses 192.168.1.1, 192.168.7.1, 192.168.100.1

10.[1-3].0.0 IP addresses 10.1.0.0, 10.2.0.0, 10.3.0.0

172.16.*.1 Equivalent to 172.16.[0-255].1

Removal of rules for false positives marking is done in the Traffic processing\False positives
subsection. Removal of selected rules can be done through Delete selected.

It is possible to edit the comments of the false positives in this subsection, too.


2.3.16 Configuration of event reporting (Traffic processing\Event reporting)

The FlowMon ADS plug-in allows you to define regular reports which are sent via e-mail by the
application.

Each e-mail report must be uniquely named and bound to exactly one perspective. A report has an
active/inactive state; an inactive report is defined in the system but not sent regularly. Any number
of recipient addresses can be assigned to the report using Add new mail. There is also an option to
suppress sending of an empty report (Prevent empty report; if disabled, only daily and weekly reports
can be sent empty) and an option to set the minimum priority of events to be reported (Minimal
priority to report). Reports are sent according to the following rules:

• CRITICAL – reporting immediately after the batch processing of NetFlow data, approximately
every 5 minutes, a blank report is never sent.

• HIGH – reporting hourly summaries

• MEDIUM – reporting six hour summaries

• LOW – reporting daily summaries

• INFORMATION – reporting weekly summaries

You can use the Same events gap parameter to suppress repeated sending of the same event in the
given report for the chosen time period. Events with the same event type and event source are
considered the same. If set to a non-zero value, only one such event is reported in a long-term report
(reports for priority HIGH or lower).
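The two report filters just described (Minimal priority to report and Same events gap), as an added Python example; this is not FlowMon's reporting code. The guide only says that repeats of the same (type, source) event are suppressed within the gap; measuring the gap from the last reported copy is this example's assumption, and the events are constructed.

```python
from dataclasses import dataclass
from typing import List

# The five event priorities, lowest first.
PRIORITY_ORDER = ["INFORMATION", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


@dataclass(frozen=True)
class ReportedEvent:
    """Minimal event record (constructed for this example)."""
    event_id: int
    event_type: str     # detection method code, e.g. DOS or BLACKLIST
    source: str         # event source IP address
    priority: str       # priority assigned by the report's perspective
    time_s: int         # event start, seconds since epoch


def select_report_events(events: List[ReportedEvent], minimal_priority: str,
                         same_events_gap_s: int) -> List[ReportedEvent]:
    """Apply 'Minimal priority to report' and 'Same events gap' to a report's events.

    Events with the same (type, source) count as the same event; once one has been put
    into the report, further copies are dropped until the gap has elapsed since the last
    reported copy.  A gap of 0 disables the suppression.
    """
    min_rank = PRIORITY_ORDER.index(minimal_priority)
    last_reported = {}
    selected = []
    for ev in sorted(events, key=lambda e: e.time_s):
        if PRIORITY_ORDER.index(ev.priority) < min_rank:
            continue
        key = (ev.event_type, ev.source)
        if (same_events_gap_s and key in last_reported
                and ev.time_s - last_reported[key] < same_events_gap_s):
            continue
        last_reported[key] = ev.time_s
        selected.append(ev)
    return selected


# Constructed events: three DOS events from one source, one from another source and
# one LOW priority event that falls below the minimal priority used in the tests.
SAMPLE_EVENTS = [
    ReportedEvent(1, "DOS", "10.0.0.5", "HIGH", 0),
    ReportedEvent(2, "DOS", "10.0.0.5", "HIGH", 600),
    ReportedEvent(3, "DOS", "10.0.0.5", "HIGH", 4000),
    ReportedEvent(4, "DOS", "10.0.0.6", "MEDIUM", 100),
    ReportedEvent(5, "BLACKLIST", "10.0.0.5", "LOW", 200),
]
```

With a one hour gap the second DOS event from 10.0.0.5 is dropped while the third, more than an hour after the first, is reported again, so a persistent condition still resurfaces in each long-term report without flooding it.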

The FlowMon ADS application can send e-mail reports in several formats. The Full format sends the
report as an HTML formatted table; the Compact format sends the report in plain text; the Extra
compact format is also plain text, but some information is omitted (e.g. event detail, event targets
etc.). The Mail per event format sends information about a single event in each e-mail and is
dedicated especially to automatic processing. The report has the following format:

<ID>: (unique event identifier);
<Category>: (code of the detection method);
<Type>: (name of the detection method);
<Perspective>: (name of the perspective assigned to the report);
<Severity>: (priority of the event);
<Time>: (start time in UTC);
<Protocol>: (protocol related to the event or empty value);
<Source>: (source IP address);
<Target IPs>: (first 10 target IP addresses);
<Ports involved>: (port numbers related to the event or empty value);
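A parser for the Mail per event body, as an added Python example for the automatic processing the format is intended for; it is not FlowMon's code. The sample message is constructed: the guide does not spell out the exact Time format or the separators used in the Target IPs and Ports involved lists, so a date-time string and comma separated lists are assumed here.

```python
import re
from typing import Dict

# Every field of the Mail per event format, in the order given in the guide.
MAIL_PER_EVENT_FIELDS = ["ID", "Category", "Type", "Perspective", "Severity", "Time",
                         "Protocol", "Source", "Target IPs", "Ports involved"]

# "<Key>: value;"  with optional whitespace around the value.
_LINE_RE = re.compile(r"^<(?P<key>[^>]+)>:\s*(?P<value>.*?)\s*;\s*$")


def parse_mail_per_event(body: str) -> Dict[str, object]:
    """Parse one Mail per event body into a dictionary.

    Scalar fields stay strings (Time is not converted because its spelling is assumed);
    'Target IPs' becomes a list of strings and 'Ports involved' a list of ints.  A missing
    field or a malformed line raises ValueError so a broken message is never half-processed.
    """
    fields: Dict[str, str] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"line does not match '<Key>: value;': {line!r}")
        fields[m["key"]] = m["value"]
    missing = [f for f in MAIL_PER_EVENT_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"missing field(s): {missing}")
    event: Dict[str, object] = dict(fields)
    event["Target IPs"] = [t.strip() for t in fields["Target IPs"].split(",") if t.strip()]
    event["Ports involved"] = [int(p) for p in fields["Ports involved"].split(",") if p.strip()]
    return event


# Constructed message in the format shown above; all values are sample data.
SAMPLE_MAIL = """<ID>: 4711;
<Category>: BLACKLIST;
<Type>: Communication with blacklisted hosts;
<Perspective>: Default;
<Severity>: HIGH;
<Time>: 2015-04-30 10:05:00;
<Protocol>: TCP;
<Source>: 192.168.1.33;
<Target IPs>: 198.51.100.7, 198.51.100.8;
<Ports involved>: 80, 443;
"""
```

Because Protocol and Ports involved may legitimately be empty, the parser distinguishes an empty value (`<Protocol>: ;`) from an absent line: the former is accepted as an empty string or empty list, the latter is an error.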

It is possible to send reports as tickets to ticketing systems. Currently the RT ticketing system is
supported; the format has to be set to the RT value. This format adds three attributes to the e-mail
header: X-RT-Tool-Name, X-RT-Incident-IP and X-RT-Incident-Time. The first attribute is always set
to the string "FlowMon ADS - " concatenated with the name of the event; the others are assigned
values according to the reported events. All events of a given type related to one IP address are
placed in a single e-mail/ticket.

It is possible to send reports using your own SMS gateway. Please contact the vendor, company
INVEA-TECH a.s., in case you want to use this possibility.

The application also supports exporting events in a chosen format (e.g. Common Event Format) to
one remote syslog, which can be configured in the Event reporting subsection. All events are
exported according to the selected perspective, which may assign them a specific level (the CRITICAL
priority corresponds to the alert severity). The syslog message can be extended with a field containing
the unique identifier of the event by setting the EventId parameter to "yes". If the remote syslog
listens on a non-default port, the port number can be set (Port). Sending one syslog message per
event target can be activated (Divide by targets parameter); the number of messages for a single
event is limited by the Max messages for one event parameter, and the last message for the event
contains the list of the remaining targets. Syslog messages are sent using the daemon facility. If the
Machine readable syslog parameter is active, the event detail is formatted as a list of
parameter:value tuples for easier parsing.

The application also supports exporting events using SNMP. Events are sent as SNMP traps defined
by the MIB file INVEA-ADS-MIB.txt (this file can be downloaded from the authenticated section of the
www.invea.com pages). Besides the traps that report events, SNMP traps with the number of flows
processed per batch and with the time needed to process the batch are also generated. It is necessary
to configure the IP address and the port number of the device that is to receive the traps, and then to
choose the perspective.


3 Detection methods
Detection methods are the core of FlowMon ADS. They serve for detecting various potentially
undesirable activities on the network or for accumulating relevant information (behavior profiles).
Detection methods are predefined by the manufacturer, who guarantees their development and
extension according to current trends in network services and, in particular, in the security of
computer networks. Detection methods can be thought of as the signatures of IDS systems (e.g.
SNORT). Unlike signatures, which are particular strings searched for in individual packets, detection
methods describe specific behavior patterns of network devices. FlowMon ADS also uses the
principle of detection methods for other tasks (e.g. event reporting).

Detection methods are divided into the following groups:

• Common network behavior patterns – common network behavior patterns that generate
events always when processing the current batch of NetFlow data (typically every 5 minutes).

• Common behavior patterns for SIP traffic – common behavior patterns that are based on
SIP extensions. These methods works only with NetFlow sources with activated SIP process-
ing.

• Advanced network behavior patterns – advanced network behavior patterns that detect
long term trends in network behavior based on continuous processing of NetFlow data.

• Derived behavior patterns – derived behavior patterns that generate characteristics of indi-
vidual devices. They do not directly depend on processing of the NetFlow data. Typically they
use the outputs of the above two detection method groups and are run periodically (every
hour).

• Anomaly detection system – methods of a general anomaly detection system based on
changes in the behavior of network devices.

A typical duty cycle of the FlowMon ADS application consists of the following steps:

1. Receiving and storage of NetFlow data – a batch of NetFlow data representing the current
network traffic is received, typically every 5 minutes.

2. Processing of the NetFlow data batch – all active detection methods are applied to the given
NetFlow data batch, which results in event generation and event reporting. The application
leverages multi-threading to increase the overall processing throughput.

Independently of the NetFlow data processing, the application runs the active detection methods
from the General system procedures and Derived behavior patterns groups regularly every hour.

3.1 Introduction to detection methods

All detection methods have many common features and are configured via a uniform user interface.
The rest of this subsection describes the individual detection methods in terms of the principle of
their operation, their configuration and the interpretation of their results, which is typically based
on practical experience with the detection methods. The information on a detection method always
includes a general description and tips for method configuration. For detection methods from the
groups Common network behavior patterns, Advanced network behavior patterns, Common
behavior patterns for SIP traffic, Derived behavior patterns and Anomaly detection system it
also contains instructions for the interpretation of results.

3.1.1 Common configuration options

It is possible to create so called instances of the detection methods. Each instance represents
specific settings of the detection method and it should be connected to some NetFlow sources.
The count of instances is limited by the maximal number of NetFlow sources for each detection
method.

Two types of actions are available for method settings – actions performed collectively on whole
group of instances and actions performed on single method instances.

Actions for group of instances

• Method instance/instance group activation/deactivation – each method, except for the
system ones, can be activated or deactivated (Activate/Deactivate). This option takes effect
immediately, precisely when the next batch of NetFlow data is processed.

• Method instance configuration/method configuration template edit – the specific
configuration of detection methods is available through the Edit method function.


• Adding new method instance – it creates new method instance with configuration along
the method configuration template. It is necessary to assign the method instance to some
NetFlow sources (New instance).

• Setting the time to store outputs – it sets the time period within which are the outputs of
the detection method stored in the system (Set Delete after parameter).

Actions for single method instances These actions are available in addition to the ones
corresponding to the actions available for templates:

• Delete method instance – removes the given method instance (Delete method instance).

• Perform action – some methods allow calling actions related to the given method, for example
deleting the learned classifier. The action is performed after clicking the Perform action button.

• Activate/Deactivate method instance – activates or deactivates the given method instance.

• Edit method instance – allows configuring the given method instance.

• Assigning filters to the method instance – most methods can be restricted in terms of the
processed traffic by assigning filters to them (Assign filters). This setting takes effect
immediately, precisely when the next batch of NetFlow data is processed.

3.1.2 Common features


• Event generating – most detection methods generate events. Events always include event
originator (IP address), event type (corresponding to a type of the method which detected the
event), the time stamp of event occurrence according to NetFlow data, link to the NetFlow
data source, event details (additional information on the event according to its type) and the
list of all event targets (IP addresses).

• Periodic deletion of events – all detection methods which generate events offer their peri-
odic deletion through a configuration option DeleteEventsAfter indicating the number of
days for which the events remain in application memory. Older events are automatically
deleted. When the option is set to value “0” events are never deleted.


3.1.3 NetFlow sources and assigned filters

• A method instance has to be assigned to at least one NetFlow source. Assigned filters are
optional, except for some detection methods.

• A method instance only ever processes the data from its assigned NetFlow sources.

• Data from each NetFlow source are processed in isolation; the classifiers based on these data
are also kept separately for each NetFlow source and each method instance.

• The assigned IP address filter restricts the data according to the source or destination IP
addresses (details follow).

• There is no need to use an IP filter if all data from the given NetFlow source satisfy this filter.

• It is better to use no filter than a filter containing all IP addresses.

• Some detection methods need an assigned filter for performance reasons.

3.2 Common network behavior patterns

3.2.1 ALIENDEV – New or alien device

Method description A method for detecting parasite devices in the monitored network. Two ways
are used to detect parasite devices.
For the first one it is necessary to set a filter that exactly corresponds to the IP addresses
assigned to specific network devices (KnownSegment parameter) and a filter corresponding
to the whole used network segment, including the addresses that can be assigned by the
DHCP server (LANFilter parameter). If the KnownSegment parameter is empty, this way of
detection is not used.
The other way of detection uses simple machine learning methods. It is necessary to set the
LANFilter parameter, which defines the whole network segment (including the gaps). The
ClosedSeason parameter determines how long the method stays in the learning phase (events
are not generated). If a new device occurs after the learning phase, an event is generated. A
device is removed from the classifier after TimeToDeath days of inactivity.
The second way of detection is also applicable to the MAC addresses that appear on the local
network. The MAC address based detection configuration is separate from the IP address based
detection configuration, but the ClosedSeasonMAC and TimeToDeathMAC parameters are
applied in the same way. The detection is performed only over flow records whose source IP
addresses fit into the filter assigned to the detection method. Note that MAC addresses are
available only for the devices in the subnet delimited by the closest router. The autoconfigured
link-local IPv6 address with the embedded MAC address is used as the event source. Each IP
address that was assigned to the device with the given MAC address in the processed
five-minute batch is displayed as an event target (these addresses are limited by the filter
assigned to the detection method).

Method configuration It is appropriate to activate this method network-wide for all traffic on the
network. An appropriate place for monitoring the traffic is the central switch.

Assigned filter The filter is used for restricting source IP addresses.

Interpretation of results This method is able to detect unknown (or forgotten) devices that are
connected to the monitored network.
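A toy model of the two IP address based detection ways of ALIENDEV, as an added Python example; it is not FlowMon's classifier and makes no claim about how the product stores its learned state. The parameter names follow the guide, while the event labels, the batch replay and the addresses are this example's own constructed input.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

DAY_S = 86400


class AlienDeviceDetector:
    """Model of ALIENDEV's IP based detection (added example, not FlowMon code).

    Way 1: a source address inside LANFilter but outside KnownSegment is reported in
    every batch in which it is seen (skipped when KnownSegment is empty).
    Way 2: addresses inside LANFilter are learned for ClosedSeason days; afterwards a
    source address not present in the classifier is reported and then learned.
    Addresses unseen for more than TimeToDeath days are forgotten again.
    """

    def __init__(self, lan_filter: Iterable[str], known_segment: Iterable[str] = (),
                 closed_season_days: int = 7, time_to_death_days: int = 30,
                 start_time_s: int = 0) -> None:
        self.lan = [ipaddress.ip_network(n) for n in lan_filter]          # LANFilter
        self.known = [ipaddress.ip_network(n) for n in known_segment]     # KnownSegment
        self.closed_season_s = closed_season_days * DAY_S                 # ClosedSeason
        self.time_to_death_s = time_to_death_days * DAY_S                 # TimeToDeath
        self.start_time_s = start_time_s
        self.last_seen: Dict[str, int] = {}    # the learned classifier: ip -> last batch time

    @staticmethod
    def _matches(nets, ip) -> bool:
        return any(ip in n for n in nets)

    def process_batch(self, batch_time_s: int, source_ips: Iterable[str]) -> List[Tuple[str, str]]:
        """Feed the source addresses of one five-minute batch; return (label, ip) events."""
        # Forget devices that have been inactive for longer than TimeToDeath.
        for ip, seen in list(self.last_seen.items()):
            if batch_time_s - seen > self.time_to_death_s:
                del self.last_seen[ip]
        learning = batch_time_s - self.start_time_s < self.closed_season_s
        events: List[Tuple[str, str]] = []
        for raw in sorted(set(source_ips)):
            ip = ipaddress.ip_address(raw)
            if not self._matches(self.lan, ip):
                continue                            # outside LANFilter: not our segment
            if self.known and not self._matches(self.known, ip):
                events.append(("NOT_IN_KNOWN_SEGMENT", str(ip)))
            if str(ip) not in self.last_seen and not learning:
                events.append(("NEW_DEVICE", str(ip)))
            self.last_seen[str(ip)] = batch_time_s
        return events


def run_sample() -> List[List[Tuple[str, str]]]:
    """Replay constructed batches through the detector and collect the events per batch."""
    det = AlienDeviceDetector(lan_filter=["192.168.1.0/24"],
                              known_segment=["192.168.1.1/32", "192.168.1.33/32"],
                              closed_season_days=1, time_to_death_days=3)
    batches = [
        (0,         ["192.168.1.1", "192.168.1.33", "10.0.0.1"]),   # learning phase
        (3600,      ["192.168.1.50"]),                              # unknown, still learning
        (2 * DAY_S, ["192.168.1.1", "192.168.1.77"]),               # after the learning phase
        (6 * DAY_S, ["192.168.1.50"]),                              # forgotten, then seen again
    ]
    return [det.process_batch(t, ips) for t, ips in batches]
```

The replay shows the two ways complementing each other: 192.168.1.50 is caught by the KnownSegment check even during the learning phase, while the learned classifier only starts reporting once ClosedSeason has elapsed and reports the same address again after it has aged out through TimeToDeath.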

3.2.2 BITTORRENT – BitTorrent traffic


Method description A method for detecting P2P networks of the BitTorrent type. This method
consists of four different detection methods that analyze the network traffic concurrently. The
incidents detected by the individual methods are compared, and an event is generated if
BitTorrent traffic is detected by multiple methods. The MinimalProbability option sets the
minimum number of methods that have to detect the incident, as a percentage. In this way it is
possible to detect almost any BitTorrent client. The LANFilter parameter reduces possible false
positives by excluding internal network communication from the detection. Further parameters
are MinSeeds and MinHighPorts, which set the minimal count of remote peer sources from
which data are downloaded and the minimal count of connections on ports higher than 10240.

Method configuration It is appropriate to activate this method network-wide for all traffic on the
network regardless of the IP addresses excluded from LAN communication by the LANFilter
option. An appropriate place for monitoring the traffic is the Internet connection line.

Assigned filter The filter is used for restricting source IP addresses.

Interpretation of results This method achieves very reliable results in the detection of notorious
P2P downloaders. On the other hand, incidental and occasional use of P2P networks may not be
detected, especially when strict mode is on. Furthermore, this method may alert on spyware
infected devices, whose symptoms are often similar to those of P2P networks.


3.2.3 BLACKLIST – Communication with blacklisted hosts


Method description A method for detecting communication with IP addresses included in the
blacklist collected by INVEA-TECH a.s. Typically these are the control centers of botnets or
world-renowned attackers. The list of IP addresses is periodically updated (every 8 hours) if
the method is active. Within the method configuration you can set up monitoring of selected
types of blacklists (BotnetActivities, SpammerActivities, AttackerActivities and
MalwareActivities). The method also supports checking communication against your own
blacklist, whose address is set by the CustomListServer and CustomListLocation parameters
(the device has to be allowed to establish a connection with this service). The
CustomListDescription parameter can be used to set the string that is shown in the event detail
as the blacklist description. The IgnoreUnreachable parameter allows ignoring ICMP type 3
(destination unreachable) replies to requests from blacklisted IPs. If the IgnoreUnsuccExt (or
IgnoreUnsuccInt) parameter is set to "yes", unsuccessful connection attempts from blacklisted IP
addresses (or from the monitored network) are ignored.
For FlowMon ADS applications with active Gold Support the premium blacklists are available as
well. The P2P botnet supernodes blacklist (P2PBotnetActivities parameter) contains IP addresses
and port numbers of supernodes of P2P botnet networks (e.g. ZeroAccess, Sality). The Known
phishing web domains blacklist (PhishingDomains parameter) contains a database of HTTP URLs
on which phishing web presentations are served. The Known botnet c&c domains blacklist
(BotnetDomains parameter) contains a database of HTTP hostnames used for the communication
of some botnets (e.g. ZeuS Gameover, Conficker B).

Method configuration It is appropriate to activate this method network-wide for all traffic on the
network regardless of IP addresses. The appropriate place for monitoring the traffic is the
Internet connection line. To update the list of IP addresses correctly, communication from the
device (probe/collector) to port 443 (HTTPS, standard secured web traffic) on the
services.invea.com server must not be blocked.

Assigned filter Filter is used for restricting source or destination IP addresses.

Interpretation of results This method uses the INVEA-TECH blacklist service. If a blacklisted IP
address is marked as the event originator, it is probably a network attack on the organization.
If one of the organization’s IP addresses is the event originator, it is likely to be part of a
botnet or infected with some form of malware.

3.2.4 COUNTRY – Behavior profiling – country reputation


Method description This method determines daily the countries of the communication peers of
each monitored device. It stores the count of flows and the amount of transferred data
between each country and the monitored devices. The traffic statistics are divided according
to whether the communication was initiated by an IP address outside the monitored network
(reply) or by an IP address inside the monitored network (request).
This method also allows detecting excessively large data transfers between a device and a
given country. The detection monitors the amount of sent or received data, or the ratio
between upload and download, related to the given country. All values are compared to the
average of the other devices in the monitored network that communicate with the given
country.
This detection is enabled by setting the GenerateEvents parameter to “yes”. Only those IP
addresses are included in the detection that have sent more data to the given country than is
defined by the MinimalTransferredU parameter or downloaded more data than is defined by
the MinimalTransferredD parameter. The event is generated if the traffic is larger than n times
the network average, where n is defined by the MinQuota parameter. The event can also be
generated if the upload/download ratio of the device is larger than m times the network
average, where m is the value of the RatioQuota parameter. If this parameter is zero, the ratio
comparison is not applied.

Method configuration It is appropriate to activate this method for the IP addresses of an
organization. The appropriate place for monitoring the traffic is the central switch or the
to/from Internet connection line, but not both places at the same time.

Assigned filter Filter is used for restricting source IP addresses.

Interpretation of results The results of this method can be used to identify IP addresses
communicating with potentially dangerous country destinations.
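
The COUNTRY threshold logic described above, carried through in Python as an added example (not FlowMon code): the parameter names follow this guide, while the parameter values and the daily per-device counters are constructed sample data.

```python
"""Worked example of the COUNTRY threshold logic (MinimalTransferredU/D,
MinQuota, RatioQuota). Added illustration, not FlowMon code; the daily
counters below are constructed sample data."""
from collections import defaultdict

# Parameter names follow the guide; the values are assumptions for the demo
MINIMAL_TRANSFERRED_U = 1_000_000   # bytes uploaded to a country (per device, per day)
MINIMAL_TRANSFERRED_D = 1_000_000   # bytes downloaded from a country
MIN_QUOTA = 3.0                     # n: traffic must exceed n x average of the other devices
RATIO_QUOTA = 2.0                   # m: upload/download ratio must exceed m x average; 0 disables

# Constructed daily statistics: {(device, country): (uploaded_bytes, downloaded_bytes)}
DAILY_STATS = {
    ("10.0.0.5", "XX"): (40_000_000, 2_000_000),   # one device uploading far more than its peers
    ("10.0.0.6", "XX"): (3_000_000, 4_000_000),
    ("10.0.0.7", "XX"): (2_500_000, 5_000_000),
    ("10.0.0.8", "XX"): (2_000_000, 3_500_000),
    ("10.0.0.5", "YY"): (500_000, 500_000),        # below both MinimalTransferred limits
}


def country_events(stats, min_u=MINIMAL_TRANSFERRED_U, min_d=MINIMAL_TRANSFERRED_D,
                   min_quota=MIN_QUOTA, ratio_quota=RATIO_QUOTA):
    """Return one event per (device, country) whose upload or download exceeds
    min_quota times the average of the other devices talking to that country,
    or whose upload/download ratio exceeds ratio_quota times their average."""
    by_country = defaultdict(dict)
    for (device, country), (up, down) in stats.items():
        by_country[country][device] = (up, down)

    events = []
    for country, devices in by_country.items():
        for device, (up, down) in devices.items():
            # Only devices above MinimalTransferredU or MinimalTransferredD are examined
            if up <= min_u and down <= min_d:
                continue
            others = [v for d, v in devices.items() if d != device]
            if not others:
                continue  # no network average to compare against
            avg_up = sum(o[0] for o in others) / len(others)
            avg_down = sum(o[1] for o in others) / len(others)

            reasons = []
            if up > min_quota * avg_up:
                reasons.append("upload")
            if down > min_quota * avg_down:
                reasons.append("download")
            if ratio_quota > 0:  # RatioQuota == 0 switches the ratio comparison off
                ratio = up / down if down else float("inf")
                other_ratios = [o[0] / o[1] for o in others if o[1]]
                if other_ratios and ratio > ratio_quota * (sum(other_ratios) / len(other_ratios)):
                    reasons.append("ratio")
            if reasons:
                events.append({"device": device, "country": country, "reasons": reasons})
    return events


if __name__ == "__main__":
    for event in country_events(DAILY_STATS):
        print(event)
```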

3.2.5 DHCPANOM – DHCP anomaly


Method description The detection method identifies suspicious communication in DHCP traffic.
The method is able to highlight increased DHCP network traffic. It monitors the long-term
behavior of a node in the network and compares the current data transfer to historical
statistics for the node and also to global statistics for the network. Additionally, it can detect
fake DHCP servers by observing UDP traffic from servers (port 67) towards clients (port 68)
from addresses that are not specified by the filter as legitimate DHCP servers.

Using the parameter TimeWindow you can set the time window (in hours) for collecting and
processing long-term statistics. The filter DHCPServers defines the DHCP servers used in the
network; it is necessary for proper detection of bogus DHCP servers. The parameter
DHCPThreshold specifies the maximum allowed increase of observed DHCP traffic. The
parameter TrafficSizeThreshold sets the minimal amount of DHCP traffic for an individual IP
address to be considered a flood attack. The detection of fake DHCP servers can be enabled
by the parameter FakeDHCPDetEnabled. It is possible to exclude the communication of the
DHCP servers (those defined by the filter DHCPServers) from the detection of anomalously
increased DHCP traffic.

Method configuration It is appropriate to activate this method network-wide for all traffic on the
network regardless of IP addresses and additionally to set a filter defining the DHCP servers.
The appropriate place for monitoring the traffic is the central switch.

Assigned filter Filter is used for restricting source or destination IP addresses.

Interpretation of results The method is able to detect flooding attacks in DHCP traffic and
suspicious increases in the volume of communication. A typical example is DHCP discover
flooding, which is used to exhaust the resources of a DHCP server. Detection of a fake DHCP
server can indicate an attempted man-in-the-middle attack or an incorrect configuration of a
network device.

3.2.6 DIRINET – Direct internet communication


Method description This method detects devices that communicate directly with the Internet
(beyond the segment defined by the parameter LANSegment). Reporting of unsuccessful and
successful communication outside the allowed network segment can be set using the
parameters ReportTries and ReportCommunication, respectively. The minimal transfer is
given by the value of the MinimalTransfer parameter.

Method configuration It is appropriate to activate this method for IP addresses from the
organization’s own network that should not be able to communicate directly with the Internet
(e.g. due to security guidelines). The appropriate place for monitoring the traffic is the
Internet connection line.

Assigned filter Filter is used for restricting source IP addresses.

Interpretation of results This method is capable of detecting devices that communicate directly
with the Internet even though they are not expected to (they should use a proxy server or
communicate only with other devices inside the local segment).

3.2.7 DIVCOM – Target hosts/ports anomaly


Method description A method for detecting devices which exhibit a great diversity of
communication. For each IP address the method determines its communication factor as the
product of the number of unique destination addresses and the number of unique destination
ports. If the defined tolerance limit (value of the CommunicationFactor option) is reached, the
corresponding event is generated. The parameter ExcludeServers specifies the name of a filter
that defines server IP addresses which should be excluded from detection, since servers have
a higher diversity of communication than client stations.

Method configuration It is appropriate to activate this method for IP addresses from the
organization’s own network, or for all addresses when monitoring publicly available server
farms. The appropriate place for monitoring the traffic is the central switch as well as the
Internet connection line.

Assigned filter Filter is used for restricting source IP addresses.

Interpretation of results This method is capable of detecting devices that scan ports,
spyware-infected devices or misconfigured devices. Typical false positives include devices
performing SNMP monitoring, such as Zabbix.

3.2.8 DNSANOMALY – DNS anomaly


Method description A method detecting suspicious communication in DNS traffic. The method
is capable of notifying about UDP traffic greater than 576 B (this limit follows from the DNS
service standard) or large data transfers on TCP port 53. The UDP packet size check defined
in RFC 1035 can be disabled by setting the IgnoreRFC1035 parameter to “1” (default value is
“0”). The sensitivity of the detection of large data transfers can be adjusted via the option
TCPTransferLimit.
This method is extended by detection of the use of DNS servers that are not allowed in the
monitored network. This extension is activated by choosing the filter DNSServers, which
defines the IP addresses of the allowed DNS servers.
A further extension is based on a simple model of the DNS servers in use. The parameter
LearnCycles defines how long the model should be trained. The parameter MinimalRatio
defines the minimal ratio (in percent) of the count of connections that a DNS server must
reach to be considered a usually used DNS server. It is possible to exclude the DNS servers in
the monitored network from the detection by setting the ServersToExclude parameter.

Method configuration It is appropriate to activate this method network-wide for all traffic on the
network regardless of IP addresses. Appropriate place for monitoring the traffic is the Internet
connection line.

Assigned filter Filter is used for restricting source IP addresses (classifier and illegal DNS server
detection) or source or destination IP addresses (large UDP packets and DNS TCP transfer
detection).

Interpretation of results This method is capable of detecting abuse of the DNS service for other
undesirable activities, which typically include tunneled traffic. A sudden change in the DNS
servers used could indicate a malware infection.
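
The DNSANOMALY checks described above, carried through in Python as an added example (not FlowMon code): parameter names follow this guide, the flow records and values are constructed, and comparing the average packet size of a flow against 576 B is my reading of the size check.

```python
"""Worked example of the DNSANOMALY checks: the RFC 1035 UDP size check,
the TCP/53 transfer limit, the DNSServers filter and the MinimalRatio model
of usually used servers. Added illustration, not FlowMon code; flows are
constructed samples and the per-packet average is my reading of the size check."""
from collections import Counter, namedtuple

# Parameter names follow the guide; values are assumptions for the demo
IGNORE_RFC1035 = "0"         # "1" disables the 576 B UDP size check
TCP_TRANSFER_LIMIT = 50_000  # bytes on TCP/53 above which a transfer is reported
DNS_SERVERS = {"10.1.0.53"}  # filter of allowed resolvers; empty set = extension off
LEARN_CYCLES = 3             # batches used to train the model of used servers
MINIMAL_RATIO = 10           # percent of DNS connections for a "usually used" server
SERVERS_TO_EXCLUDE = set()

# Request flows from a client towards port 53 (constructed record layout)
Flow = namedtuple("Flow", "src dst proto dport bytes packets")


def check_flow(flow, ignore_rfc1035=IGNORE_RFC1035, tcp_limit=TCP_TRANSFER_LIMIT,
               dns_servers=DNS_SERVERS):
    """Return the list of DNSANOMALY findings for one request flow."""
    findings = []
    if flow.dport != 53:
        return findings
    if flow.proto == "udp" and ignore_rfc1035 != "1" and flow.bytes / flow.packets > 576:
        findings.append("UDP DNS packet larger than 576 B")
    if flow.proto == "tcp" and flow.bytes > tcp_limit:
        findings.append("large TCP/53 transfer")
    if dns_servers and flow.dst not in dns_servers:
        findings.append("DNS server not in DNSServers filter")
    return findings


def usual_dns_servers(batches, learn_cycles=LEARN_CYCLES, minimal_ratio=MINIMAL_RATIO,
                      exclude=SERVERS_TO_EXCLUDE):
    """Train the simple model over the first learn_cycles batches: a server is
    'usually used' when it receives at least minimal_ratio % of DNS connections."""
    counts = Counter()
    for batch in batches[:learn_cycles]:
        counts.update(f.dst for f in batch if f.dport == 53 and f.dst not in exclude)
    total = sum(counts.values())
    return {srv for srv, n in counts.items() if total and 100 * n / total >= minimal_ratio}


# Constructed sample traffic: three batches of request flows
SAMPLE_BATCHES = [
    [Flow("10.1.0.7", "10.1.0.53", "udp", 53, 120, 1)] * 8
    + [Flow("10.1.0.8", "203.0.113.53", "udp", 53, 100, 1)],   # resolver outside the filter
    [Flow("10.1.0.7", "10.1.0.53", "udp", 53, 3000, 2),        # 1500 B per packet
     Flow("10.1.0.9", "10.1.0.53", "tcp", 53, 80_000, 60)],    # large transfer over TCP/53
    [Flow("10.1.0.7", "10.1.0.53", "udp", 53, 110, 1)],
]

if __name__ == "__main__":
    for batch in SAMPLE_BATCHES:
        for flow in batch:
            for finding in check_flow(flow):
                print(flow.src, "->", flow.dst, finding)
    print("usually used DNS servers:", usual_dns_servers(SAMPLE_BATCHES))
```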

3.2.9 REFLECTDOS – Amplificated DoS attack


Method description This detection method unveils DoS attacks that use the weaknesses of some
services to amplify the attack (the service sends a much larger response to specific requests,
and this response goes to the forged source IP address of the request). The purpose of this
method is to detect the misuse of servers in the monitored network for this type of DoS
attack. Detection of misuse of the NTP (UDP/123) and DNS (UDP/53, TCP/53) services is
implemented.
The misused servers are detected based on the ratio of sent and received data in the
communication with a single client. To generate an event, the server has to send at least x
times more data than it receives (x being the value of the ThresholdChanges parameter) and
the server has to send at least as many packets to all of its clients as the value of the
MinimalReplies parameter.
The detection method has to have filters defining the IP addresses of the NTP and DNS servers
assigned in the DNSServers and NTPServers parameters. If one of these filters is not assigned,
the relevant part of the detection is not active. If no filter is assigned to either parameter and
the method is still active, a warning is displayed after the next batch is processed.

Method configuration It is appropriate to activate this method network-wide for all traffic on the
network regardless of IP addresses. Appropriate place for monitoring the traffic is the central
switch.

Assigned filter Filter is used for restricting source or destination IP addresses.

Interpretation of results This method alerts to the misuse of the provided service. The solution
to this situation can be a change of the service configuration.
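
The REFLECTDOS ratio check described above, carried through in Python as an added example (not FlowMon code): parameter names follow this guide, while the server filters, threshold values and flow records are constructed sample data.

```python
"""Worked example of the REFLECTDOS ratio check (ThresholdChanges,
MinimalReplies, DNSServers/NTPServers filters). Added illustration, not
FlowMon code; the flow records are constructed samples."""
from collections import Counter, defaultdict, namedtuple

# Parameter names follow the guide; values are assumptions for the demo
THRESHOLD_CHANGES = 10   # x: server must send at least x times the bytes it receives
MINIMAL_REPLIES = 100    # minimal packets the server sent to all of its clients
DNS_SERVERS = {"10.1.0.53"}
NTP_SERVERS = {"10.1.0.123"}

Flow = namedtuple("Flow", "src dst proto sport dport bytes packets")
SERVICES = {("udp", 123): "NTP", ("udp", 53): "DNS", ("tcp", 53): "DNS"}


def reflect_events(flows, dns_servers=DNS_SERVERS, ntp_servers=NTP_SERVERS,
                   x=THRESHOLD_CHANGES, minimal_replies=MINIMAL_REPLIES):
    """Return (events, warning). An event is raised per (server, client) pair
    where the server sent >= x times the bytes it received from that client and
    sent at least minimal_replies packets to all clients together."""
    warning = None
    if not dns_servers and not ntp_servers:
        warning = "no DNSServers or NTPServers filter assigned; nothing to watch"
    watched = {s: "DNS" for s in dns_servers}
    watched.update({s: "NTP" for s in ntp_servers})

    pair = defaultdict(lambda: [0, 0])   # (server, client) -> [received, sent] bytes
    sent_packets = Counter()             # server -> packets sent to all clients
    for f in flows:
        # request: client -> watched server's service port
        if f.dst in watched and SERVICES.get((f.proto, f.dport)) == watched[f.dst]:
            pair[(f.dst, f.src)][0] += f.bytes
        # response: watched server's service port -> client
        elif f.src in watched and SERVICES.get((f.proto, f.sport)) == watched[f.src]:
            pair[(f.src, f.dst)][1] += f.bytes
            sent_packets[f.src] += f.packets

    events = []
    for (server, client), (received, sent) in pair.items():
        if received == 0:
            continue  # unpaired traffic has no ratio to evaluate
        if sent >= x * received and sent_packets[server] >= minimal_replies:
            events.append({"server": server, "service": watched[server], "client": client,
                           "ratio": round(sent / received, 1)})
    return events, warning


# Constructed sample: a small NTP request answered with a very large response
# (sent to a source address outside the network), a normal NTP exchange and a
# normal DNS exchange
SAMPLE_FLOWS = [
    Flow("203.0.113.9", "10.1.0.123", "udp", 4000, 123, 90, 1),
    Flow("10.1.0.123", "203.0.113.9", "udp", 123, 4000, 48_000, 200),
    Flow("10.1.0.20", "10.1.0.123", "udp", 4001, 123, 90, 1),
    Flow("10.1.0.123", "10.1.0.20", "udp", 123, 4001, 90, 1),
    Flow("10.1.0.21", "10.1.0.53", "udp", 5000, 53, 60, 1),
    Flow("10.1.0.53", "10.1.0.21", "udp", 53, 5000, 120, 1),
]

if __name__ == "__main__":
    events, warning = reflect_events(SAMPLE_FLOWS)
    print(events, warning)
```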

3.2.10 DOS – Denial of service attack


Method description A method for detecting Denial-of-Service or Distributed-Denial-of-Service
attacks. The method is based on evaluating the ratio of incoming to outgoing packets for each
device on the monitored network. A maximal boundary is predicted with respect to historical
data; exceeding the predicted boundary leads to generating an event.
This method can be configured using the WindowLength parameter, which defines the
maximal age of the data that can be used for the classification; the Threshold parameter,
which defines the tolerance to an increase of the ratio (the tolerance is directly proportional
to the value of the parameter); the MinimalIncoming parameter, which defines the minimal
count of incoming packets; the AbsoluteThreshold parameter, which defines the minimal
ratio; and the AttackersThreshold parameter, which defines the minimal count of attackers
involved in the attack.

Method configuration It is appropriate to activate this method network-wide for all traffic on the
network regardless of IP addresses. The appropriate place for monitoring the traffic is the
Internet connection line or the central switch (for large organizations with a vast network).

Assigned filter Filter is used for restricting source IP addresses (victim of the attack).

Interpretation of results This method reliably alerts to DoS/DDoS attacks of the specified
minimum extent.

3.2.11 HIGHTRANSF – High volume of transferred data


Method description A method for detecting massive usage of the data link by one user (IP
address). The method aggregates all traffic for each IP address and checks whether the
maximum limit is exceeded. The option TransferThreshold specifies the absolute data volume
threshold for a single IP address (in MiB). When this limit is reached or exceeded, an event is
reported. The event lists as targets only those IP addresses with which at least the given
percentage (TargetPercentile parameter) of the maximal transfer between two IP addresses
was exchanged. The parameter ExcludeServers specifies the name of a filter that defines
server IP addresses which should be excluded from detection; servers typically have higher
data transfers than client stations. The parameter LegalServers specifies the name of a filter
that defines IP addresses with which high transfers are allowed.

Method configuration It is appropriate to activate this method only for IP addresses from the
organization’s own network. The appropriate place for monitoring the traffic is the Internet
connection line.

Assigned filter Filter is used for restricting source IP addresses.

Interpretation of results This method reliably alerts to the IP addresses which transferred more
data than is allowed.

3.2.12 HONEYPOT – Honeypot traffic


Method description This method is inspired by so-called honeypots, the network traps:
computers for which no incoming traffic is expected, so that all such traffic can be considered
an anomaly. The detection method works similarly. The IP addresses representing honeypots
are defined by a filter, and if there is any access to these IP addresses, an event is generated.

Method configuration It is appropriate to activate this method network-wide for all traffic on the
network except for the IP addresses from which we expect access to the honeypots (e.g.
because of configuration). For proper functioning it is necessary to set the name of the filter
defining the honeypots. The appropriate place for monitoring the traffic is the Internet
connection line or the central switch.

Assigned filter Filter is used for restricting source IP addresses.

Interpretation of results This method alerts to unauthorized access to the chosen computers in
the network. It could mean horizontal scanning or an attempted network-wide SSH attack.

3.2.13 HTTPDICT – Web form attack


Method description This detection method is focused on detecting dictionary attacks (or brute
force attacks) on web login forms. The minimal number of login attempts from a single IP
address is given by the MinimalPerClient parameter. Because regular web page updates (using
e.g. AJAX technology) may cause false positives, it is necessary to set the MinimalPageSize
parameter as the minimal size of the page returned in case

Method configuration It is appropriate to activate this method only for the web servers in the
monitored network, or possibly for all traffic on the network (to detect attacks from clients in
the monitored network). The appropriate place for monitoring the traffic is the Internet
connection line or the central switch.

Assigned filter Filter is used for restricting destination IP addresses.

Interpretation of results The method highlights an increased count of the same-sized file being
sent from the web server to a single client. That probably means a dictionary attack on the
web login form.

3.2.14 ICGUARD – Internet connection utilization anomaly


Method description The detection method monitors usage of the Internet connection line and is
able to alert to excessive usage per host (user) or in total, based on defined threshold values.
Within the configuration it is necessary to set the connection type (symmetrical line,
asymmetrical line) and define the line speed in Mbps. Another configuration option is
LANFilter, which defines the local IP addresses; communication between these addresses is
ignored in the computation of line usage. Setting up the local addresses is mandatory.
This method can also detect a high number of packets per second transferred over the
Internet connection. An event is generated if the overall sum of packets per second exceeds
the value of the TotalPPS parameter. If at least half of this traffic is generated by one IP
address, that address is identified as the originator of the event.

Method configuration It is appropriate to activate this method network-wide for all traffic on the
network regardless of IP addresses. Appropriate place for monitoring the traffic is the Internet
connection line or the central switch.

Assigned filter Filter is used for restricting source IP addresses.

Interpretation of results This method clearly shows excessive usage of the Internet connection.

3.2.15 ICMPANOM – ICMP anomaly


Method description The detection method identifies suspicious communication in ICMP traffic.
The method reports an increased number of ICMP type 3 messages, which could signal the
spread of a worm. It monitors the long-term behavior of a node in the network and compares
the current observation with statistics for the node and also with global statistics for the
network. Additionally, it can detect ICMP scans, ICMP smurf attacks, ping flood attacks and
excessive payload of ICMP packets.
Using the parameter TimeWindow you can set the time window (in hours) for collecting and
processing long-term statistics. When TimeWindow is set to 0, detection of ICMP type 3
message anomalies is disabled. The parameter ICMPThreshold specifies the maximum allowed
increase of observed ICMP type 3 messages, and the parameter Type3MsgThreshold sets the
lower bound of ICMP type 3 messages for a single IP address (the minimal number of
messages that can be considered anomalous). By setting the parameters ICMPSmurf and
ICMPScan to 1 you enable detection of ICMP smurf attacks and ICMP scans, respectively. The
ICMP scan part of the detection method can also be limited by a minimal count of scanned
devices (the ScannedDevices parameter).
The ICMP echo request flood detection is limited by the PingFloodThreshold parameter. Its
value defines the minimal count of sent echo request packets. If the value equals zero, echo
request flood detection is not performed.
Excessive payload of ICMP packets detection is limited by the MinimalPackets and
MinimalPayload parameters, which correspond to the minimal count of packets of a given
ICMP type and their minimal average payload. If the MinimalPayload parameter equals zero,
the excessive payload of ICMP packets detection is not performed.

Method configuration It is appropriate to activate this method for all IP addresses. Appropriate
place for monitoring the traffic is the central switch and the Internet connection line.

Assigned filter Filter is used for restricting source or destination IP addresses.

Interpretation of results The method is able to detect an increase in ICMP type 3 (Unreachable)
messages. This can happen during the spread of a worm, especially when the UDP protocol is
used and hosts with closed ports send back ICMP Port Unreachable messages. ICMP scans are
used to determine live hosts in the network and can be used by malware. The goal of an ICMP
smurf attack is to flood the network, and especially the connection link to the victim, with a
large number of ICMP Echo replies.

3.2.16 IPV6TUNNEL – IPv6 tunneled traffic


Method description The IPV6TUNNEL detection method detects network devices communicating
through the IPv6 protocol tunneled over the Teredo or 6in4 protocol. The first parameter is
ConnectionsThreshold, which restricts the minimum number of connections between stations.
With the parameters UploadDataThreshold and DownloadDataThreshold respectively it is
possible to set the minimal amount of transferred data. Another parameter is
IgnoreFailedConnections, which allows ignoring unpaired communication. The method can be
set to ignore the Teredo protocol (the value of IgnoreTeredo is set to “yes”) or the 6in4
protocol (the value of Ignore6in4 is set to “yes”).

Method configuration It is appropriate to activate this method for all IP addresses. Appropriate
place for monitoring the traffic is the central switch and the Internet connection line.

Assigned filter Filter is used for restricting source or destination IP addresses.

Interpretation of results The method detects devices communicating over the IPv6 protocol that
is tunneled through IPv4.

3.2.17 INSTMSG – Instant messaging traffic


Method description A method detecting the use of instant messaging services even if they are
masked behind ports reserved for other services (e.g. port 80 for web traffic). Based on the
statistical characteristics of instant messaging traffic, the method distinguishes between the
OSCAR protocol (ICQ and its derivatives), XMPP (the Jabber service and its derivatives,
including Google Talk) and Skype. Any client of any of the above listed services is sufficient for
successful detection. Detection of particular instant messaging types can be suppressed by
setting the Ignore option. To suppress false positives which may arise from the local network,
the option LANFilter is available; it specifies the name of the filter comprising the local
network addresses between which traffic exhibiting instant messaging characteristics is
ignored. The parameter IgnorePorts allows ignoring communication on ports 993 and 443 to
reduce false positives during XMPP instant messaging detection.

Method configuration It is appropriate to activate this method network-wide for all traffic on the
network regardless of IP addresses. Appropriate place for monitoring the traffic is the Internet
connection line or the central switch (with option LANFilter set).

Assigned filter Filter is used for restricting source IP addresses.

Interpretation of results Although this is a heuristic, the method achieves very reliable results in
real traffic. In some cases the roles of event originator and event target are confused, i.e. the
IP address from the local network running the instant messaging client is marked as the event
target and the server of the service as the event originator.

3.2.18 L3ANOMALY – L3 network anomaly


Method description The detection method reveals traffic anomalies on the network layer. The
first part detects situations where the source or destination IP address of the communicating
parties is not from our legitimate internal networks (additional information is available in RFC
2827). The second part reports flows with a broadcast or multicast source IP address. The third
part detects packets with the same source and destination IP address. Both IPv4 and IPv6 are
supported.
The filter InternalNetworks specifies the range of allowed internal networks and is important
for the first part of the detection (IP spoofing). It is possible to individually enable or disable
each part of the detection using the parameters IPSpoof, SourceIPAnom and
SameSrcDestAnom. By enabling the parameter IgnoreBroadMulticast you can inhibit the
detection of IP spoofing for flows with a multicast or broadcast destination IP address. Flows
with link-local IP addresses and zero network broadcasts are by default excluded from the
detection of IP spoofing.

Method configuration It is appropriate to activate this method network-wide for all traffic on the
network regardless of IP addresses. The appropriate place for monitoring the traffic is the
Internet connection line or the central switch (with the option InternalNetworks set).

Assigned filter Filter is used for restricting source or destination IP addresses.

Interpretation of results Communication of IP addresses outside the scope of the local networks
may indicate IP spoofing or an attempt to modify IP headers. In the case of flows with
incorrect IP addresses (a broadcast or multicast source IP address, or the same source and
destination IP address) it could be an attack on an implementation issue of the TCP/IP stack
of a network device.
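
The three L3ANOMALY checks described above, carried through in Python for both IPv4 and IPv6 as an added example (not FlowMon code): the parameter names follow this guide, the InternalNetworks ranges and flows are constructed, and treating a flow as spoofed when neither endpoint belongs to the internal networks is my reading of the first check.

```python
"""Worked example of the three L3ANOMALY checks (IPSpoof against the
InternalNetworks filter, SourceIPAnom, SameSrcDestAnom) for IPv4 and IPv6.
Added illustration, not FlowMon code; the networks and flows below are
constructed, and "neither endpoint internal" is my reading of the spoof rule."""
import ipaddress

# Parameter names follow the guide; values are assumptions for the demo
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "2001:db8::/32")]
IGNORE_BROAD_MULTICAST = True
ENABLED = {"IPSpoof": True, "SourceIPAnom": True, "SameSrcDestAnom": True}

_ALL_HOSTS_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
_ZERO_NETWORK = ipaddress.ip_network("0.0.0.0/8")
# Directed broadcast addresses are only knowable for the networks we know about
_DIRECTED_BROADCASTS = {n.broadcast_address for n in INTERNAL_NETWORKS if n.version == 4}


def is_internal(ip):
    """True when the address falls inside one of the InternalNetworks ranges."""
    return any(ip in net for net in INTERNAL_NETWORKS)


def is_broadcast(ip):
    """IPv4 all-hosts broadcast or the directed broadcast of an internal network."""
    return ip.version == 4 and (ip == _ALL_HOSTS_BROADCAST or ip in _DIRECTED_BROADCASTS)


def spoof_exempt(ip):
    """Link-local and zero-network addresses are excluded from IP spoofing detection by default."""
    return ip.is_link_local or (ip.version == 4 and ip in _ZERO_NETWORK)


def classify_flow(src, dst, enabled=ENABLED, ignore_broad_multicast=IGNORE_BROAD_MULTICAST):
    """Return the list of L3ANOMALY findings for one flow (source, destination)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    findings = []
    if enabled["SameSrcDestAnom"] and s == d:
        findings.append("SameSrcDestAnom")
    if enabled["SourceIPAnom"] and (s.is_multicast or is_broadcast(s)):
        findings.append("SourceIPAnom")
    if enabled["IPSpoof"]:
        # IgnoreBroadMulticast: skip the spoof check for multicast/broadcast destinations
        skip = ignore_broad_multicast and (d.is_multicast or is_broadcast(d))
        if (not skip and not is_internal(s) and not is_internal(d)
                and not spoof_exempt(s) and not spoof_exempt(d)):
            findings.append("IPSpoof")
    return findings


if __name__ == "__main__":
    # Constructed sample flows (documentation/test ranges, not real hosts)
    for src, dst in [("10.1.2.3", "203.0.113.8"), ("203.0.113.5", "198.51.100.7"),
                     ("255.255.255.255", "10.1.2.3"), ("10.1.2.3", "10.1.2.3"),
                     ("0.0.0.0", "255.255.255.255"), ("fe80::1", "ff02::1"),
                     ("2001:db9::1", "2001:db9::2")]:
        print(src, "->", dst, classify_flow(src, dst))
```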

3.2.19 LATENCY – Network latency anomaly


Method description A method for measuring delay at the network level, i.e. the delay between
the recording of the first request packet and the first response packet. The method uses the
Bidirectional flows standard (RFC 5103), i.e. the classification of data flows into requests and
responses. The delay is measured for a given group of IP addresses specified by a filter. Within
the configuration it is necessary to set the option LatencyThreshold, whose value determines
the maximum tolerated delay between the request and the response. Another option is
StrictMode, which determines whether the delay will be measured for addresses matching the
filter assigned to the detection method (value “normal” of the option) or exclusively between
these addresses (value “strict” of the option). The behavior of this method can also be
affected by the option TCPFlags, which enables detecting the latency only during connection
establishment.

Method configuration It is appropriate to activate this method according to the topology of the
network and the objectives of the measurement. In any case, it makes no sense to measure
the delay to targets in the Internet. The optimal place for monitoring the traffic is, for
example, the data link between two workplaces of the organization or the line to the
organization’s servers.

Assigned filter Filter is used for restricting source or destination IP addresses.

Interpretation of results This method shows a particular value of delay between recording of the
first request packet and the first response packet. This value thus indicates the delay at the
network layer and can help in analyzing the problem of latency in selected application or data
link. The method can also be used to check the SLA on the selected data link.

3.2.20 MULTICAST – Multicast traffic


Method description A method for detecting IPv4 multicast traffic based on the use of multicast
addresses (224.0.0.0 to 239.255.255.255), directed broadcast addresses (X.Y.Z.255) and the
all-hosts broadcast address (255.255.255.255). Detection of directed broadcast and all-hosts
broadcast traffic can be suppressed by setting the option IgnoreBroadcast to the value “Yes”.
The minimum number of multicast requests to be reported can be set via the option
MinimalAttempts.

Method configuration In the case of network problems or a suspicion of problems associated with
multicast traffic, it is appropriate to activate this method network-wide for all communication
in the network regardless of IP addresses. The appropriate place for monitoring the traffic is
the Internet connection line or the central switch.

Assigned filter Filter is used for restricting source IP addresses.

Interpretation of results This method reliably alerts to the IP addresses on the network that gen-
erate multicast traffic.

3.2.21 OUTSPAM – SMTP anomaly


Method description A detection method based on the assumption that in a corporate environment
emails should be sent only in a defined way. The method detects sending, or attempts to
send, mail through servers other than the explicitly defined mail servers.
In addition, the parameter SPAMCounter can activate detection of an increased number of
emails sent from one station. The increase is specified by the parameter Multiplicator, which
defines how many times the average number of mails sent by other stations has to be
exceeded. The average is computed only from stations which sent more than
MinimalMailLimit messages in one hour.

The method is interested in TCP/25 (SMTP), TCP/465 (Secured SMTP) and TCP/587 (Message
Submission service). Based on the number of flows and responses from the mail servers, the
method estimates the number of emails and whether the emails were actually sent. This
information is then available in the detail of the generated event. Event targets represent all
mail servers through which attempts to send mail were made.
The option ServersFilter identifies the legitimate SMTP servers through which mail can be
sent. The option StrictMode set to the value “strict” means that the IP addresses assigned to
the method by the filter have to be the sources of the event. The option ExcludeMailServers
set to the value “exclude” means that the IP addresses from the ServersFilter list are excluded
from detection. The option IgnoreSecuredSMTP allows ignoring secured SMTP traffic (port
TCP 465). The option IgnoreScans set to the value “ignore” allows ignoring transmissions too
small to be e-mail traffic. The option IgnoreTCP587 allows ignoring the Message Submission
service (port TCP 587). The option IgnoreFailed allows ignoring e-mail delivery failures (e.g.
the mail server is not responding).

Method configuration It is appropriate to activate this method for IP addresses of the organi-
zation. Appropriate place for monitoring the traffic is the central switch and the Internet
connection line.

Assigned filter Filter is used for restricting source IP addresses (according to the StrictMode
parameter and in the profiler part of the detection).

Interpretation of results This method not only detects attempts to spam, but may also help to
identify spyware-infected devices. Further, it may help to detect employees that use mail
servers other than the corporate ones, which may indicate a misconfiguration as well as
intent.

3.2.22 PEERS – Partners communication anomaly


Method description The detection method reveals an increased number of unique communication
partners. The method keeps a sliding window with the relevant statistics; the length of the
window in hours can be set by the WindowLength parameter.
The detection is limited to connections with more transferred packets than defined by the
PacketsMinCount parameter, and it is based only on requests sent by the monitored devices.
Requests with no response can be ignored using the IgnoreSNGL parameter. The IP addresses
defined by the ExcludeServers filter are excluded from detection, as are devices with fewer
unique communication partners than given by the PartnersMinCount parameter.


During detection, the average and the standard deviation of the communication-partner statistics
are calculated over the sliding window. If the current count of unique communication partners is
higher than the sum of the average and the standard deviation, the increase rate is calculated.
The event is reported if the increase rate is higher than the value of the Threshold parameter.

Method configuration It is appropriate to activate this method only for IP addresses from the
monitored network.

Assigned filter The filter is used for restricting source IP addresses.

Interpretation of results This method alerts to an increased number of communication partners
for a certain IP address.
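The sliding-window logic of the PEERS method, as an added example that is not FlowMon code: flow records are dicts with src, dst, hour (integer hour index), packets and answered, and the increase rate is assumed to be (current - average) / average, which the guide does not define exactly.

```python
"""PEERS-style detection of an increased number of unique communication
partners over a sliding window (added example, not FlowMon code)."""
from collections import defaultdict
from statistics import mean, pstdev


def partners_per_hour(flows, packets_min_count=1, ignore_sngl=False,
                      exclude_servers=frozenset()):
    """Return {src: {hour: set(dst)}} built from the qualifying request flows."""
    table = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f["packets"] < packets_min_count:          # PacketsMinCount
            continue
        if ignore_sngl and not f["answered"]:         # IgnoreSNGL: drop unanswered
            continue
        if f["src"] in exclude_servers or f["dst"] in exclude_servers:
            continue                                  # ExcludeServers filter
        table[f["src"]][f["hour"]].add(f["dst"])
    return table


def detect_peers(flows, current_hour, window_length=24, threshold=0.5,
                 packets_min_count=1, ignore_sngl=False, partners_min_count=1,
                 exclude_servers=frozenset()):
    """Return {src: detail} for devices whose unique-partner count in
    current_hour exceeds average + standard deviation of the previous
    window_length hours (WindowLength) by an increase rate above Threshold."""
    events = {}
    table = partners_per_hour(flows, packets_min_count, ignore_sngl,
                              exclude_servers)
    for src, by_hour in table.items():
        current = len(by_hour.get(current_hour, ()))
        if current < partners_min_count:              # PartnersMinCount
            continue
        # Hours with no qualifying flows contribute a count of 0.
        history = [len(by_hour.get(h, ()))
                   for h in range(current_hour - window_length, current_hour)]
        avg, std = mean(history), pstdev(history)
        if current <= avg + std:
            continue
        # Assumed definition of the increase rate (relative to the average).
        rate = (current - avg) / avg if avg else float("inf")
        if rate > threshold:
            events[src] = {"current": current, "average": avg,
                           "stddev": std, "increase_rate": rate}
    return events


def _requests(src, hour, dsts, packets=10, answered=True):
    """Constructed flow records for one device and one hour."""
    return [{"src": src, "dst": d, "hour": hour, "packets": packets,
             "answered": answered} for d in dsts]


# Constructed sample: six hours of history (0-5) and the current hour (6).
FLOWS = []
for h in range(6):
    FLOWS += _requests("10.0.0.5", h, [f"192.0.2.{i}" for i in range(1, 4)])
    FLOWS += _requests("10.0.0.7", h, [f"198.51.100.{i}" for i in range(1, 6)])
FLOWS += _requests("10.0.0.5", 6, [f"203.0.113.{i}" for i in range(1, 13)])
FLOWS += _requests("10.0.0.7", 6, [f"198.51.100.{i}" for i in range(1, 7)])
# Single-packet, unanswered probes: PacketsMinCount=2 or IgnoreSNGL keeps
# them out of the partner statistics.
FLOWS += _requests("10.0.0.9", 6, [f"203.0.113.{i}" for i in range(1, 40)],
                   packets=1, answered=False)

if __name__ == "__main__":
    for src, detail in detect_peers(FLOWS, current_hour=6, window_length=6,
                                    threshold=0.5, packets_min_count=2).items():
        print(src, detail)
```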

3.2.23 SCANS – Port scanning


Method description A detection method used to detect the common techniques of mapping the
network and its running services through port scanning. The method distinguishes different
types of scans (SYN scan, FIN scan, Xmas scan and Null scan) and styles (horizontal scan,
vertical scan, chaotic scan). The event detail includes the number of scans, the number of
unique targets, information about the response from the scanned device and the list of scanned
ports. The sensitivity of the method is adjusted by the option ScansThreshold, whose value is
the minimum number of scan attempts from a single source that should be recognized as an event.
The option IgnoreChaotic allows chaotic scans to be ignored so that only horizontal and vertical
scanning is detected. The option IgnoreUnsucc allows scans with no response to be ignored. It is
possible to limit the detection to ports below 1024 using the DetectOnlyKnown parameter. This
set can be extended by a comma-separated list of port numbers given as the value of the
DetectThesePorts parameter. In combination with the value “detect” of the DetectOnlyKnown
parameter, the detection can be limited to the ports listed in the DetectThesePorts parameter
only.
This detection method is also able to detect unsuccessful attempts to scan UDP ports. This part
of the detection is controlled by the UDPThreshold parameter, which defines the minimal number
of attempts. Chaotic scans are ignored here.
The detection that can be activated using the PortBasedDetection parameter is intended for
monitored networks whose NetFlow data lacks correctly assigned TCP flags. This detection uses
the port list defined in the DetectThesePorts parameter, and only communication on these ports
is checked. For successful detection, the attacker has to access every port from the list on
every target of the attack. The DetectOnlyKnown and IgnoreChaotic parameters are ignored in this
type of detection.

Method configuration It is appropriate to activate this method for all IP addresses. The
appropriate place for monitoring the traffic is the central switch and the Internet connection
line.
If the PortBasedDetection parameter is active, it is appropriate to activate this method only
for IP addresses from the monitored network. The event is then reported only if some IP address
from this definition is scanned.

Assigned filter The filter is used for restricting source or destination IP addresses; in the
case of port-based detection, destination IP addresses only.

Interpretation of results Apart from detecting deliberate port scanning, this method may detect
misconfigured devices that are unsuccessfully trying to establish a connection, or devices
infected with malware that is trying to replicate itself to other devices.
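Classification of TCP scan probes from flow records in the spirit of the SCANS method, as an added example that is not FlowMon code: the flags field is assumed to be the cumulative OR of TCP flags in the request direction, answered tells whether the target replied, and the horizontal/vertical/chaotic style is derived from the counts of distinct targets and ports, which the guide does not spell out.

```python
"""SCANS-style classification of TCP port-scan probes (added example,
not FlowMon code)."""
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def scan_type(flags):
    """Map a request flow's cumulative flags to a scan type, or None."""
    if flags & ACK:
        return None      # an ACK means the handshake completed: not a probe
    base = flags & ~RST  # the scanner's RST teardown after SYN/ACK is still a SYN scan
    return {SYN: "SYN", FIN: "FIN", FIN | PSH | URG: "Xmas", 0: "Null"}.get(base)


def detect_scans(flows, scans_threshold=10, ignore_unsucc=False,
                 detect_only_known=False, detect_these_ports=(),
                 ignore_chaotic=False):
    """Return {src: detail} for sources with at least ScansThreshold probes."""
    probes = defaultdict(list)
    for f in flows:
        if f["proto"] != "tcp" or scan_type(f["flags"]) is None:
            continue
        if ignore_unsucc and not f["answered"]:            # IgnoreUnsucc
            continue
        if detect_only_known and not (f["dport"] < 1024 or
                                      f["dport"] in detect_these_ports):
            continue                                       # DetectOnlyKnown
        probes[f["src"]].append(f)
    events = {}
    for src, ps in probes.items():
        if len(ps) < scans_threshold:                      # ScansThreshold
            continue
        targets = {p["dst"] for p in ps}
        ports = {p["dport"] for p in ps}
        if len(ports) == 1 and len(targets) > 1:
            style = "horizontal"   # one port across many hosts (assumed)
        elif len(targets) == 1 and len(ports) > 1:
            style = "vertical"     # many ports on one host (assumed)
        else:
            style = "chaotic"
        if ignore_chaotic and style == "chaotic":          # IgnoreChaotic
            continue
        events[src] = {"scans": len(ps), "targets": len(targets),
                       "responded": sum(p["answered"] for p in ps),
                       "ports": sorted(ports), "style": style,
                       "types": sorted({scan_type(p["flags"]) for p in ps})}
    return events


def _flow(src, dst, dport, flags, answered, proto="tcp"):
    return {"src": src, "dst": dst, "dport": dport, "flags": flags,
            "answered": answered, "proto": proto}


# Constructed sample flows (documentation address ranges).
FLOWS = []
# Horizontal SYN scan of port 22 over 20 hosts; the 3 hosts that answer make
# the scanner's flow carry SYN|RST (RST sent after the SYN/ACK).
for i in range(1, 21):
    answered = i <= 3
    FLOWS.append(_flow("198.51.100.9", f"203.0.113.{i}", 22,
                       SYN | RST if answered else SYN, answered))
# Vertical Null scan of 15 high ports on one host, none answered.
for port in range(8000, 8015):
    FLOWS.append(_flow("10.0.0.3", "10.0.0.50", port, 0, False))
# Ordinary web sessions: full handshake, so ACK is set and they are ignored.
for i in range(8):
    FLOWS.append(_flow("10.0.0.4", f"198.51.100.{i}", 443,
                       SYN | ACK | PSH | FIN, True))

if __name__ == "__main__":
    for src, detail in detect_scans(FLOWS, scans_threshold=10).items():
        print(src, detail)
```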

3.2.24 SRVNA – Service not available


Method description A detection method used to detect unavailable services (IP address/port)
that clients try to access. The method can be restricted by a minimal number of accesses to the
service (parameter AttemptsThreshold) and by a filter that defines the IP addresses of the
provided services (parameter ServiceProviders). If the event is generated, the source IP address
is the address of the unavailable service provider. The count of successful connections and of
successfully connected clients is listed in the detail, too. It is possible to limit the detection
using the RelativeUnsuccessful parameter, which defines the minimal ratio between unsuccessful
requests and all connections to the given service.
This method also allows unavailable services on the UDP protocol to be detected. This part of
the detection is controlled by the UDPThreshold parameter, which defines the minimal number of
unsuccessful attempts.

Method configuration It is appropriate to activate this method for all IP addresses. The
appropriate place for monitoring the traffic is the central switch and the Internet connection
line. It is recommended to activate the OnlyRejected parameter if the detection is performed on
sampled traffic.

Assigned filter The filter is used for restricting source IP addresses (servers).

Interpretation of results Apart from detecting a successful denial of service attack, this method
may also detect an erroneous configuration – either on the server, which does not provide the
service that should be provided, or on the clients, which demand services that are not provided.

3.2.25 TEAMVIEWER – TeamViewer traffic


Method description A method used to detect desktop sharing using TeamViewer.

Method configuration It is appropriate to activate this method only for IP addresses from the
monitored network. The appropriate place for monitoring the traffic is the central switch.

Assigned filter The filter is used for restricting source IP addresses.

Interpretation of results This method detects devices that are sharing their desktop using
TeamViewer.

3.2.26 TELNET – Telnet anomaly


Method description A method used to detect increased use of the Telnet service. The Telnet
service is obsolete and for security reasons should currently not be used at all; alternatively,
its use should be subject to a special regime. The method detects all connections to TCP port 23
(Telnet service), including connection attempts, and counts the number of connections for
individual IP addresses. Within the method configuration you must set the minimum number of
Telnet connections that is considered unwanted through the option TelnetThreshold. The detection
may include all connection attempts including scans (option IgnoreScans set to the value “no”)
or only successfully established connections (option IgnoreScans set to the value “yes”).
Servers to which logging on via the Telnet protocol is allowed can be excluded from the
detection using the AllowedTelnet parameter.

Method configuration It is appropriate to activate this method for all IP addresses. The
appropriate place for monitoring the traffic is the central switch and the Internet connection
line. By setting the option IgnoreScans to the value “yes” it is possible to detect devices that
are infected with some form of malware (e.g. the Chuck Norris botnet) invading other network
devices such as routers, IP cameras, etc.

Assigned filter The filter is used for restricting source or destination IP addresses.

Interpretation of results This method detects devices using or attempting to use the Telnet
service (depending on the configuration). The method can also detect specialized devices that
are infected with some form of malware oriented to misusing specialized network devices.


3.2.27 TOR – TOR traffic


Method description A method designed to detect use of the Tor anonymity protocol while browsing
the Internet. The method configuration allows setting the minimal count of concurrently started
connections (parameter ConcurrentStart) and the minimal duration of a long-standing connection
(parameter LongConnection). False positives can be limited by setting the filter that defines
the local network segment (parameter LANFilter) and the minimal probability for the event to be
reported (parameter MinimalProbability).

Method configuration It is appropriate to activate this method for the client stations of the
monitored network. The appropriate place for monitoring the traffic is the Internet connection
line.

Assigned filter The filter is used for restricting source IP addresses.

Interpretation of results This method detects client stations that are using the Tor anonymity
protocol while browsing the Internet.

3.2.28 UPLOAD – Data upload anomaly


Method description This method monitors the amount of data transferred between individual
communicating stations and checks the ratio of data transferred from computers of the monitored
network to data transferred in the opposite direction. When a user-defined ratio or absolute
threshold is exceeded, the event is generated. The parameter ExcludeServers specifies the name
of the filter that defines the IP addresses of servers that should be excluded from detection,
because servers naturally upload more than client stations.
Large data uploads can be detected in two different ways. The first method is based on the
statistics of all traffic between two devices, so an upload to a server that is concurrently
sending back some other data cannot be detected. The second method compares each request to
the corresponding response, so the upload is detected despite a concurrent download. However,
an upload split into a large number of small connections may not be detected. The detection
mode is set by the Pairwise parameter.

Method configuration It is appropriate to activate this method for the client stations of the
monitored network. The appropriate place for monitoring the traffic is the Internet connection
line.

Assigned filter The filter is used for restricting source IP addresses.

Interpretation of results This method reports the stations from which a file was uploaded, which
may be an attempt at sensitive data leakage.
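The two UPLOAD detection modes and the blind spot of each, as an added example that is not FlowMon code: each record is assumed to be one request flow with its response (bytes_out from the station, bytes_in back), and the pairwise mode is assumed to skip requests below a min_bytes size, which is why many small connections escape it.

```python
"""UPLOAD-style detection in aggregate and pairwise mode (added example,
not FlowMon code)."""
from collections import defaultdict


def detect_uploads(flows, ratio=2.0, absolute=50_000_000, pairwise=False,
                   min_bytes=1_000_000, exclude_servers=frozenset()):
    """Return the set of stations whose upload exceeds the sent/received
    ratio or the absolute byte threshold. pairwise selects the mode
    (Pairwise parameter); exclude_servers plays the ExcludeServers filter."""
    stations = set()
    if pairwise:
        # Each request is judged against its own response, so an upload is
        # caught even while the same server is sending other data, but
        # requests below min_bytes (assumed limit) are not examined.
        for f in flows:
            if f["src"] in exclude_servers or f["bytes_out"] < min_bytes:
                continue
            if (f["bytes_out"] >= absolute
                    or f["bytes_out"] > ratio * max(f["bytes_in"], 1)):
                stations.add(f["src"])
        return stations
    # Aggregate mode: all traffic between a station and a peer is summed, so
    # a concurrent download from the same peer hides the upload.
    totals = defaultdict(lambda: [0, 0])          # (src, dst) -> [out, back]
    for f in flows:
        if f["src"] in exclude_servers:
            continue
        pair = totals[(f["src"], f["dst"])]
        pair[0] += f["bytes_out"]
        pair[1] += f["bytes_in"]
    for (src, _dst), (out, back) in totals.items():
        if out >= absolute or out > ratio * max(back, 1):
            stations.add(src)
    return stations


# Constructed sample flows (documentation address ranges).
FLOWS = [
    # 30 MB upload while a 40 MB download from the same server runs.
    {"src": "10.0.0.11", "dst": "203.0.113.5", "bytes_out": 30_000_000, "bytes_in": 2_000},
    {"src": "10.0.0.11", "dst": "203.0.113.5", "bytes_out": 5_000, "bytes_in": 40_000_000},
] + [
    # 40 MB upload split into 400 connections of 100 KB each.
    {"src": "10.0.0.12", "dst": "203.0.113.6", "bytes_out": 100_000, "bytes_in": 1_000}
    for _ in range(400)
]

if __name__ == "__main__":
    print("aggregate:", detect_uploads(FLOWS))
    print("pairwise: ", detect_uploads(FLOWS, pairwise=True))
```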


3.2.29 VOIP – VoIP traffic


Method description A method for the detection of VoIP traffic by known port/protocol pairs. The
practical applicability of the method is limited to a strict corporate environment and selected
devices, and it is appropriate for detecting SIP and H.323 traffic. The method enables detecting
network devices that generate standard VoIP traffic.

Method configuration It is appropriate to activate this method for explicitly selected IP
addresses of the organization whose traffic structure is known or expected. The appropriate
place for monitoring the traffic is the Internet connection line.

Assigned filter The filter is used for restricting source IP addresses.

Interpretation of results This method focuses solely on port/protocol pairs, so it can produce a
large number of false positives if it is misconfigured.

3.2.30 VPN – VPN traffic


Method description A method for the detection of VPN connections and tunnels by port/protocol
pairs. The parameter Advanced activates the advanced detection of VPN tunnels based on a
station's communication with the external network, which is characterized by a long connection
to one IP address. Basic detection is appropriate mainly for detecting Microsoft PPTP, IKE key
exchange or OpenVPN traffic on standard ports. Advanced detection allows general VPN traffic to
external servers to be detected. The parameter LanFilter specifies the local network. The other
parameters, MinimalTime and MinimalData, define the minimal length of the connection to the
external VPN server and the minimal amount of data transferred in a five-minute batch. For
Microsoft PPTP it is possible to set the minimal length of the VPN connection in seconds and the
minimal amount of transferred data in MiB.

Method configuration It is appropriate to activate this method for explicitly selected IP
addresses of an organization whose traffic structure is known or expected. The appropriate place
for monitoring the traffic is the Internet connection line.

Assigned filter The filter is used for restricting source IP addresses.

Interpretation of results This method allows determining the devices on your network that use
VPNs/tunnels. Basic detection is focused solely on port/protocol pairs, so it can produce a large
number of false positives if it is misconfigured. Advanced detection successfully detects general
VPN traffic where all of a station's communication with the external network goes through the
tunnel.


3.2.31 WEBSHARE – Web sharing traffic


Method description The WEBSHARE detection method allows identifying network devices that
download from web sharing services (e.g. RapidShare). The method can be configured to ignore
unsuccessful connections (value of IgnoreSNGL set to “yes”). The event detail can be extended
by an estimate of the data downloaded ("dowloaded to the WAN") from and uploaded ("uploaded to
the WAN") to the Internet. This extension should not be activated if data from behind a proxy
server are monitored. The extension is enabled by setting the parameter LANFilter. If it is
enabled, the detection can be limited using the MinimalUp and MinimalDown parameters, which set
the minimal amount of data transferred in the given direction.

Method configuration It is appropriate to activate this method for all IP addresses. The
appropriate place for monitoring the traffic is the central switch and the Internet connection
line.

Assigned filter The filter is used for restricting source IP addresses.

Interpretation of results The accuracy of the detection depends on the database of known web
sharing services. There is also a statistical distortion in the event evidence. This distortion
is caused by the webshare server IP address used during the transmission, which is often
different from the known gateway address. Therefore the amount of transferred data is less than
the amount shown in the Detail field.

3.3 Common behavior patterns for SIP traffic

3.3.1 SIPFLOOD – SIP floods


Method description This detection method detects devices that are trying to overwhelm the SIP
stations in the monitored network segment using a flood attack. The detection of the respective
attack types can be (de)activated using the RegisterFlood and InviteFlood parameters. The
Threshold parameter sets the minimal ratio between the relevant packets received and sent by the
victim. The PerCalledParty parameter sets the minimal count of relevant packets sent to a single
SIP address. The MessageLimit parameter sets the minimal count of attempts against the victim of
the attack.

Method configuration It is recommended to activate this method for all IP addresses of SIP
devices in the monitored network segment. The appropriate place for monitoring the traffic is
the Internet connection line. This detection method must be used together with a NetFlow source
with activated SIP processing.

Assigned filter The filter is used for restricting source IP addresses (attack victims).

Interpretation of results The victim of the attack is shown as the event source. The event targets
(attackers, or devices trying to make an actual SIP connection during the attack) have generated
a large number of Register or Invite requests, and the victim cannot handle this amount of
requests. The flooded victim cannot handle real phone calls either.

3.3.2 SIPSCAN – SIP scans


Method description This detection method detects devices that are scanning the SIP stations in
the monitored network segment. The detection of particular scanning types can be (de)activated
using the RegisterScan, OptionsScan or InviteScan parameter. The minimal count of attempts with
the relevant SIP flags (Register, Options, Invite) can be set using the Threshold parameter.

Method configuration It is recommended to activate this method for all IP addresses of SIP
devices in the monitored network segment. The appropriate place for monitoring the traffic is
the Internet connection line. This detection method must be used together with a NetFlow source
with activated SIP processing.

Assigned filter The filter is used for restricting destination IP addresses.

Interpretation of results The scanning attacker is trying to find SIP PBXs and gateways
(horizontal scans, especially Register and Options scans; the information can be misused e.g.
for eavesdropping) or active SIP addresses (vertical scans, especially Invite scans; the
information can be misused for telephone spam).

3.3.3 SIPPROXY – SIP proxy


Method description This method uses the knowledge of individual SIP URIs to detect SIP proxy
servers (IP addresses used for SIP communication from distinct SIP URIs). The detection method
allows setting the training period (ClosedSeason parameter); during the training period no
events are generated by this method. The second option that can be set is the time period for
which inactive devices are kept in the classifier (TimeToDeath parameter) – if a device becomes
active again after this period, a new event is generated.
If a filter is assigned, only devices outside these IP addresses are detected.

Method configuration It is recommended to activate this method for all IP addresses of SIP
devices in the monitored network segment. The appropriate place for monitoring the traffic is
the Internet connection line. This detection method must be used together with a NetFlow source
with activated SIP processing.

Assigned filter The filter is used for restricting source or destination IP addresses.

Interpretation of results The device indicated as a SIP proxy (the event source) transmits the
SIP traffic for callers with distinct SIP URIs. Such a device can be dedicated to wiretapping
the forwarded communication (man-in-the-middle attack).

3.4 Advanced network behavior patterns

3.4.1 BROKENSEN – Broken sensor


Method description This method is intended to check active sensors that send the measured data
at regular time periods. The method works on machine learning principles. The classifier for a
sensor is in the learning state for as long as the parameter LearnCycles determines. The minimum
coverage of the training data that has to be satisfied by a classifier is defined by the
parameter MinimalCoverage. The tolerance used to check the individual variables is defined by
the parameters PeriodTolerance and TrafficTolerance.

Method configuration It is appropriate to activate this method only for IP addresses that belong
to sensors. Any non-sensor IP addresses in the checked range would cause a high amount of false
positives. The appropriate place for monitoring the traffic is the central switch.

Assigned filter The filter is used for restricting source IP addresses.

Interpretation of results This method alerts to the wrong behavior of a sensor (based on the
transmission period, bytes per packet or transmissions per hour). It is necessary to consider
how large and how frequent a deviation from the standard behavior can be caused by a defective
sensor.


3.4.2 DNSQUERY – DNS query volume anomaly


Method description A method detecting an increased number of DNS queries sent by one station.
The number of DNS queries (one packet is considered one DNS query) is counted for the last hour.
The event is reported if the number is n times greater than the average of the other stations,
where n is defined by the parameter Multiplicator. The average is calculated only from stations
that sent more than MinimalQueryLimit queries. DNS servers can be excluded from this detection
(the value of the parameter ExcudeDNS is set to “yes”; the default value is “no”).

Method configuration It is appropriate to activate this method network-wide for all traffic on
the network regardless of IP addresses. The appropriate place for monitoring the traffic is the
central switch.

Assigned filter The filter is used for restricting source IP addresses.

Interpretation of results This method reliably alerts to an increased number of DNS queries,
which can indicate a viral infection of the station identified as the event source.

3.4.3 RDPDICT – RDP attack


Method description This method is used to detect attempts to guess a user name/password for the
Remote Desktop service (TCP/3389). The method builds a persistent tree of attackers and victims,
and an event is reported when the limit value (20 attempts from a single IP address, or the value
of the option AttackAttempts) is exceeded for an attacker/victim pair. The data in the tree are
stored for the period defined by the TimeWindow parameter. This method can also be used to detect
a distributed attack. A single attacker has to make at least as many attempts against a single
victim as the product of the PartOfAttack and AttackAttempts parameters. The detection can be
refined by specifying the minimal number of targets of the attack using the MinTargets parameter.
If needed, it is possible to set the list of unusual ports on which the RDP service is provided
besides the standard TCP/3389 (ObscurePorts parameter). Most (not all) unsuccessful RDP
connections have the TCP RST flag set. Using the ResetFlag parameter, the detection can be
limited to these connections only.
With this method it is possible to promptly detect an ongoing attack and block the attacker before
the password is guessed. If there is a greater delay between the attacker's activities (more than
30 minutes, or the value of the AttackHole option), the attack from a single IP address can be
interpreted as several separate attacks.

Method configuration It is appropriate to activate this method for all IP addresses and to
monitor not only attacks against your own servers but also attacks from your own network to the
Internet. The appropriate place for monitoring the traffic is the central switch and the Internet
connection line.

Assigned filter The filter is used for restricting source or destination IP addresses.

Interpretation of results The results of this method are relatively straightforward: the method
detects an attack against the RDP service.

3.4.4 SSHDICT – SSH attack


Method description This method is used to detect attempts to guess a user name/password, or to
log in with a forged certificate, for the SSH service (TCP/22). The method builds a persistent
tree of attackers and victims, and an event is reported when the limit value (20 attempts from a
single IP address, or the value of the option AttackAttempts) is exceeded for an attacker/victim
pair. The method is also capable of detecting a successful attack based on an abrupt change of
the statistical properties of the traffic and the end of the attack. With this method it is
possible to promptly detect an ongoing attack and block the attacker before the password is
guessed. If there is a greater delay between the attacker's activities (more than 30 minutes, or
the value of the AttackHole option), the attack from a single IP address can be interpreted as
several separate attacks. The detection can be refined by specifying the minimal number of
targets of the attack using the MinTargets parameter. If needed, it is possible to set the list
of unusual ports on which the SSH service is provided besides the standard TCP/22 (ObscurePorts
parameter). The MaxPackets parameter allows connections with a high count of packets to be
ignored.

Method configuration It is appropriate to activate this method for all IP addresses and to
monitor not only attacks against your own servers but also attacks from your own network to the
Internet. The appropriate place for monitoring the traffic is the central switch and the Internet
connection line.

Assigned filter The filter is used for restricting source or destination IP addresses.

Interpretation of results The results of this method are relatively straightforward: the method
detects an attack against the SSH service. The method may produce false positives when
evaluating the activities of some surveillance systems that use the SSH protocol.
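The attacker/victim tree shared by the RDPDICT and SSHDICT methods above, with AttackAttempts, AttackHole, TimeWindow, PartOfAttack, MinTargets, ObscurePorts and ResetFlag, as an added example that is not FlowMon code: every short flow to the service port is assumed to be one login attempt, times are epoch seconds, and for the distributed case the attempts of all sources that each contributed at least PartOfAttack × AttackAttempts against one victim are summed.

```python
"""RDPDICT/SSHDICT-style password-guessing tracker (added example, not
FlowMon code); the same logic serves both, only the port set differs."""
from collections import defaultdict


class DictAttackTracker:
    def __init__(self, service_ports=(3389,), obscure_ports=(),
                 attack_attempts=20, attack_hole=30 * 60, time_window=24 * 3600,
                 part_of_attack=0.25, min_targets=1, reset_flag=False):
        self.ports = set(service_ports) | set(obscure_ports)  # ObscurePorts
        self.attack_attempts = attack_attempts                # AttackAttempts
        self.attack_hole = attack_hole                        # AttackHole (s)
        self.time_window = time_window                        # TimeWindow (s)
        self.part_of_attack = part_of_attack                  # PartOfAttack
        self.min_targets = min_targets                        # MinTargets
        self.reset_flag = reset_flag                          # ResetFlag
        self.tree = defaultdict(lambda: defaultdict(list))    # attacker -> victim -> times
        self.latest = 0

    def add_flow(self, src, dst, dport, time, rst=False):
        """Record one attempt and drop entries older than TimeWindow."""
        if dport not in self.ports or (self.reset_flag and not rst):
            return
        self.tree[src][dst].append(time)
        self.latest = max(self.latest, time)
        cutoff = self.latest - self.time_window
        for victims in self.tree.values():          # simple, not optimised
            for victim, times in victims.items():
                victims[victim] = [t for t in times if t >= cutoff]

    def _runs(self, times):
        """Split attempt times into runs at gaps longer than AttackHole."""
        runs = []
        for t in sorted(times):
            if runs and t - runs[-1][-1] <= self.attack_hole:
                runs[-1].append(t)
            else:
                runs.append([t])
        return runs

    def events(self):
        """Return ('single', attacker, victim, attempts) and
        ('distributed', [attackers], victim, attempts) tuples."""
        out = []
        per_victim = defaultdict(dict)
        for attacker, victims in self.tree.items():
            for victim, times in victims.items():
                for run in self._runs(times):
                    if (len(run) >= self.attack_attempts
                            and len(victims) >= self.min_targets):
                        out.append(("single", attacker, victim, len(run)))
                if len(times) >= self.part_of_attack * self.attack_attempts:
                    per_victim[victim][attacker] = len(times)
        for victim, contrib in per_victim.items():
            total = sum(contrib.values())
            if len(contrib) > 1 and total >= self.attack_attempts:
                out.append(("distributed", sorted(contrib), victim, total))
        return out


def _attempts(tracker, src, dst, start, count, step=10, dport=22):
    for k in range(count):
        tracker.add_flow(src, dst, dport, start + k * step, rst=True)


def build_sample(**kw):
    """Constructed SSH traffic (documentation address ranges)."""
    t = DictAttackTracker(service_ports=(22,), **kw)
    t0 = 1_700_000_000
    _attempts(t, "198.51.100.20", "10.0.0.10", t0, 25)         # one burst: event
    _attempts(t, "198.51.100.20", "10.0.0.10", t0 + 3000, 5)   # after 45 min: separate, too short
    _attempts(t, "198.51.100.30", "10.0.0.12", t0, 12)         # 12 attempts, then
    _attempts(t, "198.51.100.30", "10.0.0.12", t0 + 2400, 12)  # 12 more after >30 min: no event
    for i in (1, 2, 3):                                        # distributed: 3 x 7 = 21
        _attempts(t, f"203.0.113.{i}", "10.0.0.11", t0 + i, 7)
    _attempts(t, "10.0.0.2", "10.0.0.10", t0 + 500, 3)         # admin with a few typos
    return t


if __name__ == "__main__":
    for event in build_sample().events():
        print(event)
```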


3.5 Derived behavior patterns

3.5.1 DNSREVERSE – DNS reverse records missing


Method description This method detects network devices without a reverse DNS record. A reverse
DNS record is a standard configuration means that allows converting an IP address to a DNS name.
It is also possible to set the minimum amount of data that has to be sent by the device daily
for it to be included in the detection (MinimalTransfer). The detection is performed every day
at midnight for the previous day.

Method configuration It is appropriate to activate the method for all IP addresses, depending on
the DNS configuration policy of the organization. The appropriate place for monitoring the
traffic is the central switch and the Internet connection line.

Assigned filter The filter is used for restricting source IP addresses.

Interpretation of results This method can detect configuration problems and also alert to new or
unauthorized devices on the network.

3.6 Anomaly detection system

3.6.1 Basic principles of anomaly detection

The automatic anomaly detection system provided by the FlowMon ADS application works on the
principle of prediction based on short-term historical data. The statistics describing the
network behavior are predicted for the whole network. If an outlier between the predicted and
the current value occurs, the device possibly responsible is identified and the event is
generated.

The event detail always contains the predicted value of the relevant statistic, its current
value, its current value computed only for the responsible device, and the percentage increase
for this device since the last batch of NetFlow data.

The automatic anomaly detection system evaluates these statistics:

• Transferred data

• Transferred packets

• Established connections

• Communication peers

• Devices connected to the monitored network

• Amount of the requests

• Amount of the replies

• Amount of unsuccessful requests

• Amount of the TCP traffic

• Amount of the UDP traffic

• Amount of the traffic over other protocols

• Total count of services

• Count of provided services

• Count of used services

• The ratio of the unsuccessful connections to the whole traffic

The ANOMALY method that is used for automatic anomaly detection has to have the filter defining
the monitored segment assigned to work properly. Two parameters defining the sensitivity of the
classifier can be set.

The first parameter is the length of the sliding window (WindowLengthNet), which defines the
maximal age of the data used for predicting the current value. The longer the period used, the
less adaptable the classifier is in general (and therefore the more sensitive).

The second parameter is the threshold value for the event detection (NetworkThreshold). This
value defines how much bigger the current value has to be than the predicted value to generate
the event. E.g. if the predicted value is 100 and the value of this parameter is 2, then the
current value has to be bigger than 300 (= 100 + (2 × 100)) to generate the event. This parameter
can be set to two decimal places. The lower the given value, the higher the sensitivity of the
classifier.

The MinimalPart parameter can be used to improve the identification of the event source. This
parameter defines the minimal part of the whole traffic, relevant to the exceeded measure, that
is attributed to a single device. If the device exceeds this threshold, it gets a bigger weight
(devices under the threshold get a weight equal to 1).
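The NetworkThreshold test and the MinimalPart weighting of the ANOMALY method, carried through on constructed numbers, as an added example that is not FlowMon code: the predictor is assumed to be the mean of the last WindowLengthNet batches (the guide does not state it), a device's weight above MinimalPart is assumed to be its traffic share divided by MinimalPart, and the responsible device is taken as the one with the highest weight times percentage increase since the previous batch.

```python
"""ANOMALY-style threshold check and event-source identification (added
example, not FlowMon code)."""


def predict(history, window_length_net):
    """Predicted value from at most window_length_net past batches (assumed
    predictor: arithmetic mean of the window)."""
    recent = history[-window_length_net:]
    return sum(recent) / len(recent)


def exceeds(predicted, current, network_threshold):
    """The guide's rule: current must be bigger than predicted + threshold *
    predicted, i.e. predicted 100 and threshold 2 require more than 300."""
    return current > predicted + network_threshold * predicted


def responsible_device(per_device_now, per_device_prev, minimal_part):
    """Pick the device most likely responsible for the exceeded statistic.
    Devices carrying at least minimal_part of the traffic get weight
    share / minimal_part (assumed form); the rest get weight 1."""
    total = sum(per_device_now.values())
    best = None
    for dev, now in per_device_now.items():
        prev = per_device_prev.get(dev, 0)
        increase_pct = (now - prev) / prev * 100 if prev else float("inf")
        share = now / total if total else 0.0
        weight = share / minimal_part if share >= minimal_part else 1.0
        score = weight * increase_pct
        if best is None or score > best[0]:
            best = (score, dev, now, increase_pct)
    return best


def detect(history, per_device_now, per_device_prev, window_length_net=12,
           network_threshold=2.0, minimal_part=0.2):
    """Return the event detail fields listed in the guide, or None."""
    predicted = predict(history, window_length_net)
    current = sum(per_device_now.values())
    if not exceeds(predicted, current, network_threshold):
        return None
    _score, dev, dev_now, inc = responsible_device(per_device_now,
                                                   per_device_prev, minimal_part)
    return {"predicted": predicted, "current": current, "device": dev,
            "device_current": dev_now, "device_increase_pct": inc}


# Constructed sample: established connections per 5-minute batch.
HISTORY = [96, 104, 99, 101, 98, 103, 100, 97, 102, 100, 99, 101]   # mean 100
PREVIOUS = {"10.0.0.5": 30, "10.0.0.6": 40, "10.0.0.7": 30, "10.0.0.8": 2}
QUIET = {"10.0.0.5": 100, "10.0.0.6": 80, "10.0.0.7": 70}           # 250: no event
BURST = {"10.0.0.5": 210, "10.0.0.6": 60, "10.0.0.7": 50, "10.0.0.8": 20}  # 340: event

if __name__ == "__main__":
    print(detect(HISTORY, QUIET, PREVIOUS))
    print(detect(HISTORY, BURST, PREVIOUS))
    # With MinimalPart=1.0 no device gets extra weight, so the tiny host with
    # the largest percentage jump (10.0.0.8, 2 -> 20) wins instead.
    print(detect(HISTORY, BURST, PREVIOUS, minimal_part=1.0))
```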


3.7 General system procedures

3.7.1 SYSCHECK – Data inconsistency


Method description The method checks the consistency of the input data.

Method configuration It is possible to configure the threshold ratio for each individual metric
(e.g. the amount of unpaired flows) and to switch on or off the detection of wrong active timeout
settings on the NetFlow exporter or the detection of duplicate packets in the monitored network.

Interpretation of results The method generates simple warnings. These warnings can be interpreted
as problems with the NetFlow exporters (e.g. wrong configuration, incomplete data).

3.8 High level events, threat detection


The so-called high level events have been available in the FlowMon ADS application since version
6.5. They allow analyzing the outputs of the individual detection methods (simple events). High
level events are known as threats in the FlowMon ADS application. A threat can represent an
aggregation of simple events or a deduction from a given sequence of simple events (e.g. the
detection of a successful spread of a malware infection using the SSH service can be described as
the sequence of a SCANS event, an SSHDICT event and a SCANS event again; in the first scanning the
victim of the infection is the target, in the second it is the source of the scanning). Only
aggregations are currently available in the FlowMon ADS application.

Threat detections can be activated, deactivated and configured using the relevant parameters.
Each threat detection always depends on a set of simple event detections. If none of its
dependencies is active, the threat detection cannot be activated.

The detected threats are displayed in their own tab in the Dashboard:Overview view. The source,
start time, current end time, completion (there will be no further update to the threat if it is
closed), aggregated details and the list of particular simple events (dependencies that are
aggregated into the threat) are shown for each threat.

The moment a particular event is deleted, the threat is deleted too.


3.8.1 Common configuration

Each aggregation threat detection can be configured using the Window parameter, which defines
the maximal time window between two consecutive simple events (in seconds; if no further desired
simple event occurs within the time window, the threat is closed).
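Aggregation of simple events into threats with the Window parameter, using the ACCESSATTACK dependencies named in this guide, as an added example that is not FlowMon code: a simple event is assumed to be a dict with time (epoch seconds), method and source, events are grouped per source, a threat counts as closed when no dependency event arrived within Window seconds of its end as judged at the time now, and only the SSHDICT and RDPDICT dependencies are used because the codes of the other ACCESSATTACK dependencies are not listed in this section.

```python
"""Threat aggregation with the Window parameter (added example, not
FlowMon code)."""
from collections import defaultdict


def aggregate_threats(simple_events, dependencies, active_methods, window, now):
    """Return threats as {source, start, end, closed, events}; each threat
    is a chain of dependency events from one source with gaps <= window."""
    if not dependencies & active_methods:
        raise ValueError("no active dependency: threat detection cannot be activated")
    by_source = defaultdict(list)
    for ev in sorted(simple_events, key=lambda e: e["time"]):
        if ev["method"] in dependencies and ev["method"] in active_methods:
            by_source[ev["source"]].append(ev)
    threats = []
    for source, events in by_source.items():
        current = None
        for ev in events:
            if current is not None and ev["time"] - current["end"] <= window:
                current["end"] = ev["time"]          # extend the open threat
                current["events"].append(ev)
            else:                                    # gap > Window: new threat
                current = {"source": source, "start": ev["time"],
                           "end": ev["time"], "closed": False, "events": [ev]}
                threats.append(current)
    for t in threats:
        # Closed threats receive no further updates.
        t["closed"] = now - t["end"] > window
    return threats


def delete_event(threats, event):
    """Deleting a simple event deletes the threat it was aggregated into."""
    return [t for t in threats if event not in t["events"]]


# Constructed sample: the ACCESSATTACK dependencies shown in this section.
ACCESSATTACK = {"SSHDICT", "RDPDICT"}
ACTIVE = {"SSHDICT", "RDPDICT", "SCANS", "UPLOAD"}
T0 = 1_700_000_000
EVENTS = [
    {"time": T0, "method": "SSHDICT", "source": "198.51.100.20"},
    {"time": T0 + 600, "method": "RDPDICT", "source": "198.51.100.20"},
    {"time": T0 + 1000, "method": "SSHDICT", "source": "198.51.100.20"},
    {"time": T0 + 6000, "method": "RDPDICT", "source": "198.51.100.20"},
    {"time": T0 + 6300, "method": "RDPDICT", "source": "198.51.100.20"},
    {"time": T0 + 200, "method": "UPLOAD", "source": "10.0.0.3"},   # not a dependency
    {"time": T0 + 400, "method": "SSHDICT", "source": "203.0.113.7"},
]

if __name__ == "__main__":
    # Window of one hour, evaluated 200 s after the last event: the first
    # chain from 198.51.100.20 is closed, the second is still open.
    for t in aggregate_threats(EVENTS, ACCESSATTACK, ACTIVE, 3600, T0 + 6500):
        print(t["source"], t["start"] - T0, t["end"] - T0,
              "closed" if t["closed"] else "open", len(t["events"]))
```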

3.9 Threat detections – aggregations

3.9.1 ACCESSATTACK – Network access attack


Method description The method aggregates the simple events informing about attacks against
authentication.

Dependencies SSH attack, RDP attack, Web form attack, Communication with blacklisted hosts
(Known botnet command & control center)

Method configuration The method does not provide any parameter other than the Window parameter.

Interpretation The threat has to be interpreted according to the number of particular events. A
very high number can be a sign of a malware infection.

3.9.2 DATALEAKS – Potential data leaks


Method description The method aggregates the simple events informing about possible data leaks.

Dependencies Data upload anomaly, Country reputation, Web sharing traffic (only uploads).

Method configuration Besides the Window parameter, it is possible to set the minimal threshold
for data sent out of the network for a particular event (Threshold parameter).

Interpretation The threats can be interpreted as potential data leaks or as use of the monitored
network for private purposes (e.g. uploading some vacation photos – but there could be
watermarked data among these).

3.9.3 DOSATTACK – Denial of service attack

Method description The method aggregates simple events that report different kinds of denial
of service attacks.

Dependencies Denial of service attack, Amplificated DoS attack, ICMP anomaly (ICMP smurf
attack, ping flood), Behavior anomaly (increased packet ratio)

Method configuration The method does not provide any parameter other than the Window pa-
rameter.

Interpretation The source of the threat is a victim of some kind of denial of service attack.

3.9.4 DNSTRAFFIC – DNS traffic anomaly

Method description The method aggregates simple events that report non-standard DNS
traffic.

Dependencies DNS traffic anomaly (large TCP DNS traffic, use of unusual/unauthorized DNS
server), DNS query volume anomaly

Method configuration The method does not provide any parameter other than the Window
parameter.

Interpretation The threat can be interpreted as a malware infection on the device (DNS is used
as a communication channel to the C&C center) or as a misconfiguration of the device.

3.9.5 LARGETRANSFER – Large data transfer

Method description The method aggregates simple events that report large data transfers.

Dependencies High volume of transferred data, Internet connection utilization anomaly

Method configuration The method does not provide any parameter other than the Window
parameter.

Interpretation The threat highlights long-lasting or frequently recurring large data transfers.

3.9.6 MALWARE – Malware infected device

Method description The method aggregates simple events that can be a sign of malware
infection.

Dependencies Port scanning (scanning of ports 22, 23, 135, 137, 139, 389, 445, 1433 or 3389),
SMTP anomaly, Telnet anomaly, Honeypot traffic, Target hosts/ports anomaly (only after
some of the other dependencies), Communication with blacklisted hosts (Known botnet
command & control center)

Method configuration Besides the Window parameter, the minimum number of targets for a
particular event can be set (MinTargets parameter).

Interpretation The more simple events are aggregated, the higher the probability that the threat
source is infected with malware.

3.9.7 MISCONFIGURED – Misconfigured device

Method description The method aggregates simple events that can indicate a misconfigured
device.

Dependencies SMTP anomaly (low number of e-mails using low number of mailservers), DNS
traffic anomaly (attempt to use unexpected/unauthorized DNS server), IPv6 tunneled traffic

Method configuration Besides the Window parameter, the maximum number of mail servers and
the maximum number of e-mails for a particular OUTSPAM event can be set (MaxTargets and
MaxEmails parameters).

Interpretation The threat source is probably misconfigured: it is trying to use an unexpected or
unauthorized DNS server, or it is using an unauthorized SMTP server (while still sending a
reasonable number of e-mails).

3.9.8 NETANOMALY – Network anomaly

Method description The method aggregates simple events related to the standard behavior of
the network.

Dependencies Behavior anomaly, DHCP anomaly, Multicast traffic

Method configuration The method does not provide any parameter other than the Window pa-
rameter.

Interpretation The threat highlights significant changes in the monitored network traffic.

3.9.9 NETDISCOVERY – Network discovery

Method description The method aggregates simple events that report devices trying to discover
the monitored network.

Dependencies ICMP anomaly (scanning), Port scanning, Honeypot traffic

Method configuration The method does not provide any parameter other than the Window
parameter.

Interpretation The threat source is discovering the monitored network and trying to find
exploitable weaknesses.

3.9.10 PROXYBYPASS

Method description The method aggregates simple events that report devices bypassing (or
trying to bypass) the specified proxy server.

Dependencies Direct internet communication

Method configuration The method does not provide any parameter other than the Window
parameter.

Interpretation The threat is a simple aggregation of DIRINET events.

3.9.11 SPAMMER – Potential e-mail spammer

Method description The method aggregates simple events that report potential spammers.

Dependencies SMTP anomaly, Communication with blacklisted hosts (Known SPAM sources)

Method configuration Besides the Window parameter, the minimum number of mail servers for
a particular OUTSPAM event can be set (MailServers parameter).

Interpretation The probability that the threat source is sending unwanted e-mails increases with
the number of aggregated simple events.

3.9.12 SNIFFER – Potential network sniffer

Method description The method aggregates simple events that reveal devices possibly
eavesdropping on the network traffic.

Dependencies DHCP anomaly (fake DHCP server), L3 network anomaly

Method configuration The method does not provide any parameter other than the Window
parameter.

Interpretation The threat source is probably eavesdropping on the network traffic.

3.9.13 SRVOUTAGE – Service outage or misconfiguration

Method description The method aggregates simple events that report unavailable services.

Dependencies Service not available

Method configuration The method does not provide any parameter other than the Window
parameter.

Interpretation The threat is a simple aggregation of SRVNA events.

3.9.14 UNDESIRED – Usage of undesired applications

Method description The method aggregates simple events that report the use of applications
that may be undesired in the given environment.

Dependencies BitTorrent traffic, Instant messaging traffic, Online messaging traffic, TOR
traffic, TeamViewer traffic, Target hosts/ports anomaly, Web sharing traffic, Telnet
anomaly, Country reputation.

Method configuration Besides the Window parameter, the maximum number of targets for a
particular TELNET event can be set (Telnet parameter).

Interpretation The threat highlights the use of services/applications that may be undesired in
the given environment, either because of their nature (BitTorrent) or for security reasons
(Telnet).

4 User interface

The FlowMon ADS plug-in offers a complete web user interface based on JavaScript and AJAX
technology. The main menu on the left side provides basic control and access to the various parts
of the application. The upper part displays the status and information bar; the rest of the window
area serves as the user workspace. Another means of controlling the application is the context
menu, available by right-clicking the relevant object.

Tips of the day are displayed after a successful user login. A welcome screen is also displayed
after login; it contains important information about what should be done before you start using
the application.

4.1 Basic controls

4.1.1 Main application menu

The main application menu is the basic signpost to all perspectives and features available in the
application. Related functions and views are grouped together. The main application menu
contains the following items:

Dashboard Overview of current network status

Overview Chart of the legitimate and undesirable traffic.

Events Overview of the most important and the latest events, summary of all recognized
events.

Events Set of views on events

Aggregated view Aggregated view brings together neighboring events of the same type from an
individual device into continuous blocks, which are then displayed graphically on the
timeline.
Simple list A simple list of events with advanced searching and filtering of events.
By hosts A view of events grouped by the IP addresses to which the events relate.

Reports A set of HTML/PDF reports (reports on request) that summarize all information about
individual IP addresses available in the plug-in.

Generate report Generates a report based on the given template and time window.
Reports Configuring the templates used for generating reports.
Chapters Configuring the chapters of reports.
Scheduled reports Scheduling of automatic generating and sending of reports via e-mail.

Configuration Functions used to configure and manage the plug-in

Configuration and management of the plug-in is described in detail in Chapter 2 (Installation and
configuration). This chapter does not cover the functions of the Configuration group.

About Displays brief information about the application and its version, the number of processed
flows, license information, access to the user documentation, and information about methods
and batches skipped during data processing.

The currently selected menu item is always highlighted. The main application menu can be
hidden to increase the available user workspace. The main menu is hidden or displayed using the
arrow icon on the panel that separates the main menu from the user workspace (left to hide, right
to display). Moving between the individual subsections is done using the tabs in the user
workspace.

4.1.2 Status and information bar

The status and information bar shows selected basic information about the application and its
user interface (items are listed from left to right):

Drop-down menu Switching between individual plug-ins that are available on the FlowMon
probe/collector.

NetFlow sources problem indicator Status icon that is green when everything is working
correctly; if there are warnings or errors, it changes to orange or red. The most recent error
is displayed to the left of the icon. The number inside the status icon indicates the number
of unread messages. Click the icon to open a window listing all messages with their time
and severity. Users in the admin group can delete these messages.

Language switch Immediately switches the user interface of the application to the language
selected with the switch (English and Czech are available).

Help Link to the root page of the online help.

Logged on user The name of the currently logged-on user.

Logout Logs out the currently logged-on user.

4.1.3 Context menu

The context menu is a means of fast control of the application. It brings together all the actions
that can be performed with the element selected in the user interface and appears after clicking
the right mouse button.

Figure 5: Context menu of IP address/event

The most frequently used context menu is the menu of an IP address/event, which includes the
following items:

General information Translates the IP address to its DNS name, obtains WHOIS information and
displays custom information about the IP address (if specified; see Configuring filters). The
data are displayed in a floating window.

Related events A view of events associated with the IP address, transition to the perspective of
Events\By hosts view.

External IP services Displays additional information about IP addresses using user-defined
external internet services.

Aggregated events A view of aggregated events on the timeline associated with the IP address,
transition to the Events\Aggregated view.

IP Tools Common diagnostic IP tools

Locate in map Looks up the geographical location of the IP address and displays it on a map.
This function communicates with an external service (Yahoo Maps); for it to work, the
communication of the device (probe/collector) to port 80 (standard web traffic) must not
be blocked and External services must be allowed.
Ping Checks the availability of the selected IP addresses.
Traceroute Measures the route path and transit times of packets to the IP address across an
Internet Protocol (IP) network.

Resolve all IP addresses Translation of all visible IP addresses to DNS names.

Display events of this type A view of all events of the same type, transition to the Simple list
view.

Mark as false positive Marks the event as a false alarm; it will no longer be reported. It is possible
to send an e-mail about the false-positive event to the INVEA-TECH company. The e-mail
consists of the event details, the NetFlow entries related to the event, the application model
and version, and the customer’s name. That data is used to enhance the performance of the
application and is processed in accordance with the law on personal data protection. An
explanation can be added as a comment during the marking procedure.

Manage event categories The classification of events into user-defined categories.

Event details Transition to event details, displaying related information (categorization, notes).

Event evidence A detailed view of the event including all data flows from which the event has
been generated. The view is primarily intended for exporting the evidence from the application;
the displayed web page is adapted so that its contents can be copied as plain text to the
clipboard.
The menu item is only available if NetFlow collector data for the given address are tied to the
event.

Visualize event A view of the event through an interactive chart based on the NetFlow data that
caused the event.
The menu item is only available if NetFlow collector data for the given address are tied to the
event.

Visualize events A view of method-specific visualisations.

Latency Graphical view of the latency of the packets between monitored devices.

Export as image Opens the focused dashboard or events table in a new window as an image,
which can be saved or copied to the clipboard.
This function is available in the Firefox browser only.

Export events to .csv Exports the events from the displayed table into a CSV file.

Send feedback Sends a bug report or feedback to the INVEA-TECH company. The form is placed
on an external web page.

Other specific context menus are described under the relevant parts of the user interface
description, namely the context menus available in some dashboard tables. In addition to the
context menu, a tooltip is available for IP addresses; it shows the country where the IP address
is located.

4.1.4 Search criteria

Data in all views can be filtered according to the corresponding search criteria. For greater clarity
the search criteria are divided into basic criteria, which are always displayed, and advanced
criteria, which are available only in the complete form (the complete form is opened by clicking
on the bottom edge of the reduced form).

Basic search criteria Available in reduced search form

From, To The relevant period for displaying the information on the dashboard, the period
can be specified directly or chosen from associated calendar.

Figure 6: Example of reduced and complete search form

IPs, IP address, Targets The IP addresses for which information is displayed on the Dashboard;
individual IP addresses are separated by commas. A network address/mask can also be
entered, and a DNS name can be entered instead of an IP address.
The IP address field accepts only a single IP address.

Advanced search criteria Available in complete search form

Categories User-defined categories of events

Event types Type of the events, in fact a reference to the detection method, which recognized
the event.
Filters Selection of the IP addresses, which are to be displayed.
IP’s role Role of the IP address (event source/target)
Max. rows Maximal number of rows that are displayed
NetFlow sources NetFlow sources
Perspective, Priority Rules for the prioritization of events, and optionally the minimum displayed
priority.
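The accepted syntax of the IPs/Targets fields (comma-separated addresses, network address/mask entries and DNS names) and the stricter rule of the IP address field (a single address), as an added Python example that is not FlowMon code. DNS names are not resolved here; the matcher compares them with a hostname supplied by the caller, which is an assumption of this example rather than documented behaviour of the product.

```python
"""Parsing the IPs / IP address / Targets search fields.

Added example, not FlowMon code.  The IPs and Targets fields accept a
comma-separated mix of IP addresses, network address/mask entries and DNS
names; the IP address field accepts exactly one address.  DNS names are not
resolved: ip_matches() compares them with a caller-supplied hostname, which is
an assumption of this example and not documented product behaviour.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# A DNS name token: letters, digits, dots and hyphens, not starting/ending with
# a separator.  Anything else that is not an IP or network is rejected.
_HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")


def parse_ip_field(text: str) -> Tuple[list, List[str]]:
    """Split the field into (networks, hostnames).

    Single addresses become /32 (or /128) networks, so one membership test
    covers both plain addresses and address/mask entries.
    """
    networks, hostnames = [], []
    for tok in (t.strip() for t in text.split(",")):
        if not tok:
            continue                      # tolerate "a, ,b"
        try:
            # strict=False accepts host bits in the address part, e.g. 10.1.2.3/24
            networks.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            if not _HOSTNAME.fullmatch(tok):
                raise ValueError(f"not an IP address, network or DNS name: {tok!r}")
            hostnames.append(tok.lower())
    return networks, hostnames


def is_single_ip(text: str) -> bool:
    """Validation rule of the IP address field: exactly one plain address."""
    try:
        ipaddress.ip_address(text.strip())
    except ValueError:
        return False
    return True


def ip_matches(addr: str, networks: list, hostnames: List[str],
               hostname: Optional[str] = None) -> bool:
    """True if `addr` lies in any listed network or its hostname is listed."""
    ip = ipaddress.ip_address(addr)
    # An IPv4 address is never "in" an IPv6 network and vice versa; the
    # ipaddress module returns False for that case rather than raising.
    if any(ip in net for net in networks):
        return True
    return hostname is not None and hostname.lower() in hostnames


if __name__ == "__main__":
    nets, hosts = parse_ip_field("10.0.0.1, 192.168.1.77/24, mail.example.com")
    print(nets, hosts)
    print(ip_matches("192.168.1.200", nets, hosts))
    print(is_single_ip("10.0.0.1"), is_single_ip("10.0.0.1,10.0.0.2"))
```

Note that a network entered with host bits set (192.168.1.77/24) is normalized to its network address, so the match covers the whole /24 as the user intends.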

4.2 Dashboard

The Dashboard is the basic interface element displayed to the user right after logging on to the
application. It is used to obtain an overall picture of what is happening on the network via a set
of top 10 statistics. The default view shows events for the last 24 hours; the view can be adjusted
by changing the corresponding search criteria (From, To, IPs, Event types, Filters,
NetFlowSources).

Depending on the dashboard part (Overview, Events), only the relevant search criteria are
available.

4.2.1 Overview

The Overview chart compares the transferred data (packet count, flow count) by the priority of
the events detected from that data. If the data were used to detect several events with different
priorities, they are displayed under the highest priority achieved.

Data can be filtered by start and end time, the perspective and the NetFlow source.

A shorter time period can be marked; the available information is then displayed for the marked
interval. The context menu over the marked interval can be used to display this data in other
views (Aggregated view, Simple list, By hosts and Dashboard events) or to zoom in or out.

The marked interval can be shifted using the arrows in the lower right corner of the chart, and
the scale of the vertical axis can be switched (linear or logarithmic; upper left corner of the chart).

4.2.2 Events

Top 10 events by priority The table shows the 10 most important events from the chosen
perspective.
Within the table, you can:

• Change the perspective through the Perspective drop-down list
• Switch table/chart view
• Restore the content of the table according to currently configured filters
• View all events according to selected perspective, transition to the Events\Simple List,
view the chart including the legend

The latest 10 events Table displays the 10 newest events.
Within the table, you can:

• Restore the content of the table according to currently configured filters
• View all events according to selected perspective, transition to the Events\Simple list

Figure 7: Dashboard: Overview

Top 10 events by event type The table shows the top 10 event types along with the number of
occurrences of the events of that type.
Within the table, you can:

• Switch table/chart view
• Restore the content of the table according to currently configured filters
• View a complete table of all kinds of events along with the number of occurrences of the
events of given type in a new tab, view the chart including the legend
• Display the context menu above the type of an event, which allows you to search all
events of the type (Display events of this type), transition to the Events\Simple list
view

Top 10 IPs by event count The table shows the 10 IP addresses that produce the greatest number
of events.

Within the table, you can:

• Switch table/chart view
• Restore the content of the table according to currently configured filter
• View a complete table of all IP addresses with the number of occurrences of the events
with given IP address as a source in a new tab, view the chart including the legend

Events in last batch The table shows at most 10 event types that were detected during the last
processed batch of data.
Within the table, you can:

• Restore the content of the table according to currently configured filter
• View a complete table of all events in last batch, transition to the Events\Simple list view,
view the chart including the legend
• Display the context menu above the type of an event, which allows you to search all
events of the type (Display events of this type), transition to the Events\Simple list
view

4.3 Events

4.3.1 Aggregated view

The Aggregated view presents the events of a particular device in an intuitive graphical form
over time.

Events are filtered by the following search criteria: From, To, IPs, Event types, Filters,
NetFlowSources, Categories, Perspective.

Each event type in which the device takes part in the given time period is represented by one
line called a swimline. Event occurrences are represented by colored rectangles in the particular
swimline. According to the selected scale, neighboring events are aggregated into one rectangle.
The length of a rectangle corresponds to the duration of the event. Time runs from left to right
along the x axis. For clarity, the alternation of night and day is displayed.

Figure 8: Example of displaying aggregated events

Visualization interaction

Zoom The user can zoom in the visualization (show it at a larger scale) by selecting the requested
time interval with the left mouse button. The “Undo” and “Redo” icons on the right side above
the visualization navigate through the changes of scale. The “Plus” and “Minus” icons change the
size of the colored rectangles in a swimline.

Event details Right-clicking an event (green rectangle) displays a context menu that allows
displaying the event details (IP address, start time, end time, summary) or transition to
Events\Simple list with the corresponding events. The detail summary can be shown only for
events detected after installation of FlowMon ADS version 2.08.00, because of the migration to
new technologies, which allow the events to be aggregated into high-level events better.

Computing the details of an aggregated event that consists of more than 25 events is accelerated
by sampling. When sampling is used, the event detail contains a note about the lower accuracy
of the data.

4.3.2 Simple list

A view of events in the form of a simple list (events table), sorted primarily by the time of event
creation.

Events are filtered by the following search criteria: From, To, Source IP, Targets, Filter, Method,
Categories and Perspective.

The Event details view of an event with a known event ID can be opened directly using the
search dialog, available by clicking the magnifying glass icon in the upper right corner of the
search criteria box.

The query results are divided into pages of at most 500 items. The result is a table with the
following columns:

Row number Number of the table row

Event source Event originator (IP address)

Type Type of event, in fact a reference to the detection method, which recognized the event.

Detail Detailed information on the event

Timestamp Time stamp of event generation

NetFlow source NetFlow data source on which the event has been generated

Targets Event targets (a list of IP addresses). At most 10 items are shown in the table; if more
targets are associated with the event, they are available on request in a dialog window.

The output can be exported to a CSV file by clicking Export events to .csv in the context
menu.

4.3.3 By hosts

A table view of the events grouped according to the sources and targets of events.

Figure 9: Example view of events grouped by IP addresses

Events are filtered by the following search criteria: From, To, Source IP, Filter, Method,
Categories, Perspective, IP’s role and Number of events.

The result table is sorted by IP address; for each IP address the number of events in which the
address is the source or the target is displayed. From there, the list of event types related to the
IP address can be viewed. For each event type, the specific events can be displayed in a separate
table, which includes the same data as the event table in Events\Simple list.

4.3.4 Event details

Unlike other event views, the Event details view is available only through the context menu.
Event details include all available information about the event, event comments and the
classification of the event into categories.

Event details include the following information:

Type Type of event, in fact a reference to the detection method, which recognized the event

Timestamp Timestamp of event generation

First NetFlow Timestamp of the first NetFlow record on which the event detection was based

Event source Event originator (IP address)

Captured source hostname DNS name assigned to the IP address at the time of event detection

Detail Detailed information on the event

Probability Probability with which the event has been detected

NetFlow source NetFlow data source on which the event has been generated

False positive Indicates whether the event is a false positive (according to the rules for marking
events as false positives currently in effect). An event can be marked as a false positive using
the Mark as false positive context menu item. When marking an event, the time relevance of
the marking must be entered (individual days of the week, time tolerance). Marking an event
as a false positive means that events of the same type and originator will not be generated
while a rule for marking the events as false positives is in effect.

Targets Event targets (a list of IP addresses). The targets can be shown grouped by country or
address prefix.

User Identity User ID from domain controller (for more information see FlowMon collector
documentation)

Further, for each event the related comments are listed chronologically. A comment always
includes the author (Author) and the timestamp of its insertion (Timestamp). Comments may be
changed (Change) or deleted (Delete) depending on the author and the currently logged-on user.
It is always possible to add a new comment (Add new comment).

Event details also include event categories. A category entry always includes the author (Author)
and the timestamp (Timestamp). Individual categorizations can be removed (Remove) or added
(Add to category). Note that the management of event categories is also available through the
Manage event categories context menu item.

Figure 10: Example of event details

4.3.5 Interactive event visualization

The Interactive event visualization view shows the network traffic data on the basis of which
the event was detected. The view is available, for each event detected on the basis of network
traffic, through the Visualize event context menu item. As in the Event details view, the event
details are displayed first in a table to make clear which event is visualized.

The interactive visualization displays individual IP addresses as nodes and data transmission
between IP addresses as edges. The size of nodes and edges is proportional to the volume of
transmitted data, and their color, ranging from green to red, corresponds to the number of flows.
The event visualization can be traversed interactively; each node has a context menu marked by
the symbol “+”. The item More data of this menu downloads all relevant communication of the
IP address. The item Info obtains and displays the details of the network traffic in the form of
a floating table. For nodes it displays a table of aggregated communication with other IP
addresses: inbound traffic is aggregated by source IP address, destination port and protocol;
outbound traffic is aggregated by destination IP address, source port and protocol. For edges it
displays a table of the individual data flows that constitute the edge, including details such as the
duration of the connection, flags and the type of service (TOS).

A special type of node is called an aggregation. An aggregation represents a larger number of IP
addresses and is visualized as a circle-shaped node. Clicking such a node displays the list of IP
addresses that constitute the aggregation. Selecting any of the displayed IP addresses detaches
it from the aggregation. The IP address and the details of its communication can then be worked
with by the standard means described above.

4.3.6 Event evidence

The Event evidence view provides the means to export the evidence (the network data flows on
the basis of which the event was detected) from the application. The displayed web page is
adjusted so that its content can be copied to the clipboard as plain text. For each event the event
type, timestamp of event creation, event originator, event details and targets are shown.

This is followed by a histogram, which can display the relations between various pairs of
variables. Below it, the list of data flows (raw NetFlow data from the collector) is displayed. The
displayed information includes the source and the target IP address, the timestamp of the data
flow, its duration, protocol, source and destination port, the volume of transferred data, the
number of transmitted packets and the type of service.

Figure 11: Example of interactive visualization of events

The listed flows can be filtered along one of the columns. The filter is defined by choosing the
column and the relation from the lists and by writing the constant into the text box.

Listed flows with the same (or reversed) tuple of source IP address, destination IP address,
source port, destination port and protocol can be highlighted using the context menu over a
single flow (Flows coloring\Follow flow). Flows without a corresponding opposite flow can be
highlighted using the Flows coloring\Single flow item.

The list in the user interface is limited to 10000 flows. The exported text file includes all
relevant flow records.
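The flow operations described for the Event evidence view (the one-column filter, Follow flow over the same or reversed 5-tuple, Single flow for flows with no opposite flow) and the per-node Info aggregation of the Interactive event visualization in Section 4.3.5 (inbound by source IP, destination port and protocol; outbound by destination IP, source port and protocol), as one added Python example that is not FlowMon code. The NetFlow-style records, their column names and the numbers in them are constructed for the illustration; the same helpers would run unchanged over flows copied out of the exported text file once parsed into this record shape.

```python
"""Working with exported flow evidence.

Added example, not FlowMon code.  It uses constructed NetFlow-style records
with the columns listed for the Event evidence view and implements the
operations the text describes: the per-node Info aggregation of the
interactive visualization (inbound by source IP, destination port and
protocol; outbound by destination IP, source port and protocol), Follow flow
(same or reversed 5-tuple), Single flow (no opposite flow) and the one-column
filter (column, relation, constant).
"""
import operator
from collections import defaultdict
from typing import Callable, Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    ts: int          # start time in seconds (constructed)
    duration: float
    nbytes: int
    packets: int
    tos: int


# Constructed evidence: an SSH session and its reply flow, a one-way SNMP
# probe that got no answer, and a DNS query/response pair.
EVIDENCE: List[Flow] = [
    Flow("10.0.0.5", "10.0.0.20", 51000, 22, "TCP", 0, 12.5, 5400, 40, 0),
    Flow("10.0.0.20", "10.0.0.5", 22, 51000, "TCP", 0, 12.4, 9800, 38, 0),
    Flow("10.0.0.5", "10.0.0.21", 51001, 161, "UDP", 5, 0.0, 120, 1, 0),
    Flow("10.0.0.5", "10.0.0.53", 40000, 53, "UDP", 7, 0.1, 70, 1, 0),
    Flow("10.0.0.53", "10.0.0.5", 53, 40000, "UDP", 7, 0.1, 130, 1, 0),
]


def canonical_key(f: Flow) -> Tuple:
    """Direction-independent 5-tuple: a flow and its reverse share one key."""
    a, b = (f.src, f.sport), (f.dst, f.dport)
    return (f.proto,) + (a + b if a <= b else b + a)


def follow_flow(flows: List[Flow], selected: Flow) -> List[Flow]:
    """Flows coloring / Follow flow: same or reversed 5-tuple as `selected`."""
    key = canonical_key(selected)
    return [f for f in flows if canonical_key(f) == key]


def single_flows(flows: List[Flow]) -> List[Flow]:
    """Flows coloring / Single flow: flows whose reverse never appears."""
    seen = {(f.src, f.dst, f.sport, f.dport, f.proto) for f in flows}
    return [f for f in flows
            if (f.dst, f.src, f.dport, f.sport, f.proto) not in seen]


RELATIONS: Dict[str, Callable] = {
    "=": operator.eq, "!=": operator.ne, "<": operator.lt,
    ">": operator.gt, "<=": operator.le, ">=": operator.ge,
}


def filter_column(flows: List[Flow], column: str, relation: str, constant) -> List[Flow]:
    """One-column filter: keep flows where <column> <relation> <constant> holds."""
    op = RELATIONS[relation]
    return [f for f in flows if op(getattr(f, column), constant)]


def node_info(flows: List[Flow], node: str):
    """Aggregate a node's traffic the way the Info table does.

    Returns (inbound, outbound): inbound keyed by (src, dport, proto),
    outbound keyed by (dst, sport, proto); values are [bytes, flow count].
    """
    inbound: Dict[Tuple, List[int]] = defaultdict(lambda: [0, 0])
    outbound: Dict[Tuple, List[int]] = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.dst == node:
            entry = inbound[(f.src, f.dport, f.proto)]
        elif f.src == node:
            entry = outbound[(f.dst, f.sport, f.proto)]
        else:
            continue
        entry[0] += f.nbytes
        entry[1] += 1
    return dict(inbound), dict(outbound)


if __name__ == "__main__":
    print("unanswered:", single_flows(EVIDENCE))
    print("ssh session:", follow_flow(EVIDENCE, EVIDENCE[0]))
    print("dns only:", filter_column(EVIDENCE, "dport", "=", 53))
```

In the constructed sample, Single flow isolates the unanswered SNMP probe, Follow flow on the first record returns both halves of the SSH session, and the Info aggregation for 10.0.0.5 yields two inbound and three outbound rows.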

Figure 12: Example of Event evidence view

4.4 Reports

Reports are a means to obtain complete information about the IP address or IP addresses
registered in the application. A report assembles the information on events into a document,
which can be directly exported to PDF.

Reports consist of chapters, which can be modified by the user.

4.4.1 Chapters

The following chapter types are defined:

Overall status report It displays the network traffic overview chart and the traffic statistics table.

Event matrix Table of the most important events in the network. It is displayed by single days and
devices.

Event list List of the most important events in the network displayed as in Events\Simple list
view.

A chapter consists of a chapter type and its parameter settings. Several chapters of the same type
with different settings can be created.

Each user can create and edit chapters. A user can delete a chapter only if it is not used in a
report created by another user (or if the user has admin rights). The user is warned if the deleted
chapter belongs to some report. If the deleted chapter is the last one in the report, the user is
warned and the report is deleted too.

4.4.2 Reports

A report is defined as a sequence of chosen chapters. Each user can create and edit his
own reports. The user can mark a report as public (it can then be seen by other users). A common
user can edit or delete only his own reports; the administrator can see, edit or delete all reports.

To generate a report, it is necessary to choose one of the defined report templates and specify the
time window that the report will cover. The generated report can be exported directly
to PDF. Generating the report can consume considerable time and system resources depending on
the chapter parameter settings and the chosen time window. Report generation can be
interrupted at any time.

4.4.3 Default report

Beyond the user-defined report templates, the default report template can also be used. The
default report consists of the following chapters:

Overall status for Security Issues Based on the Security Issues perspective, the chart is gener-
ated along the flow count in the logarithmic scale for each NetFlow source separately.

Overall status for Operational Issues Based on the Operational Issues perspective, the chart is
generated along the flow count in the logarithmic scale for each NetFlow source separately.

Event matrix for Security Issues For the priority HIGH or higher.

Event matrix for Operational Issues For the priority HIGH or higher.


4.4.4 Scheduling reports

The FlowMon ADS application allows automatic report generation and delivery
in PDF format to be set up. It is necessary to choose the report to generate (Report), activate or deactivate
the generating and sending (Active), and select the period used for generation (Interval). When
daily or weekly reporting is selected, it is necessary to choose on which weekdays the reports are
generated. With the monthly generated report, the report is generated on the first day of the next
week. With the Custom interval (the first and last day of the report must be chosen), the
report is generated at the end of the given period.

It is possible to set the e-mail addresses of the sender (Sender email) and of the recipients
(Recipient emails).


Contacts

INVEA-TECH a.s.
U Vodarny 2965/2
Brno 61600

Web: www.invea.com
Email: [email protected]
Tel.: +420 511 205 251

Feedback

We would be pleased if you tell us your comments to this text (typing errors, incomplete or unclear
information). Please, contact us via email [email protected].

Copyright

This document is intended for informational purposes only. Any information herein is believed to be reliable. However,
INVEA-TECH assumes no responsibility for the accuracy of the information. INVEA-TECH reserves the right to change the
document and the products described without notice. INVEA-TECH and the authors disclaim any and all liabilities.
Except as stated herein, none of the document may be copied, reproduced, distributed, republished, downloaded, displayed,
posted, or transmitted in any form or by any means including, but not limited to, electronic, mechanical, photocopying,
recording, or otherwise, without the prior written consent of INVEA-TECH. Any unauthorized use of this specification
may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations
and statutes.
FlowMon logo is a trademark registered to CESNET, z.s.p.o. association. Other brands and product names are trademarks
of their respective owners.
This product contains NfSen and Nfdump software Copyright © 2004, SWITCH - Teleinformatikdienste fuer Lehre und
Forschung.
All other trademarks are the property of their respective owners. Copyright © 2007 – 2014 INVEA-TECH a.s. All rights
reserved.
