False Positives
- Last Updated: April 5, 2026
This part of the configuration can be found in Settings → Processing → False positive.
The False positive feature allows you to define rules for exceptions in the monitored traffic. It is useful for excluding special cases of uncommon behavior in the network. For example, a machine performing legitimate penetration testing of devices on the network should be excluded from the detection. The false positive rule evaluation takes some performance because the rule is applied as an additional filter to input flows. It is a good practice to try to tune the configuration of detection method parameters or assigned filters first. The false positive rule can be created in two ways: manually on the False positive settings page or by using the Mark as false positive option of an event menu which prefills the rule options from the event attributes.
False positive rules are evaluated according to the order in which they are created. If two false positive rules can be applied to the same traffic, the first rule is used to filter the traffic before the second rule is evaluated. Usage statistics are only updated for the rule that was used. Also, note that when a false positive rule with specified targets is created, the targets are not retrospectively removed from (in)active events that were triggered before the false positive rule creation.
Overview
Table columns can be customized by adding or removing optional columns using the column selection button above the table. The optional columns are as follows:
- Data feeds: a list of the selected data feeds the false positive rule is associated with
- Created: the date the false positive rule was created
- Latest usage: the date the false positive rule was last applied
- Method instances: a list of the selected method instances the false positive rule is associated with
Above the table, there is a search field that supports a full-text search and a search by IP address.
You can temporarily deactivate a false positive rule by clicking the Deactivate button in the context menu of the corresponding rule in Settings → Processing → False positive. You can activate the rule again by clicking the Activate button in the same place.
Removal of rules for false positive marking is done on the same page. It is done by clicking the Delete rule button in a context menu of the corresponding false positive rule.
Clicking on the row of the specific false positive rule expands the row showing detailed information about the rule.
The detailed view contains information about using the false positive rule in the last 24 hours and 7 days. Every column represents a time slot in history, during which the false positive rule was either applied or not. When the rule is newly created, deactivated, or the processing backend is stopped, it is visualized as a non-applied rule in particular time slots, and a note about the non-evaluated rule is added to the slot detail.
Configuration options
It is possible to define the false positive rule regardless of the detected event. This option can be found in Settings → Processing → False positive.
- Method: Specifies one or more detection methods for which the false positive rule should be applied. A separate rule is created for every selected method.
- Data feed: Restricts the data feeds for which the false positive rule should be applied.
- Comment: Optional text with additional information.
- Event source/Event target: The false positive rule has to be connected to an event source and/or to one or more event targets. IP addresses can be entered as a comma-separated list. When entering an IPv4 address, one of its fields can be written using a wildcard. The wildcard can be an enumeration of numbers (a comma-separated list enclosed in curly braces), a range of two numbers (two numbers separated by a dash enclosed in square brackets), or an asterisk representing the 0-255 range. Note: If at least one Advanced filtering parameter is specified, it is not necessary to fill in the Event source/Event target.
  Examples:
  192.168.{1,7,100}.1: IP addresses 192.168.1.1, 192.168.7.1, 192.168.100.1
  10.[1-3].0.0: IP addresses 10.1.0.0, 10.2.0.0, 10.3.0.0
  172.16.*.1: equivalent to 172.16.[0-255].1
- More options:
  - Advanced filtering parameters: If both parameters below are used, both the Autonomous systems and Hostname conditions must be met for the false positive rule to be applied.
    - Autonomous systems: Restricts the Autonomous systems (source or destination) for which the false positive rule should be applied. Note that Autonomous system list usage needs to be turned on. The AS list can be turned on in the Flowmon probe (FCC > Monitoring Ports > Advanced Settings). It can also be enabled on the Collector side (FCC > FMC Configuration > Autonomous Systems) if flow data from 3rd party exporters are missing AS information.
    - Hostname: Restricts the Hostnames for which the false positive rule should be applied. Note that this condition only applies to flows with the HTTP Hostname or DNS question name field filled in. To enable this feature, refer to the Advanced Settings and FMC Configuration chapters in the Flowmon user guide.
  - Time validity: Allows you to set specific days (and certain times during these days) when the false positive rule should be applied. Events detected during this time interval will be marked as false positives. In the case of the BPATTERNS method, the time validity is rounded to 5 minute batches.
  - Set expiration date of a false positive rule: Allows you to set an expiration date for the false positive rule.
  - Delete events marked as false positives: Deletes events marked as false positive detections by this rule. You can either delete all such events or only events from a specific time period (last day, last week, last month).
    - Note that this operation may take a very long time when events older than one day are to be deleted.
    - The option is not available if Advanced filtering parameters are specified, because the Autonomous system and Hostname are not present in the created events.
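The IPv4 wildcard syntax for Event source/Event target and the first-match rule ordering described in the introduction, as an added Python example. This is not Flowmon code: the pattern expander, the comma splitter that keeps `{1,7,100}` enumerations intact, the `FalsePositiveRule` class, the method names and the sample addresses are all constructed here to illustrate the documented behaviour (one wildcard octet per address, the first applicable rule filters the flow, and only that rule's usage statistics are updated).

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Hypothetical re-implementation of the page's IPv4 wildcard syntax (not Flowmon code).
_ENUM = re.compile(r"^\{(\d+(?:,\d+)*)\}$")   # {1,7,100}
_RANGE = re.compile(r"^\[(\d+)-(\d+)\]$")     # [1-3]


def _octet_values(token: str) -> list[int]:
    """Expand one octet token ('7', '{1,7,100}', '[1-3]' or '*') into octet values."""
    if token == "*":
        return list(range(256))
    m = _ENUM.match(token)
    if m:
        values = [int(v) for v in m.group(1).split(",")]
    else:
        m = _RANGE.match(token)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"range {token} has low > high")
            values = list(range(lo, hi + 1))
        else:
            values = [int(token)]  # raises ValueError on anything that is not a number
    for v in values:
        if not 0 <= v <= 255:
            raise ValueError(f"octet value {v} outside 0-255 in {token}")
    return values


def expand_pattern(pattern: str) -> list[str]:
    """Expand a plain address or an address with exactly one wildcard octet."""
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"{pattern!r} is not a dotted-quad IPv4 pattern")
    if sum(1 for o in octets if not o.isdigit()) > 1:
        raise ValueError(f"{pattern!r}: only one octet may use a wildcard")
    a, b, c, d = (_octet_values(o) for o in octets)
    # Only one octet can vary, so this yields at most 256 addresses, in order.
    return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]


def split_patterns(spec: str) -> list[str]:
    """Split the comma-separated input without breaking inside {...} enumerations."""
    parts, buf, depth = [], [], 0
    for ch in spec:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def expand_list(spec: str) -> set[str]:
    """Expand a whole Event source/Event target field into the set of addresses it covers."""
    return {ip for p in split_patterns(spec) for ip in expand_pattern(p)}


@dataclass
class FalsePositiveRule:
    """Constructed model of one rule: method set plus expanded source/target addresses."""
    name: str
    methods: set[str]
    sources: set[str] = field(default_factory=set)
    targets: set[str] = field(default_factory=set)
    active: bool = True
    usage: int = 0

    def __post_init__(self) -> None:
        # The page requires a rule to be tied to a source and/or targets.
        if not self.sources and not self.targets:
            raise ValueError("rule needs an event source and/or event targets")

    def matches(self, method: str, src: str, dst: str) -> bool:
        if not self.active or method not in self.methods:
            return False
        src_ok = not self.sources or src in self.sources
        dst_ok = not self.targets or dst in self.targets
        return src_ok and dst_ok


def first_matching_rule(rules: list[FalsePositiveRule], method: str,
                        src: str, dst: str) -> FalsePositiveRule | None:
    """Rules are evaluated in creation order; the first match filters the flow
    and is the only rule whose usage statistics are updated."""
    for rule in rules:
        if rule.matches(method, src, dst):
            rule.usage += 1
            return rule
    return None


if __name__ == "__main__":
    # Constructed sample: an authorised scanner box, then a broader subnet rule.
    rules = [
        FalsePositiveRule("pentest-box", {"BPATTERNS"}, sources=expand_list("10.0.0.5")),
        FalsePositiveRule("scanner-net", {"BPATTERNS"}, sources=expand_list("10.0.0.[1-10]")),
    ]
    hit = first_matching_rule(rules, "BPATTERNS", "10.0.0.5", "10.0.1.1")
    print(hit.name if hit else None, [r.usage for r in rules])
```

The splitter matters because the page's enumeration syntax reuses the comma that also separates addresses in the list; naive `split(",")` would tear `192.168.{1,7,100}.1` into three invalid tokens. The evaluator also shows why the creation order of overlapping rules decides which rule's usage counter grows, which is the behaviour to keep in mind when a more specific rule is added after a broader one.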