
Flowmon ADS User Guide

BLACKLIST - Communication with Blacklisted Hosts


  • Last Updated: April 5, 2026

Method description

A method for detecting communication with IP addresses, domains, web pages, services, or JA3 fingerprints that are included in the blacklists maintained by Progress Software or in custom blacklists maintained by a user of the module. The method also allows a user to specify a list of applications from various categories (such as adult websites, remote access tools, streaming services, and so on) whose usage should be reported; this is called an application blacklist.

The IgnoreUnreachable parameter ignores ICMP type 3 (Destination Unreachable) replies sent in response to requests from blacklisted IP addresses. If the IgnoreUnsuccExt parameter (or IgnoreUnsuccInt) is set to yes, unsuccessful communication attempts initiated by the malicious devices (or by internal devices, respectively) are not reported. It is also possible to ignore communication on specific ports by setting the IgnorePorts parameter.

It is possible to define a custom blacklist that is maintained by a user of the module. The management of the Flowmon and the custom blacklists is described in the Blacklists chapter.

This method consists of the following submethods:

  • Host: Reports devices that communicate with blacklisted IP addresses.

  • Service: Reports devices that use a blacklisted service (the service is defined by IP address, port, and protocol).

  • Web: Reports devices that communicate with a blacklisted website. The detection is performed using an HTTP hostname or SNI string from an encrypted communication.

  • Domain: Reports devices that send a DNS query containing a blacklisted domain.

  • Application: Reports devices that communicate with IP addresses where a blacklisted application is hosted.

  • JA3: Reports devices that use software whose JA3 fingerprint is blacklisted.

Method configuration

It is recommended to activate this method network-wide for all traffic on the network, regardless of IP addresses. The right place to monitor the traffic is the Internet connection line. To update the Flowmon blacklists, you must ensure that communication from the device (probe/collector) to port 443 (HTTPS, standard secured web traffic) on the services.flowmon.com server is not blocked.

Method parameters

  • IgnoreUnreachable: Ignore the ICMP type 3 responses (destination unreachable) to requests from the blacklisted IP addresses.

  • IgnoreUnsuccExt: Ignore unsuccessful communication attempts initiated by external malicious devices.

  • IgnoreUnsuccInt: Ignore unsuccessful communication attempts initiated by internal devices.

  • IgnorePorts: List of ports that will be ignored during the detection.

  • ActiveBlacklists: List of blacklists that should be processed by the method instance. The management of the blacklist's content is described in the Blacklists chapter.
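The following is an added illustration, not Flowmon code, of how the submethods listed above and the Ignore* parameters combine when a single flow record is evaluated. The blacklist contents, the Flow and Config field names, the "no reply seen" definition of an unsuccessful attempt and the "10." prefix used to recognize internal devices are all assumptions made for the example; the Application submethod is not modeled because it depends on application classification data the page does not describe.

```python
from dataclasses import dataclass, field
# Constructed sample blacklists (not Flowmon's feeds), keyed by the submethod names on this page.
BLACKLISTS = {
    "host": {"198.51.100.7"},
    "service": {("203.0.113.9", 4444, "TCP")},      # (IP address, port, protocol)
    "web": {"bad.example"},                           # HTTP hostname or TLS SNI
    "domain": {"malware.example"},                    # DNS query name or any subdomain of it
    "ja3": {"ja3-constructed-0001"},                  # constructed placeholder fingerprint
}

@dataclass
class Flow:                      # minimal flow record; field names are assumptions
    src: str
    dst: str
    proto: str = "TCP"
    dst_port: int = 0
    icmp_type: int = -1
    replied: bool = True         # False models an unsuccessful attempt (no reply seen)
    hostname: str = ""
    dns_query: str = ""
    ja3: str = ""

@dataclass
class Config:                    # the method parameters described on this page
    ignore_unreachable: bool = True
    ignore_unsucc_ext: bool = False
    ignore_unsucc_int: bool = False
    ignore_ports: set = field(default_factory=set)
    internal_prefix: str = "10."  # assumption: how internal devices are recognized

def evaluate(flow: Flow, cfg: Config) -> list:
    """Return the submethods that would report this flow, after the ignore rules."""
    src_bl, dst_bl = flow.src in BLACKLISTS["host"], flow.dst in BLACKLISTS["host"]
    if flow.dst_port in cfg.ignore_ports:                       # IgnorePorts
        return []
    if cfg.ignore_unreachable and flow.proto == "ICMP" and flow.icmp_type == 3 and dst_bl:
        return []                                               # IgnoreUnreachable
    if not flow.replied:
        if cfg.ignore_unsucc_ext and src_bl:                    # IgnoreUnsuccExt
            return []
        if cfg.ignore_unsucc_int and flow.src.startswith(cfg.internal_prefix):
            return []                                           # IgnoreUnsuccInt
    checks = {
        "host": src_bl or dst_bl,
        "service": (flow.dst, flow.dst_port, flow.proto) in BLACKLISTS["service"],
        "web": flow.hostname in BLACKLISTS["web"],
        "domain": any(flow.dns_query == d or flow.dns_query.endswith("." + d) for d in BLACKLISTS["domain"]),
        "ja3": flow.ja3 in BLACKLISTS["ja3"],
    }
    return [name for name, hit in checks.items() if hit]
```

Note that the ICMP unreachable reply and the unsuccessful internal attempt are both matched by the Host submethod but suppressed by their respective parameters, which is exactly the noise those parameters exist to remove.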

Assigned filter

Only flows whose source or destination IP address matches the assigned filter will be processed.

Interpretation of results

This method uses the Flowmon Network blacklist service or custom blacklists defined by a user. Depending on the category of the blacklisted subject, events generated by this method may indicate that the device is compromised or takes part in malicious activities; if one of the organization's IP addresses is the event originator, that device is likely part of a botnet or infected with some form of malware.
