TELNET - Telnet Anomaly
- Last Updated: April 5, 2026
- Flowmon Anomaly Detection System
Method description
The method detects increased use of the Telnet service. Telnet is obsolete and, because it carries credentials and the whole session in plaintext, should no longer be used at all for security reasons; where it cannot be removed, its use should be restricted and closely monitored. The method detects all connections to TCP port 23 (the Telnet service), including unsuccessful connection attempts, and counts the number of such connections per source IP address. As part of the method configuration, you must set the minimum number of Telnet connections that is considered unwanted (the TelnetThreshold option). Detection can cover all connection attempts including scans (the no value of the IgnoreScans option) or only successfully established connections (the yes value of the IgnoreScans option). Servers that are allowed to be accessed over Telnet can be excluded with the AllowedTelnet parameter. Note that detection is purely port based: Telnet running on a port other than TCP/23 is not seen by this method, and any other service bound to TCP/23 is counted as Telnet.
This method consists of the following submethod:
- PortBased: Reports the usage of the obsolete Telnet protocol for remote device management.
Method configuration
It is recommended to apply this method to all IP addresses. The right place for traffic monitoring is the central switch and the Internet uplink. Setting the IgnoreScans option to yes leaves only established Telnet sessions, which makes it possible to find devices infected with malware (for example, the Chuck Norris botnet) that use Telnet to take over other network devices such as routers, IP cameras, and so on. With IgnoreScans set to no, the same devices show up earlier, while they are still scanning for open Telnet ports, but so does any ordinary port scanner.
Method parameters
- TelnetThreshold: Minimum number of connections to the Telnet service (TCP/23) from a single IP address before an event is reported.
- IgnoreScans: Omit traffic recognized as a TCP port 23 scan; with the value yes, only established connections are counted.
- AllowedTelnet: IP addresses that are allowed to be accessed using the Telnet service; connections to these servers are not counted.
- UploadThreshold: Minimum amount of data uploaded by a single device.
- DownloadThreshold: Minimum amount of data downloaded by a single device.
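The following Python program is an added example that re-implements the per-source counting described in the method description, with the TelnetThreshold, IgnoreScans, AllowedTelnet and assigned-filter parameters, over a constructed set of flow records. It is not Flowmon code and does not reproduce Flowmon's internal logic; the flow record fields, the rule for recognizing a scan (a TCP/23 flow that never carried an ACK, so no handshake completed) and all IP addresses are assumptions made for the illustration. UploadThreshold and DownloadThreshold are left out because the page does not say how they combine with the connection count.

```python
"""Toy per-source Telnet (TCP/23) counter in the spirit of the TELNET method.
Added example; not Flowmon code.  Flow records are constructed here."""

import ipaddress
from collections import Counter
from dataclasses import dataclass, replace
from typing import Iterable

TELNET_PORT = 23


@dataclass(frozen=True)
class Flow:
    """One exported flow record (constructed; fields mirror common NetFlow/IPFIX keys)."""
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dst_port: int
    flags: str       # accumulated TCP flag letters, e.g. "S" (SYN only) or "SAPF"
    packets: int


@dataclass
class TelnetConfig:
    """Mirrors the method parameters described on this page (names assumed)."""
    telnet_threshold: int = 5                       # TelnetThreshold
    ignore_scans: bool = False                      # IgnoreScans
    allowed_telnet: frozenset = frozenset()         # AllowedTelnet: servers that may be reached on TCP/23
    assigned_filter: tuple = ("0.0.0.0/0",)         # assigned filter: process flows whose src OR dst matches


def in_filter(flow: Flow, cfg: TelnetConfig) -> bool:
    nets = [ipaddress.ip_network(n) for n in cfg.assigned_filter]
    return any(ipaddress.ip_address(a) in n for a in (flow.src, flow.dst) for n in nets)


def is_scan(flow: Flow) -> bool:
    """Assumed heuristic (not Flowmon's published logic): a TCP/23 flow with no ACK
    never completed the three-way handshake, so it is a probe or a refused attempt."""
    return "A" not in flow.flags.upper()


def detect_telnet(flows: Iterable[Flow], cfg: TelnetConfig) -> dict[str, int]:
    """Return {source_ip: telnet_connection_count} for sources at or above the threshold."""
    counts: Counter = Counter()
    for f in flows:
        if f.proto != "tcp" or f.dst_port != TELNET_PORT:
            continue                      # port based: only TCP/23 is looked at
        if not in_filter(f, cfg):
            continue                      # neither endpoint is in the assigned filter
        if f.dst in cfg.allowed_telnet:
            continue                      # sanctioned Telnet server, exempt
        if cfg.ignore_scans and is_scan(f):
            continue                      # IgnoreScans=yes: count only established connections
        counts[f.src] += 1
    return {src: n for src, n in counts.items() if n >= cfg.telnet_threshold}


# Constructed sample flows (addresses are illustrative).
SAMPLE_FLOWS = [
    # 10.0.0.5 sweeps a /24 for Telnet: SYN-only probes, one packet each
    *[Flow("10.0.0.5", f"10.0.1.{i}", "tcp", 23, "S", 1) for i in range(1, 7)],
    # 10.0.0.7 actually logs in to three routers (full handshake, data exchanged)
    Flow("10.0.0.7", "10.0.2.10", "tcp", 23, "SAP", 40),
    Flow("10.0.0.7", "10.0.2.11", "tcp", 23, "SAP", 38),
    Flow("10.0.0.7", "10.0.2.12", "tcp", 23, "SAPF", 52),
    # admin workstation 10.0.0.9 uses the sanctioned console server 10.0.3.1 ...
    *[Flow("10.0.0.9", "10.0.3.1", "tcp", 23, "SAPF", 120) for _ in range(4)],
    # ... plus a single session to a router
    Flow("10.0.0.9", "10.0.2.10", "tcp", 23, "SAPF", 60),
    # noise that must not count: SSH, UDP/23, and flows entirely outside the assigned filter
    Flow("10.0.0.7", "10.0.2.10", "tcp", 22, "SAPF", 200),
    Flow("10.0.0.7", "10.0.2.13", "udp", 23, "", 2),
    *[Flow("203.0.113.5", "198.51.100.7", "tcp", 23, "S", 1) for _ in range(5)],
]

SITE_CONFIG = TelnetConfig(
    telnet_threshold=3,
    ignore_scans=False,
    allowed_telnet=frozenset({"10.0.3.1"}),
    assigned_filter=("10.0.0.0/8",),
)


def scenario(ignore_scans: bool, exempt_console_server: bool = True) -> dict[str, int]:
    """Run the detector on the sample flows with IgnoreScans and AllowedTelnet varied."""
    allowed = SITE_CONFIG.allowed_telnet if exempt_console_server else frozenset()
    cfg = replace(SITE_CONFIG, ignore_scans=ignore_scans, allowed_telnet=allowed)
    return detect_telnet(SAMPLE_FLOWS, cfg)


if __name__ == "__main__":
    print("IgnoreScans=no :", scenario(False))   # scanner and infected host
    print("IgnoreScans=yes:", scenario(True))    # infected host only
    print("no AllowedTelnet, IgnoreScans=yes:", scenario(True, exempt_console_server=False))
```

With IgnoreScans=no both the SYN sweep from 10.0.0.5 and the three real logins from 10.0.0.7 cross the threshold; with IgnoreScans=yes only 10.0.0.7 remains, which is the "infected device" case the configuration section describes. Removing the console server from AllowedTelnet makes the administrator's workstation 10.0.0.9 appear as well, which is why the allow list matters for a method applied to all IP addresses.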
Assigned filter
Only flows whose source or destination IP address matches the assigned filter will be processed.
Interpretation of results
This method reports devices that use, or attempt to use, the Telnet service, depending on the configuration. Because Telnet transmits credentials and session content in plaintext, it should no longer be in use. Reported events may indicate an attacker moving through the network or devices infected with malware that targets specialized network devices such as routers and IP cameras. A source that establishes sessions with many Telnet servers deserves attention before one that only probes the port, and a legitimate management host that appears repeatedly should be added to AllowedTelnet rather than ignored.