Powered by Zoomin Software. For more details please contactZoomin

Flowmon ADS User Guide

Table of Contents

WEBSHARE - Web Sharing Traffic

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
Print
  • Last Updated: April 5, 2026
  • 2 minute read
    • Flowmon Products
    • Flowmon Anomaly Detection System
    • Documentation

Method description

The WEBSHARE detection method allows you to identify the network devices that transfer data from/to web-sharing services (for example, uloz.to or mega.nz). The method can be configured to ignore unsuccessful connections (if the value of IgnoreSNGL is set to yes). The detail of the event can be extended by estimation of downloaded (downloaded to the WAN) and uploaded (uploaded to the WAN) data from/to the Internet. This extension should not be activated if the data from behind the proxy server is monitored. It can be enabled by setting the LANFilter parameter. If this extension is enabled, the detection can be limited using the MinimalUp and MinimalDown parameters. These parameters limit the minimal transferred data in the respective direction. It is also possible to choose whether data transfers should be detected only with web-sharing services (if the CloudServices parameter is set to no) or if cloud services should also be included (if the CloudServices parameter is set to yes).

This method consists of the following submethods:

  • SiteVisit: Reports the devices that visit web domains that provide file-sharing services. This submethod is active when the LANFilter parameter is not set.

  • SiteTransfer: Reports the devices that probably transfer data with websites that provide file-sharing services. This submethod is only active when the LANFilter parameter is set.

Method configuration

It is recommended to apply this method for all IP addresses. The right place for traffic monitoring is the central switch and the Internet connection line.

Method parameters

  • IgnoreSNGL: Omission of the attempts to a file share web server without response during the detection.

  • LANFilter: Name of the filter that defines the IP addresses of the devices in the local network. It is used for the identification of uploading/downloading devices.

  • MinimalDown: Threshold for a minimal amount of data probably downloaded from the file share webserver (in MiB). This applies only if the LANFilter parameter is set.

  • MinimalUp: Threshold for a minimal amount of data probably uploaded to the file share webserver (in MiB). This applies only if the LANFilter parameter is set. To report an event, only one of the MinimalDown and MinimalUp thresholds has to be exceeded.

  • CloudServices: Specifies whether data transfers should be detected only with web-sharing services or also with cloud services.

Assigned filter

Only flows whose source or destination IP address matches the assigned filter will be processed.

Interpretation of results

Web-sharing services usually host content that violates author rights such as movies or software. Uploading data to those services is a popular data exfiltration technique. The accuracy of detection depends on the database of known web-sharing services. There is also a statistical distortion in the Event evidence. This distortion is caused by the web share server IP address used during transmission, which is often different from the known gateway address. The amount of transferred data is, therefore, smaller than the amount shown in the Detail field.

TitleResults for “How to create a CRG?”Also Available inAlert