Detection Methods and 3rd Party Flow Data

  • Last Updated: May 1, 2026

This document lists detection methods and their compatibility with high-quality flow data from standard flow exporters such as routers, switches, and other network devices. The compatibility assessment assumes that third-party flow data is accurate and includes all attributes, including TCP flags, but provides visibility limited to network (L3) and transport (L4) layers only. Methods and submethods marked as "No" or "Partially" require additional application layer (L7) information that only Flowmon Probes provide.

| Method | Submethod | Working with standard quality flows |
|---|---|---|
| ALIENDEV | KnownSegment | Yes |
| ALIENDEV | IPBased | Yes |
| ALIENDEV | MACBased | No |
| ANOMALY | SentPackets | Yes |
| ANOMALY | ReceivedPackets | Yes |
| ANOMALY | SentBytes | Yes |
| ANOMALY | ReceivedBytes | Yes |
| ANOMALY | SentFlows | Yes |
| ANOMALY | ReceivedFlows | Yes |
| ANOMALY | Peers | Yes |
| ANOMALY | ActiveDevices | Yes |
| ANOMALY | Requests | Yes |
| ANOMALY | Responses | Yes |
| ANOMALY | CountUnpaired | Yes |
| ANOMALY | TCPFlow | Yes |
| ANOMALY | UDPFlow | Yes |
| ANOMALY | OtherFlow | Yes |
| ANOMALY | PercentUnpaired | Yes |
| ANOMALY | ProvidedServices | Yes |
| ANOMALY | UsedServices | Yes |
| BITTORRENT | General | Yes |
| BLACKLIST | Applications | Yes |
| BLACKLIST | Host | Yes |
| BLACKLIST | Service | Yes |
| BLACKLIST | Web | No |
| BLACKLIST | Domain | No |
| BLACKLIST | JA3 | No |
| BPATTERNS | Depends on the submethod | Partially |
| BROKENSEN | Bytes | Yes |
| BROKENSEN | Duration | Yes |
| BROKENSEN | Packets | Yes |
| BROKENSEN | Period | Yes |
| COUNTRY | IncreasedCommunication | Yes |
| DHCPANOM | FakeServer | Yes |
| DHCPANOM | ServerOverloadIP | Yes |
| DHCPANOM | ServerOverloadNetwork | Yes |
| DHCPANOM | OversendingClientIP | Yes |
| DHCPANOM | OversendingClientNetwork | Yes |
| DHCPANOM | ServerChange | Yes |
| DICTATTACK | SMTPProtocol | Yes |
| DICTATTACK | SambaProtocol | Yes |
| DICTATTACK | VNCProtocol | Yes |
| DICTATTACK | IMAPProtocol | Yes |
| DICTATTACK | POP3Protocol | Yes |
| DICTATTACK | FTPProtocol | Yes |
| DICTATTACK | SSHProtocol | Yes |
| DICTATTACK | TelnetProtocol | Yes |
| DICTATTACK | RDPProtocol | Yes |
| DICTATTACK | HTTPProtocol | Yes |
| DIRINET | General | Yes |
| DIVCOM | VariousCommunication | Yes |
| DNSANOMALY | TCPHighTraffic | Yes |
| DNSANOMALY | ForbiddenServer | Yes |
| DNSANOMALY | UnusualServer | Yes |
| DNSQUERY | QueriesCount | Yes |
| DOHDET | BehavioralDetection | Yes |
| DOHDET | KnownServers | Partially |
| DOS | Volumetric | Yes |
| DOS | SYNFlood | Yes |
| DOS | FIN2WAIT | Yes |
| GEODIST | EnthropyChange | Yes |
| HIGHTRANSF | General | Yes |
| HONEYPOT | General | Yes |
| HTTPDICT | SameSize | Yes |
| ICMPANOM | DestinationUnreachIP | No |
| ICMPANOM | DestinationUnreachNetwork | No |
| ICMPANOM | SmurfAttack | No |
| ICMPANOM | ICMPScan | No |
| ICMPANOM | PingFlood | No |
| ICMPANOM | LargePayload | No |
| IPV6TUNNEL | TeredoTunnel | Yes |
| IPV6TUNNEL | 6in4Tunnel | Yes |
| L3ANOMALY | IPSpoof | Yes |
| L3ANOMALY | SourceMulticast | Yes |
| L3ANOMALY | SameIPs | Yes |
| MULTICAST | MulticastDetection | Yes |
| NATDET | General | No |
| PEERS | PeersIncrease | Yes |
| RANDOMDOMAIN | General | No |
| RDPDICT | General | Yes |
| REFLECTDOS | Amplification | Yes |
| SCANS | PortBased | Yes |
| SCANS | UDP | Yes |
| SCANS | TCPSYN | Yes |
| SCANS | TCPFIN | Yes |
| SCANS | TCPNull | Yes |
| SCANS | TCPXmas | Yes |
| SCANS | ARP | No |
| SIPFLOOD | Invite | No |
| SIPFLOOD | Register | No |
| SIPPROXY | General | No |
| SIPSCAN | Register | No |
| SIPSCAN | Options | No |
| SIPSCAN | Invite | No |
| SMTPANOMALY | UndefinedServer | Yes |
| SMTPANOMALY | SpammingClient | Yes |
| SRVNA | TCPService | Yes |
| SRVNA | UDPService | Yes |
| SRVNA | TCPServiceReset | Yes |
| SSHDICT | General | Yes |
| TEAMVIEWER | General | Partially |
| TELNET | PortBased | Yes |
| THREATS | Depends on the submethod | Partially |
| TOR | ClientDirectAccess | Yes |
| TOR | ServerAccess | Yes |
| UPLOAD | General | Yes |
| VOIP | General | Yes |
| VPN | BehavioralDetection | Yes |
| VPN | OpenVPN | Yes |
| VPN | MSPPTP | Yes |
| VPN | IPSec | Yes |
| VPN | InternetTunnel | Yes |
| VPN | Hamachi | Yes |
| WEBSHARE | SiteVisit | Yes |
| WEBSHARE | SiteTransfer | Yes |