Configuration in the Flowmon User Interface
- Last Updated: May 5, 2026
This section contains a description of the basic settings that you can configure directly in the Flowmon user interface. For more advanced tuning of the Suricata IDS system (for example, false positive tuning or Suricata rules management), continue to the Configuration in the command line section.
The settings can be found in the Flowmon Configuration Center, under the section Monitoring Ports (in the left menu). On this page, it is possible to set the global settings for all interfaces or configure individual interfaces by selecting the IDS probe tab in the respective section. The global settings are always applied to all interfaces that do not have an individual configuration set.
By default, Suricata IDS monitoring is disabled for all monitoring interfaces, so you must explicitly enable it. You can enable IDS globally for all monitoring ports using the global settings, use custom settings to override the global settings for individual monitoring ports, or do both — enable globally and selectively disable or enable individual ports — using the Enabled toggle under the IDS Probe tab.
As mentioned above, you can set an individual configuration for each interface when the global setting is not suitable. Enable this using the Use custom settings toggle. When this toggle is enabled, two more options are displayed: Filter and Packet count.
You can use the first option (called Filter) to enable packet filtering and specify which packets should be processed by the Suricata IDS. The filter can contain one predefined filter. For more information about filters, see IDS Probe filters.
As mentioned in the Suricata IDS Configuration and Tuning section, only the first N packets from each session (per bi-flow) are passed to the Suricata IDS system for inspection. You can adjust this value by using the Packet count option. By default, this value is set to 10 packets (that is, 5 packets from each direction). The value can be in the range of 3-100 packets.
In the following screenshot, you can see the configuration of the IDS probe in the Flowmon Configuration Center:
Detected IDS events are sent using Syslog:
- To all servers defined in Syslog event logging settings (Flowmon Configuration Center > System > System settings). Selecting or deselecting any of "Configure Syslog Message" groups does not affect the IDS Probe.
- Directly to IDS Collector in the Flowmon ADS module if installed on the same machine.
Detected events are stored in the /data/idsp/outputs/eve.json file. This JSON file is processed by syslog-ng according to the configuration file /etc/syslog-ng/conf.d/idsp.conf. In idsp.conf, you can manually configure how events are sent using syslog.
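To check what the probe has written before events reach syslog, you can read eve.json directly. The following is an added example, not part of the Flowmon documentation: it parses Suricata EVE records line by line and counts alerts per signature. The sample records, signature IDs and function names are constructed for illustration; the field names follow Suricata's EVE alert format.

```python
import json
from collections import Counter

EVE_PATH = "/data/idsp/outputs/eve.json"  # path given on this page

# Constructed sample records in EVE format (one JSON object per line).
# The last line is cut off on purpose, as happens when the file is read mid-write.
SAMPLE_EVE = [
    '{"timestamp":"2026-05-05T10:00:01+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","alert":{"signature_id":1000001,"signature":"EXAMPLE constructed rule A","severity":3}}',
    '{"timestamp":"2026-05-05T10:00:02+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.5"}',
    '{"timestamp":"2026-05-05T10:00:03+0000","event_type":"alert","src_ip":"192.0.2.77","dest_ip":"198.51.100.5","alert":{"signature_id":1000002,"signature":"EXAMPLE constructed rule B","severity":1}}',
    '{"timestamp":"2026-05-05T10:00:04+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.9","alert":{"signature_id":1000001,"signature":"EXAMPLE constructed rule A","severity":3}}',
    '{"timestamp":"2026-05-05T10:00:05+0000","event_type":"al',
]


def parse_alerts(lines):
    """Return (alerts, skipped): alert records and the number of unparseable lines."""
    alerts, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated or corrupted record; count it, do not abort
            continue
        if (isinstance(rec, dict) and rec.get("event_type") == "alert"
                and isinstance(rec.get("alert"), dict)):
            alerts.append(rec)
    return alerts, skipped


def top_signatures(alerts, max_severity=3):
    """Count alerts per (signature_id, signature). Severity 1 is the most severe."""
    counts = Counter()
    for rec in alerts:
        a = rec["alert"]
        if a.get("severity", 255) <= max_severity:
            counts[(a.get("signature_id"), a.get("signature"))] += 1
    return counts.most_common()


if __name__ == "__main__":
    # On the appliance, pass open(EVE_PATH, encoding="utf-8", errors="replace") instead.
    alerts, skipped = parse_alerts(SAMPLE_EVE)
    for (sid, sig), n in top_signatures(alerts):
        print(f"{n:5d}  sid={sid}  {sig}")
    print(f"skipped {skipped} unparseable line(s)")
```

A signature that dominates the counts is a natural first candidate for the false positive tuning described in the Configuration in the command line section.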
You can start or stop the IDS Probe using the Flowmon Configuration Center (Versions > IDS Probe - Stop/Start).