
Flowmon Anomaly Detection System (ADS) Release Notes

Version 11.2

  • Last Updated: May 1, 2026

Version 11.2.4

Date: 2021-04-28

Fixed issues:

  • 7635730: Enabling the SMB extension no longer causes false positive detections by the 'DICTATTACK: SambaProtocol' submethod.

  • 7636413: The event detail of BPATTERNS and Custom patterns events now shows the number of targets removed by the false positive rule.

  • IDS event processing is no longer stopped after a corrupted IDS event is received via Syslog.

  • The CZ user guide is available again.

Version 11.2.2

Date: 2021-03-10

What's new:

  • The MITRE ATT&CK matrix used for mapping to ADS events was updated to version 8 (from the previous version 7). Mapping according to version 8 is done for newly detected events only. Events detected prior to this update will still be mapped according to version 7.

Note:

This version includes changes from version 11.1.5 which was released on the same day (for more details see Previous releases - version 11.1.5).

Version 11.2.1

Date: 2021-02-25

Fixed issues:

  • Fixed an issue that shifted the header in a CSV file with exported events.

  • 7634473: Fixed an issue in DHCPANOMALY (ServerChange submethod) that prevented the current MAC address from being updated, which could result in the Event Detail showing the same former and current MAC address.

Note:

  • This version includes performance optimizations from version 11.1.3 (for more details see Previous releases - version 11.1.3).

  • This version includes changes from version 11.1.4 which was released on the same day (for more details see Previous releases - version 11.1.4).

Version 11.2.0

Date: 2021-01-27

What's new:

  • Modernized visualization of the event chart in Analysis.

    • The event chart is now smoothed using curve interpolation.

  • MITRE ATT&CK tactics and techniques are mapped to ADS detection (sub)methods to provide users with additional context.

    • Tactics and techniques are shown in Event Detail or in Events > Simple List by enabling a corresponding column in table customization.

    • Contextual analysis is done to achieve the most accurate mapping. Therefore different tactics and techniques can be assigned to different events of the same submethod. Also, multiple tactics and techniques can be assigned to one event based on how the event evolves.

    • Some detection methods or submethods are not assigned to any tactic and technique (for example when no suitable tactic and technique exists or the method detects configuration issues).

    • Mapping corresponds to ATT&CK v7: https://attack.mitre.org/versions/v7/.

    • Mapping is not done retrospectively, therefore events detected before update to ADS 11.2 are not assigned to any tactic or technique.

  • Encrypted traffic analysis using JA3 fingerprints.

    • JA3 fingerprints extend the BLACKLIST method to detect malicious communications in encrypted traffic.

    • JA3 fingerprints can be added as local or remote blacklist using the new JA3 blacklist data format.

    • Requires the JA3 fingerprint parameter in flow records (provided by Flowmon Probe). JA3 fingerprints can be enabled in the Configuration Center:

      • Flowmon Probe - Monitoring Ports > Advanced Settings,

      • Flowmon Collector - FMC Configuration > Flow Database Fields.

    • Using JA3 fingerprints might lead to false positives due to possible collisions between the JA3 fingerprints of legitimate and malicious applications. You can download the JA3 blacklist from the link below, add it as a local blacklist and edit it if needed. The blacklist can also be added as a remote blacklist to get automatic updates, at the cost of the ability to edit it.

    • The JA3 blacklist is available from the Flowmon JA3 Malware Repository.

  • MISP threat intelligence sharing platform is now supported.

    • MISP instances can be connected to the ADS as a remote blacklist to automatically create blacklists from the MISP IoC feeds and to detect malicious communications.

    • All blacklist data formats supported in ADS are included, including the new JA3 fingerprints.

  • Increased BPATTERNS flows per second (fps) performance.

    • All customers with ADS Business or higher models benefit from increased performance.

    • Maximum performance increased from 15k to 25k fps (valid for Enterprise and Ultimate models).

    • For more information see product specification.

  • The 'Service type' blacklist now accepts the keyword 'ANY' to match any protocol.

  • P2P Supernodes blacklist was removed due to limited usability.
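As an added example, not part of these release notes or of Flowmon's own code, the following Python shows how a JA3 fingerprint is derived from ClientHello parameters, how a blacklist of fingerprints is matched against flow records, and why two different clients can collide on one fingerprint, which is the false-positive risk noted above. The ClientHello values, blacklist, flow-record key names and the (ja3, dst) allow-pair tuning are constructed assumptions for this example.

```python
import hashlib

# GREASE values (RFC 8701) are dropped before hashing, as the reference JA3
# implementation does; otherwise their per-connection randomisation would
# change the fingerprint on every handshake.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: version,ciphers,extensions,curves,point_formats, with the
    fields comma-separated and the values within a field dash-separated."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])


def ja3_hash(**hello):
    """JA3 fingerprint: the MD5 of the JA3 string as a 32-character hex digest."""
    return hashlib.md5(ja3_string(**hello).encode("ascii")).hexdigest()


# Constructed ClientHello parameters (771 = TLS 1.2). The two clients differ
# only in a GREASE cipher that JA3 discards, so they share one fingerprint:
# the collision the release note warns about.
MALWARE_HELLO = dict(version=771, ciphers=[49195, 49199, 52393, 52392],
                     extensions=[0, 23, 65281, 10, 11], curves=[29, 23, 24],
                     point_formats=[0])
LEGIT_HELLO = dict(MALWARE_HELLO, ciphers=[0x0a0a, 49195, 49199, 52393, 52392])

# Constructed blacklist and flow records; "src", "dst", "ja3" are assumed key
# names for this example, not Flowmon's flow-field names.
BLACKLIST = {ja3_hash(**MALWARE_HELLO)}
FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "ja3": ja3_hash(**MALWARE_HELLO)},
    {"src": "10.0.0.7", "dst": "198.51.100.20", "ja3": ja3_hash(**LEGIT_HELLO)},
    {"src": "10.0.0.9", "dst": "198.51.100.21", "ja3": "0" * 32},
]


def match_blacklist(flows, blacklist, allow_pairs=frozenset()):
    """Flag flows whose JA3 is blacklisted. `allow_pairs` holds (ja3, dst) pairs
    an analyst has confirmed legitimate: hypothetical tuning used here to
    suppress the collision without deleting the fingerprint from the blacklist."""
    return [f for f in flows
            if f["ja3"] in blacklist and (f["ja3"], f["dst"]) not in allow_pairs]


if __name__ == "__main__":
    print(len(match_blacklist(FLOWS, BLACKLIST)), "raw hits")  # 2 raw hits
    tuned = match_blacklist(FLOWS, BLACKLIST, {(ja3_hash(**LEGIT_HELLO), "198.51.100.20")})
    print([h["src"] for h in tuned])  # ['10.0.0.5']
```

Removing the colliding fingerprint from a local blacklist would silence both flows, so tuning on the destination (or another flow field) keeps the detection for the malicious client.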

Fixed issues:

  • 7633860: Fixed an error that caused the VPN event to have no source IP in some cases, which caused ADS to stop working.