
Flowmon Anomaly Detection System (ADS) Release Notes

Version 12.0

  • Last Updated: May 1, 2026

Version 12.0.4

Date: 2022-11-22

Fixed issues:

  • 170980, 177545: False-positives sorting now works correctly.

  • 173143: RANDOMDOMAIN, TEAMVIEWER, and TOR are now active when applying the Typical Company template in Configuration Wizard.

  • 176192: HIGHTRANSF now correctly shows the transferred amount of data in Event Detail for the Japanese language.

Version 12.0.3

Date: 2022-06-01

Fixed issues:

  • 171498: False-positive rules no longer restart the processing engine when applied to SIP methods on running SIP data feed.

  • 171575, 171736: Selecting method instance in perspective no longer prevents saving.

Known issues:

  • The user guide in Czech and Japanese languages cannot currently be exported as a PDF.

Version 12.0.2

Date: 2022-05-10

What's new:

  • Added user guide for Czech and Japanese languages.

Fixed issues:

  • 168438: Fixed an issue where IDS Collector allocated too much memory, which sometimes led to performance issues.

  • The RANDOMDOMAIN detection method instance is now created automatically.

  • Note: The method is not automatically added to any of the defined perspectives (including default perspectives). To display detected events, the method must be added to the perspective manually by the user.

Known issues:

  • Some newly added texts are not translated into Czech and Japanese.

Version 12.0.1

Date: 2022-04-06

Fixed issues:

  • 167521: The TELNET method is now restricted to TCP and UDP traffic.

  • 167761: Events detected by the MULTICAST method now show the description of the multicast addresses again.

  • The header of the Attached Flows table is now shown correctly for the RANDOMDOMAIN method.

  • Flowmon ADS now correctly installs on Flowmon 12 instances with Flowmon APM.

Known issues:

  • The user guide for Czech and Japanese languages is currently unavailable and will be available in the upcoming 12.0.x releases (prior to the stable version).

  • Event details of methods that were changed in this version are not currently available in Japanese language and will be available in the upcoming 12.0.x releases (prior to the stable version).

Version 12.0.0

Date: 2022-03-02

What's new:

  • A new detection method, RANDOMDOMAIN, was added to automatically detect random domain names, which can indicate that malware-infected devices are communicating with a Command and Control server.

    • The method analyzes multiple properties of the second-level domain names and evaluates whether random domain name patterns are in use.

    • The method requires flows with HTTP Hostname or DNS question name field filled in. To enable this feature, see Flowmon user guide chapters 4.3.1 Advanced Settings and 5.1 FMC Configuration.

  • The following detection methods were refined, extended, or reworked to improve detection accuracy and give users clearer insights.

    • TOR:

      • The method was completely reworked to provide accurate results when detecting malicious communication with the TOR network. The method now consists of two submethods.

      • ClientDirectAccess submethod - reports devices in the network that actively connect to the TOR network (via TOR browser, TOR-based OS distributions, or other clients that connect to TOR).

      • ServerAccess submethod - reports connection attempts from the TOR network to the monitored devices (e.g., servers accessible from the Internet).

    • ANOMALY:

      • The prediction value calculation was improved to increase the accuracy of the method.

      • Event detail was changed and now shows an increase between the current value and predicted value instead of the current and previous value.

    • SCANS:

      • SCANS method was extended to detect TCP connect scans.

      • TCP SYN scan detection accuracy was increased by also analyzing flows where the scan succeeds (a service is listening on the scanned port), i.e. flows with request flags SYN|RST.

  • False-positive rule definition is extended with new options that allow granular tuning.

    • Users can exclude traffic of legitimate autonomous systems (Microsoft, Google, Amazon, etc.) or domains (e.g., *office365.com) from processing in detection methods by defining Autonomous System Number (ASN) and Fully Qualified Domain Name (FQDN) in the false-positive rule.

      • All traffic of defined ASNs is excluded from processing for respective ASNs (and their mapped IP address ranges).

      • Usage of ASNs in false-positive rules requires ASNs in the flow data. Flow data from Flowmon Probes are exported with ASN according to the probe settings (see FCC > Monitoring Ports > Advanced Settings). If third-party flow sources do not export ASN in the flow data, the flows can be extended with ASN on the Flowmon Collector side. This feature can be enabled on Flowmon Collector in FCC > FMC Configuration > Autonomous Systems.

      • Only HTTP/S and DNS traffic is excluded from processing for respective FQDN.

      • Usage of FQDNs in false-positive rules requires flows with HTTP Hostname or DNS question name field filled in. To enable this feature, see Flowmon user guide chapters 4.3.1 Advanced Settings and 5.1 FMC Configuration.

    • False-positive rules can now be applied to all or selected method instances.

  • Attached flows can be shown in event detail to improve analysis of the detected event.

    • Attached flows are the list of flows on which the system based the detection of the event. This feature is disabled by default. To enable it, go to Setting > System Settings > Storage Settings and enable 'Attach flows'.

    • Attached flows are displayed in the sub-tab in the Event Detail > Event Evidence once the feature is turned on.

    • The previous Event Evidence that shows flows stored in Monitoring Center is available under the sub-tab 'Monitoring Center' and the attached flows can be viewed in the sub-tab 'Attached Flows'.

  • Custom patterns can now be mapped to MITRE ATT&CK tactics and techniques by the user.

  • SYSCHECK: Event Flood parameters are now stricter, disabling detection methods that detect too many events (usually due to misconfiguration) and degrade system performance.

    • The parameters are set to a maximum of 100 events per 5 minutes and a maximum of 1000 event updates per hour. The values can be configured in the method configuration available in Settings > Processing > Methods.

  • REST API was revised and extended.

    • SNMP and Syslog Reporting endpoints were added to the REST API. For more information see the built-in REST API documentation.

  • Compatibility with Flowmon 12.0.
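The RANDOMDOMAIN item above states that the method analyzes multiple properties of the second-level domain name. The following Python example is added here as an illustration and is not Flowmon ADS code or its actual algorithm: it extracts the second-level label (skipping multi-part public suffixes), computes length, Shannon entropy, vowel ratio, digit ratio and the longest consonant run, and flags a name when several of these properties look generated rather than chosen by a person. The feature thresholds, the tiny suffix list and the sample hostnames are all constructed assumptions for the example.

```python
import math
from collections import Counter

# Constructed sample hostnames (not captured telemetry). mail.example.co.uk is included
# to show that the second-level label must be taken above a multi-part public suffix.
SAMPLE_HOSTNAMES = [
    "www.microsoft.com",
    "mail.example.co.uk",
    "xk7q9zv2ptw3.com",
    "a8f3kd02jx1b.net",
    "cdn.office365.com",
]

# Tiny stand-in for the Public Suffix List; a real deployment would use the full list.
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}
VOWELS = "aeiou"


def second_level_label(hostname):
    """Return the registrable label (e.g. 'example' from mail.example.co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(text):
    """Bits per character; generated strings over a wide alphabet score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(text):
    """Length of the longest run of consecutive consonant letters."""
    run = best = 0
    for ch in text:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def domain_features(hostname):
    """The per-label properties the randomness score is built from."""
    label = second_level_label(hostname)
    letters = [c for c in label if c.isalpha()]
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0,
        "digit_ratio": sum(c.isdigit() for c in label) / len(label) if label else 0.0,
        "consonant_run": longest_consonant_run(label),
    }


def randomness_score(hostname):
    """Count how many of the 'looks generated' checks the label trips (0-5).

    Thresholds are constructed for this example, not tuned values from any product."""
    f = domain_features(hostname)
    checks = [
        f["length"] >= 10,
        f["entropy"] >= 3.2,
        f["vowel_ratio"] < 0.2,
        f["digit_ratio"] >= 0.25,
        f["consonant_run"] >= 4,
    ]
    return sum(checks)


def flag_random_domains(hostnames, threshold=3):
    """Hostnames whose second-level label trips at least `threshold` checks."""
    return [h for h in hostnames if randomness_score(h) >= threshold]


if __name__ == "__main__":
    for h in SAMPLE_HOSTNAMES:
        print(f"{h:24s} score={randomness_score(h)} {domain_features(h)}")
```

Requiring several properties to fire at once is what keeps legitimate but unusual names such as office365 (digits, but normal vowel ratio and low entropy) out of the results; a single-feature rule on digit ratio alone would flag it.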
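The SCANS item above mentions TCP connect scan detection and the SYN|RST request-flag signature of a successful SYN scan. The Python example below is an added illustration of flag-based scan classification over flow records, not Flowmon's implementation: SYN-only request flows are probes of closed or filtered ports, SYN|RST request flows are half-open probes of listening ports, and a completed handshake torn down immediately with no payload is treated as a connect probe. A source is reported when it probes many distinct host/port pairs. The flow record layout, the flag interpretation, the thresholds and the sample flows are constructed assumptions.

```python
from collections import defaultdict


def make_flow(src, dst, dport, flags, packets, payload_bytes, proto="TCP"):
    """Build a constructed request-direction flow record (client -> server)."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto,
            "flags": set(flags), "packets": packets, "payload_bytes": payload_bytes}


SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]
OPEN_PORTS = {22, 80, 443}  # constructed: ports with a listening service on 10.0.0.20

SAMPLE_FLOWS = []
# 10.0.0.5: TCP SYN (half-open) scan. Listening ports answer SYN-ACK and the scanner
# tears down with RST, so the request flow carries SYN|RST; closed ports leave SYN only.
for port in SCANNED_PORTS:
    flags = {"SYN", "RST"} if port in OPEN_PORTS else {"SYN"}
    SAMPLE_FLOWS.append(make_flow("10.0.0.5", "10.0.0.20", port, flags, 2, 0))
# 10.0.0.6: TCP connect scan: full handshake, then immediate close with no data.
for port in SCANNED_PORTS[:10]:
    SAMPLE_FLOWS.append(make_flow("10.0.0.6", "10.0.0.20", port, {"SYN", "ACK", "RST"}, 3, 0))
# 10.0.0.7: ordinary client sessions and a DNS query, which must not be flagged.
SAMPLE_FLOWS.append(make_flow("10.0.0.7", "10.0.0.20", 443, {"SYN", "ACK", "PSH", "FIN"}, 40, 5200))
SAMPLE_FLOWS.append(make_flow("10.0.0.7", "10.0.0.20", 443, {"SYN", "ACK", "PSH", "FIN"}, 12, 900))
SAMPLE_FLOWS.append(make_flow("10.0.0.7", "10.0.0.53", 53, set(), 1, 48, proto="UDP"))


def classify_flow(flow):
    """Return the probe type a request flow looks like, or None for normal traffic."""
    if flow["proto"] != "TCP":
        return None
    f = flow["flags"]
    if f == {"SYN"}:
        return "syn_probe_closed"   # SYN sent, no handshake completed (closed or filtered)
    if f == {"SYN", "RST"}:
        return "syn_probe_open"     # SYN, SYN-ACK received, then RST: half-open probe of a listening port
    if ({"SYN", "ACK"} <= f and (f & {"RST", "FIN"})
            and flow["payload_bytes"] == 0 and flow["packets"] <= 4):
        return "connect_probe"      # handshake completed, torn down at once, no application data
    return None


def detect_scanners(flows, min_targets=10):
    """Report sources that probed at least min_targets distinct (host, port) pairs."""
    targets = defaultdict(set)
    kinds = defaultdict(set)
    for flow in flows:
        kind = classify_flow(flow)
        if kind is None:
            continue
        targets[flow["src"]].add((flow["dst"], flow["dport"]))
        kinds[flow["src"]].add(kind)
    return {src: {"targets": len(pairs), "kinds": sorted(kinds[src])}
            for src, pairs in targets.items() if len(pairs) >= min_targets}


if __name__ == "__main__":
    for src, info in detect_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {info['targets']} targets, {', '.join(info['kinds'])}")
```

A single short, payload-free session (a health check, for instance) classifies as a connect probe on its own, which is why the decision is taken per source over a count of distinct targets rather than per flow; the count threshold is the knob that trades sensitivity for false positives.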
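The false-positive rule items above describe three behaviours: ASN-based exclusion that removes all traffic of the listed ASNs (with collector-side ASN enrichment when the exporter omits it), FQDN-based exclusion that only applies to flows carrying an HTTP hostname or DNS question name, and rule scoping to all or selected method instances. The Python example below is added here to show that logic end to end and is not Flowmon code: the flow and rule layouts, the prefix-to-ASN table (documentation prefixes and private ASNs), the method instance names SCANS-1 and BLACKLIST-1, and the sample flows are all constructed assumptions.

```python
import fnmatch
import ipaddress

# Constructed prefix-to-ASN table standing in for the collector-side Autonomous Systems
# mapping (documentation prefixes and private-use ASNs, not real allocations).
PREFIX_TO_ASN = {
    ipaddress.ip_network("203.0.113.0/24"): 64496,
    ipaddress.ip_network("198.51.100.0/24"): 64497,
}

# Constructed flows; the ASN fields are None because the (hypothetical) exporter omits them.
SAMPLE_FLOWS = [
    {"id": "f1", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
     "http_hostname": None, "dns_qname": None, "src_asn": None, "dst_asn": None},
    {"id": "f2", "src": "10.0.0.5", "dst": "192.0.2.7", "dport": 443,
     "http_hostname": "outlook.office365.com", "dns_qname": None, "src_asn": None, "dst_asn": None},
    {"id": "f3", "src": "10.0.0.5", "dst": "192.0.2.8", "dport": 445,
     "http_hostname": None, "dns_qname": None, "src_asn": None, "dst_asn": None},
    {"id": "f4", "src": "10.0.0.5", "dst": "192.0.2.53", "dport": 53,
     "http_hostname": None, "dns_qname": "notoffice365.com", "src_asn": None, "dst_asn": None},
    {"id": "f5", "src": "10.0.0.5", "dst": "192.0.2.9", "dport": 80,
     "http_hostname": "cdn.example.net", "dns_qname": None, "src_asn": None, "dst_asn": None},
]

# Constructed rules: the first applies to all method instances, the second only to
# the hypothetical instance BLACKLIST-1.
RULES = [
    {"name": "cloud-provider", "asn": {64496}, "fqdn": ["*office365.com"], "methods": "all"},
    {"name": "cdn-only", "asn": set(), "fqdn": ["*.example.net"], "methods": {"BLACKLIST-1"}},
]


def lookup_asn(ip):
    """Longest-prefix match of an address against the constructed ASN table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in PREFIX_TO_ASN.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def enrich_asn(flow):
    """Copy of the flow with src_asn/dst_asn filled from the prefix table when missing."""
    flow = dict(flow)
    for side in ("src", "dst"):
        if flow.get(f"{side}_asn") is None:
            flow[f"{side}_asn"] = lookup_asn(flow[side])
    return flow


def fqdn_matches(pattern, name):
    """Case-insensitive wildcard match; a flow without a hostname never matches."""
    if not name:
        return False
    return fnmatch.fnmatchcase(name.lower().rstrip("."), pattern.lower())


def excluded_by_rule(flow, rule, method_instance):
    """True if the rule removes this flow from the given method instance's processing."""
    scope = rule.get("methods", "all")
    if scope != "all" and method_instance not in scope:
        return False
    # ASN criterion: all traffic to or from the listed ASNs is excluded.
    if flow.get("src_asn") in rule["asn"] or flow.get("dst_asn") in rule["asn"]:
        return True
    # FQDN criterion: only flows carrying an HTTP hostname or DNS question name can match.
    return any(fqdn_matches(p, flow.get("http_hostname")) or fqdn_matches(p, flow.get("dns_qname"))
               for p in rule["fqdn"])


def filter_flows(flows, rules, method_instance):
    """Flows that survive every false-positive rule for one method instance."""
    kept = []
    for flow in flows:
        flow = enrich_asn(flow)
        if not any(excluded_by_rule(flow, rule, method_instance) for rule in rules):
            kept.append(flow)
    return kept


if __name__ == "__main__":
    for instance in ("SCANS-1", "BLACKLIST-1"):
        print(instance, [f["id"] for f in filter_flows(SAMPLE_FLOWS, RULES, instance)])
```

Two points worth checking when writing such rules: a pattern with a bare leading wildcard such as *office365.com also matches look-alike names like notoffice365.com (flow f4 above), so *.office365.com plus the exact apex name is the safer pair; and an ASN exclusion silences every method instance it is scoped to for all traffic of that provider, so anything hosted there, legitimate or not, disappears from those methods' results.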

Fixed issues:

  • 151106: Configuration Wizard now correctly creates LAN filter with address range 172.16.0.0/12 (instead of 172.16.0.0/20).

  • 152492: Outdated BPATTERNS are no longer processed when no BPATTERN method instance is defined; previously this caused system warning messages.

  • 159461: Various issues and documentation mismatches were fixed to ensure that the REST API and documentation are up to date.

  • 159483: Fixed an issue in DHCPANOMALY (ServerChange submethod) that caused the current MAC address not to be updated, which could result in the Event Detail showing the same former and current MAC address.

  • 159640: The ADS in DA no longer remains stopped after replacing an expired license.

  • 163575: Fixed an issue with missing Traffic Recording tab in Event Detail.

  • 164545: Fixed an issue that caused the GUI to become unresponsive on a misconfigured system with a large amount of events.

  • HIGHTRANSF: the limit of the TransferThreshold parameter is now applied correctly.

Known issues:

  • The user guide for Czech and Japanese languages is currently unavailable and will be available in the upcoming 12.0.x releases (prior to the stable version).

  • Event details of methods that were changed in this version are not currently available in Japanese language and will be available in the upcoming 12.0.x releases (prior to the stable version).
