Version 12.1
- Last Updated: May 1, 2026
Version: 12.1.3
Date: 2023-07-17
Copyright © 2007 - 2023 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
You can use this package for new installations or to upgrade Flowmon ADS on a Flowmon appliance.
Support information
For help, contact our support team at support@flowmon.com.
Compatibility
- This package is compatible with Flowmon OS 12.2.0 or higher.
- This package is compatible with Flowmon Packet Investigator 11.0.0 or higher.
Dependencies
The following table summarizes the minimum required versions of Flowmon OS and Flowmon ADS for various versions of the package.
The table only lists versions with a change in dependencies.
| ADS pkg version | Minimum required version of Flowmon OS | Minimum required version of ADS upg / standard package | Notes |
|---|---|---|---|
| 12.1.0 | 12.2.0 | 11.1.1* | *ADS 12.0.4+ is needed to upgrade FM to 12.2.0 |
| 12.0.0 | 12.0.0 | 11.1.1* | *ADS 11.2.4+ is needed to upgrade FM to 12.0.0 |
| 11.4.1 | 11.1.9 | 10.0.0* | *ADS 11.1.1+ is needed to upgrade FM to 11.1.9 |
| 11.3.2 | 11.1.7 | 10.0.0* | *ADS 11.1.1+ is needed to upgrade FM to 11.1.7 |
| 11.3.0 | 11.1.6 | 10.0.0* | *ADS 11.1.1+ is needed to upgrade FM to 11.1.6 |
| 11.2.0 | 11.1.0 | 10.0.0* | *ADS 11.1.1+ is needed to upgrade FM to 11.1.0 |
| 11.0.4 | 11.0.1 | 10.0.0 | |
Installation
The installation requires a Flowmon ADS license.
For upgrades from previous major versions, you need a license with Gold or Platinum support.
The installation and uninstallation process of Flowmon ADS 11 restarts the flow collector for a short period of time during which flow data are not collected.
This will affect traffic charts in Flowmon Monitoring Center and event charts in Flowmon ADS.
- Download the package from the support portal. Do NOT unpack it.
- Log in to Flowmon Configuration Center on your Flowmon appliance.
- Open the Version page.
- Click Import package and choose the installation package.
- Wait until a notification appears informing you that the update was successful.
After upgrading from a previous major version, the web UI may display incorrectly with visual artifacts like missing text.
In that case, try to clear the browser cache first.
Cleaning local storage in Firefox/Chrome browser:
- Press F12 to open developer tools.
- Switch to the "Console" tab.
- Type the following command: localStorage.clear();
- Press Enter to confirm the command.
Notes
The Czech and Japanese translations (user guide and texts added or changed in the UI) might not be available with beta releases. The translations will be available with the stable release at the latest.
Changes in version 12.1.3 (2023-07-17)
FIXED ISSUES:
- 188450, 190531: Fixed an issue that caused an error when editing and saving BPATTERNS method instances.
- 189882: False positive rules with ASN or hostname only are no longer removed when any filter is removed.
- 190933: False positive rules are now correctly applied to the DHCPANOM: OversendingClientIP submethod.
- 191058: Imported false positive rules (through XML configuration import) correctly respect selected method instances.
Previous releases
Version 12.1.2 (2023-05-10)
What's new:
- REFLECTDOS:
  - The method was extended to detect misuse of the SLP protocol to amplify DoS attacks (CVE-2023-29552).
FIXED ISSUES:
- 187564:
  - Fixed an issue that caused the ADS processing engine to restart when receiving only flows with zero bytes in the last five minutes.
  - The IP (hosts) blacklists from MISP servers now work correctly after an update to ADS 12.1. Previously, the blacklist would not work until the blacklist was updated.
Version 12.1.1 (2023-03-14)
What's new:
You can add the following blacklists as a custom blacklist to detect Remote Access Applications activity:
- IP based blacklists: Download IP-based Remote Access Applications blacklist
- Domain based blacklists: Download domain-based Remote Access Applications blacklist
FIXED ISSUES:
- API: Improved REST API documentation for filters and fixed the invert and atomize actions during filter creation.
- Special characters '&', '"', '>', '<' are now shown correctly in the name fields.
- Applying the ISP configuration template removes the default configuration for corporate networks again (LAN filter, Operational and Security issues perspectives).
- Many minor fixes and improvements to the user experience, for example:
  - Blacklist file can be uploaded with CR EOL format.
  - Data feed column is now sorted properly.
  - Delete all events marked as false-positive now works correctly.
  - The ADS appliance logs are now significantly smaller in size.
  - Improved error message when importing invalid atomic filters.
Version 12.1.0 (2023-01-31)
What's new:
- A new detection method DOHDET was added to detect DNS over HTTPS (DoH) traffic.
  The DoH traffic can be used to hide from the network monitoring tools and to conceal malicious activities or communications.
  The method consists of two submethods to detect DoH communications and servers.
  - The first submethod is based on a list of known DoH servers.
    - This method relies on SNI information to accurately detect DoH servers and therefore requires Flowmon Probe with enabled HTTPS monitoring.
    - To enable SNI in the flow data, see Flowmon user guide chapters 4.3.1 Advanced Settings and 5.1 FMC Configuration.
  - The second submethod uses an advanced algorithm that inspects behavioral patterns in flow data.
    - The submethod is applied to communications with known DoH servers if the SNI is not available.
    - Therefore, the detection works without the need for SNI (that is, it does not require Flowmon Probes).
  - Note:
    - The method is not automatically activated and added to any of the defined perspectives (including default perspectives).
    - You can activate the method in Settings → Processing → Methods.
    - To display detected events, you must add the method to the perspective manually in Settings → Processing → Perspectives.
- The following detection methods were refined, extended, or reworked to enhance detection accuracy and provide additional tuning options to the users.
  - RDPDICT:
    - The method was revised to reliably detect attacks against the current versions of RDP protocols.
    - Additionally, new method parameters are introduced to allow you to tune the detection.
  - TEAMVIEWER:
    - The method's accuracy was increased with the new usage of Autonomous System Numbers (ASNs) when the DNS domain name is not available.
    - Usage of ASNs in the TEAMVIEWER method requires ASNs in the flow data.
    - Flow data from Flowmon Probes are exported with ASN based on settings (can be checked in FCC > Monitoring Ports > Advanced Settings).
    - If third-party flow sources do not export ASN in the flow data, the flows can be extended with ASN on the Flowmon Collector side.
    - You can enable this feature on Flowmon Collector in FCC > FMC Configuration > Autonomous Systems.
  - DNSANOMALY:
    - The ForbiddenServer submethod now allows you to exclude local DNS servers from the detection of communication with unauthorized servers. This removes false positive detections when a local DNS server communicates with public DNS servers.
    - To do so, assign a filter with local DNS servers to a new parameter called 'PolicyExceptions'.
  - RANDOMDOMAIN:
    - Added a parameter to specify which traffic the method processes (DNS, HTTP(S), or both).
    - This allows you to, for example, report only on HTTP(S) communication with random domains and not report the communications with only the DNS translations (or report with lower priority by using another method instance for DNS traffic in the Perspectives).
  - BLACKLIST:
    - The IP blacklist format now includes an optional comment field to provide additional information about blacklisted IP addresses. The comment is shown in Event Detail.
  - The detail of 'General information' for an IP address was extended.
    - When 'General information' is shown for the blacklisted IP address, the detail now shows all blacklist names and comments the IP address is part of.
    - With this change, you can also add a comment to the blacklisted IP addresses by adding the IP address and your own comment to a CSV file.
    - You can then add the CSV file as a custom blacklist in the ADS and the comment will be shown in 'General information' detail.
    - There might be some delay as the custom blacklists are updated every 6 hours.
- Added customizable columns in event tables to present important information without the need to open Event Detail.
  - You can now customize the IP view table (events table) from the table header.
    - It is possible to show or hide the following columns: Method Instances, Comments, and Categories.
  - The existing table customization options in the Events page (tabs 'Simple list', 'By Host', and 'By MITRE') were extended with the same columns.
  - The context menu of an event now also contains an option to add comments to the event (in addition to the existing option to assign categories).
  - Adding comments or assigning categories to events is now also available for non-admin users.
    - To enable this, check the ADS Settings > System Settings > General settings.
  - The settings are currently stored in browser cookies.
- Direct link from Event Evidence to Monitoring Center > Analysis is added to streamline event investigation.
  - Using the link, a new tab with Monitoring Center > Analysis is opened.
  - The Analysis is preconfigured (corresponding period, profile, and channels) and the filter is pre-filled.
- MITRE ATT&CK mapping was updated to version 11.
  - Report preset for MITRE ATT&CK v11 is available in Dashboard & Reports.
- The ADS UI has been updated with new colors and logos to be in line with Progress branding.
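A pre-upload check for a custom IP blacklist CSV, covering the optional comment field described under BLACKLIST above and the CR line endings mentioned in the 12.1.1 fixes. This is an added example, not Progress or Flowmon code; the column layout (IP address first, optional comment second) and the name `lint_blacklist` are assumptions, and the sample data is constructed.

```python
import csv
import io
import ipaddress

# Constructed sample: CR, CRLF and LF line endings mixed, documentation-range IPs.
SAMPLE = (
    b"198.51.100.7,Remote access tool seen in IR case\r"
    b"2001:db8::1\r\n"
    b"203.0.113.300,typo in last octet\n"
    b'192.0.2.10,"C2, reported by partner"\r'
    b"198.51.100.7,duplicate entry\n"
)


def lint_blacklist(raw: bytes):
    """Return (entries, errors) for a blacklist CSV.

    Assumed layout, not taken from the product documentation: one entry per
    line, IP address in column 1, optional free-text comment in column 2.
    """
    # Normalise CRLF and bare CR to LF so every entry is parsed as its own line.
    text = raw.decode("utf-8-sig").replace("\r\n", "\n").replace("\r", "\n")
    reader = csv.reader(io.StringIO(text))
    entries, errors, seen = [], [], set()
    for row in reader:
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) > 2:
            errors.append((reader.line_num, "too many columns; quote comments that contain commas"))
            continue
        try:
            ip = ipaddress.ip_address(row[0].strip())
        except ValueError:
            errors.append((reader.line_num, f"not an IP address: {row[0].strip()!r}"))
            continue
        if ip in seen:  # compares parsed addresses, so IPv6 spellings are normalised
            errors.append((reader.line_num, f"duplicate entry: {ip}"))
            continue
        seen.add(ip)
        entries.append((str(ip), row[1].strip() if len(row) == 2 else ""))
    return entries, errors


if __name__ == "__main__":
    ok, bad = lint_blacklist(SAMPLE)
    for ip, comment in ok:
        print(f"OK   {ip}  {comment}")
    for line, msg in bad:
        print(f"line {line}: {msg}")
```

Running the check before import catches malformed addresses and duplicates that would otherwise only surface after the next blacklist update cycle.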
FIXED ISSUES:
- 168123: Method-specific and optional parameters of a SCANS method are now shown correctly.
- 175984, 182700: The SVRNA method now shows correct flows in Event Evidence.
- 179999: The usage of the 'Assign to detection methods' function is now logged and the usage can be viewed on the 'Logs' page.