
Flowmon Demo Tutorial

www.flowmon.com 1
Contents

Part One - Network Operations
  Introduction
  Basic Network Monitoring
    Status Dashboard
    NetOps Dashboard
    Office 365
  Bandwidth Monitoring
    Internet Traffic Spikes
    Alerts
    DNS Errors
  Encrypted Traffic Analysis
    Potentially Unsafe TLS Standards
  Application Performance Monitoring
    Online store application performance and errors
    Public website monitoring
  Automated Packet Analysis

Part Two - Security Operations
  SecOps Dashboard
  Ransomware
    1. Discovery: Network service scanning
    2. Credential access: Dictionary attacks
    3. Collection
    4. Exfiltration
    5. Command & control
    6. Impact
  Cryptocurrency Mining
  Massive Spamming
  Unwanted Applications
    1. BitTorrent
    2. TeamViewer
    3. Webshare
Introduction
This demonstration walkthrough contains a broad range of use cases that can be seen in the
Flowmon public demo (use demo; demo as username and password when prompted to log in).

It is divided into two parts. Part one provides guidance from a top-level view of a monitored
network down to a drilldown into the smallest detail. It showcases basic techniques of network
monitoring, application performance monitoring, and automated packet analysis.

Part two focuses on security use cases, including a full walkthrough of a ransomware attack,
detection of potentially harmful applications, and various other malware infections.
Part One
Network Operations

Basic Network Monitoring

Status Dashboard
Follow this link to access your main dashboard, using the credentials demo; demo when asked
for a username and password.

Your dashboard should look like this.

Your main status dashboard provides a top-level view of your network health, security status,
and application performance. Every dashboard and widget displayed here is fully customizable.

The two widgets titled Application performance overview at the top right provide useful
information about the performance of applications, including the average and median time it
takes an application to respond, as well as the 95th and 99th percentiles.

The percentage number at the top and the performance bar below it show the APM index, which
is a metric calculated from the response times of all transactions and represents the degree of
SLA fulfilment.

Similarly, the Overall network performance widget below reports on network performance via
a variety of metrics: the average bi-directional delay caused by the network (Round-Trip Time),
the average delay caused by waiting for servers to respond (Server Response Time), the average
variance of delay (jitter), and the average number of packets that needed to be retransmitted.

The average value of retransmissions is also displayed as a percentage accompanied by the
color-coded performance bar at the top.

Do not be alarmed by the high number of security events in the bottom-left section; this
demonstration contains several recorded scenarios, all of which are displayed here. It does show,
however, that when a security event is detected, it appears right on the dashboard (and
elsewhere).

To continue the demonstration, switch to the NetOps tab at the top of the screen.
NetOps Dashboard
The NetOps dashboard is also a high-level view, but customized to give an overall understanding
of network issues.

Like the Status dashboard, it shows the status of connected flow data sources, but also the
overall traffic structure, active alerts, active devices, and, at the bottom of the screen,
various statistics about top talkers, the most used network services, and the most common
Internet destinations.

Note the Structure of overall traffic widget, which, as the name implies, provides information
about network traffic trends for a chosen time period and an at-a-glance understanding of the
network's performance.

All the data displayed here is refreshed periodically, and the displayed time period can be
changed.

Now, switch to the Office 365 dashboard.
Office 365
Office work of the future is all in the cloud. Fortunately, that is no hurdle for Flowmon's analytics.

The Office 365 dashboard shows you the suite's delivery performance and status.

At the top left, you can see the performance of each Office 365 application, and next to it
the individual applications ranked by bandwidth consumption.

The Office 365 Retransmissions widget reflects the quality of service delivery in terms of one
of the most important factors affecting it: packet retransmissions.

Below these, there is a breakdown of Office 365 users in terms of the busiest downloaders and
uploaders.

Feel free to explore the other dashboards as well. Note that some of them feature in other
sections, too.
Bandwidth Monitoring

Internet Traffic Spikes

Given how much organizations rely on a smooth Internet connection, any emerging issue needs
to be identified quickly and traced to its root cause.

Start at the Internet traffic dashboard (use the credentials demo; demo if prompted to log in).

Here you can see statistics of your Internet traffic as well as the average values of key
metrics.

The bottom half of the page shows the top sources and destinations of inbound and outbound
Internet traffic.

Notice that the traffic graph in the top left shows a massive spike between 15:00 and 16:00.
This is worth investigating, as it may cause network congestion and degrade the user
experience.

Start the drilldown by clicking the cog icon in the top-right corner and choosing More info from
the dropdown menu.

Now you are in the analysis view.

The spike is still clearly visible. Note the red color, which, as the legend explains, represents a
spike in downloads.

There is more than one way to get to the bottom of what is causing it, but for this demonstration,
just draw a box around it with your mouse.

Then right-click on the box and, under Top 10 statistics by, choose Conversations IP-IP.

In the Advanced analysis window, a chart shows the top 10 IP conversations (i.e., aggregated
connections between two hosts) ordered by bytes transferred. Looking closely, you can see that
the communication pair 172.217.23.193 - 192.168.70.80 has generated more than 4 GB of traffic
within three flows/connections.

You can now display every single connection related to this communication by right-clicking on
one of the IP addresses and selecting First 20 flows from the dropdown menu.

The list of flows shows you the detail of each connection. The Internet traffic spike was caused
by a large download from an HTTP server.

Alerts
You may configure the system to alert you whenever a particular situation occurs. For the
case described above, you would be notified automatically when the Internet uplink is
saturated.

Switch to the Alerts view from the menu on the right.

Look for the Inet Uplink Saturation alert in the list of alerts. You can see its status and the
last time it was triggered, and you have the option to view the details of its activity (Details)
or a preview of its settings (Show).

Click Details to see when the alert fires.

This dialog shows the condition and whether or not it applies at the present moment. The trigger
occurs when traffic exceeds 40 Mb/s. Below the condition, you can see a chart and three lists
with statistics over the past 24 hours.

DNS Errors
Error-free functioning of DNS servers is essential for maintaining smooth connectivity.

Start at the DNS dashboard (use the credentials demo; demo if prompted to log in).

The top part of the dashboard provides an overview of your DNS traffic and DNS errors,
followed in the lower section by a breakdown of the DNS servers handling the greatest load,
the devices receiving the most DNS errors, etc.

To investigate the Server Fail errors, click the cog icon in the top-right corner of the DNS Errors
widget and choose More info from the dropdown menu.

In the graph you can now see that the majority of errors are attempts to resolve non-existent
domains (orange, the NXDOMAIN response code), with periodic server failures (red, SERVFAIL).

You may experiment with checking and unchecking the channels in the legend (Channels) to
see them better.

To prevent No error replies or other data within the profile from interfering with your analysis,
make sure you only have the Server fail profile channel selected.

Select an interval around a spike and right-click on it. Under the First flows menu, choose First
20 flows.

You will notice that a list of flows has appeared in the Advanced analysis section below.
Apparently, the DNS server with the IP address 172.18.28.240 is the one experiencing the issues.

Let's dig deeper into its communication. Enhance the data display with L7 statistics by
selecting dns in the Output field and hitting the Process button again.

This provides you with more DNS-related information, including the type of DNS message,
the payload of those messages, and, most importantly, the DNS question names that the
DNS server has had trouble serving.

Feel free to explore other means of sorting and filtering available in Flowmon Monitoring Center.
Encrypted Traffic Analysis

Potentially Unsafe TLS Standards

Organizations often have security policies in place that prescribe conditions ensuring that
encryption is strong enough. This guide explores the investigation of potentially non-compliant
hosts.

Start on the ETA/TLS dashboard (use the credentials demo; demo if prompted to log in).

At the top, you see a graph of TLS protocol usage differentiated by version. Next to it is a list of
the top 10 endpoints using TLS 1.0. This gives you an immediate overview of devices using a
deprecated encryption standard (TLS 1.0 and 1.1 were formally deprecated by RFC 8996) and
therefore exposed to its known weaknesses.

Below is an overview of TLS client key lengths as well as a chart of TLS ALPN
(application-layer protocol negotiation) values.

To learn more about the use of the standard in these communications, click the cog icon in the
top-right corner of the widget and select More info from the dropdown menu.

Scroll down to the Advanced analysis section in the lower part of the screen and switch to the
List of flows tab. To display servers using the potentially dangerous TLS 1.0, enter
tls-sver "TLS 1.0" in the Filter field. When done, make sure that the Output field reads
extended-tls. If not, choose it from the dropdown menu. Then click Process.

The output indicates that there is a device with the IP address 192.168.2.4 in the organization
that uses an obsolete TLS version. Because the filter keys on the server-side version, a client
that offered TLS 1.2 but was negotiated down to TLS 1.0 by that server also appears here.

You may also explore other aspects of TLS application-layer visibility, including the validity of
TLS certificates, the certificate issuer name, encryption algorithms, etc. Just change the
Output field to tls-certificate and hit the Process button again.
There are copious possibilities of sorting and filtering out different information in the Monitoring
Center, so feel free to experiment.
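The filter-and-check workflow above, expressed in Python over constructed flow records that carry the fields the extended-tls and tls-certificate outputs expose (server-selected version, client-offered version, key length, certificate validity). This is an added example, not Flowmon code or Flowmon filter syntax; the TlsFlow field names, the policy thresholds and the sample flows are assumptions. It goes slightly beyond the walkthrough by also flagging short keys and expired certificates, and by noting when a server negotiated a client down from a better version.

```python
"""Added example, not Flowmon code: a TLS policy check over constructed flow
records. Field names, thresholds and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone

VERSION_RANK = {"SSL 3.0": 0, "TLS 1.0": 1, "TLS 1.1": 2, "TLS 1.2": 3, "TLS 1.3": 4}
MIN_VERSION = "TLS 1.2"      # TLS 1.0 and 1.1 are deprecated (RFC 8996)
MIN_KEY_BITS = 2048


@dataclass(frozen=True)
class TlsFlow:
    src: str
    dst: str
    dport: int
    tls_cver: str             # highest version offered by the client
    tls_sver: str             # version the server selected
    key_bits: int             # public key length in the server certificate
    cert_not_after: datetime  # certificate expiry
    sni: str = ""


def filter_flows(flows, **wanted):
    """Equivalent of the Filter field, e.g. filter_flows(flows, tls_sver="TLS 1.0")."""
    return [f for f in flows if all(getattr(f, k) == v for k, v in wanted.items())]


def findings(flow, now):
    """Policy violations visible in one flow, as short strings."""
    out = []
    if VERSION_RANK[flow.tls_sver] < VERSION_RANK[MIN_VERSION]:
        note = f"negotiated {flow.tls_sver}"
        if VERSION_RANK[flow.tls_cver] > VERSION_RANK[flow.tls_sver]:
            note += f" (client offered {flow.tls_cver})"   # the server chose the downgrade
        out.append(note)
    if flow.key_bits < MIN_KEY_BITS:
        out.append(f"{flow.key_bits}-bit key")
    if flow.cert_not_after < now:
        out.append("expired certificate")
    return out


def noncompliant_servers(flows, now):
    """{(server_ip, port): sorted findings} for every server that violates the policy."""
    report = {}
    for f in flows:
        for item in findings(f, now):
            report.setdefault((f.dst, f.dport), set()).add(item)
    return {k: sorted(v) for k, v in report.items()}


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


NOW = _utc(2020, 6, 1)
# Constructed sample: one legacy server, one with a weak and expired certificate, one clean
SAMPLE = [
    TlsFlow("192.168.2.10", "192.168.2.4", 443, "TLS 1.2", "TLS 1.0", 2048, _utc(2021, 1, 1), "legacy.internal"),
    TlsFlow("192.168.2.11", "192.168.2.4", 443, "TLS 1.0", "TLS 1.0", 2048, _utc(2021, 1, 1), "legacy.internal"),
    TlsFlow("192.168.2.12", "192.168.2.5", 8443, "TLS 1.2", "TLS 1.2", 1024, _utc(2019, 12, 31), "old-cert.internal"),
    TlsFlow("192.168.2.13", "10.20.0.7", 443, "TLS 1.3", "TLS 1.3", 2048, _utc(2022, 1, 1), "ok.example"),
]

if __name__ == "__main__":
    for f in filter_flows(SAMPLE, tls_sver="TLS 1.0"):
        print("TLS 1.0 server:", f.dst, f.sni)
    for (ip, port), items in noncompliant_servers(SAMPLE, NOW).items():
        print(f"{ip}:{port}: {', '.join(items)}")
```

Keying the report on the server endpoint rather than the client mirrors the drilldown: the host to fix is the one that selected TLS 1.0, not the clients that merely offered it.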

You are welcome to play around with the demo, and if you have any questions, don’t hesitate to
ask. We’ll gladly show you everything you’d like to know.

Application Performance Monitoring

Online store application performance and errors

The smooth operation of applications is critical to business productivity. This guide shows you
what insight and evidence you can get from Flowmon APM, a module dedicated to providing
insight into application performance.

Begin on the MySQL_DB dashboard (use demo; demo as access credentials if prompted to log
in).

This dashboard gives you an overview of the performance of an application database server.

At the top of the screen you can see the number of concurrent users, an overview of application
performance (individual metrics are discussed later), and the five slowest transactions.

Below, you can see the amount of data transferred in relation to network transport time,
transaction counts differentiated by their SLA compliance, and a pie chart of errors
distinguished by code.

Slow transactions always require attention, so to perform a drilldown, click the cog icon at the
top-right corner of one of the widgets and choose More info from the dropdown menu.

Now switch to the WebShop tab, if not already there.

Once again, you can see the development of your APM index over the selected timeframe (see
the top-right corner of the screen).

Next to it, you can see some basic information on the most important metrics, followed by a list
of the five slowest transactions.

Below, there is an overview of the application response time with charts for the average,
median, and the 95th and 99th percentiles.

If you scroll down, you can see a chart of transaction counts over the selected timeframe,
followed by lists of the individual transactions.

At the bottom of the page, there are widgets showing error counts and their particular codes,
although none are displayed here (if you wish to see some, switch to the MySQL_DB tab, but
remember to return to continue the demonstration).

The analysis view allows you to investigate individual transactions as well.

Your main pain points are where you usually want to start the analysis, so for ease of
demonstration, scroll back up to the Five slowest transactions and click on the icon next
to one of them.

Most of this tab gives you the same information as the previous view, except that it relates only
to the one selected transaction.

To find out the source of the performance degradation, scroll down to the Instances of
transactions widget. A transaction represents one interaction between the application and the
user (in web applications, a transaction is by default defined as a unique pair comprising an
HTTP method and a URL path, unless configured otherwise).

Click one of the instances to investigate deeper.

Now you can see the transaction in full detail. Notice the enormous difference between the
value of SLA and Application response time, i.e., the difference between the expected
user-defined response time and the actual delay caused by the application. These numbers
indicate a serious issue.

Poor performance may also be caused by a poorly performing network; however, looking
at the value of Network transport time, you can see that the network is running smoothly.

Another potential bottleneck may be a subordinate application, such as the database behind
the web shop application. To check this, scroll down and view the Application response time
of the subordinate MySQL transactions.

Looking at these values, it is easy to infer that the subordinate MySQL queries are not causing
the issue either, which means that the source of the performance degradation is indeed the
application itself.

Feel free to explore other ways of filtering, ordering, and analyzing the data in Flowmon APM.
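The metrics this section walks through (APM index, average/median/95th/99th-percentile response time, the slowest transaction types, and the SLA versus application versus network comparison used to locate the bottleneck), computed in plain Python over a constructed set of transactions. This is an added example, not Flowmon code; the Transaction fields, the nearest-rank percentile and the rules in diagnose() are assumptions made for the example.

```python
"""Added example, not Flowmon code: the APM metrics described in this section
computed over constructed transactions. Field names and diagnose() rules are
assumptions."""
import math
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Transaction:
    method: str         # HTTP method; (method, path) identifies a transaction type
    path: str           # URL path
    sla_ms: float       # expected, user-defined response time
    app_ms: float       # application response time (server-side processing)
    net_ms: float       # network transport time (delay caused by the network)
    db_ms: float = 0.0  # time spent in subordinate MySQL queries, part of app_ms


def percentile(values, p):
    """Nearest-rank percentile, p in 0..100, over a non-empty sample."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def apm_index(txs):
    """Share (in %) of transactions whose application response time met the SLA."""
    within = sum(1 for t in txs if t.app_ms <= t.sla_ms)
    return round(100 * within / len(txs), 1) if txs else 0.0


def response_time_summary(txs):
    """The four figures shown in the Application performance overview widget."""
    times = [t.app_ms for t in txs]
    return {"avg": sum(times) / len(times), "median": median(times),
            "p95": percentile(times, 95), "p99": percentile(times, 99)}


def slowest(txs, n=5):
    """Top-n transaction types by average application response time."""
    groups = {}
    for t in txs:
        groups.setdefault((t.method, t.path), []).append(t.app_ms)
    ranked = sorted(((m, p, sum(v) / len(v)) for (m, p), v in groups.items()),
                    key=lambda row: row[2], reverse=True)
    return ranked[:n]


def diagnose(t):
    """Follow the drilldown's reasoning for one transaction instance."""
    if t.app_ms + t.net_ms <= t.sla_ms:   # what the user experiences is app time plus transport
        return "within SLA"
    if t.net_ms > t.app_ms:               # transport dominates: not the application's fault
        return "network"
    if t.db_ms >= t.app_ms / 2:           # most application time is spent waiting on the database
        return "database"
    return "application"                  # the application itself is slow


# Constructed sample: two slow transaction types, one DB-bound and one network-bound instance
SAMPLE = [
    Transaction("GET", "/cart", 500, 120, 15),
    Transaction("GET", "/cart", 500, 140, 18),
    Transaction("POST", "/checkout", 800, 3900, 20, db_ms=150),
    Transaction("POST", "/checkout", 800, 4100, 25, db_ms=170),
    Transaction("GET", "/product/42", 300, 100, 400),
    Transaction("GET", "/", 300, 90, 10),
    Transaction("GET", "/search", 600, 2500, 30, db_ms=2100),
    Transaction("GET", "/", 300, 110, 12),
]

if __name__ == "__main__":
    print("APM index:", apm_index(SAMPLE), "%")
    print(response_time_summary(SAMPLE))
    for method, path, avg in slowest(SAMPLE, 3):
        print(f"{method} {path}: {avg:.0f} ms")
    for t in SAMPLE:
        print(t.method, t.path, "->", diagnose(t))
```

Note the difference between the averages and the percentiles on this sample: a 62.5 % APM index and a 130 ms median hide two transaction types that take seconds, which is exactly why the dashboard shows p95 and p99 next to the mean.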

Public website monitoring

Flowmon APM Transaction Generator is a software agent running directly on the Flowmon
appliance that tests the availability and performance of chosen websites. This form of testing is
well-suited for automated, lightweight testing of application availability and response.

Start at the Analysis dashboard.

At the top of the screen, there are your daily, weekly, and monthly availability scores.

Below is a summary that lists statistics for each test suite. At the moment there is only one: a
suite testing the website of Flowmon Networks. Click Flowmon Web to view more details.

This view provides much more detail about the testing.

Below the main availability statistics at the top of the screen, you can see charts showing the
availability of the tested website as measured by all the active robots and the average duration
of the tests performed.

At the bottom, there is the history of each individual test, with failed tests marked in red.

Click on a failed test.

This dialog shows the individual steps of the test. You can see that the failure occurred during
the third one, when the agent attempted to interact with a form.

You can also see the full error message and the option to display a screenshot of the website
at the moment the error occurred.
Automated Packet Analysis
Sometimes, flow data alone does not provide enough information to understand the root
cause of network issues, and answers must therefore be sought inside the packets.

Flowmon Packet Investigator is a tool that captures full packet data (either manually or
automatically based on a variety of triggers) and analyzes it automatically. Custom PCAP
files may also be uploaded and analyzed.

Note: Since this demonstration works with pre-recorded scenarios and not real traffic, it is not
possible to show how to make new traffic recordings. However, there are multiple sample
PCAPs available for analysis.

Start in the Recordings section of Flowmon Packet Investigator. Make sure the Group field is
set to 1) FPI.

This list contains all the traffic recordings created by the Packet Investigator or uploaded by the
user. At the top there are multiple fields that allow you to filter your recordings according to a
variety of criteria.

The State column shows the current stage of analysis they are in and whether the analysis was
successful. All of these recordings have been Analyzed.

In the Analysis result column there is a preview of what warnings (yellow triangle icon) and
errors (red icon) have been found.

The Tools column allows you to view the results, edit and download the recording, and display
details about the recording.

Find a recording named DNS_Nonexisting_Domain and click on Analysis in the Tools
column.

At the top there is a field showing all the protocols included in the analysis. This is a default
setting and, for now, let's leave it unchanged.

The left side of the dialog shows events representing the results of each step of the
decision-tree analysis. On the right, you will see a description of each event.

Click on the first event.

The green checkmark indicates that this event shares a piece of neutral information. In this
case, it informs you that a DNS query has been detected.

Note the list of details, including the time frame, source and destination IP addresses, port, and
queried domain name.

Click on the second event.

This event tells you that the query has generated a UDP reply from the server. However, this
reply was not successful, as you will see in the next event.

Click on the third event.

The red icon indicates an error. Looking at the description, the reply has failed with error code
3 (the DNS response code NXDOMAIN). At the bottom right you can see the system's decoding
of the error message, which reads "Domain name does not exist."

Finally, click on the fourth event.

As indicated by the yellow triangle icon, this event provides a warning, raising suspicion about
the event and pointing out that no successful DNS reply has been found in the whole data set.

Note that the system not only reports the DNS query-reply failure but also provides a suggestion
for resolving the issue.
Feel free to explore the other analyzed PCAPs and see for yourself what detections and
interpretations the system provides.
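The DNS Errors drilldown earlier and the Packet Investigator decision tree here both come down to reading the RCODE of each reply and attributing it to a server and a question name. The following added example (not Flowmon code) does that by hand: a minimal parser for the DNS header and question section that follows compression pointers safely, the RCODE-to-text mapping behind "error code 3, Domain name does not exist", and the per-server aggregation used to single out the failing resolver. The replies are constructed inside the block; the server addresses reuse the ones from the walkthrough.

```python
"""Added example, not Flowmon code: a minimal parser for the DNS header and
question section, RCODE decoding, and per-server error aggregation. Replies are
constructed here; server addresses reuse the walkthrough's."""
import struct
from collections import Counter

RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}
RCODE_TEXT = {2: "server failed to complete the request", 3: "domain name does not exist"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_message(txid, qname, rcode=0, response=True, qtype=1):
    """Constructed DNS message with one question and no answers (flags: QR, RD, RA)."""
    flags = (0x8180 if response else 0x0100) | (rcode & 0x0F)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Read a name at offset, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name)."""
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of message")
        length = data[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if (length & 0xC0) == 0xC0:                    # 11xxxxxx: pointer to an earlier name
            if offset + 2 > len(data):
                raise ValueError("truncated compression pointer")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:                      # only backward pointers: no loops
                raise ValueError("forward compression pointer")
            suffix, _ = decode_name(data, pointer)
            labels += [p for p in [suffix.rstrip(".")] if p]
            return ".".join(labels) + ".", offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_reply(data):
    """Header fields, first question and decoded RCODE of a DNS response."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if qdcount < 1:
        raise ValueError("response carries no question")
    qname, off = decode_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    rcode = flags & 0x0F
    return {"id": txid, "qname": qname, "qtype": qtype, "answers": ancount, "rcode": rcode,
            "rcode_name": RCODES.get(rcode, f"RCODE{rcode}"), "text": RCODE_TEXT.get(rcode, "")}


def errors_by_server(replies):
    """replies: iterable of (server_ip, raw_reply) -> {server_ip: Counter of rcode names}."""
    out = {}
    for server, raw in replies:
        out.setdefault(server, Counter())[parse_reply(raw)["rcode_name"]] += 1
    return out


def worst_server(replies, rcode_name="ServFail"):
    """Server that produced the most replies with the given RCODE, or None if none did."""
    counts = errors_by_server(replies)
    server = max(counts, key=lambda s: counts[s][rcode_name], default=None)
    return server if server is not None and counts[server][rcode_name] else None


def failing_names(replies, rcode=2):
    """(server, question name) pairs the server could not serve, as the dns output lists them."""
    parsed = [(server, parse_reply(raw)) for server, raw in replies]
    return sorted({(server, r["qname"]) for server, r in parsed if r["rcode"] == rcode})


# Constructed sample: .240 fails on an internal zone, .241 only sees a client typo
SAMPLE_REPLIES = [
    ("172.18.28.240", build_message(0x1A2B, "intranet.example.", 2)),
    ("172.18.28.240", build_message(0x1A2C, "intranet.example.", 2)),
    ("172.18.28.240", build_message(0x1A2D, "www.example.", 0)),
    ("172.18.28.241", build_message(0x2001, "typo-domain.invalid.", 3)),
    ("172.18.28.241", build_message(0x2002, "www.example.", 0)),
]
```

The parser rejects forward compression pointers and names that run off the end of the message; both are classic ways malformed DNS traffic crashes or loops naive decoders, which is worth keeping in mind when you feed uploaded PCAPs to any analysis tool.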

Part Two
Security Operations

SecOps Dashboard
The SecOps dashboard provides an overview of your network's security status (use demo;
demo as username and password if prompted to log in). It lists detected security events in order
of priority from critical to low, or ordered by age.

The widget at the bottom right titled Top 10 IPs by event count lists the hosts that generate the
most events and thus bear a higher risk of being part of complex security incidents such as
ransomware infections.

On the right, you can see an Event overview by type. This widget lists the detected security
events by detection method and shows their counts.

Now, click on the cog icon in the top-right corner of the widget and select More info.

You are now in Flowmon ADS (Anomaly Detection System). This is a security module that uses
a wide spectrum of detection methods to discover anomalies hidden in network traffic.
Ransomware
Important: Make sure you are viewing the Ransomware perspective. You can check/change
this via the dropdown menu at the top of the page.

Since this is a recorded scenario, this view shows all manifestations of ransomware activity from
every stage of its lifecycle.

Now, let's start at the beginning.

The perimeter has been breached, and the attack is commencing. The attacker's movements
can be detected at every stage. In practice, the whole sequence usually takes several days.

1. Discovery

Network service scanning

As an opening move, the attacker performs initial scans to gain an awareness of active devices
or services. The system notifies you of this activity by alerting you to two anomalies: port
scanning and a target hosts/ports anomaly.

In Flowmon ADS, while in the Analysis view, select SCANS and DIVCOM in the filter of
detection methods.

Here you can see the events that triggered the alert and can dig deeper.

In the Events by priority list, click on SCANS to expand the event and view additional details.

You can immediately see that the source of the events was a device with the IP address
192.168.1.50. Click on it to see more.

This detail shows the individual scanning attempts the attacker made (in this case three,
although the number on your screen may differ).

Now select Event evidence from the context menu next to one of the attempts.

Event evidence shows you the full detail of the attacker's activity, including a description of the
attack, the number of attempts that did or did not generate a response, the ports, and a full list of
targets if you scroll down.

This type of behavior is known as reconnaissance, during which the attacker communicates with
as many devices as possible to seek vulnerabilities and discover options for continuing the
attack. Another technique the attacker may use to scout your network is an ARP scan.

In the Events by priority list, expand the DIVCOM event to view the source.

You can see that the source is the same device as in the case of SCANS. Click the IP address
192.168.1.50 to see more.

In this list you can see all the attempts the attacker has made. Click the Event ID (e.g. #12345)
of one of the events to view the targets.

This dialog shows that the infected station has contacted 255 communication partners.

Please note that outside the context of this attack demonstration, this behavior may indicate other
issues, such as peer-to-peer data sharing or a simple misconfiguration.

2. Credential access
Now that the attacker has scouted your network, they have learned which devices to target in
order to steal your data. Here is how they may gain access.

Dictionary attacks
As a Flowmon ADS user, you will have received alerts about attempted dictionary attacks.

In the Analysis view, disable all methods and leave only DICTATTACK and RDPDICT
selected.

In this way you filter out only the events you need. Click on the DICTATTACK event to expand it.

Here you will learn that the source of the attack was again the device with the IP address
192.168.1.50. Click on it to view the targets.

This list shows that the attacker used two types of brute-force attack to try to guess your
passwords: an RDP dictionary attack and a Samba dictionary attack, which means they
targeted two of your servers. The Targets column also shows their IP addresses.

You may click the Event ID for additional details, such as the explanation of the event or its
possible cause.

The above-mentioned RDP dictionary attack is also detected by the RDPDICT method.

In the Events by priority list, expand the RDPDICT event.

Expand the source IP address (192.168.1.50) to view more details.

These events show you that the attacker has made hundreds of attempts to gain access to a
single target. Choose Event evidence from the context menu of one of the events to see a
description.

Now, you may notice that next to the Event evidence tab there is another one named Related
IDS events with a bracketed (2) next to it.

Click on it to see what events they are.

This dialog shows two other events: unusual behavior on port 445 (red) and an RDP exploitation
attempt (blue). Click on the RDP exploitation attempt to see more details.

This tells you that the attacker used the infected device (192.168.1.50) to try to exploit the
BlueKeep vulnerability (CVE-2019-0708, a pre-authentication remote code execution flaw in
Windows Remote Desktop Services) to gain administrator privileges on the target.

In the end, the attacker did manage to obtain access credentials. Continue to the next section to
see how the attack progressed.

3. Collection
Now that the attacker can access the company data, they begin hoarding it and preparing it for
exfiltration.

This behavior manifests itself as anomalous amounts of data being transferred to the infected
station.

In the Analysis view, disable all methods and leave only HIGHTRANSF selected.

In the Events by priority list, you will see one high-priority event detected by the HIGHTRANSF
method. Expand the event by clicking on it.

The event lists the company server with the IP address 192.168.1.2 as the source. Click on it
to learn more.

Here you can see the original infected device (192.168.1.50) as the recipient of the transfers as
well as the volume of data being transferred.

Note that this could easily be just a routine data backup. In a properly set-up deployment,
where high data transfers are part of normal operation, the backup server would be exempted
from detection and thus would not trigger a security event. In this particular case, however, it is
obvious that the data transfer was anomalous.

4. Exfiltration
The attacker has now finished gathering data and is trying to smuggle it out.

There are two ways this can be done and detected. In the Analysis view, disable all methods
and leave only UPLOAD and ICMPANOM selected.

In the Events by priority list below you will see two events, one for each method. First, click on
UPLOAD to expand it.

This may indicate data exfiltration, as the host with the IP address 192.168.1.50 has been
uploading a large amount of data outside the trusted segment (to an unknown IP address on the
Internet).

The list shows that every upload had the same recipient: an external host with the address
1.0.132.227.

You have options to investigate the host further from here. Click on the arrow next to the target
to display a dropdown menu.

From here you can access additional operations, such as viewing other events the host was
involved in, investigating the address with IP tools, or looking it up using external tools. For now,
just click General information.

The dialog identifies this address as a known botnet C&C server, incriminating the
communication as part of the cyberattack.

Another method the attacker may use to try to exfiltrate sensitive data is via ICMP
messages.

In the Events by priority list, switch to the event labeled ICMPANOM.

Expand the source to view the destination as well as additional details.

The destination is the same as in the case of UPLOAD. However, notice the description: "A
large payload of ICMP packets has been detected."

This is a reasonable indicator of data exfiltration. While ICMP messages are perfectly common
and innocent, these have triggered a critical-priority alert because it is not normal for "ping"
messages to carry a large payload.

5. Command & control

Both detection methods described in the Exfiltration section involve data sent to an address
associated with a botnet command & control server. But even if no data were being exfiltrated,
the system would have picked the communication up.

In the Analysis view, disable all methods and leave only BLACKLIST selected.

Expand the event and click the source IP address to view details of the communication.

The list shows every communication with the above-mentioned malicious address, including the
number of attempts and the amount of data transferred.

6. Impact
If the attack is allowed to progress this far, the attacker may start encrypting the data they have
located and stolen. When this is finished, a ransom note usually follows.

In the Analysis view, disable all methods and leave only BPATTERNS selected.

BPATTERNS stands for behavior patterns, a method that detects malicious activity based
on its characteristic manifestation in network traffic without having to detect a particular piece of
code, unlike traditional signature-based methods.

Expand the detected event and click the source IP address to view details of the
communication.

You can see from the description that suspicious Samba traffic was detected, and you recognize
the Samba server's IP address (192.168.1.2) in the Target column. This may indicate that data
encryption is in progress.

As a summary of the ransomware attack scenario, choose Aggregated events from the context
menu at the top of the detail (next to the Related events button).
This dialog shows the full timeline of the attack, including all the diverse methods used to detect
the malicious activity at its every stage.
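To make the six stages concrete, the following added example (not Flowmon's detection code) replays them as simple flow-based heuristics over a constructed recording and returns the same kind of timeline the Aggregated events dialog shows: SCANS and DIVCOM from the number of distinct targets and peers, DICTATTACK from repeated short RDP/SMB sessions, HIGHTRANSF and UPLOAD from byte volumes per destination, ICMPANOM from bytes per ICMP packet, BLACKLIST from contact with a known C&C address, and BPATTERNS from sustained SMB traffic to the file server. The Flow fields, all thresholds and the sample traffic are assumptions made for the example; the addresses reuse those from the walkthrough.

```python
"""Added example, not Flowmon code: the ransomware stages above replayed as
flow-based heuristics over a constructed recording. Flow fields, thresholds
and sample traffic are assumptions; addresses reuse those in the walkthrough."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INF = float("inf")
INTERNAL = ip_network("192.168.0.0/16")
C2_BLACKLIST = {"1.0.132.227"}         # the external target named in the walkthrough
SCAN_MIN_TARGETS = 50                  # distinct host:port pairs probed with 1-2 packets
DIVCOM_MIN_PEERS = 200                 # distinct communication partners of one host
DICT_MIN_ATTEMPTS = 100                # short sessions against one RDP/SMB service
DICT_PORTS = {3389: "RDP", 445: "SMB"}
HIGH_TRANSFER_BYTES = 1_000_000_000    # internal -> one internal host
UPLOAD_BYTES = 200_000_000             # internal -> one Internet host
ICMP_MAX_PAYLOAD = 128                 # average bytes per ICMP packet
SMB_PATTERN_BYTES, SMB_PATTERN_FLOWS = 100_000_000, 20  # sustained SMB sessions


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds from the start of the recording
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # 0 for icmp
    packets: int
    bytes: int


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def detect(flows):
    """Return (ts, METHOD, source, detail) tuples, oldest first."""
    events = []
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    for src, fs in by_src.items():
        first = min(f.ts for f in fs)
        # 1. Discovery: many host:port pairs touched with tiny flows, many peers overall
        probes = {(f.dst, f.dport) for f in fs if f.proto == "tcp" and f.packets <= 2}
        if len(probes) >= SCAN_MIN_TARGETS:
            events.append((first, "SCANS", src, f"{len(probes)} host:port targets"))
        peers = {f.dst for f in fs}
        if len(peers) >= DIVCOM_MIN_PEERS:
            events.append((first, "DIVCOM", src, f"{len(peers)} communication partners"))
        # 2. Credential access: repeated short sessions (not single-packet probes) to one service
        attempts = defaultdict(lambda: [0, INF])
        for f in fs:
            if f.proto == "tcp" and f.dport in DICT_PORTS and 2 < f.packets <= 10:
                a = attempts[(f.dst, f.dport)]
                a[0], a[1] = a[0] + 1, min(a[1], f.ts)
        for (dst, port), (n, ts) in attempts.items():
            if n >= DICT_MIN_ATTEMPTS:
                events.append((ts, "DICTATTACK", src, f"{n} {DICT_PORTS[port]} attempts on {dst}"))
        # 3-6. Collection, exfiltration, C&C and impact: volumes per destination
        per_dst = defaultdict(lambda: dict(bytes=0, flows=0, ts=INF,
                                           smb=0, smb_ts=INF, icmp=0, icmp_ts=INF))
        for f in fs:
            d = per_dst[f.dst]
            d["bytes"] += f.bytes
            d["flows"] += 1
            d["ts"] = min(d["ts"], f.ts)
            if f.proto == "tcp" and f.dport == 445 and f.packets > 10:   # established SMB sessions
                d["smb"] += f.bytes
                d["smb_ts"] = min(d["smb_ts"], f.ts)
            if f.proto == "icmp" and f.packets and f.bytes / f.packets > ICMP_MAX_PAYLOAD:
                d["icmp"] += 1
                d["icmp_ts"] = min(d["icmp_ts"], f.ts)
        for dst, d in per_dst.items():
            if dst in C2_BLACKLIST:
                events.append((d["ts"], "BLACKLIST", src, f"{d['flows']} flows to blacklisted {dst}"))
            if is_internal(dst) and d["bytes"] >= HIGH_TRANSFER_BYTES:
                events.append((d["ts"], "HIGHTRANSF", src, f"{d['bytes']} B to {dst}"))
            if not is_internal(dst) and d["bytes"] >= UPLOAD_BYTES:
                events.append((d["ts"], "UPLOAD", src, f"{d['bytes']} B to {dst}"))
            if d["icmp"]:
                events.append((d["icmp_ts"], "ICMPANOM", src, f"{d['icmp']} large-payload ICMP flows to {dst}"))
            if d["smb"] >= SMB_PATTERN_BYTES and d["flows"] >= SMB_PATTERN_FLOWS:
                events.append((d["smb_ts"], "BPATTERNS", src, f"sustained SMB traffic to {dst}"))
    return sorted(events)


def sample_flows():
    """Constructed recording: 192.168.1.50 is the infected host, 192.168.1.2 the file server."""
    h, srv, c2 = "192.168.1.50", "192.168.1.2", "1.0.132.227"
    flows = [Flow(i, h, f"192.168.1.{i}", "tcp", 445, 1, 60) for i in range(1, 256)]            # SMB sweep
    flows += [Flow(300 + i, h, srv, "tcp", 3389, 6, 900) for i in range(120)]                   # RDP guesses
    flows += [Flow(500 + i, h, "192.168.1.3", "tcp", 445, 5, 700) for i in range(110)]          # SMB guesses
    flows += [Flow(900 + i, srv, h, "tcp", 49152 + i, 400_000, 600_000_000) for i in range(3)]  # collection
    flows += [Flow(1200 + i, h, c2, "tcp", 443, 60_000, 80_000_000) for i in range(4)]          # upload
    flows += [Flow(1300 + i, h, c2, "icmp", 0, 100, 140_000) for i in range(20)]                # ICMP tunnel
    flows += [Flow(1400 + i, h, srv, "tcp", 445, 4_000, 5_000_000) for i in range(30)]          # encryption over SMB
    flows += [Flow(i, "192.168.1.20", "203.0.113.9", "tcp", 443, 30, 12_000) for i in range(50)]  # benign web
    return flows
```

Running detect(sample_flows()) yields nine events for the two attack-related hosts and none for the benign workstation. The thresholds are fixed constants here; a real deployment baselines them per network, which is what the backup-server exemption mentioned in the Collection stage amounts to, and the DICTATTACK rule deliberately ignores one- and two-packet flows so that the SMB sweep is not double-counted as password guessing.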

Cryptocurrency Mining
Mining means lending computing power to the validation of cryptocurrency transactions, for
which miners are rewarded with newly issued coins and transaction fees. However, this process
is very resource-intensive, which is why some miners hijack the computing time of other machines
by infecting them with malware.

In Flowmon ADS, make sure you are viewing the Cryptocurrency Mining perspective (if not,
choose Cryptocurrency Mining from the dropdown menu at the top of the page and click
Apply).

In the Events by priority list you will see a detected BPATTERNS event. Expand it by clicking on
it.

The expanded event shows that the source of the anomaly was a station with the IP address
192.168.70.2. Click on it to see further details.

You can see in the Detail column that the system recognized this behavior as cryptocurrency
mining and that the source host communicated with several targets. In the context menu of one
of the events, choose Event evidence to see the full detail.

This dialog tells you the full extent of what happened, including a list of the individual
communications, the number of data flows transferred, as well as every detail of the hosts
involved.
Massive Spamming
In Flowmon ADS, make sure you are viewing the Massive Spamming perspective (if not,
choose Massive Spamming from the dropdown menu at the top of the page and click Apply).

The Events graph and the Events by priority list show an SMTPANOM event. The name
suggests an SMTP anomaly.

SMTP is the standard protocol for email delivery, which is why devices infected with spamming
malware use this protocol as well. Although most spam is a mere nuisance, some spam
messages may contain phishing links or malicious executables as attachments.

Click on the SMTPANOM event to expand it.

This view shows that the device that triggered the anomaly detection has the IP address
192.168.107.32. Click this address to see more.

The Detail column in this list shows that the infected host has sent over 800 emails through 489
unique hosts (SMTP servers).

There is a considerable discrepancy between this number and the network average of 20,
indicating that the device has been involved in a spamming operation: a legitimate workstation
normally talks to its organization's own mail server, not to hundreds of distinct SMTP servers.
Unwanted Applications

1. BitTorrent
BitTorrent is a popular protocol used for transferring and sharing large files, many of which can
be bootleg copies of films or computer games. Companies are well advised to stay wary of its
use, both to avoid involvement in copyright violation and for the sake of their own security, as
illegally distributed software may contain harmful code, such as ransomware.

In Flowmon ADS, make sure you are viewing the Bittorrent Download perspective (if not,
choose Bittorrent Download from the dropdown menu at the top of the page and click Apply).

You can see in the Events graph and the Events by priority list that a BITTORRENT event
has been detected. Expand the event by clicking on it.

The source of the event is a device with the IP address 192.168.70.9. Click on it to see more.

Here is a list of communications between the source and its many targets. Open the context
menu of one of them and choose Related IDS events.

This dialog lists the communications and differentiates them by type. Looking at the description,
you can see that some were legitimate (a Windows update), while others (P2P BitTorrent) were
potentially harmful.

2. TeamViewer
TeamViewer is a popular desktop-sharing platform that allows conferencing, remote control, and
file transfers. However, it is known to have been abused in remote-support scams, as a
gateway for covert malware activity, and as part of shadow IT.

In Flowmon ADS, make sure you are viewing the Teamviewer perspective (if not, choose
Teamviewer from the dropdown menu at the top of the page and click Apply).

You can see in the Events graph and the Events by priority list that a TEAMVIEWER event
has been detected. Expand the event by clicking on it.

The expanded view shows that a client with the IP address 10.0.2.15 has initiated
communication via TeamViewer. Click on it to see more.

Now, click on the Event ID (e.g. #12345) of one of the events in the list.

This dialog explains the event and discloses the communication's targets. You may switch to
the Event evidence tab to view the real traffic that triggered the event and see for yourself what
data the system used to evaluate the detection.

3. Webshare
In Flowmon ADS, make sure you are viewing the Webshare Download perspective (if not,
choose Webshare Download from the dropdown menu at the top of the page and click Apply).

You can see in the Events graph and the Events by priority list that a WEBSHARE event has
been detected. Expand the event by clicking on it.

This view shows you that a host with the IP address 192.168.70.16 has communicated with a
domain that provides file-sharing services. While this behavior may not result in direct
infringement of copyright laws in every country, it raises both ethical and security concerns, as
the files downloaded from there may contain malicious code.

In the list of the individual detected events, choose Event evidence from the context menu.

This dialog provides more context about the event and lists the individual incoming and outgoing
transactions.