FlowMatrix - NetFlow Network Anomaly Detection and NetFlow Network Behavior Analysis, NetSim

Jump to:

FlowMatrix Download
Network Simulator Download
Z1 Monitor Download

News

November 17, 2008
New first official public release of FlowMatrix, (ver.0.9.73) is available for FULLY FREE downloads and use. FlowMatrix is first FULLY FREE version of NetFlow based Network Anomaly Detection and NetFlow based Network Behavior Analysis tool.
Read More

August 25, 2008
FlowMatrix - NetFlow based Network Behavior Analysis, Network Anomaly Detection System new version 0.9.65, improves network and network applications security, available for downloads
Read More

July 2, 2008
FlowMatrix - NetFlow based Network Behavior Analysis (NBA) System new version, 0.9.62, now supports network application level security and available for downloads
Read More

February 23, 2008
FlowMatrix - NetFlow based Network Behavioral Analysis (NBA) System new beta version 0.9.56 is available for downloads
Read More

January 19, 2008
Netsim - Network delay, packets loss and bandwidth simulator new version 0.9.127 is available for free downloads
Read More

November 1, 2007
FlowMatrix - NetFlow based Network Behavioral Analysis (NBA) System new beta version 0.9.47 is available for downloads
Read More

Links

Top 100 security tools
Honeypots.net
SecLists.org
SecurityConfig.com
WindowSecurity.com

More Links

FlowMatrix FAQ

What port(s) is/are used by FlowMatrix to receive NetFlow packets from routers?

By default, FlowMatrix receives NetFlow records on port 2055. But this default port can be changed. After changing the port FlowMatrix service must be restarted. Restarting of FlowMatrix service can be done using Windows Service Control Manager or from command line using these commands:

net stop flowmatrix

net start flowmatrix
Can FlowMatrix be installed on a system that has already Apache Web server and/or PostgreSQL database installed?

Currently, FlowMatrix installation program doesn't support installation on systems with Apache or PostgreSQL already installed. In addition, the installation program checks if required ports are available, if any of these checks fail the install will terminate. These checks are needed to guarantee that FlowMatrix is installed on mostly a dedicated system due to intense computational needs of FlowMatrix under high load such that the system can't be shared without being affected.
How do I get a valid license file to use free, fully functional and not time limited version of FlowMatrix?

If you qualify (check if you do) for free a FlowMatrix license, please follow these steps:
- Download current version of FlowMatrix, from: FlowMatrix Download
- Install it on the system where you intend to use it.
- Open a command prompt and change to where you have installed FlowMatrix, then run command getinfo:
  
  C:\Flow Matrix\engine\getinfo
- This will produce a license request file with information needed to generate a license.
- Take the produced file and e-mail it to: support@akmalabs.com as an attachment along with your verbal request. Please, include in your email the name of your institution or company, if applicable, as well as your name. We will mail you a license file with instruction shortly.
What are the hardware requirements for a system to run FlowMatrix?

1. Small Networks (<100 hosts):
Intel Pentium 4 or compatible 2.4 GHz or higher processor;
1 GB of free disk space;
1 GB of RAM;

2. Medium Networks (<2000 hosts):
Intel Core 2 Duo or compatible 2.0 GHz or higher processor;
4 GB of free disk space;
2 GB of RAM

Minimum software requirements:
Windows 2000 (Server or Professional) or Windows XP (Home or Professional) or Windows 2003 Server.
Most critical system component that affects FlowMatrix performance is the system memory so make sure that for a high load you meet or exceed the minimum requirements for you installation.
How long does it take for FlowMatrix to learn my network traffic?

After installation FlowMatrix will monitor your network traffic for 2 hours, until it collects enough initial information. After these 2 hours the system will start generating reports about a state of the network (when it sees anomalous network events). Full learning cycle completes after 5 days of continious operation. Until that time the system is operational but false positive rate may be higher than after it completes the full 5 days learning interval. After the initial 5 days learning completes the system will constantly update its knowledge of your network but learning at this time can be considered complete. So to summarize, the learning never stops but complete learning is achieved after 5 days of operation.
Can I run FlowMatrix on a Virtual Machine?

Yes, assuming that you meet the minimum system requirements.
Does FlowMatrix retain any useful functionality after its timed evaluation version has expired?

After the evaluation period of 60 days, FlowMatrix will continue to operate with almost all functionality. The only disabled functionality is the absence of details about detected anomalies. For example, high performance monitoring rules creation such as:

Show all hosts that have contacted more than 100 hosts for the last 5 minutes

OR

Show a host contacted by more than 100 distinct hosts for the last 5 minutes

will be completely functional.
Also, the system will still be detecting anomalous events on your network and you will continue to see such conditions on the graphs showing values above the threshold, but the system will not provide the detailed information about the detected anomaly events.
What is FlowMatrix anomaly detection response time (i.e. time resolution)?

The FlowMatrix anomaly detection engine operates in real-time mode but produces its reports every 1 minute, so it is able to report an attack(anomaly) in at most 1 minute after it detects it.
How frequently FlowMatrix fast rules get executed?

The FlowMatrix fast rule execute every 5 minutes. If we see a need, based on user requests, we can make these rules to operate more frequently, say every 2 minutes.
Do rules that I can edit represent anomaly detection engine of FlowMatrix?

No, FlowMatrix has anomaly detection engine that constantly operates in background and it is not using fast rules at all. Also, fast rule changes made by the user will not affect operation of anomaly detection engine.
What NetFlow versions are supported by FlowMatrix?

At this time, FlowMatrix supports version 1 and 5 of NetFlow. We plan to add in near term support for other version of NetFlow.
Is a router performance significantly affected when NetFlow is enabled?

For information on Cisco routers please consult this link: NetFlow Performance Analysis
When I install a new beta version of FlowMatrix will my current, learnt information be lost?

Yes. The reason is because for our beta versions we change a number of features and that may include the database schema. Thus, in order to not complicate the installation process by making an update procedure the currently installed version of FlowMatrix must be uninstalled first to install a new version. In a process of doing so it will remove the old database and the information will be lost.
When do you plan to release a non beta version of FlowMatrix?

We plan to release FlowMatrix by the end of 2007.
What OS's are supported by FlowMatrix?

Right now FlowMatrix supports: Windows 2000 (Server or Workstation), Windows XP, Windows 2003 Server.
What outgoing connections are established by FlowMatrix?

FlowMatrix doesn't require any outgoing connections to work properly and detect an anomaly, the only outgoing connection is when you try to resolve an IP address information, in this case a whois service is used.
How can I integrate the FlowMatrix anomaly detection logic with my company existing monitoring solution?

FlowMatrix has a WebService interface which provides all the same services available to FlowMatrix WebGUI interface. You can use a language of you choice to interface to our FlowMatrix WebService. Please send as a request for a documentation on WebService API.