Threat Pattern Matching
Identify the toolkit, not just the flood.
Flowtriq matches captured packet data against a curated library of known DDoS toolkits, botnets, and amplification signatures (known as indicators of compromise, or IOCs). Know if you're looking at Mirai, LOIC, a memcached reflector, or a custom payload, and get the confidence score to back it up.
Library Coverage
Known toolkits and amplification signatures
Mirai Botnet High Risk
Matches Mirai C2 handshake payloads and characteristic attack packet structures. Covers Mirai, its known forks (Satori, Okiru), and the related Hajime IoT botnet.
LOIC / HOIC High Risk
Low Orbit Ion Cannon and High Orbit Ion Cannon HTTP flood signatures, matched on User-Agent strings, request patterns, and TCP window sizes.
memcached Amplification Amplification
stats command requests sent over UDP to port 11211 with spoofed source IPs. Characteristic response size explosion (up to 50,000× amplification factor).
NTP Amplification Amplification
monlist (mode 7) requests to UDP port 123 with spoofed source IPs. Response amplification factor up to 206×. Detected via request payload and response ratio.
SSDP Amplification Amplification
UPnP SSDP M-SEARCH requests with spoofed source IP targeting port 1900 on misconfigured IoT devices and routers.
DNS Amplification Amplification
ANY-record DNS queries with spoofed source IPs. Amplification factors of 28–54×. Detected via query type, spoofing indicators, and port 53 dominance.
How It Works
Pattern matching against live packet captures
When Flowtriq captures packets during an incident, it simultaneously checks them against known attack signatures. Each pattern is a set of rules that match specific byte sequences, ports, and protocols. This runs in the background without affecting detection or alert speed.
The threat pattern library is hosted by Flowtriq and updated as new toolkit signatures are identified. The FTAgent fetches the current set on startup and refreshes it every 6 hours. Agents behind restrictive firewalls can also sync patterns manually via the API.
Enterprise customers can add custom patterns via the Console or API. Custom patterns use the same rule syntax and are evaluated alongside the built-in library.
Agent fetches current IOC library
On startup and every 6 hours. 8+ built-in patterns plus any customer-defined patterns.
Pattern matching runs during packet capture
Each captured packet is tested against all threat rules in parallel, comparing the rules directly against the raw packet bytes.
Match triggers annotation on incident
Matched toolkit name, confidence, and match details are attached to the incident record.
Threat match included in all alerts
Discord/Slack embeds, PagerDuty incidents, and webhook payloads include the matched toolkit name and confidence.
PCAP 10,000 packets scanned
─── IOC Scan Results ────────────
✓ memcached Amplification
confidence 97%
matched at pkt #3, offset 0x00
signature stats\r\n · port 11211
✗ Mirai no match
✗ LOIC/HOIC no match
✗ NTP amp no match
✗ SSDP amp no match
─── Custom Patterns ─────────────
✗ customer-001 no match
FAQ
Common questions about IOC matching
How do I add a custom threat pattern?
Custom patterns can be added via the Flowtriq Console under Settings, or via the REST API. Each pattern has a name, a byte-sequence rule (hex or ASCII with wildcards), optional port and protocol constraints, and a severity level. Custom patterns are evaluated alongside the built-in library on all future incidents.
Does threat pattern matching work if PCAP capture is disabled?
Threat pattern matching requires packet capture data to inspect payloads. If the agent is running in statistics-only mode (without packet capture permissions), pattern matching will not fire. Traffic-level classification (UDP flood, SYN flood, etc.) still works without PCAP, as it uses kernel statistics only.
How often is the threat pattern library updated?
Flowtriq updates the built-in library as new attack toolkits and amplification techniques are identified. Agents automatically pull updates every 6 hours. When a critical new signature is added, agents are notified and pull it at their next check-in rather than waiting for the full 6-hour interval.
Can threat patterns produce false positives?
Built-in patterns are tuned to minimize false positives: all include multiple discriminating fields (port, payload prefix, protocol, direction) rather than single-byte matches. Custom patterns are your responsibility to tune. The confidence score on every match tells you how strongly the signature was matched, so low-confidence matches are easy to identify and review.