diff --git a/flowmon-ads/warden3_flowmon_ads_filer.py b/flowmon-ads/warden3_flowmon_ads_filer.py
index 46503d7f5553bf935d14c92d8c45c8654e6f2e62..6b518a4fd5978f6b55dcbb6da5e0d8105303bf46 100755
--- a/flowmon-ads/warden3_flowmon_ads_filer.py
+++ b/flowmon-ads/warden3_flowmon_ads_filer.py
@@ -14,6 +14,8 @@ from warden_filer import SafeDir
 import json
 import csv
 from time import strptime, mktime
+import time
+import re
 from uuid import uuid4
 
 # Command line options handling
@@ -126,7 +128,7 @@ ads_types = {
     "ANOMALY": ["Anomaly.Behaviour"],
     "BLACKLIST": ["Other"],     # FIXME - will need to be set based on other data?
     "BPATTERNS": ["Attempt.Exploit"],   # FIXME - will need to be set based on other data?
-    "DNSANOMALY": ["Information.UnauthorizedAccess"],
+    "DNSANOMALY": ["information.UnauthorizedAccess"],
     "DNSQUERY": ["Anomaly.Traffic"],
     "DOS": ["Availability.DoS"],
     "GEODIST": ["Anomaly.Behaviour"],
@@ -172,7 +174,7 @@ def xlat_ads_proto(s):
         proto = "transport%s" % pnum
     except ValueError:
         # FIXME, will probably also need translation table
-        proto = s
+        proto = s.lower()
     return proto
 
 
@@ -184,7 +186,8 @@ def gen_idea_from_ads(ads, orig_data, anonymised_target, add_test):
        "Format": "IDEA0",
        "ID": str(uuid4()),
        "Category": xlat_ads_type(ads.get("Type")),
-       "DetectTime": format_time(*ts[0:6])
+       "DetectTime": format_time(*ts[0:6]),
+       "CreateTime": format_time(*time.localtime()[0:6])
     }
 
     if add_test:
@@ -218,7 +221,7 @@ def gen_idea_from_ads(ads, orig_data, anonymised_target, add_test):
     # Target related parts
     target = {}
     if ads["Ports"]:
-        target["Port"] = ads["Ports"]
+        target["Port"] = ads["Ports"] # FIXME are the ports related with Target, Source or does it depend on attack type?
 
     if ads["Protocol"]:
         target["Proto"] = [xlat_ads_proto(p) for p in ads["Protocol"]]
@@ -239,7 +242,7 @@ def gen_idea_from_ads(ads, orig_data, anonymised_target, add_test):
         event["Attach"] = [{
             "Content": "\t".join(orig_data),
             "Type": ["OrigData"],
-            "ContentType": "text/csv"
+            "ContentType": "text/tab-separated-values"
         }]
 
     # Insert subnodes into event
@@ -249,6 +252,23 @@ def gen_idea_from_ads(ads, orig_data, anonymised_target, add_test):
     if target:
         event["Target"] = [target]
 
+    # *** Modifications for specific alert types ***
+
+    if ads["Type"] == "DOS":
+        # Extract additional info from Note
+        match = re.search("service:\s*([^,)]*)", event.get("Note",""))
+        if match and match.group(1) != 'not specified':
+            source["Proto"] = match.group(1)
+        match = re.search("attackers:\s*(\d+)", event.get("Note",""))
+        if match:
+            # Note: Count field is not standardized, but it is sometimes used to
+            # tell the total number of sources when not all of them are listed.
+            target["Count"] = int(match.group(1)) 
+        # Swap Source and Target for DOS events
+        if source and target:
+            event["Source"] = [target]
+            event["Target"] = [source]
+
     return event