Configuration management for a capture/registration system

US 10,367,786 B2
Filed: 02/01/2016
Issued: 07/30/2019
Est. Priority Date: 08/12/2008
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine-readable storage medium comprising executable instructions that when executed, cause at least one processor to:

distribute, to a distributed capture system, a rule defining an action for the distributed capture system to perform regarding packets intercepted by the distributed capture system;

store the rule in a memory element, wherein the memory element is a configuration database including rules stored therein to be selectively distributed to a plurality of distributed capture systems, wherein the distributed capture system is associated with registered objects, each of the registered objects indicated by a respective signature and a respective object identifier that collectively form a searchable key, wherein the action is based on a particular one of the registered objects and content of an intercepted object provided in the packets, and wherein the particular registered object is to be identified, at least in part, by one or more signatures, which can be compared against signatures derived from the intercepted object; and

distribute a plurality of crawler tasks in a network that includes the distributed capture system, wherein the crawler tasks are to search for rule violations within resting objects on the network that are not being transmitted over a network connection.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus, and system is described for distributing a rule to a distributed capture system and storing the rule in a global configuration database, wherein the rule defines an action for the distributed capture system to perform regarding packets intercepted by the distributed capture system.

499 Citations

19 Claims

1. At least one non-transitory machine-readable storage medium comprising executable instructions that when executed, cause at least one processor to:
- distribute, to a distributed capture system, a rule defining an action for the distributed capture system to perform regarding packets intercepted by the distributed capture system;
  
  store the rule in a memory element, wherein the memory element is a configuration database including rules stored therein to be selectively distributed to a plurality of distributed capture systems, wherein the distributed capture system is associated with registered objects, each of the registered objects indicated by a respective signature and a respective object identifier that collectively form a searchable key, wherein the action is based on a particular one of the registered objects and content of an intercepted object provided in the packets, and wherein the particular registered object is to be identified, at least in part, by one or more signatures, which can be compared against signatures derived from the intercepted object; and
  
  distribute a plurality of crawler tasks in a network that includes the distributed capture system, wherein the crawler tasks are to search for rule violations within resting objects on the network that are not being transmitted over a network connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The machine-readable storage medium of claim 1, wherein the rule is distributed within a policy, and wherein the policy includes one or more rules.
  - 3. The machine-readable storage medium of claim 2, wherein the policy further includes a policy state of either active or passive and each of the one or more rules within the policy are individually set to inherit or not to inherit the policy state.
  - 4. The machine-readable storage medium of claim 2, wherein the policy further includes a designation indicating which one or more distributed capture systems in a network should apply the policy.
  - 5. The machine-readable storage medium of claim 4, wherein the designation is based on one or both of a type of capture system and a network division of the network.
  - 6. The machine-readable storage medium of claim 1, wherein the executable instructions, when executed, cause the at least one processor to:
    - distribute disparate policies to respective distributed capture systems in a network, wherein each policy includes one or more rules to be applied by a respective distributed capture system to which the policy is distributed.
  - 7. The machine-readable storage medium of claim 1, wherein the executable instructions, when executed, cause the at least one processor to:
    - distribute filters of a filter group to a set of distributed capture systems associated with the filter group.
  - 8. The machine-readable storage medium of claim 1, wherein the rule is based upon a user-defined template.
  - 9. The machine-readable storage medium of claim 8, wherein the executable instructions, when executed, cause the at least one processor to:
    - distribute, to each distributed capture device designated by the rule, a change made to the user-defined template.
  - 10. The machine-readable storage medium of claim 1, wherein the action is one or more of the following:
    - an email notification, a syslog notification, and prevention of the transmittal of the intercepted packets.
  - 11. The machine-readable storage medium of claim 1, wherein the rule further defines exceptions to the action.
  - 12. The machine-readable storage medium of claim 1, wherein the executable instructions, when executed, cause the at least one processor to:
    - store, in the memory element, a plurality of versions of the rule and which version of the rule applies to the distributed capture system.
  - 13. The machine-readable storage medium of claim 12, wherein the executable instructions, when executed, cause the at least one processor to:
    - identify an additional distributed capture system in a network; and
      
      distribute a default version of the rule to the additional distributed capture system, the rule defining an action for the additional distributed capture system to perform regarding packets intercepted by the additional distributed capture system.
  - 14. The machine-readable storage medium of claim 1, wherein the rule is distributed based on the occurrence of one or more of the following:
    - an addition of a capture system to a network, a capture system reestablishing a connection to a network, a periodic update, a creation of a new rule, a change made to an existing rule, and a deletion of a rule.

15. A system comprising:
- a memory including a memory element to store a rule, wherein the memory element is a configuration database including rules stored therein to be selectively distributed to a plurality of distributed capture systems;
  
  a configuration manager coupled to the memory element to distribute the rule;
  
  a distributed capture system to receive the rule and store the rule, the rule defining an action for the distributed capture system to perform regarding packets intercepted by the distributed capture system, wherein the distributed capture system is associated with registered objects, each of the registered objects indicated by a respective signature and a respective object identifier that collectively form a searchable key, wherein the action is based on a particular one of the registered objects and content of an intercepted object provided in the packets, and wherein the particular registered object is to be identified, at least in part, by one or more signatures, which can be compared against signatures derived from the intercepted object; and
  
  a network that includes the distributed capture system to distribute a plurality of crawler tasks, wherein the crawler tasks are to search for rule violations within resting objects on the network that are not being transmitted over a network connection.
- View Dependent Claims (16, 17, 18)
- - 16. The system of claim 15, wherein the configuration manager is to:
    - distribute disparate policies to respective distributed capture systems in the system,wherein each policy includes one or more rules to be applied by a respective distributed capture system to which the policy is distributed.
  - 17. The system of claim 15, wherein the rule is distributed within a policy including one or more rules, and wherein the policy further includes a designation indicating which one or more distributed capture systems in a network should apply the policy.
  - 18. The system of claim 17, wherein the designation is based on one or both of a type of capture system and a network division of the network.

19. A method, comprising:
- distributing, to a distributed capture system, a rule defining an action for the distributed capture system to perform regarding packets intercepted by the distributed capture system;
  
  storing the rule in a memory element, wherein the memory element is a configuration database including rules stored therein to be selectively distributed to a plurality of distributed capture systems, wherein the distributed capture system is associated with registered objects, each of the registered objects indicated by a respective signature and a respective object identifier that collectively form a searchable key, wherein the action is based on a particular one of the registered objects and content of an intercepted object provided in the packets, and wherein the particular registered object is to be identified, at least in part, by one or more signatures, which can be compared against signatures derived from the intercepted object; and
  
  distributing a plurality of crawler tasks in a network that includes the distributed capture system, wherein the crawler tasks are to search for rule violations within resting objects on the network that are not being transmitted over a network connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, LLC
Inventors
Gaitonde, Jitendra B.
Primary Examiner(s)
Lee, Bryan

Application Number

US15/012,105
Publication Number

US 20160241518A1
Time in Patent Office

1,275 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0813   characterised by the condit...

H04L 63/0218   Distributed architectures, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

Configuration management for a capture/registration system

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

499 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Configuration management for a capture/registration system

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

499 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links