Offline analysis of packets
Abstract
A method, apparatus, system, and signal-bearing medium that, in an embodiment, filter packets received from a network based on rules. The filtering discards a subset of the packets based on the rules and keeps a remaining subset of the packets. The remaining subset is copied to a destination. The rules are created offline in a lower priority process from the filtering and copying by detecting whether symptoms exist in a sample of the remaining subset. In an embodiment, the order that the symptoms are detected is changed based on the frequency of the existence of the symptoms in the sample. In various embodiments, the symptoms may include receiving a threshold number of ping packets within a time period, receiving a threshold number of broadcast packets within a time period, receiving a packet with an invalid source address, receiving a packet with an invalid header flag, and receiving a threshold number of the packets within a time period that contain a sequence flag. In this way, firewall throughput performance is increased.
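The design the abstract describes, and that claims 17 and 32 spell out with the sampling step and the frequency-based reordering of symptom checks, is easiest to see as two cooperating components: an in-line filter that applies rules and copies a sample of the kept packets aside, and an offline analyzer that turns symptoms found in that sample into new rules. The following is an added simulation written for this page, not code from the patent or from any product; the thresholds (five matching packets within one second), the shape of each rule, the address ranges treated as invalid sources, the flag combinations treated as invalid, the reading of "sequence flag" as the TCP SYN flag, and the traffic stream are all assumptions made for the example.

```python
# Added example, not the patent's code: the two-process design from the abstract. Firewall is the
# in-line fast path (filter, deliver, copy every k-th kept packet to a sample); Analyzer is the offline
# path (detectors over the sample, rule creation, reordering by hit count). Thresholds, rule shapes,
# "sequence flag" read as TCP SYN, and the traffic stream are assumptions made for this example.
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Packet:
    ts: float                        # arrival time, seconds
    src: str
    proto: str                       # "icmp" | "tcp" | "udp"
    flags: frozenset = frozenset()   # TCP flags, e.g. frozenset({"SYN"})
    broadcast: bool = False
    icmp_type: int = -1              # 8 = echo request (ping); -1 = not ICMP

class Firewall:
    """In-line fast path: rules are (name, predicate) pairs; predicate(pkt) True means drop."""
    def __init__(self, sample_every=2):
        self.rules, self.sample, self.sample_every = [], [], sample_every
        self.delivered, self.dropped = 0, Counter()

    def process(self, pkt):
        for name, drop in self.rules:
            if drop(pkt):
                self.dropped[name] += 1
                return False
        self.delivered += 1
        if self.delivered % self.sample_every == 0:   # a copy of the kept packet goes offline
            self.sample.append(pkt)
        return True

WINDOW, THRESHOLD = 1.0, 5   # assumed: >= 5 matching packets within any 1 s span is a flood
BAD_SRC = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/3")]
INVALID_FLAGS = [frozenset({"SYN", "FIN"}), frozenset(), frozenset({"FIN", "PSH", "URG"})]

def _flood_sources(sample, match):
    """Sources with >= THRESHOLD matching packets inside some WINDOW-long span (sliding window)."""
    per_src = defaultdict(list)
    for p in sample:
        if match(p):
            per_src[p.src].append(p.ts)
    return sorted(s for s, ts in per_src.items()
                  if any(b - a <= WINDOW for a, b in zip(sorted(ts), sorted(ts)[THRESHOLD - 1:])))

def flood_detector(label, match):
    """Build a detector whose symptom is a per-source flood of packets satisfying match()."""
    def detect(sample):
        return [(f"drop-{label}-from-{s}", lambda p, s=s: p.src == s and match(p))
                for s in _flood_sources(sample, match)]
    detect.__name__ = f"detect_{label}_flood"
    return detect

detect_ping_flood = flood_detector("ping", lambda p: p.proto == "icmp" and p.icmp_type == 8)
detect_broadcast_flood = flood_detector("broadcast", lambda p: p.broadcast)
detect_syn_flood = flood_detector("syn", lambda p: p.proto == "tcp" and "SYN" in p.flags)

def detect_invalid_src(sample):
    bad = {p.src for p in sample if any(ipaddress.ip_address(p.src) in n for n in BAD_SRC)}
    return [(f"drop-src-{s}", lambda p, s=s: p.src == s) for s in sorted(bad)]

def detect_invalid_flags(sample):
    found = {p.flags for p in sample if p.proto == "tcp" and p.flags in INVALID_FLAGS}
    return [(f"drop-tcp-flags-{'+'.join(sorted(f)) or 'NULL'}", lambda p, f=f: p.proto == "tcp" and p.flags == f)
            for f in sorted(found, key=sorted)]

class Analyzer:
    def __init__(self):
        self.detectors = [detect_syn_flood, detect_invalid_flags, detect_invalid_src, detect_broadcast_flood, detect_ping_flood]
        self.hits = Counter()

    def analyze(self, sample):
        """Offline path: run every detector over the sample, then put the most frequently firing ones first."""
        rules = []
        for d in self.detectors:
            found = d(sample)
            self.hits[d.__name__] += len(found)
            rules += found
        self.detectors.sort(key=lambda d: -self.hits[d.__name__])   # stable sort: ties keep their order
        return rules

def constructed_traffic():
    # Constructed stream: benign TCP, two ping floods, a broadcast flood, spoofed loopback, SYN+FIN probes.
    pkts = [Packet(0.05 * i, "198.51.100.7", "tcp", frozenset({"ACK"})) for i in range(40)]
    for src in ("203.0.113.9", "203.0.113.10"):
        pkts += [Packet(0.01 * i, src, "icmp", icmp_type=8) for i in range(20)]
    pkts += [Packet(0.02 * i, "192.0.2.3", "udp", broadcast=True) for i in range(12)]
    pkts += [Packet(0.5 + 0.1 * i, "127.0.0.1", "udp") for i in range(4)]
    pkts += [Packet(0.6 + 0.1 * i, "203.0.113.44", "tcp", frozenset({"SYN", "FIN"})) for i in range(4)]
    return pkts

def run_two_passes():
    fw, an, traffic = Firewall(sample_every=2), Analyzer(), constructed_traffic()
    for p in traffic:
        fw.process(p)                  # pass 1: no rules yet, every packet delivered, half of them sampled
    fw.rules += an.analyze(fw.sample)  # offline step: sample -> symptoms -> rules
    fw.delivered, fw.dropped = 0, Counter()
    for p in traffic:
        fw.process(p)                  # pass 2: same stream with the learned rules in the fast path
    return fw, an

if __name__ == "__main__":
    fw, an = run_two_passes()
    print([n for n, _ in fw.rules], fw.delivered, dict(fw.dropped), [d.__name__ for d in an.detectors])
```

Running the block prints the five learned rules, the pass-2 delivered count (40 of the 100 constructed packets) and the new detector order, with the ping-flood detector promoted to the front because it fired twice. Two things worth noticing: the fast path is still a linear scan over the rule list, so the analyzer's offline work buys throughput only while that list stays short; and sampling every second kept packet means a single-packet symptom such as one invalid-flag probe is seen only by luck of parity, which is why the constructed probes arrive in groups of four and why flood thresholds have to be scaled to the sampling rate.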
40 Claims
1. A method comprising:
filtering packets based on a rule;
analyzing the filtered packets for a symptom; and
creating the rule based on the symptom, wherein the analyzing and the creating execute offline from the filtering.
Dependent claims: 2, 3, 4, 5, 6, 7 (text not reproduced here).

8. An apparatus comprising:
means for filtering packets based on at least one rule, wherein the means for filtering discards a first subset of the packets based on the rule and keeps a remaining subset of the packets;
means for creating a sample of the remaining subset;
a plurality of means for detecting whether each of a plurality of symptoms exists in the sample; and
means for determining the at least one rule based on the plurality of means for detecting, wherein the plurality of means for detecting and the means for determining execute in a different process from the means for filtering and the means for creating.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16 (text not reproduced here).

17. A signal-bearing medium encoded with instructions, wherein the instructions when executed comprise:
filtering packets based on at least one rule, wherein the filtering discards a first subset of the packets based on the rule and keeps a remaining subset of the packets;
creating a sample of the remaining subset;
detecting whether each of a plurality of symptoms exists in the sample;
changing an order of execution of the detecting whether each of the plurality of symptoms exists based on a frequency of each of the plurality of symptoms in the sample; and
determining the at least one rule based on the detecting, wherein the detecting and the determining execute in a different process from the filtering and the creating.
Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25 (text not reproduced here).

26. A firewall comprising:
a plurality of analyzer modules, wherein the plurality of analyzer modules detect a plurality of respective symptoms in packets and create a plurality of respective rules based on the plurality of symptoms; and
a filter module that filters the packets based on the plurality of rules, wherein the plurality of analyzer modules execute offline from the filter module.
Dependent claims: 27, 28, 29, 30, 31 (text not reproduced here).

32. A computer system comprising:
a processor; and
a network interface comprising
a plurality of analyzer modules, wherein the plurality of analyzer modules detect a plurality of respective symptoms in packets and create a plurality of respective rules based on the plurality of symptoms,
a filter module that filters the packets based on the plurality of rules, wherein the plurality of analyzer modules execute offline from the filter module, and
a sampling module that sends the filtered packets to an application that executes on the processor and that sends a sample of the filtered packets to the plurality of analyzer modules.
Dependent claims: 33, 34, 35, 36, 37, 38, 39 (text not reproduced here).

40. A method for configuring a computer, comprising:
configuring the computer to filter packets based on a rule;
configuring the computer to analyze the filtered packets for a symptom; and
configuring the computer to create the rule based on the symptom, wherein the filtered packets are analyzed and the rule is created offline from the filtering of the packets.

Specification