Modular agent for network security intrusion detection system
First Claim
Patent Images
1. A machine-readable medium encoded with:
- a plurality of software modules, wherein each software module is configured to receive a normalized event, to modify the normalized event, and to output the modified normalized event; and
software agent instructions that, when executed by a processor, cause the processor to perform instructions comprising;
receiving, from a first device, an event, that originated in an event log that was generated by the first device;
parsing the event received from the first device;
creating a normalized event based on the parsed event;
modifying the normalized event using a set of software modules, wherein the set of software modules comprises two or more software modules of the plurality of software modules and does not comprise all of the plurality of software modules; and
transmitting the modified normalized event to a second device;
wherein a configuration file, associated with the software agent instructions, indicates which software modules of the plurality of software modules are in the set of software modules that are used by the software agent instructions, and wherein the configuration file is stored on a second machine-readable medium.
5 Assignments
0 Petitions
Accused Products
Abstract
The present invention provides for the receipt of a request to modify a software agent'"'"'s configuration at a server-based manager. A determination of the modifications to the software agent is made at the server-based manager. The requested modifications are then delivered to the software agent. The software agent interprets the requested modifications and implements them.
-
Citations
21 Claims
-
1. A machine-readable medium encoded with:
-
a plurality of software modules, wherein each software module is configured to receive a normalized event, to modify the normalized event, and to output the modified normalized event; and software agent instructions that, when executed by a processor, cause the processor to perform instructions comprising; receiving, from a first device, an event, that originated in an event log that was generated by the first device; parsing the event received from the first device; creating a normalized event based on the parsed event; modifying the normalized event using a set of software modules, wherein the set of software modules comprises two or more software modules of the plurality of software modules and does not comprise all of the plurality of software modules; and transmitting the modified normalized event to a second device; wherein a configuration file, associated with the software agent instructions, indicates which software modules of the plurality of software modules are in the set of software modules that are used by the software agent instructions, and wherein the configuration file is stored on a second machine-readable medium. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
wherein a second configuration file, associated with the second software agent instructions, indicates which software modules of the plurality of software modules are in the second set of software modules.
-
-
14. The machine-readable medium of claim 13 wherein the second configuration file is stored on the second machine-readable medium.
-
15. The machine-readable medium of claim 1 wherein the software agent instructions support a set of commands.
-
16. The machine-readable medium of claim 15 wherein the set of commands comprises a command to add a software module to the set of software modules.
-
17. The machine-readable medium of claim 15 wherein the set of commands comprises a command to remove a software module from the set of software modules.
-
18. The machine-readable medium of claim 15 wherein the set of commands comprises a command to send a signal to the first device.
-
19. The machine-readable medium of claim 1 wherein the software agent instructions, when executed by the processor, further cause the processor to receive a command from the second device.
-
20. The machine-readable medium of claim 19 wherein the command was initiated by a user.
-
21. The machine-readable medium of claim 19 wherein the command was generated by a rules engine.
Specification