Modular agent for network security intrusion detection system
First Claim
1. A computer-implemented method comprising:
- parsing an event that was generated by a first device;
- creating a normalized event based on the parsed event;
- accessing a first machine-readable medium encoded with a plurality of software modules, wherein each software module is configured to receive a normalized event, to modify the normalized event, and to output the modified normalized event;
- modifying the normalized event using a set of software modules, wherein the set of software modules comprises two or more software modules of the plurality of software modules and does not comprise all of the plurality of software modules; and
- transmitting the modified normalized event to a second device;
- wherein a configuration file indicates which software modules of the plurality of software modules are in the set of software modules, and wherein the configuration file is stored on a second machine-readable medium.
Abstract
The present invention provides for the receipt of a request to modify a software agent's configuration at a server-based manager. A determination of the modifications to the software agent is made at the server-based manager. The requested modifications are then delivered to the software agent. The software agent interprets the requested modifications and implements them.
92 Citations
23 Claims
1. A computer-implemented method comprising: (independent claim; reproduced in full under First Claim above). Dependent claims 2 through 21 depend from claim 1.
22. A system comprising:
- a processor; and
- a first machine-readable medium encoded with:
  - a plurality of software modules, wherein each software module is configured to receive a normalized event, to modify the normalized event, and to output the modified normalized event; and
  - software agent instructions that cause the processor to perform instructions comprising:
    - parsing an event that was generated by a first device;
    - creating a normalized event based on the parsed event;
    - modifying the normalized event using a set of software modules, wherein the set of software modules comprises two or more software modules of the plurality of software modules and does not comprise all of the plurality of software modules; and
    - transmitting the modified normalized event to a second device;
- wherein a configuration file indicates which software modules of the plurality of software modules are in the set of software modules, and wherein the configuration file is stored on a second machine-readable medium.

23. A machine-readable medium encoded with:
- a plurality of software modules, wherein each software module is configured to receive a normalized event, to modify the normalized event, and to output the modified normalized event; and
- software agent instructions that, when executed by a processor, cause the processor to perform instructions comprising:
  - parsing an event that was generated by a first device;
  - creating a normalized event based on the parsed event;
  - modifying the normalized event using a set of software modules, wherein the set of software modules comprises two or more software modules of the plurality of software modules and does not comprise all of the plurality of software modules; and
  - transmitting the modified normalized event to a second device;
- wherein a configuration file indicates which software modules of the plurality of software modules are in the set of software modules, and wherein the configuration file is stored on a second machine-readable medium.
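The agent pipeline the independent claims describe (parse, normalize, apply a configured subset of modules, transmit), as an added illustration that is not the patent's own code. The raw firewall line, the module names and the JSON configuration file are constructed for this example; the check that the configured set names two or more but not all modules mirrors the claim language.

```python
import json
from collections.abc import Callable

# Constructed sample input: one raw event line from a first device (a firewall)
# and a configuration file naming the modules the agent should load.
RAW_EVENT = "2024-05-01T10:15:00Z fw01 DENY src=10.0.0.5 dst=203.0.113.9 dpt=445 proto=tcp"
CONFIG_FILE = '{"modules": ["tag_direction", "classify_severity"]}'

def parse_event(raw: str) -> dict:
    """Parse the raw line and return a normalized event (flat key/value dict)."""
    ts, device, action, rest = raw.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "device": device, "action": action, **fields}

# The plurality of modules: each receives a normalized event, modifies it, returns it.
def tag_direction(ev: dict) -> dict:
    ev["direction"] = "outbound" if ev["src"].startswith("10.") else "inbound"
    return ev

def classify_severity(ev: dict) -> dict:
    # A denied SMB (445) connection leaving the internal network rates higher.
    ev["severity"] = "high" if ev["action"] == "DENY" and ev["dpt"] == "445" else "low"
    return ev

def drop_proto(ev: dict) -> dict:
    ev.pop("proto", None)
    return ev

MODULES: dict[str, Callable[[dict], dict]] = {
    "tag_direction": tag_direction,
    "classify_severity": classify_severity,
    "drop_proto": drop_proto,
}

def load_module_set(config_text: str) -> list[Callable[[dict], dict]]:
    """Resolve the configured subset; reject unknown names and sets outside 2..N-1."""
    names = json.loads(config_text)["modules"]
    unknown = set(names) - MODULES.keys()
    if unknown:
        raise ValueError(f"config names unknown modules: {sorted(unknown)}")
    if not 2 <= len(names) < len(MODULES):
        raise ValueError("module set must contain at least two but not all modules")
    return [MODULES[n] for n in names]

def process(raw: str, config_text: str) -> dict:
    ev = parse_event(raw)
    for module in load_module_set(config_text):  # applied in configured order
        ev = module(ev)
    return ev

def transmit(ev: dict) -> str:
    """Serialize the modified normalized event for the second device."""
    return json.dumps(ev, sort_keys=True)
```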
Specification