摘要:
A computer system, device, computer software, and/or method performed by a computer system, is provided for determining a user name likely to be associated with an attack, a configuration, or a vulnerability. First data is obtained which associates user names with individual IP addresses onto which the user names were logged in. Second data is obtained which associates attacks, configurations, or vulnerabilities with individual IP addresses on which the attacks occurred or on which the configurations or vulnerabilities exist. The user names from the first data are associated with the attacks, configurations or vulnerabilities from the second data based on having the same IP address during a log-in. An individual user name is indicated as being associated with attacks which occurred while the individual user name was logged in or with configurations or vulnerabilities for an IP address onto which the user logs in.
摘要:
A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selecting by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.
摘要:
A method performed in an intrusion detection/prevention system, a system or a device for analyzing segments in a transmission in a communication network. The transmission includes segments in the same transmission control protocol (TCP) session. Segments in a transmission are monitored. Data in the segments in the transmission are reassembled in an order indicated by a segment reassembly policy, the segment reassembly policy indicating an order specific to at least comprehensively overlapped segments.
摘要:
A hypertext transport protocol (HTTP) inspection engine for an intrusion detection system (IDS) includes an HTTP policy selection component, a request universal resource identifier (URI) discovery component, and a URI normalization module. The HTTP policy selection component identifies an HTTP intrusion detection policy using a packet. The request URI discovery component locates a URI within the packet. The URI normalization module decodes an obfuscation within the URI. In another embodiment, a packet transmitted on the network is intercepted. The packet is parsed. An Internet protocol (IP) address of the packet is identified. An HTTP intrusion detection policy for a network device is determined. A URI is located in the packet. A pattern from an intrusion detection system rule is compared to the located URI. In another embodiment, an IDS includes a packet acquisition system, network and transport reassembly modules, an HTTP inspection engine, a detection engine, and a logging system.
摘要:
A method performed in an intrusion detection/prevention system, a system or a device for analyzing segments in a transmission in a communication network. The transmission includes segments in the same transmission control protocol (TCP) session. Segments in a transmission are monitored. Data in the segments in the transmission are reassembled in an order indicated by a segment reassembly policy, the segment reassembly policy indicating an order specific to at least comprehensively overlapped segments.
摘要:
Performance of an intrusion detection system is enhanced with the addition of rule optimization, set-based rule inspection, and protocol flow analysis. During rule optimization, rule sets are created and selected in such a way that for every incoming packet only a single rule set has to be searched. Set-based rule inspection divides rules into content and non-content type rules. Only search patterns of content type rules are initially compared to a packet. Rules containing matched search patterns are validated with a parameterized search against the packet. Matches are recorded as events. Non-content rules are searched against a packet using a parameterized search. These matches are also recorded as an event. At least one event is selected per packet for logging. Protocol flow analysis determines the direction of flow of network traffic. Based on the direction of flow and the protocol, portions of packets can be eliminated from rule inspection.
摘要:
A system includes a processor. The processor is configured to receive network traffic that includes a data block. The processor will generate a unique identifier (UID) for the file that includes a hash value corresponding to the file. The processor will determine whether the file is indicated as good or bad with the previously-stored UID. The processor will call a file-type specific detection nugget corresponding to the file's file-type to perform a full file inspection to detect whether the file is good or bad and store a result of the inspection together with the UID of the file, when the file is determined to be not listed in the previously-stored UIDs. The processor will not call the file-type specific detection nugget when the file's indicator is “good” or “bad” in the previously-stored UIDs. The processor will issue an alert about the bad file when the file's indicator is “bad”.
摘要:
The disclosed systems and methods provide a user interface for modifying host configuration data that has been automatically and passively determined and for adding or modifying other parameters associated with a host. A host data table can store various parameters descriptive of a host including the applicability of specific vulnerabilities. If it is determined that one or more hosts should not be identified as associated with a specific vulnerability, a graphical user interface can be used to modify the vulnerability parameter.
摘要:
A system includes a sensor and a processor. The sensor is configured to passively read data in packets as the packets are in motion on a network. The processor is cooperatively operable with the sensor The processor is configured to receive the read data from the sensor; and originate real-time map profiles of files and file data, both from the read data from the sensor, as the passively read packets are in motion on the network.
摘要:
A system includes a processor device. The processor device is configured to detect a physical topology of a network comprising hosts and sensors in the network. The processor device is also configured to generate a sensor policy for assignment of the sensors to network blocks of the hosts, that balances a processing load and accuracy of the sensors in the network based on physical closeness of the sensors to different divisions of hosts within a same network block.