US2015033322A1PendingUtilityA1

Logging attack context data

53
Assignee: FORTINET INCPriority: Jul 24, 2013Filed: Jan 14, 2014Published: Jan 29, 2015
Est. expiryJul 24, 2033(~7 yrs left)· nominal 20-yr term from priority
H04L 63/0245H04L 63/145H04L 63/1425H04L 63/20H04L 63/1416H04L 63/0254H04L 63/14
53
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Methods and systems for improved attack context data logging are provided. According to one embodiment, configuration information is received by a firewall device from a network administrator. The configuration information includes a number (N) of packets to capture by the firewall device responsive to an event detected by the firewall device that is potentially indicative of a threat or undesired activity. Multiple packets are received by the firewall device. The firewall device applies an attack detection algorithm, including one or more of a set of intrusion detection signatures, a set of malware detection signatures and a set of security policies, to the received packets. Responsive to the firewall device determining that a trigger packet is associated with a potential threat or potential undesired activity, the firewall device causes information regarding N packets of the received packets, inclusive of the trigger packet, to be stored in a log.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method comprising:
 receiving, by a firewall device, configuration information from a network administrator, the configuration information including a number (N) of packets to capture by the firewall device responsive to an event detected by the firewall device that is potentially indicative of a threat or undesired activity;   receiving, by the firewall device, a plurality of packets;   applying, by the firewall device, at least one attack detection algorithm to the plurality of packets, wherein the at least one attack detection algorithm comprises one or more of a set of intrusion detection signatures, a set of malware detection signatures and a set of security policies; and   responsive to determining, by the firewall device, based on the at least one attack detection algorithm that a trigger packet of the plurality of packets is associated with a potential threat or potential undesired activity, causing information regarding N packets of the plurality of packets, inclusive of the trigger packet, to be stored in a log.   
     
     
         2 . The method of  claim 1 , wherein the information comprises headers of the N packets. 
     
     
         3 . The method of  claim 1 , wherein the information comprises entire contents of the N packets. 
     
     
         4 . The method of  claim 1 , further comprising at least temporarily storing the received packets to a circular buffer having a size based at least in part on N. 
     
     
         5 . The method of  claim 1 , wherein at least one packet of the N packets was received by the firewall device prior to the trigger packet. 
     
     
         6 . The method of  claim 1 , wherein the plurality of packets includes packets associated with a plurality of sessions. 
     
     
         7 . The method of  claim 1 , further comprising causing, by the firewall device, a logging system to analyze the log to determine context of the potential threat or the potential undesired activity by sending the log to the logging system. 
     
     
         8 . A non-transitory computer-readable storage medium tangibly embodying a set of instructions, which when executed by one or more processors of a firewall device, cause the one or more processors to perform a method comprising:
 receiving configuration information from a network administrator, the configuration information including a number (N) of packets to capture by the firewall device responsive to an event detected by the firewall device that is potentially indicative of a threat or undesired activity;   receiving a plurality of packets;   applying at least one attack detection algorithm to the plurality of packets, wherein the at least one attack detection algorithm comprises one or more of a set of intrusion detection signatures, a set of malware detection signatures and a set of security policies; and   responsive to determining based on the at least one attack detection algorithm that a trigger packet of the plurality of packets is associated with a potential threat or potential undesired activity, causing information regarding N packets of the plurality of packets, inclusive of the trigger packet, to be stored in a log.   
     
     
         9 . The non-transitory computer-readable storage medium of  claim 8 , wherein the information comprises headers of the N packets. 
     
     
         10 . The non-transitory computer-readable storage medium of  claim 8 , wherein the information comprises entire contents of the N packets. 
     
     
         11 . The non-transitory computer-readable storage medium of  claim 8 , wherein the method further comprises at least temporarily storing the received packets to a circular buffer having a size based at least in part on N. 
     
     
         12 . The non-transitory computer-readable storage medium of  claim 8 , wherein at least one packet of the N packets was received by the firewall device prior to the trigger packet. 
     
     
         13 . The non-transitory computer-readable storage medium of  claim 8 , wherein the plurality of packets includes packets associated with a plurality of sessions. 
     
     
         14 . The non-transitory computer-readable storage medium of  claim 8 , wherein the method further comprises causing a logging system to analyze the log to determine context of the potential threat or the potential undesired activity by sending the log to the logging system.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.