US 11,838,329 B1
Curating actionable intrusion detection system rules
Luis Lopes, Galway (IE); Sarah Addis, Belfast (GB); Martin Hutchings, Belfast (GB); Ralph McTeggart, Belfast (GB); and Niall Cochrane, Belfast (GB)
Assigned to Rapid7, Inc., Boston, MA (US)
Filed by Rapid7, Inc., Boston, MA (US)
Filed on Aug. 11, 2021, as Appl. No. 17/399,385.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/205 (2013.01) 18 Claims
1. A computer-implemented method, comprising:
accessing new intrusion detection system (IDS) rules to be deployed on an IDS that generates a plurality of alerts based on an applied ruleset;
starting a trial window comprising incorporating the new IDS rules into a candidate list to enable summarization and filtering of the plurality of alerts;
supplementing the applied ruleset that comprises existing IDS rules with the candidate list that comprises the new IDS rules;
upon the supplementation, transmitting the applied ruleset to a network sensor associated with the IDS;
receiving, from the IDS, the plurality of alerts generated based on network events implicated by both the existing IDS rules and the new IDS rules in the applied ruleset;
designating a set of alerts of the plurality of alerts generated only by the new IDS rules in the applied ruleset as suppressed alerts;
upon completion of the trial window, eliminating a set of new IDS rules of the new IDS rules from the applied ruleset upon determining that the set of new IDS rules generate a subset of alerts of the set of alerts that exceed an alert threshold; and
transmitting the applied ruleset to the network sensor associated with the IDS.
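The trial-window logic of claim 1, as an added illustration (not the patent's or Rapid7's implementation): candidate rules are deployed alongside the existing ruleset, alerts raised only by the new rules during the window are held back as suppressed, and any new rule whose suppressed-alert count exceeds the threshold is dropped before the ruleset is re-sent to the sensor. Rule identifiers, timestamps and addresses are constructed sample values.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    rule_id: str  # identifier of the rule that fired
    ts: int       # event time, seconds since epoch (constructed)
    src: str      # event source address (constructed)

def curate_rules(existing, candidates, alerts, trial_start, trial_end, threshold):
    """Apply the claim's trial-window logic to one batch of IDS alerts.

    Returns (applied_ruleset, analyst_alerts, suppressed, eliminated):
      applied_ruleset - existing rules plus the candidate rules that survived
      analyst_alerts  - alerts raised by existing rules, routed as usual
      suppressed      - alerts raised only by new rules inside the trial window
      eliminated      - new rules whose suppressed-alert count exceeds threshold
    """
    existing, candidates = set(existing), set(candidates)
    new_rules = candidates - existing  # a candidate already applied is not "new"
    analyst_alerts, suppressed = [], []
    for a in alerts:
        if a.rule_id in existing:
            analyst_alerts.append(a)
        elif a.rule_id in new_rules and trial_start <= a.ts < trial_end:
            suppressed.append(a)
        # alerts from new rules outside the trial window are not counted
    counts = Counter(a.rule_id for a in suppressed)
    eliminated = {r for r in new_rules if counts[r] > threshold}
    applied = (existing | new_rules) - eliminated
    return applied, analyst_alerts, suppressed, eliminated

# Constructed sample: one existing rule, two candidate rules, a one-hour trial.
TRIAL_START, TRIAL_END = 1_700_000_000, 1_700_003_600
SAMPLE_ALERTS = [
    Alert("E-1", TRIAL_START + 10, "10.0.0.5"),
    Alert("E-1", TRIAL_START + 20, "10.0.0.9"),
    Alert("C-noisy", TRIAL_START + 30, "10.0.0.5"),
    Alert("C-noisy", TRIAL_START + 40, "10.0.0.6"),
    Alert("C-noisy", TRIAL_START + 50, "10.0.0.7"),
    Alert("C-noisy", TRIAL_START + 60, "10.0.0.8"),
    Alert("C-quiet", TRIAL_START + 70, "10.0.0.5"),
    Alert("C-noisy", TRIAL_END + 5, "10.0.0.5"),  # after the window: ignored
]

def run_sample(threshold=3):
    return curate_rules({"E-1"}, {"C-noisy", "C-quiet"}, SAMPLE_ALERTS,
                        TRIAL_START, TRIAL_END, threshold)
```

With the default threshold of 3, `C-noisy` (four in-window alerts) is eliminated and `C-quiet` is promoted into the applied ruleset; raising the threshold to 4 keeps both.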