CPC H04L 63/0236 (2013.01) [H04L 63/1425 (2013.01); H04L 63/1458 (2013.01)]. 24 Claims.
1. A packet-filtering device comprising:
one or more processors; and
memory storing instructions that, when executed by the one or more processors, cause the packet-filtering device to perform:
receiving a plurality of packet-filtering rules configured to cause the packet-filtering device to identify packets corresponding to at least one of a plurality of threat indicators, wherein the plurality of packet-filtering rules was generated based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators, and wherein the plurality of threat indicators comprises a plurality of network addresses;
receiving a first plurality of packets in a first plurality of flows;
based on determining that the first plurality of packets each match at least one of the plurality of packet-filtering rules, determining first flow log data for at least some of the first plurality of flows;
sending the first flow log data;
determining an incident associated with at least some of the first plurality of flows;
receiving a second plurality of packets in a second plurality of flows;
based on determining that the second plurality of packets each match at least one of the plurality of packet-filtering rules and that the second plurality of flows is associated with the incident, determining incident log data associated with at least some of the second plurality of flows;
determining connection information indicating a quantity of one or more transmission control protocol (TCP) connections that were made via at least one of the second plurality of flows during the incident and which one or more Internet Protocol (IP) addresses and ports allowed the one or more TCP connections; and
sending:
the incident log data in lieu of second flow log data for at least some of the second plurality of flows; and
the connection information.
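The following is an added illustrative model of the logging behaviour claim 1 describes; it is constructed for this page and is not code from the patent or its assignee. It assumes a simple representation: CTI reports as a mapping from provider to indicator CIDRs, packets as 5-tuples with TCP flags, an incident opened once a threshold of matched flows toward one indicator is reached (the claim does not fix how an incident is determined), and a TCP connection counted as "allowed" when a SYN-ACK is observed from the listening endpoint. All names, thresholds and addresses are constructed assumptions.

```python
"""Constructed model of the claimed logging behaviour: per-flow logs until an
incident is declared, then one incident log (plus TCP connection information)
in place of per-flow logs for flows tied to that incident."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    flags: str = ""          # TCP flags as a string, e.g. "S", "SA", "A"


@dataclass(frozen=True)
class Rule:
    indicator: object        # ip_network derived from a CTI report indicator
    provider: str


def build_rules(reports):
    """Derive packet-filtering rules from CTI reports (provider -> indicator CIDRs)."""
    return [Rule(ip_network(ind), prov) for prov, inds in reports.items() for ind in inds]


def matching_rule(pkt, rules):
    """Return the first rule whose indicator covers either endpoint, else None."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for r in rules:
        if src in r.indicator or dst in r.indicator:
            return r
    return None


def flow_key(pkt):
    """Bidirectional 5-tuple so both directions of a flow share one key."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (pkt.proto,) + tuple(sorted([a, b]))


class PacketFilter:
    def __init__(self, rules, incident_threshold=3):
        self.rules = rules
        self.threshold = incident_threshold   # matched flows per indicator that open an incident (assumption)
        self.incidents = {}                   # indicator -> incident id
        self.flow_counts = defaultdict(int)   # indicator -> matched flows seen so far

    def process(self, packets):
        """Handle one batch of packets; return the records that would be sent upstream."""
        flows = {}  # flow_key -> (rule, [packets])
        for p in packets:
            r = matching_rule(p, self.rules)
            if r is not None:
                flows.setdefault(flow_key(p), (r, []))[1].append(p)

        records = []
        per_incident = defaultdict(list)
        for key, (rule, pkts) in flows.items():
            inc = self.incidents.get(rule.indicator)
            if inc is None:
                # Flow log data for a matched flow not (yet) tied to an incident.
                records.append({"type": "flow", "flow": key,
                                "indicator": str(rule.indicator), "packets": len(pkts)})
            else:
                per_incident[inc].append(pkts)
            self.flow_counts[rule.indicator] += 1

        # Incident determination: enough matched flows toward one indicator opens an incident.
        for ind, n in self.flow_counts.items():
            if n >= self.threshold and ind not in self.incidents:
                self.incidents[ind] = f"INC-{len(self.incidents) + 1}"

        # Incident log in lieu of per-flow logs, plus TCP connection information.
        for inc, flow_pkts in per_incident.items():
            accepted = [p for pkts in flow_pkts for p in pkts
                        if p.proto == "tcp" and p.flags == "SA"]   # SYN-ACK: listener accepted
            records.append({"type": "incident", "incident": inc,
                            "flows": len(flow_pkts),
                            "packets": sum(len(x) for x in flow_pkts),
                            "tcp_connections": len(accepted),
                            "allowed_by": sorted({(p.src, p.sport) for p in accepted})})
        return records


# Constructed sample input (documentation-range addresses, not from the page).
REPORTS = {"provider-A": ["203.0.113.0/24"]}
BATCH_1 = [Packet(f"10.0.0.{i}", "203.0.113.5", 40000 + i, 443, "tcp", "S") for i in (1, 2, 3)]
BATCH_2 = [
    Packet("10.0.0.4", "203.0.113.5", 40004, 443, "tcp", "S"),
    Packet("203.0.113.5", "10.0.0.4", 443, 40004, "tcp", "SA"),   # connection allowed by 203.0.113.5:443
    Packet("10.0.0.5", "203.0.113.9", 40005, 80, "tcp", "S"),      # same indicator, never accepted
    Packet("10.0.0.6", "198.51.100.7", 40006, 53, "udp"),          # matches no rule, not logged
]


def run_demo():
    """First batch yields per-flow logs and opens an incident; second yields one incident log."""
    pf = PacketFilter(build_rules(REPORTS))
    return pf.process(BATCH_1), pf.process(BATCH_2)


if __name__ == "__main__":
    for batch in run_demo():
        for rec in batch:
            print(rec)
```

The first batch produces three flow-log records and, because three matched flows hit the same indicator, opens an incident; the second batch produces a single incident record covering two flows, with one TCP connection counted and the accepting endpoint listed, rather than two separate flow logs. The packet that matches no rule generates nothing, as in the claim, where logging is conditioned on a rule match.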