CN103607313A - TCP (transmission control protocol) message matching method on Regular expression - Google Patents

Info

Publication number: CN103607313A (application CN201310659697.9A; granted as CN103607313B)
Authority: CN (China)
Inventor: 丁腾飞
Assignee (current and original): Shenzhen Allwins Technology Corp
Original language: Chinese (zh)
Priority and filing date: 2013-12-09
Legal status: granted, later expired for non-payment of annual fee (Google notes that legal status, priority date and assignee are assumptions, not legal conclusions)
Prior art keywords: field, message, tcp, regular expression, transmission control
Abstract

The invention provides a TCP (transmission control protocol) message matching method based on a regular expression. The method comprises the following steps: reading all regular expression rules and setting up a matching rule list; matching TCP messages field by field in the field order of the regular expression, that is, traversing the corresponding matching rule list for the current field content and removing from the list every matching rule that conflicts with the current field content; if some field has no corresponding matching rule left in the regular expression, the TCP message fails to match; if every field has a corresponding matching rule in the regular expression, the TCP message matches successfully and the message is allowed to pass. The TCP message matching method has the advantages of high efficiency and high security.

Description

TCP message matching method based on regular expression
Technical field
The present invention relates to the field of communications, and in particular to a TCP message matching method based on regular expressions.
Background
TCP/IP is short for Transmission Control Protocol/Internet Protocol, also called the network communication protocol. It is the most basic protocol of the Internet and the foundation on which the Internet is built, and consists of the IP protocol at the network layer and the TCP protocol at the transport layer. TCP/IP defines how electronic devices connect to the Internet and the standard by which data is transmitted between them. The protocol suite uses a four-layer hierarchical structure in which each layer uses the network provided by the layer below it to fulfil its own needs. In terms of the protocol layering model, TCP/IP consists of four layers: the network interface layer, the network layer, the transport layer and the application layer.
At present, conventional TCP message matching methods cannot control TCP messages at the network layer according to the various flags and fields (such as the sequence number, the acknowledgment number and so on); they simply let all TCP messages through and leave secondary analysis to the upper-layer program after the message has been received. This greatly affects the transmit/receive efficiency and the CPU resources of the system, and for devices with very high network security requirements it can have extremely serious consequences, even damaging the device or allowing it to be attacked, leading to economic loss and leakage of personal privacy.
Summary of the invention
To solve the above problems of the prior art, it is necessary to provide a TCP message filtering method with high efficiency and good security.
The technical solution provided by the present invention to solve the technical problem is:
A TCP message matching method based on regular expressions, comprising:
reading all regular expression rules and setting them up as a matching rule list;
matching the TCP message field by field, in the order of the fields of the regular expression: for the current field content, traversing the corresponding matching rule list and removing from the list every matching rule that conflicts with the current field content;
if some field has no corresponding matching rule left in the regular expression, the TCP message fails to match;
if every field has a corresponding matching rule in the regular expression, the TCP message matches successfully and the message is allowed to pass.
The regular expression comprises: the source address field of the message; the port number field used by the source address of the message; the destination address field of the message; the port number field used by the destination address of the message; the sequence number field of the message; the acknowledgment number field of the message; the flag field indicating whether the urgent pointer field of the TCP protocol is valid; the flag field indicating whether the acknowledgment field of the TCP protocol is valid; the flag field indicating whether the current message requests a PUSH operation in the TCP protocol; the field indicating whether the TCP connection needs to be reset; the synchronize sequence number field used when establishing a TCP connection; the sender-finished flag field used when releasing a TCP connection; and the window size field that the sender needs to adjust for receiving.
Further, the regular expression has the following format:
tcpmatch [src_ip:xx.xx.xx.xx][src_port:xx][dst_ip:xx.xx.xx.xx][dst_port:xx][sequence_number:xx][acknowledgment_number:xx][urg:x][ack:x][psh:x][rst:x][syn:x][fin:x][window:xx]
where tcpmatch is the start marker of the regular expression; src_ip is the source address field of the message, and xx.xx.xx.xx is the specified address; src_port is the port number field used by the source address of the message, and xx is the specified port number, in the range 1-65535; dst_ip is the destination address field of the message, and xx.xx.xx.xx is the specified IP address; dst_port is the port number field used by the destination address of the message, and xx is the specified port number, in the range 1-65535; sequence_number is the sequence number field of the message, and xx is the specified sequence number, in the range 1 to 2^32; acknowledgment_number is the acknowledgment number field of the message, and xx is the specified sequence number, in the range 1 to 2^32; urg is the flag field indicating whether the urgent pointer field of the TCP protocol is valid, and x is the state of this flag, 0 or 1; ack is the flag field indicating whether the acknowledgment field of the TCP protocol is valid, and x is the state of this field, 0 or 1; psh is the flag field indicating whether the current message requests a PUSH operation in the TCP protocol, and x is the state of this field, 0 or 1; rst is the field indicating whether the TCP connection needs to be reset, and x is the state of this field, 0 or 1; syn is the synchronize sequence number field used when establishing a TCP connection, and x is the state of this field, 0 or 1; fin is the sender-finished flag field used when releasing a TCP connection, and x is the state of this field, 0 or 1; window is the window size field that the sender needs to adjust for receiving, and xx is the window size, in the range 1-65535.
Further, each field can be associated with a plurality of matching rules, for matching messages of multiple formats.
Further, after the first TCP message matches successfully, a new matching rule list is formed and used to match the TCP messages that follow.
Compared with the prior art, the TCP message matching method of the present invention can precisely control every flag and field of the TCP protocol within the TCP matching rules, realising regular-expression-based TCP message match management: qualifying TCP messages are controlled at the network layer, messages that do not meet the rules or are unreasonable are prevented from entering the next network layer, device operating efficiency is greatly improved, CPU time is saved and device security is enhanced.
Brief description of the drawings
Fig. 1 is the workflow diagram of the TCP message matching of the present invention.
Fig. 2 is the workflow diagram of matching a TCP message with the regular expression of the present invention.
Detailed description
The regular expression format designed by the present invention is as follows:
tcpmatch [src_ip:xx.xx.xx.xx][src_port:xx][dst_ip:xx.xx.xx.xx][dst_port:xx][sequence_number:xx][acknowledgment_number:xx][urg:x][ack:x][psh:x][rst:x][syn:x][fin:x][window:xx]
where tcpmatch is the start marker of the regular expression; src_ip is the source address field of the message, and xx.xx.xx.xx is the specified address; src_port is the port number field used by the source address of the message, and xx is the specified port number, in the range 1-65535; dst_ip is the destination address field of the message, and xx.xx.xx.xx is the specified IP address; dst_port is the port number field used by the destination address of the message, and xx is the specified port number, in the range 1-65535; sequence_number is the sequence number field of the message, and xx is the specified sequence number, in the range 1 to 2^32; acknowledgment_number is the acknowledgment number field of the message, and xx is the specified sequence number, in the range 1 to 2^32; urg is the flag field indicating whether the urgent pointer field of the TCP protocol is valid, and x is the state of this flag, 0 or 1; ack is the flag field indicating whether the acknowledgment field of the TCP protocol is valid, and x is the state of this field, 0 or 1; psh is the flag field indicating whether the current message requests a PUSH operation in the TCP protocol, and x is the state of this field, 0 or 1; rst is the field indicating whether the TCP connection needs to be reset, and x is the state of this field, 0 or 1; syn is the synchronize sequence number field used when establishing a TCP connection, and x is the state of this field, 0 or 1; fin is the sender-finished flag field used when releasing a TCP connection, and x is the state of this field, 0 or 1; window is the window size field that the sender needs to adjust for receiving, and xx is the window size, in the range 1-65535.
All of the above fields are optional, but at least one field must be filled in, otherwise the expression is in error. If a field is left empty, that field allows any value. Each field can be associated with a plurality of matching rules, for matching messages of multiple formats.
As shown in Fig. 1, the TCP message matching of the present invention works as follows:
Step 1: the network device receives a message, performs basic message processing on it and proceeds to step 2;
Step 2: analyse the message and judge whether it is an IPv4 message; if it is an IPv4 message, go to step 3, otherwise skip the matching module and finish;
Step 3: judge whether it is a TCP message; if so, go to step 4, otherwise skip the matching module and finish;
Step 4: look for a matching rule file to determine whether matching rules exist; if they exist, go to step 5, otherwise do not run the TCP message matching module and finish;
Step 5: run the TCP message matching module, which matches and filters the received message according to the matching rules.
As shown in Fig. 2, the process of matching a TCP message with the regular expression in the present invention is as follows:
Step 1: read all regular expression rules and set them up as a matching rule list, then go to step 2;
Step 2: set the matching field order to src_ip, src_port, dst_ip, dst_port, sequence_number, acknowledgment_number, urg, ack, psh, rst, syn, fin, window, then go to step 3;
Step 3: read the first matching field, then go to step 4;
Step 4: read the content of the corresponding field in the TCP message according to the current matching field, then go to step 5;
Step 5: traverse the matching rule list according to the current field content and remove from the list every matching rule that conflicts with the current field content, then go to step 6;
Step 6: judge whether any matching rule remains in the matching rule list; if so, go to step 7, otherwise go to step 10;
Step 7: judge whether this is the last matching field; if so, go to step 8, otherwise go to step 11;
Step 8: judge whether any matching rule remains in the matching rule list; if so, go to step 9, otherwise go to step 10;
Step 9: the match succeeds; finish;
Step 10: the match fails; finish;
Step 11: switch to the next matching field and return to step 4.
After a successful match the TCP message is allowed through; in addition a new matching rule list is formed, so that the TCP messages that follow can be matched quickly.
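The rule format and the Fig. 1 and Fig. 2 workflows above, worked through as an added example in Python. This is not code from the patent or from Shenzhen Allwins; it is an independent reading of the text with a few assumptions: the stray "?" characters that appear in the printed format are taken to be rendering artifacts, so fields are written back to back after the tcpmatch marker; the "new matching rule list" of claim 5 is interpreted as a fast path (the rules that survived the last hit are tried first, then the full list); and value ranges are validated against what TCP actually allows on the wire (0 is a legal port, sequence number and window), where the patent text states 1-based ranges. Note that despite the name, the format is a fixed-field filter with a wildcard per field, not a regular expression in the usual sense. The addresses, ports and rule lines are constructed for the example, as are the packets, which are minimal IPv4+TCP headers with zero checksums.

```python
import re
import struct
from ipaddress import IPv4Address

# Matching order fixed by Fig. 2, step 2 of the patent.
FIELDS = ["src_ip", "src_port", "dst_ip", "dst_port", "sequence_number",
          "acknowledgment_number", "urg", "ack", "psh", "rst", "syn", "fin", "window"]

# Legal wire range per non-address field (flags default to 0..1). Assumption:
# the patent's 1-based ranges are widened to include 0, which TCP permits.
_MAX = {"src_port": 0xFFFF, "dst_port": 0xFFFF, "window": 0xFFFF,
        "sequence_number": 0xFFFFFFFF, "acknowledgment_number": 0xFFFFFFFF}

_FIELD_RE = re.compile(r"\[(\w+):([^\]]*)\]")


def parse_rule(text):
    """Parse one 'tcpmatch [field:value]...' line into {field: int}.
    An empty value is a wildcard; at least one field must be filled in."""
    text = text.strip()
    if not text.startswith("tcpmatch"):
        raise ValueError("rule must start with the tcpmatch marker")
    rule = {}
    for name, value in _FIELD_RE.findall(text[len("tcpmatch"):]):
        if name not in FIELDS:
            raise ValueError("unknown field: " + name)
        if value == "":
            continue                      # empty field allows any value
        if name.endswith("_ip"):
            rule[name] = int(IPv4Address(value))
        else:
            rule[name] = int(value)
            if not 0 <= rule[name] <= _MAX.get(name, 1):
                raise ValueError("value out of range for " + name)
    if not rule:
        raise ValueError("at least one field must be filled in")
    return rule


def parse_packet(raw):
    """Extract the 13 matchable fields from a raw IPv4+TCP header.
    Returns None when the packet is not IPv4 or not TCP (Fig. 1, steps 2-3)."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6 or len(raw) < ihl + 20:
        return None
    src_ip, dst_ip = struct.unpack("!II", raw[12:20])
    sport, dport, seq, ackn, off_flags, window = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    return {"src_ip": src_ip, "src_port": sport, "dst_ip": dst_ip, "dst_port": dport,
            "sequence_number": seq, "acknowledgment_number": ackn,
            "urg": (off_flags >> 5) & 1, "ack": (off_flags >> 4) & 1,
            "psh": (off_flags >> 3) & 1, "rst": (off_flags >> 2) & 1,
            "syn": (off_flags >> 1) & 1, "fin": off_flags & 1, "window": window}


def match(fields, rules):
    """Field-by-field elimination (Fig. 2, steps 3-11): walk the fields in order,
    drop every rule whose value conflicts with the packet, and stop as soon as
    the list is empty. Returns the surviving rules; an empty list means 'fail'."""
    survivors = list(rules)
    for name in FIELDS:
        survivors = [r for r in survivors if name not in r or r[name] == fields[name]]
        if not survivors:
            break
    return survivors


class TcpMatcher:
    """Rule list plus the narrowed list left by the last hit. Claim 5 says a new
    rule list is formed after the first successful match and used for later
    messages; treating it as a fast path with fallback to the full list is this
    example's interpretation, not something the patent spells out."""

    def __init__(self, rule_texts):
        self.rules = [parse_rule(t) for t in rule_texts]
        self.fast_path = []

    def filter(self, raw):
        fields = parse_packet(raw)
        if fields is None:
            return "skip"                 # matching module is not run for non-IPv4/TCP
        survivors = match(fields, self.fast_path) if self.fast_path else []
        if not survivors:
            survivors = match(fields, self.rules)
        if not survivors:
            return "drop"
        self.fast_path = survivors
        return "pass"


def build_packet(src_ip, sport, dst_ip, dport, seq=0, ackn=0, flags=0, window=0, proto=6):
    """Constructed test input: a minimal IPv4 header (no options, zero checksum)
    followed by a 20-byte TCP header. Flag bits: URG 0x20, ACK 0x10, PSH 0x08,
    RST 0x04, SYN 0x02, FIN 0x01."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ackn, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


# Constructed rule set (hypothetical addresses): allow SYNs to an SSH server at
# 10.0.0.5 and anything that server sends back with ACK set; everything else drops.
RULE_TEXTS = [
    "tcpmatch [dst_ip:10.0.0.5][dst_port:22][ack:0][syn:1]",
    "tcpmatch [src_ip:10.0.0.5][src_port:22][ack:1]",
]

if __name__ == "__main__":
    m = TcpMatcher(RULE_TEXTS)
    syn = build_packet("192.168.1.10", 40000, "10.0.0.5", 22, seq=1000, flags=0x02, window=65535)
    rst = build_packet("192.168.1.10", 40000, "10.0.0.5", 22, seq=1000, flags=0x04)
    udp = build_packet("192.168.1.10", 40000, "10.0.0.5", 22, proto=17)
    for label, pkt in (("syn", syn), ("rst", rst), ("udp", udp)):
        print(label, m.filter(pkt))
```

Two properties worth checking when implementing this: the elimination is monotone, so trying the narrowed fast-path list first can only save work, never change a pass/drop decision, because a rule that survives every field against the narrowed list survives against the full list too; and because a packet passes as soon as any rule survives, the rule set is an allowlist in which an over-broad rule (for example one that sets only [ack:1]) silently admits everything the tighter rules were meant to exclude.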
Compared with the prior art, the TCP message matching method of the present invention can precisely control every flag and field of the TCP protocol within the TCP matching rules, realising regular-expression-based TCP message match management: qualifying TCP messages are controlled at the network layer, messages that do not meet the rules or are unreasonable are prevented from entering the next network layer, device operating efficiency is greatly improved, CPU time is saved and device security is enhanced.
The above is a further detailed description of the present invention in conjunction with specific preferred embodiments, and it cannot be asserted that the specific implementation of the present invention is limited to these descriptions. A person of ordinary skill in the technical field of the present invention may also make some simple deductions or substitutions without departing from the inventive concept, and all of these should be regarded as falling within the scope of protection of the present invention.

Claims (5)

1. A TCP message matching method based on regular expressions, characterised in that it comprises:
reading all regular expression rules and setting them up as a matching rule list;
matching the TCP message field by field, in the order of the fields of the regular expression: for the current field content, traversing the corresponding matching rule list and removing from the list every matching rule that conflicts with the current field content;
if some field has no corresponding matching rule left in the regular expression, the TCP message fails to match;
if every field has a corresponding matching rule in the regular expression, the TCP message matches successfully and the message is allowed to pass.
2. The TCP message matching method based on regular expressions according to claim 1, characterised in that the regular expression comprises: the source address field of the message; the port number field used by the source address of the message; the destination address field of the message; the port number field used by the destination address of the message; the sequence number field of the message; the acknowledgment number field of the message; the flag field indicating whether the urgent pointer field of the TCP protocol is valid; the flag field indicating whether the acknowledgment field of the TCP protocol is valid; the flag field indicating whether the current message requests a PUSH operation in the TCP protocol; the field indicating whether the TCP connection needs to be reset; the synchronize sequence number field used when establishing a TCP connection; the sender-finished flag field used when releasing a TCP connection; and the window size field that the sender needs to adjust for receiving.
3. The TCP message matching method based on regular expressions according to claim 2, characterised in that the regular expression has the following format:
tcpmatch [src_ip:xx.xx.xx.xx][src_port:xx][dst_ip:xx.xx.xx.xx][dst_port:xx][sequence_number:xx][acknowledgment_number:xx][urg:x][ack:x][psh:x][rst:x][syn:x][fin:x][window:xx]
where tcpmatch is the start marker of the regular expression; src_ip is the source address field of the message, and xx.xx.xx.xx is the specified address; src_port is the port number field used by the source address of the message, and xx is the specified port number, in the range 1-65535; dst_ip is the destination address field of the message, and xx.xx.xx.xx is the specified IP address; dst_port is the port number field used by the destination address of the message, and xx is the specified port number, in the range 1-65535; sequence_number is the sequence number field of the message, and xx is the specified sequence number, in the range 1 to 2^32; acknowledgment_number is the acknowledgment number field of the message, and xx is the specified sequence number, in the range 1 to 2^32; urg is the flag field indicating whether the urgent pointer field of the TCP protocol is valid, and x is the state of this flag, 0 or 1; ack is the flag field indicating whether the acknowledgment field of the TCP protocol is valid, and x is the state of this field, 0 or 1; psh is the flag field indicating whether the current message requests a PUSH operation in the TCP protocol, and x is the state of this field, 0 or 1; rst is the field indicating whether the TCP connection needs to be reset, and x is the state of this field, 0 or 1; syn is the synchronize sequence number field used when establishing a TCP connection, and x is the state of this field, 0 or 1; fin is the sender-finished flag field used when releasing a TCP connection, and x is the state of this field, 0 or 1; window is the window size field that the sender needs to adjust for receiving, and xx is the window size, in the range 1-65535.
4. The TCP message matching method based on regular expressions according to claim 2, characterised in that each field can be associated with a plurality of matching rules, for matching messages of multiple formats.
5. The TCP message matching method based on regular expressions according to claim 1, characterised in that after the first TCP message matches successfully, a new matching rule list is formed and used to match the TCP messages that follow.

Publications (2)

Application CN201310659697.9A, priority date 2013-12-09, filing date 2013-12-09, family ID 50125514, country CN:
CN103607313A (application publication), published 2014-02-26
CN103607313B (granted publication), published 2017-04-19
Legal status: Expired - Fee Related

Citations (6)

All six cited by examiner (*); none cited by a third party (†).
CN101459660A, priority 2007-12-13, published 2009-06-17, 国际商业机器公司 (IBM): Method for integrating multi-threat security service
CN101557329A, priority 2009-05-27, published 2009-10-14, 杭州迪普科技有限公司: Application layer-based data segmenting method and device thereof
WO2009128881A1, priority 2008-04-17, published 2009-10-22, Sourcefire, Inc.: Intrusion detection system (IDS) and intrusion prevention system (IPS) rule processing
CN102082762A, priority 2009-11-30, published 2011-06-01, 华为技术有限公司 (Huawei): Protocol identification method and device and system for same
CN102201948A, priority 2011-05-27, published 2011-09-28, 北方工业大学: Quick matching method for network intrusion detection system
CN102420750A, priority 2011-11-28, published 2012-04-18, 曙光信息产业(北京)有限公司: Single packet regular matching device and method thereof



Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
GR01: Patent grant (granted publication date 2017-04-19)
CF01: Termination of patent right due to non-payment of annual fee (termination date 2020-12-09)