CN108268774B - Method and device for judging attack request - Google Patents


Info

Publication number
CN108268774B
Authority
CN
China
Prior art keywords
request
file
attack
security detection
detection program
Legal status
Active
Application number
CN201710005255.0A
Other languages
Chinese (zh)
Other versions
CN108268774A (en)
Inventor
庞申杰
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection

Abstract

The application provides a method and a device for judging an attack request. The method runs on a server and comprises: receiving requests for the various files of a website and redirecting each request, whatever file it points to, to a script-based security detection program; and analyzing the parameters of the request in the security detection program and judging, from the analysis result, whether the request is an attack request. The scheme solves the prior-art problem that attack requests for backdoor files cannot be effectively identified: every received request is identified automatically, a request judged to be an attack is intercepted, and no file code has to be modified, so attack requests cannot harm the website.

Description

Method and device for judging attack request
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for determining an attack request.
Background
In the prior art, a WAF (Web Application Firewall) protects a web application by inspecting the HTTP (Hypertext Transfer Protocol) requests and responses that flow through it and intercepting those that match known attack-signature rules.
A script-based WAF is written in the same scripting language as the web application it protects, for example PHP (Hypertext Preprocessor) or ASP (Active Server Pages). The WAF script file is referenced from a global file that most of the application's other files include, so the WAF code is injected into the protected application and can filter and intercept attack requests. A backdoor file planted by an attacker, however, does not include the global file, so a WAF built this way never sees a request for the backdoor file and can neither identify nor intercept it.
Disclosure of Invention
The application provides a method and a device for judging an attack request, which solve, among other problems, the prior-art problem that a backdoor file cannot be effectively identified and requests for it cannot be intercepted.
According to a first aspect of the embodiments of the present application, there is provided a method for determining an attack request, applied to a server, including:
receiving requests for the various files of a website, and redirecting the requests for those files to a script-based security detection program;
and analyzing the parameters of the request in the security detection program, and judging from the analysis result whether the request is an attack request.
According to a second aspect of embodiments of the present application, there is provided a server, including:
a global request capturing module and a script-based security detection program, wherein the global request capturing module captures requests for the various files of a website and redirects the requests for those files to the script-based security detection program; when the server runs in FastCGI mode, the module scans for a first configuration file in the directory of the file the request targets, loads the configuration items of the first configuration file, obtains the specified script file from the path given by the configuration item, and introduces the specified script file at the head of the target file the request asks for; when the server runs in non-FastCGI mode, the module redirects the request to the specified script file;
and an attack judgment module, which analyzes the parameters of the request in the security detection program, compares them with preset parameters, and judges from the comparison result whether the request is an attack request.
According to a third aspect of the embodiments of the present application, there is provided an attack request determining apparatus, applied to a server, including:
a redirection unit, which receives requests for the various files of the website and redirects the requests for those files to the script-based security detection program;
and a judging unit, which analyzes the parameters of the request in the security detection program and judges from the analysis result whether the request is an attack request.
According to a fourth aspect of the embodiments of the present application, there is provided a device for determining an attack request, where the device is a server, and the device includes: a processor; a memory for storing the processor-executable instructions; wherein the processor is configured to:
receiving requests for the various files of a website, and redirecting the requests for those files to a script-based security detection program;
and analyzing the parameters of the request in the security detection program, and judging from the analysis result whether the request is an attack request.
According to a fifth aspect of the present invention, there is provided a computer storage medium storing program instructions which, when executed, perform:
receiving requests for the various files of a website, and redirecting the requests for those files to a script-based security detection program;
and analyzing the parameters of the request in the security detection program, and judging from the analysis result whether the request is an attack request.
As the above technical solutions show, in the embodiments of this application a specified script file is introduced at the head of the target file requested by a received request when the server runs in FastCGI mode, and the request is redirected to the specified script file through the redirection feature of a configuration file when the server runs in non-FastCGI mode. Every received request, including a request for a backdoor file, is thus identified automatically; no file code is modified, so the scheme is non-invasive, and attack requests cannot harm the website. The scheme can also be deployed and take effect with low privileges, so it is lightweight.
Drawings
FIG. 1 is a schematic view of a scenario of a determination method for an attack request according to the present application;
FIG. 2 is a flow chart of an embodiment of a method for determining an attack request according to the present application;
FIG. 3 is a flow chart of an embodiment of a method for determining an attack request according to the present application;
FIG. 4 is a block diagram of one embodiment of a server of the present application;
FIG. 5 is a hardware structure diagram of the device in which the attack request determination apparatus of the present application is located;
FIG. 6 is a block diagram of an embodiment of a determination device for an attack request according to the present application.
Detailed Description
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at", "when" or "in response to a determination", depending on the context.
In the prior art, a script-based application firewall must first locate a global file that most other files reference, and the WAF code is then written into that global file so it can check whether a received request is a malicious attack request. One drawback is that the global file has to be edited by hand, which can introduce editing errors or even render the global file unusable. Another drawback is that an isolated file that does not reference the global file has to be edited as well, which adds manual work, and an isolated file left unedited cannot be identified at all. Worse, a backdoor file uploaded by an attacker does not reference the global file and can be neither identified nor edited, so the server cannot capture requests sent to the isolated file or the backdoor file and cannot judge or intercept them.
The embodiments of this application provide a method and a device for judging an attack request. When the server runs in FastCGI mode (FastCGI is the persistent-process variant of CGI, the Common Gateway Interface; the translated text expands the abbreviation as plain CGI), a designated WAF script file is introduced into the path of each received first request, so the first request can be identified and intercepted automatically; when the server runs in non-FastCGI mode, each received second request is redirected to the designated WAF script file for identification and interception through the redirection feature of a configuration file. No file code has to be modified, every received second request is identified, and all script files are protected. The embodiments can be applied to a server, which may be one physical or logical server, or two or more physical or logical servers that share different responsibilities and cooperate to implement the server's functions. The embodiments do not limit the type of server or the type and protocol of the communication network between servers.
FIG. 1 is a scene diagram of the attack request judging method according to an embodiment of this application. It includes a first server, for example a web server, which parses the HTTP protocol and processes received requests. The requests are sent by users through a second server (for example, the host running a browser) and target different files of the website; there may be many second servers, of which only three are drawn in FIG. 1. A request received by the web server at its script entry point comes from a second server; the web server judges and processes it with the WAF script program, and if the request is judged to be a malicious attack, the request is handled as an attack and is not passed on to the target file it asks for, so the target file is not attacked. Specifically, when the web server runs in FastCGI mode and the request is judged to be an attack request, the configured handling (interception, ignoring, and so on) is performed; if the request is judged not to be an attack request, the web server continues to execute the request in its target file. When the web server runs in non-FastCGI mode, the same handling is performed for an attack request, and a request judged not to be an attack continues to be executed in the target file it is passed to.
Fig. 2 shows a flow of a method for determining an attack request applied to a first server, which includes the following steps:
Step 201: the server receives first requests for the various files of the website and redirects the requests for those files to the script-based security detection program.
In this embodiment, the first server must judge whether each request from a second server is a malicious attack request, so as to keep the network secure. A request may be submitted by GET, POST or another method, for example an HTTP request. "Receiving" a request here also means capturing every request directed at any file.
In this embodiment the server can run in FastCGI mode (the first mode) or non-FastCGI mode (the second mode). Because the first configuration file takes effect only when the server runs in FastCGI mode and the second configuration file only when it runs in non-FastCGI mode, the application discusses separately how received requests are identified in each mode. The embodiment of FIG. 2 mainly illustrates how a received first request is identified in the first mode.
In step 201, when running in FastCGI mode, a specified script file is introduced at the head of the target file the first request asks for.
Specifically, step 201 may be implemented by:
First, the server scans for a first configuration file in the directory of the target file the first request asks for.
Then, having found the first configuration file, the server loads its configuration items and obtains the specified WAF script file from the path given by the configuration item.
Finally, the server imports the specified WAF script file named in the configuration item at the head of the target file the received first request asks for.
Web scripting languages such as PHP and ASP support dynamic inclusion of another script file, that is, the code of the other file is copied to the current position and run there. PHP has a dynamically loadable per-directory configuration file, .user.ini, which is the first configuration file referred to above. When the server runs in FastCGI mode, it scans the directory of the script being executed, that is, the directory of the target file the received first request asks for (the current directory), finds the .user.ini file there and loads its configuration items. The relevant item is auto_prepend_file, whose value is the path of a file that is automatically included at the head of every script (the translated text names auto_append_file, which in PHP is the counterpart that runs after the script; the behaviour described, inclusion before the target runs, is that of auto_prepend_file). Every script file in the current directory therefore automatically includes the file named in auto_prepend_file before the server parses it; in other words, the specified file is written into the path of the first request. The specified file may be a WAF script file, which serves as the security detection program of this application and in which filtering and interception of all requests can be implemented.
Because the configuration item introduces the specified file at the head of the script, in this embodiment the specified WAF script file is introduced at the head of the target file the received first request asks for; the first request therefore enters the WAF script program, and the WAF script file is executed to judge whether the request is an attack request.
Step 202: analyze the parameters of the first request in the security detection program and judge, from the analysis result, whether the first request is an attack request.
In step 202 the server extracts the parameters of the first request in the specified WAF script file.
The server parses, in the specified WAF script file, the URL of the file the first request is directed at and extracts its parameters, which may include: the requested file name, the source IP address, the submitted data (GET, POST and COOKIE data), the HTTP request header, and so on.
The server then compares the extracted parameters with preset parameters.
The preset parameters can also be understood as preset rules. Examples: the file name the first request asks for is aux.asp, shell.asp or shell.php; the source IP address is a preset address, for instance one on an IP blacklist the user has configured; the GET, POST or COOKIE data carries an SQL (Structured Query Language) injection payload; or the HTTP request is submitted with the PUT or HEAD method and so hits a request-header rule. From such comparisons it can be judged whether the first request is a malicious attack request. Malicious attack requests include those exploiting SQL injection, file upload, file inclusion and XSS (Cross-Site Scripting) vulnerabilities. From statistics over the different vulnerability types, the corresponding request characteristics can be collected and turned into rules, which are preset in the server so it can identify first requests. When the comparison result shows that at least two parameters match the preset parameters, the first request is judged to be an attack request.
Because every first request is initiated against a file, every first request is passed into the file it asks for, and a malicious attack request aimed at a backdoor file is passed into the backdoor file and runs it. A backdoor file sitting on disk is static and has no effect by itself; only when it is triggered by a malicious attack request does it run and produce its effect, such as collecting the information the attacker wants. In this embodiment the malicious attack request receives the configured handling, for example it is intercepted, ignored or its attack path is traced, so it is never passed into the backdoor file; the backdoor file does not run and no attack effect is produced.
In this embodiment a request judged to be a malicious attack is intercepted: the first request is prevented from executing the original program, an attack alert is output to signal that an attack is in progress, and the details of the attack are recorded.
After step 202, if the first request is judged not to be an attack request, the first request continues to be executed in the target file (FastCGI mode).
When the WAF script program is invoked through .user.ini, the WAF code is in effect introduced at the current position, that is, at the head of the target file, and executed there; once the specified WAF script file has finished, the rest of the target file's code runs automatically.
According to the attack request judging method of this embodiment, when the server runs in FastCGI mode the auto_prepend_file configuration item of the .user.ini file (written as auto_allowed_file in the translated text) introduces the designated WAF script file at the head of the target file the first request asks for, so the firewall code runs before the first request reaches the original code, and a request judged to be a malicious attack is filtered and intercepted before it enters the subsequent program; the attack is thereby avoided. Compared with the prior art, the method can inspect any request and handle an attack request because the designated WAF script file is introduced at the head of the target file: even when the target file is an isolated file or a backdoor file, the WAF script is introduced at the head of that file, so no request for an isolated file or a backdoor file is missed and network security is effectively guaranteed. Furthermore, whereas a prior-art application firewall has to be installed with administrator privileges, is complex to deploy and inflexible, the method of this application only needs write permission on the web directory, so it is easy to deploy, takes effect with low privileges and is lightweight; it is also non-intrusive, since the original code is not modified and the web server need not be restarted.
In one embodiment the server receives a first request and passes it to the target file index.php the request asks for. When index.php is about to execute, the server finds the .user.ini configuration file in the current directory and, by loading its configuration item, automatically introduces the code of the designated WAF script file at the head of index.php, then executes that code first. The designated WAF script file finds that the username parameter of the first request contains an attack feature (a preset parameter); the rule is hit, the first request is judged to be an attack request, execution of the original code of index.php is stopped and an interception message is returned to the visitor. If the designated WAF script file checks the parameters of the first request and finds no preset parameter, the original code of the target file index.php starts to execute.
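A minimal detector of the kind the FIG. 2 embodiment describes, as an added example (it is not the patent's own code). Assumptions of the example: the web root is /var/www/html, the detector is saved there as waf.php, and it is wired in for FastCGI mode with a .user.ini in that directory containing the single line `auto_prepend_file = /var/www/html/waf.php`. The blocked file names are the ones the text lists; the blacklisted address, the SQL-injection patterns and the hypothetical WAF_TARGET variable (set by an .htaccess rewrite in non-FastCGI mode, the case the FIG. 3 embodiment covers) are constructed for illustration.

```php
<?php
// waf.php: script-based security detection program run before the target file.
// Added example, not the patent's code. Assumes the web root is the directory
// this file lives in (/var/www/html) and that non-FastCGI deployments reach it
// through a rewrite that records the original script path in WAF_TARGET.
declare(strict_types=1);

// Preset parameters (rules). File names are the text's; the rest is constructed.
const WAF_BLOCKED_FILENAMES = ['aux.asp', 'shell.asp', 'shell.php'];
const WAF_IP_BLACKLIST      = ['203.0.113.7'];
const WAF_BLOCKED_METHODS   = ['PUT', 'HEAD'];
const WAF_SQLI_PATTERNS     = [
    '/\bunion\b[\s\/\*]+(all[\s\/\*]+)?select\b/i',                 // UNION SELECT
    '/[\'"]\s*(or|and)\s+[\'"]?\w+[\'"]?\s*=\s*[\'"]?\w+/i',        // ' or 1=1
    '/\b(sleep|benchmark|load_file|updatexml|extractvalue)\s*\(/i', // time/error based
    '/(\s|;)--(\s|$)|\/\*!?\d*/',                                   // comment tricks
];

/** Path of the file the visitor actually asked for when we were reached by rewrite. */
function waf_target(array $server): ?string
{
    // Apache exposes a rewrite-set variable as REDIRECT_<name> once the
    // rewrite has caused an internal redirect, so check both spellings.
    return $server['WAF_TARGET'] ?? $server['REDIRECT_WAF_TARGET'] ?? null;
}

/**
 * Compare the request's parameters with the preset rules and return the
 * names of every rule that was hit. An empty array means "not an attack".
 */
function waf_check(array $server, array $get, array $post, array $cookie): array
{
    $hits   = [];
    $target = waf_target($server) ?? ($server['SCRIPT_FILENAME'] ?? '');

    if (in_array(strtolower(basename($target)), WAF_BLOCKED_FILENAMES, true)) {
        $hits[] = 'filename';
    }
    if (in_array($server['REMOTE_ADDR'] ?? '', WAF_IP_BLACKLIST, true)) {
        $hits[] = 'source-ip';
    }
    if (in_array(strtoupper($server['REQUEST_METHOD'] ?? 'GET'), WAF_BLOCKED_METHODS, true)) {
        $hits[] = 'method';
    }
    // Walk GET, POST and COOKIE recursively so nested values (a[b][]=x) are not missed.
    $walk = function ($value) use (&$walk, &$hits): void {
        if (is_array($value)) {
            foreach ($value as $v) {
                $walk($v);
            }
            return;
        }
        $decoded = urldecode((string) $value);   // catch double-encoded payloads
        foreach (WAF_SQLI_PATTERNS as $re) {
            if (preg_match($re, $decoded) === 1) {
                $hits[] = 'sqli';
                return;
            }
        }
    };
    $walk([$get, $post, $cookie]);
    return array_values(array_unique($hits));
}

/** Intercept: record the attack, answer 403 and stop before the target runs. */
function waf_block(array $hits): void
{
    error_log(sprintf('[waf] blocked %s %s from %s: %s',
        $_SERVER['REQUEST_METHOD'] ?? '-', $_SERVER['REQUEST_URI'] ?? '-',
        $_SERVER['REMOTE_ADDR'] ?? '-', implode(',', $hits)));
    http_response_code(403);
    header('Content-Type: text/plain');
    echo "Request blocked by WAF\n";
    exit;
}

$hits = waf_check($_SERVER, $_GET, $_POST, $_COOKIE);
if ($hits !== []) {
    waf_block($hits);
}

// Non-FastCGI mode: we were reached by a rewrite, so hand control back to the
// requested file. Confine the include to the web root so the detector cannot
// itself be abused as a file-inclusion gadget.
$target = waf_target($_SERVER);
if ($target !== null) {
    $root = realpath(__DIR__);
    $path = realpath($root . DIRECTORY_SEPARATOR . ltrim($target, '/\\'));
    if ($path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        waf_block(['bad-target']);
    }
    chdir(dirname($path));   // keep the target's relative includes working
    require $path;
}
// FastCGI mode (auto_prepend_file): nothing to do, PHP runs the target next.
```

Two caveats of the .user.ini route that the example depends on: PHP re-reads .user.ini only every user_ini.cache_ttl seconds (300 by default), so a freshly written file takes up to five minutes to take effect, and the file is honoured only by the CGI/FastCGI SAPIs (PHP-FPM included), which is exactly the mode split the text draws. PHP also looks for .user.ini in every directory from the script's directory up to the document root, so one file in the web root covers the whole tree, including a directory created later for an uploaded webshell. That per-directory mechanism cuts the other way too: whoever can write a webshell into a directory can usually write a .user.ini beside it, so the file deserves the same integrity monitoring as the rest of the web root.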
Another embodiment of the method for determining an attack request applied to a first server is shown in fig. 3, and includes the following steps:
Step 301: the server receives second requests for the various files and redirects the second requests for those files to the script-based security detection program.
In this embodiment, the first server must judge whether each request from a second server is a malicious attack request, so as to keep the network secure. A request may be submitted by GET, POST or another method, for example an HTTP request. "Receiving" a request here also means capturing every request directed at any file.
Step 302: when running in non-FastCGI mode, analyze the parameters of the second request in the security detection program and judge, from the analysis result, whether the second request is an attack request.
In this embodiment, when the server runs in non-FastCGI mode, it scans for the second configuration file in the root directory.
Apache reads a configuration file named .htaccess placed in the web root directory; this is the second configuration file. It can rewrite the URLs of all kinds of requests, that is, redirect a specified request to another script file. Using this feature the server can redirect the second requests for every executable script to the specified WAF script file (the same specified WAF script file as in the embodiment of FIG. 2) for processing, so as to judge whether the second request is a malicious attack request.
The server then obtains the configuration information of the second configuration file and, according to it, redirects the second request to the specified WAF script file.
In this embodiment a second request sent to a dynamic file, that is, a second request carrying user-supplied parameters, is redirected to the WAF script program; the data of the second request includes the requested file name and the request parameters.
The configuration information of the .htaccess file supports many operations, including passing a request through unchanged, redirecting, modifying and forwarding it; this embodiment uses only the redirection function.
When the second request is judged not to be an attack request, the web request is sent on to the target file it asks for and execution continues there.
In this embodiment, when the .htaccess configuration file is used to redirect the second request, the second request is redirected to the WAF script; so when the received second request is judged not to be an attack request, the second request must be handed back to the target file it was originally sent to once the WAF script has finished, and the original application continues to execute its subsequent code.
According to the attack request judging method of this embodiment, when the server runs in non-FastCGI mode the redirection function of the .htaccess configuration information redirects the second request to the specified WAF script file, so the firewall code runs before the second request reaches the original code, and a second request judged to be a malicious attack is filtered and intercepted before it enters the subsequent program; the attack is thereby avoided. Compared with the prior art, the method can inspect any second request and handle an attack request: even when the target file the second request asks for is an isolated file or a backdoor file, the request is redirected to the specified script file for processing, so second requests are detected and identified accurately and completely, no second request for a backdoor file is missed, and network security is effectively guaranteed. Furthermore, whereas a prior-art application firewall has to be installed with administrator privileges, is complex to deploy and inflexible, the method of this application can be deployed and take effect with low privileges and is lightweight; it is also non-intrusive, since the original code is not modified and the web server need not be restarted.
In one embodiment, when the server receives the second request, the request and its parameters are redirected to the specified WAF script file, for example waf.php, whose code is executed to judge whether the parameters of the second request contain a preset parameter. When the specified WAF script file identifies that the username parameter contains an attack feature, the second request has hit a rule; the server abandons the step of redirecting the second request back to the target file index.php it asked for and returns an interception message to the requester. If the specified WAF script file checks the parameters of the second request and finds no attack feature, the second request is redirected back to the target file index.php and its original code starts to execute.
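The rewrite described in the FIG. 3 embodiment, written out as an added example (not the patent's own configuration): an .htaccess in the web root that routes every request for a PHP script, including one for a file uploaded after the rule was written, through a hypothetical detector waf.php. The original script path is passed in an environment variable named WAF_TARGET, which is an assumption of this example; the detector is expected to include that file after its checks pass and to stop the request otherwise.

```apache
# .htaccess in the web root (mod_rewrite must be enabled and AllowOverride
# must permit FileInfo). Added example; the variable name is an assumption.
RewriteEngine On
RewriteBase /

# Never rewrite the detector itself, otherwise the rule would loop.
RewriteCond %{REQUEST_URI} !^/waf\.php$
# Only route requests that resolve to an existing file; anything else falls
# through to Apache's normal handling (404 and so on).
RewriteCond %{REQUEST_FILENAME} -f
# Internal rewrite (no [R] flag): the client sees no redirect, the POST body
# and query string are preserved, and the original script path is recorded
# for the detector in WAF_TARGET.
RewriteRule ^(.*\.php)$ /waf.php [E=WAF_TARGET:$1,L]
```

Because the rewrite in per-directory context causes an internal redirect, Apache hands the variable to PHP as REDIRECT_WAF_TARGET rather than WAF_TARGET, so the detector has to accept both spellings. The detector must also confine the file it hands back to under the web root, since the path it receives is attacker-influenced. Under mod_php the same pre-execution hook is available without any rewrite by putting `php_value auto_prepend_file /var/www/html/waf.php` in the .htaccess (AllowOverride Options or All is needed); the rewrite is what the text describes, and it has the advantage of working for non-PHP scripts as well once the pattern is widened.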
Referring to fig. 4, which is a schematic block diagram of a server according to an embodiment of the present application, fig. 4 includes: a global request capture module 11, an attack decision module 12, and an execution module 13.
The global request capture module 11 is configured to capture requests for different files in a website, and redirect the requests directed to the different files to a script-based security detection program.
Specifically, when the server runs in FastCGI mode, the global request capture module 11 scans for the first configuration file in the directory of the file the request targets, loads the configuration items of the first configuration file, obtains the specified script file from the path given by the configuration item, and introduces the specified script file at the head of the target file the request asks for. When the server runs in non-FastCGI mode, the module redirects the request to the specified script file.
The attack determination module 12 analyzes the parameters of the request in the security detection program, compares them with preset parameters, and judges from the comparison result whether the request is an attack request.
In an embodiment the server may further include an execution module 13, which applies the configured handling to the request when the attack determination module 12 judges it to be an attack request; the configured handling is one or more of interception, tracing of the attack path, and ignoring.
Corresponding to the embodiment of the determination method of the attack request, the application also provides embodiments of a determination device and equipment of the attack request.
The embodiment of the determination device for the attack request can be applied to the server. The device embodiments may be implemented by software, by hardware, or by a combination of hardware and software. Taking a software implementation as an example, the device is formed, as a logical means, by the processor of the equipment in which it is located reading the corresponding computer program instructions from the nonvolatile memory into the memory and running them. From a hardware aspect, fig. 5 shows a hardware structure diagram of the equipment in which the determination apparatus 550 for an attack request is located; besides the processor 510, the memory 520, the network interface 530, and the nonvolatile memory 540 shown in fig. 5, the equipment may also include other hardware according to its actual function, which is not shown in fig. 5 one by one.
Referring to fig. 6, a block diagram of an embodiment of an apparatus for determining an attack request according to the present application, the apparatus may be applied to a server, and the apparatus includes: a redirection unit 610 and a decision unit 620.
The redirection unit 610 is configured to receive requests for different files in a website and redirect the requests for the different files to a script-based security detection program;
the determining unit 620 is configured to analyze parameters of the request based on the security detection program and determine whether the request is an attack request based on the analysis result.
In an alternative implementation, redirection unit 610 may include (not shown in fig. 6):
a first processing subunit, used for introducing a specified script file into the head of the target file requested by the request when operating in the first mode.
In an alternative implementation, the first processing subunit may include (not shown in fig. 6):
the first scanning module is used for scanning a first configuration file under a directory where the file requested by the request is located;
the acquisition module is used for loading the configuration items in the first configuration file and acquiring the specified script files in the paths specified by the configuration items;
and the introducing module is used for introducing the specified script file into the head of the target file requested by the request.
In another alternative implementation, the apparatus may further include (not shown in fig. 6):
a first execution unit, used for continuing to execute the request in the target file requested by the request when operating in the first mode, if the request is not an attack request.
In an alternative implementation, redirection unit 610 may include (not shown in fig. 6):
a second processing subunit, used for redirecting the request to the specified script file when operating in the second mode.
In another alternative implementation, the second processing subunit includes (not shown in fig. 6):
the second scanning module is used for scanning a second configuration file under the root directory;
a redirection module for redirecting the request to a specified script file based on the configuration information of the second configuration file.
In another alternative implementation, the apparatus may further include (not shown in fig. 6):
a second execution unit, used for sending the request to the requested target file to continue executing when operating in the second mode, if the request is not an attack request.
In another alternative implementation, the determining unit 620 may include (not shown in fig. 6):
an extraction subunit, configured to extract, based on the specified script file, a parameter in the request under the security detection program;
a comparison subunit, used for comparing the extracted parameters with preset parameters;
and a judging subunit, used for judging the request to be an attack request when the comparison result shows that at least two parameters are consistent with the preset parameters.
In a further alternative implementation, the extracted parameters include: one or more of a file name of the request, a source Internet Protocol (IP) address, the submitted data, and an HTTP request header.
In another alternative implementation, the apparatus may further include (not shown in fig. 6):
a processing unit, configured to perform setting processing on the attack request when it is determined that the request is an attack request, where the setting processing includes one or more of intercepting, tracing the attack path, and ignoring.
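The extraction, comparison and judging subunits of the determining unit 620 and the processing unit described above, together with the Waf.php decision of the earlier embodiment, as an added example in Python that is not code from the patent. The Request shape, the preset rule format, the per-parameter matching rules (exact file name, network membership for the source IP, substring for submitted data and headers) and the sample requests are assumptions constructed here.

```python
# Added example, not code from the patent: the extraction / comparison /
# judging subunits and the processing unit, written in Python. The Request
# shape, the preset rule format, the per-parameter matching rules and the
# sample requests are assumptions constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    file_name: str        # target file the request is directed at
    source_ip: str        # client address seen by the server
    submitted_data: dict  # query-string / form fields
    headers: dict         # HTTP request headers


# Preset parameters the security detection program compares against; each
# preset names the extracted parameter kind it applies to. Constructed values
# (203.0.113.0/24 is a documentation range).
PRESETS = [
    {"param": "file_name", "value": "admin.php"},
    {"param": "source_ip", "value": "203.0.113.0/24"},
    {"param": "submitted_data", "value": "<script>"},
    {"param": "http_header", "value": "sqlmap"},
]


def extract_parameters(req):
    """Extraction subunit: the four parameter kinds the patent lists."""
    return {
        "file_name": req.file_name,
        "source_ip": req.source_ip,
        "submitted_data": " ".join(f"{k}={v}" for k, v in req.submitted_data.items()),
        "http_header": " ".join(f"{k}: {v}" for k, v in req.headers.items()),
    }


def consistent(param, extracted_value, preset_value):
    """One extracted parameter against one preset: exact match for the file
    name, network membership for the source IP, substring for the rest."""
    if param == "file_name":
        return extracted_value == preset_value
    if param == "source_ip":
        try:
            return ipaddress.ip_address(extracted_value) in ipaddress.ip_network(preset_value)
        except ValueError:
            return False  # unparseable address or network never matches
    return preset_value.lower() in extracted_value.lower()


def compare(extracted, presets):
    """Comparison subunit: names of the parameter kinds consistent with a preset."""
    return sorted({p["param"] for p in presets
                   if consistent(p["param"], extracted[p["param"]], p["value"])})


def judge(req, presets=PRESETS, threshold=2):
    """Judging subunit: an attack request only when at least two distinct
    parameters agree with the presets; returns (is_attack, matched kinds)."""
    hit = compare(extract_parameters(req), presets)
    return len(hit) >= threshold, hit


def process(req, setting="intercept"):
    """Processing unit: 'intercept' returns the interception message, 'trace'
    returns an attack-path record, 'ignore' passes the request on unchanged."""
    is_attack, hit = judge(req)
    if not is_attack:
        return "continue", req.file_name
    if setting == "intercept":
        return "intercept", f"request for {req.file_name} blocked ({', '.join(hit)})"
    if setting == "trace":
        return "trace", f"{req.source_ip} -> {req.file_name} via {', '.join(hit)}"
    return "ignore", req.file_name
```

A request that matches only one preset (for example a single suspicious form field) is passed on, which is the at-least-two rule of claim 6 working as a false-positive guard.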
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
As can be seen from the above embodiments, when operating in fastcgi mode the server performs its function by importing a specified script file into the head of the target file requested by the received request; when the Web server runs in non-fastcgi mode, the request is redirected to the specified script file by using the redirection feature of the configuration file. In this way all received Web requests are automatically identified, and a Web request is intercepted when it is judged to be an attack request, without modifying the file code, so that attacks on the website by attack requests are avoided.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (20)

1. A method for judging an attack request is applied to a server, and is characterized by comprising the following steps:
receiving requests for different files in a website; when operating in a fastcgi mode, introducing a script file of a security detection program into the head of the target file requested by the request; and when operating in a non-fastcgi mode, redirecting the request to the script file of the security detection program;
and analyzing parameters of the request based on the security detection program, and judging whether the request is an attack request based on an analysis result.
2. The method of claim 1, wherein introducing a script file of a security detection program into a header of a target file requested by the request comprises:
scanning a first configuration file under a directory where the file requested by the request is located;
loading the configuration items in the first configuration file, and acquiring script files of the security detection programs in the paths specified by the configuration items;
and introducing a script file of the security detection program into the head of the target file requested by the request.
3. The method of claim 1, wherein after determining whether the request is an attack request based on the analysis result, the method further comprises:
if the request is not an attack request, when operating in the fastcgi mode, continuing to execute the request in a target file requested by the request.
4. The method of claim 1, wherein redirecting the request to a script file of a security detection program comprises:
scanning a second configuration file under the root directory;
redirecting the request to a script file of a security detection program based on configuration information of the second configuration file.
5. The method of claim 1, wherein after determining whether the request is an attack request based on the analysis result, the method further comprises:
and if the request is not an attack request, transmitting the request to the requested target file for continuous execution when the request operates in the non-fastcgi mode.
6. The method according to claim 1, wherein the analyzing the parameters of the request based on the security detection program and determining whether the request is an attack request based on the analysis result comprises:
extracting parameters in the request under a security detection program based on a script file of the security detection program;
comparing the extracted parameters with preset parameters;
and when the comparison result shows that at least two parameters are consistent with the preset parameters, judging that the request is an attack request.
7. The method of claim 6, wherein the extracted parameters comprise: one or more of a file name of the request, a source Internet Protocol (IP) address, the submitted data, and a hypertext transfer protocol (http) request header.
8. The method according to any one of claims 1-7, wherein after determining whether the request is an attack request based on the analysis result, the method further comprises:
when the request is judged to be an attack request, performing setting processing on the attack request, the setting processing comprising one or more of intercepting, tracing the attack path, and ignoring.
9. A server, comprising:
a global request capturing module, used for capturing requests for different files in a website and redirecting the requests pointing to the different files to a script-based security detection program; when operating in a fastcgi mode, scanning a first configuration file under the directory where the file requested by the request is located, loading the configuration items in the first configuration file, acquiring the script file of the security detection program in the path specified by the configuration items, and introducing the script file of the security detection program into the head of the target file requested by the request; and when operating in a non-fastcgi mode, redirecting the request to the script file of the security detection program;
and an attack judgment module, used for analyzing the parameters of the request based on the security detection program, comparing the parameters of the request with preset parameters, and judging whether the request is an attack request based on the comparison result.
10. The server of claim 9, further comprising:
an execution module, configured to perform setting processing on the attack request when the attack judgment module determines that the request is an attack request, where the setting processing includes one or more of intercepting, tracing the attack path, and ignoring.
11. An interception apparatus for an attack request, applied to a server, comprising:
the redirection unit is used for receiving requests aiming at different files in the website and redirecting the requests aiming at the different files to the script-based security detection program;
a determination unit configured to analyze a parameter of the request based on the security detection program, and determine whether the request is an attack request based on an analysis result;
wherein the redirection unit comprises a first processing subunit and a second processing subunit;
the first processing subunit is configured to, when running in a fastcgi mode, introduce a script file of a security detection program into a header of the target file requested by the request;
and the second processing subunit is configured to, when running in a non-fastcgi mode, redirect the request to a script file of the security detection program.
12. The apparatus of claim 11, wherein the first processing subunit comprises:
the first scanning module is used for scanning a first configuration file under a directory where the file requested by the request is located;
the acquisition module is used for loading the configuration items in the first configuration file and acquiring script files of the security detection programs in the paths specified by the configuration items;
and the introducing module is used for introducing the script file of the security detection program into the head of the target file requested by the request.
13. The apparatus of claim 11, further comprising:
a first execution unit, configured to, if the request is not an attack request, continue executing the request in a target file requested by the request when the request operates in the fastcgi mode.
14. The apparatus of claim 11, wherein the second processing subunit comprises:
the second scanning module is used for scanning a second configuration file under the root directory;
and the redirection module is used for redirecting the request to a script file of a security detection program based on the configuration information of the second configuration file.
15. The apparatus of claim 11, further comprising:
a second execution unit, configured to, if the request is not an attack request, send the request to the requested target file for continued execution when operating in the non-fastcgi mode.
16. The apparatus according to claim 11, wherein the determination unit comprises:
an extraction subunit, configured to extract, under a security detection program, a parameter in the request based on a script file of the security detection program;
the comparison subunit is used for comparing the extracted parameters with preset parameters;
and a judging subunit, used for judging the request to be an attack request when the comparison result shows that at least two parameters are consistent with the preset parameters.
17. The apparatus of claim 16, wherein the extracted parameters comprise: one or more of a file name of the request, a source Internet Protocol (IP) address, the submitted data, and a hypertext transfer protocol (http) request header.
18. The apparatus according to any one of claims 11-17, further comprising:
a processing unit, configured to perform setting processing on the attack request when it is determined that the request is an attack request, where the setting processing includes one or more of intercepting, tracing the attack path, and ignoring.
19. An interception device for an attack request, wherein the device is a server comprising: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to:
receiving requests for different files in a website; when operating in a fastcgi mode, introducing a script file of a security detection program into the head of the target file requested by the request; and when operating in a non-fastcgi mode, redirecting the request to the script file of the security detection program;
and analyzing parameters of the request based on the security detection program, and judging whether the request is an attack request based on an analysis result.
20. A computer storage medium having program instructions stored therein, the instructions comprising:
receiving requests for different files in a website; when operating in a fastcgi mode, introducing a script file of a security detection program into the head of the target file requested by the request; and when operating in a non-fastcgi mode, redirecting the request to the script file of the security detection program;
and analyzing parameters of the request based on the security detection program, and judging whether the request is an attack request based on an analysis result.
CN201710005255.0A 2017-01-04 2017-01-04 Method and device for judging attack request Active CN108268774B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710005255.0A CN108268774B (en) 2017-01-04 2017-01-04 Method and device for judging attack request

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710005255.0A CN108268774B (en) 2017-01-04 2017-01-04 Method and device for judging attack request

Publications (2)

Publication Number Publication Date
CN108268774A CN108268774A (en) 2018-07-10
CN108268774B true CN108268774B (en) 2021-07-23

Family

ID=62770707

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710005255.0A Active CN108268774B (en) 2017-01-04 2017-01-04 Method and device for judging attack request

Country Status (1)

Country Link
CN (1) CN108268774B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111428237B (en) * 2020-03-06 2022-08-12 支付宝(杭州)信息技术有限公司 Attack risk identification method, system and device and electronic equipment
CN113329032B (en) * 2021-06-23 2023-02-03 深信服科技股份有限公司 Attack detection method, device, equipment and medium
CN113626106A (en) * 2021-08-19 2021-11-09 吉林亿联银行股份有限公司 Method and system for realizing data interception

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101789947A (en) * 2010-02-21 2010-07-28 成都市华为赛门铁克科技有限公司 Method and firewall for preventing HTTP POST flooding attacks
CN102316087A (en) * 2010-07-05 2012-01-11 潘塔安全系统公司 The detection method that network application is attacked
CN103916389A (en) * 2014-03-19 2014-07-09 汉柏科技有限公司 Method for preventing HttpFlood attack and firewall
US9443012B2 (en) * 2012-01-31 2016-09-13 Ncr Corporation Method of determining http process information


Also Published As

Publication number Publication date
CN108268774A (en) 2018-07-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant