CN113872964A - Vulnerability rule generation method and related device - Google Patents


Info

Publication number
CN113872964A
Authority
CN
China
Prior art keywords
vulnerability
rule
data packet
attack data
linked list
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111130122.9A
Other languages
Chinese (zh)
Inventor
张雪丽
范渊
刘博�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd
Priority to CN202111130122.9A
Publication of CN113872964A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a vulnerability rule generation method comprising the following steps: capturing a vulnerability attack data packet; analyzing the vulnerability attack data packet to obtain its characteristic information; matching the characteristic information with parameters in a preset rule linked list; and generating a corresponding vulnerability rule from the characteristic information that matched the parameters in the preset rule linked list. By applying the method, rule generation efficiency and accuracy can be effectively improved. The application also discloses a vulnerability rule generation apparatus, a device and a computer-readable storage medium, all of which have the same technical effects.

Description

Vulnerability rule generation method and related device
Technical Field
The application relates to the technical field of network security, in particular to a vulnerability rule generation method; it also relates to a vulnerability rule generation apparatus, a device and a computer-readable storage medium.
Background
With the rapid development of network technologies, information security vulnerabilities have become ubiquitous. Interception of vulnerability attacks relies mainly on rule packages. Because security vulnerabilities are continuously updated, the rule packets needed to intercept vulnerability attacks must also be continuously updated. However, most rule packets currently in use can only be produced manually: a security analyst captures the network traffic of the vulnerability attack as a pcap file, analyzes the packet messages and concatenates the rule by hand. This way of generating rule packets is not only time-consuming but also error-prone. How to improve rule generation efficiency and accuracy has therefore become a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a vulnerability rule generation method, which can effectively improve rule generation efficiency and accuracy. Another object of the present application is to provide a vulnerability rule generation apparatus, a device and a computer readable storage medium, all of which have the above technical effects.
In order to solve the above technical problem, the present application provides a vulnerability rule generation method, including:
capturing a vulnerability attack data packet;
analyzing the vulnerability attack data packet to obtain the characteristic information of the vulnerability attack data packet;
matching the characteristic information with parameters in a preset rule linked list;
and generating a corresponding vulnerability rule according to the characteristic information matched with the parameters in the preset rule linked list.
Optionally, the analyzing the vulnerability attack data packet to obtain the characteristic information of the vulnerability attack data packet includes:
and analyzing the vulnerability attack data packet to obtain protocol information and state information of the vulnerability attack data packet.
Optionally, the matching the feature information with the parameters in the preset rule linked list includes:
matching the characteristic information with parameters of each layer of a preset three-dimensional rule linked list; the preset three-dimensional rule linked list comprises a behavior layer, an information layer and an option layer.
Optionally, the generating a corresponding vulnerability rule according to the feature information matched with the parameter in the preset rule linked list includes:
and filling the characteristic information matched with the parameters in the preset rule linked list to the corresponding position of a preset rule template to obtain the vulnerability rule.
Optionally, before matching the feature information with parameters in a preset rule linked list, the method further includes:
and storing the characteristic information in a table structure.
In order to solve the above technical problem, the present application further provides a vulnerability rule generation apparatus, including:
the grabbing module is used for grabbing the vulnerability attack data packet;
the analysis module is used for analyzing the vulnerability attack data packet to obtain the characteristic information of the vulnerability attack data packet;
the matching module is used for matching the characteristic information with parameters in a preset rule linked list;
and the generating module is used for generating a corresponding vulnerability rule according to the characteristic information matched with the parameters in the preset rule linked list.
Optionally, the parsing module is specifically configured to parse the vulnerability attack data packet to obtain protocol information and state information of the vulnerability attack data packet.
Optionally, the matching module is specifically configured to match the feature information with parameters of each layer of a preset three-dimensional rule linked list; the preset three-dimensional rule linked list comprises a behavior layer, an information layer and an option layer.
In order to solve the above technical problem, the present application further provides a vulnerability rule generation device, including:
a memory for storing a computer program;
a processor configured to implement the steps of the vulnerability rule generation method as described in any one of the above when the computer program is executed.
In order to solve the above technical problem, the present application further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the steps of the vulnerability rule generation method are implemented as described in any one of the above.
The vulnerability rule generation method provided by the application comprises the following steps: capturing a vulnerability attack data packet; analyzing the vulnerability attack data packet to obtain the characteristic information of the vulnerability attack data packet; matching the characteristic information with parameters in a preset rule linked list; and generating a corresponding vulnerability rule according to the characteristic information matched with the parameters in the preset rule linked list.
Compared with the traditional scheme in which a security analyst manually analyzes the message and splices the rule together, the vulnerability rule generation method provided by the application generates vulnerability rules automatically: it captures the vulnerability attack data packet, analyzes it, performs feature matching and generates the vulnerability rule from the matched features. It can therefore keep pace with continuously updated vulnerability attacks, generates vulnerability rules quickly with a low error probability, and relieves security personnel of analyzing messages and splicing rules by hand.
The vulnerability rule generation apparatus, device and computer-readable storage medium provided by the application have the same technical effects.
Drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings required for the prior art and the embodiments are briefly described below. The drawings described here show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a vulnerability rule generation method according to an embodiment of the present application;
fig. 2 is a schematic diagram of a rule linked list provided in an embodiment of the present application;
fig. 3 is a schematic diagram of a vulnerability rule generation apparatus according to an embodiment of the present application;
fig. 4 is a schematic diagram of vulnerability rule generation equipment provided in an embodiment of the present application.
Detailed Description
The core of the application is to provide a vulnerability rule generation method, which can effectively improve the rule generation efficiency and accuracy. Another core of the present application is to provide a vulnerability rule generation apparatus, a device and a computer-readable storage medium, all of which have the above technical effects.
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, which is a schematic flowchart of a vulnerability rule generation method provided in an embodiment of the present application, the method mainly includes:
S101: capturing a vulnerability attack data packet;
Specifically, vulnerability attack data is produced in a vulnerability environment, and the data acquisition unit captures the resulting vulnerability attack data packets from the network and from the host. For example, the vulnerability attack packets are captured with Wireshark.
S102: analyzing the vulnerability attack data packet to obtain the characteristic information of the vulnerability attack data packet;
Specifically, once the vulnerability attack data packet has been captured, a data packet analysis function is called to parse it and obtain the characteristic information of the vulnerability attack data.
In a specific implementation manner, the analyzing the vulnerability attack data packet to obtain the characteristic information of the vulnerability attack data packet includes:
and analyzing the vulnerability attack data packet to obtain protocol information and state information of the vulnerability attack data packet.
Specifically, the protocol information of the vulnerability attack data packet is the communication protocol it uses, such as TCP or UDP. The state information of the vulnerability attack data packet may include the source address, source port, destination address, destination port, host address, request address and so on. After the vulnerability attack data packet is captured, it is parsed further to obtain its characteristic information, such as the communication protocol, source address, source port, destination address, destination port, host address and request address.
Further, after the vulnerability attack data packet is analyzed, the characteristic information of the vulnerability attack data packet obtained through analysis can be stored in a table structure.
S103: matching the characteristic information with parameters in a preset rule linked list;
Specifically, after the vulnerability attack data packet has been analyzed, the rule detection engine is started; it matches the characteristic information stored in the table structure against the parameters in the preset rule linked list one by one, and stores the characteristic information that matches those parameters.
In a specific embodiment, the matching the feature information with the parameters in the preset rule linked list includes:
matching the characteristic information with parameters of each layer of a preset three-dimensional rule linked list; the preset three-dimensional rule linked list comprises a behavior layer, an information layer and an option layer.
Specifically, referring to fig. 2, the preset three-dimensional rule linked list mainly consists of three parts: a behavior layer, an information layer and an option layer. The behavior layer comprises two attributes, the rule behavior and the rule protocol; for example, the rule behavior is alert and the rule protocol is TCP. The information layer mainly comprises the protocol, source address, source port, destination address, destination port and so on. The option layer mainly comprises the detection attribute options, which include the rule direction, the rule content and the like; in fig. 2, flow denotes the rule direction and content denotes the rule content.
The rule detection engine only checks the options of the three-dimensional rule linked list that were set by the rule resolver. When a vulnerability attack data packet reaches the rule detection engine, the engine first navigates by the behavior layer of the linked list to determine the specific protocol type. It then traverses the information layer and judges whether the source address, source port, destination address, destination port and so on of the packet match the parameters in that layer. Whenever a match is found it continues downward and looks for matching characteristic information in the option layer of each rule chain. As soon as one detection attribute matches the characteristic information obtained by analysis, the engine triggers the defined rule action and returns the matched characteristic information; if no characteristic information matches, it returns directly.
The content of each layer of the three-dimensional rule linked list can be set by the user according to the message characteristics the user cares about.
S104: and generating a corresponding vulnerability rule according to the characteristic information matched with the parameters in the preset rule linked list.
Specifically, the rule base extracts the characteristic information that matched parameters in the preset rule linked list, describes and stores the corresponding vulnerability rules, and divides them into sub-rule bases according to their classification features. The generated vulnerability rules are recorded in the rule base by the rule base platform, which is also responsible for routine maintenance of the rule base such as updating, backup and packaging.
Each vulnerability rule may be divided into two logical parts, the rule header and the rule options. The rule header may contain information such as the rule action, protocol, source and destination addresses, subnet mask, and source and destination ports; the rule options may include the alert information and the location within the packet that is to be inspected in order to decide whether the rule response action is triggered.
In a specific embodiment, the generating a corresponding vulnerability rule according to the feature information matched with the parameters in the preset rule linked list includes:
and filling the characteristic information matched with the parameters in the preset rule linked list to the corresponding position of a preset rule template to obtain the vulnerability rule.
Specifically, a rule template is preset; after the characteristic information that matches the parameters in the preset rule linked list has been obtained, it is automatically filled into the corresponding positions of the rule template, which yields the vulnerability rule.
A rule template may include the following elements: the sid number, rule name, CVE and CNNVD vulnerability numbers, session direction, threat type, hazard level, rule content, inside/outside direction, attack direction, vulnerability description, and so on.
For example, the following vulnerability rule is generated from the matched characteristic information:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; nocase; pcre:"/^MDTM\d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2416; rev:5;)
The message characteristics described by this vulnerability rule are as follows:
1. the message is a TCP packet whose destination port is 21;
2. the message contains an MDTM command;
3. the parameter in the message begins with one or more digits;
4. the string of digits is followed by a "+" or "-" character;
5. the "+" or "-" character is followed by at least one non-digit character.
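The four steps S101 to S104, the three-layer rule linked list of fig. 2 and the template filling that produces the rule above, carried through in one runnable Python example. This is an added illustration, not code from the patent or from DBAPPSecurity: the minimal IPv4/TCP parser stands in for the "data packet analysis function", $HOME_NET is assumed to be 10.0.0.0/8, the rule linked list is modelled as a nested structure whose three levels mirror the behavior, information and option layers, and the captured packet is constructed inline as test data. The option layer reuses the content and pcre of the example rule so that a constructed MDTM command is matched and the generated rule can be compared with the one shown on the page.

```python
"""Added example (not the patent's code): S101-S104 in miniature."""
import ipaddress
import re
import struct
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed value of $HOME_NET


# ---- S102: parse the captured packet into protocol + state information ----
@dataclass
class Features:
    protocol: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_packet(raw: bytes) -> Features:
    """Parse a bare IPv4 packet (no link-layer header) carrying TCP or UDP."""
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length in bytes
    proto_num = raw[9]
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    if proto_num == 6:                             # TCP: data offset in byte 12 of TCP header
        data_off = (raw[ihl + 12] >> 4) * 4
        return Features("tcp", src, sport, dst, dport, raw[ihl + data_off:])
    if proto_num == 17:                            # UDP: fixed 8-byte header
        return Features("udp", src, sport, dst, dport, raw[ihl + 8:])
    raise ValueError(f"unsupported IP protocol {proto_num}")


def build_tcp_packet(src, sport, dst, dport, payload: bytes) -> bytes:
    """Constructed test input: minimal IPv4+TCP bytes, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


# ---- S103: the three-layer rule linked list and the matching walk ----
RULE_CHAIN = [
    {"action": "alert", "protocol": "tcp",                  # behavior layer
     "info": [
         {"src": "$EXTERNAL_NET", "sport": "any",           # information layer
          "dst": "$HOME_NET", "dport": "21",
          "options": [
              {"msg": "FTP invalid MDTM command attempt",  # option layer
               "flow": "to_server,established", "content": "MDTM",
               "pcre": r"^MDTM\d+[-+]\D", "classtype": "attempted-admin",
               "sid": 2416, "rev": 5}]}]}]


def addr_matches(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return (spec == "any" or (spec == "$HOME_NET" and ip in HOME_NET)
            or (spec == "$EXTERNAL_NET" and ip not in HOME_NET) or spec == addr)


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def match_chain(f: Features):
    """Navigate by protocol, then addresses/ports, then detection options.
    Returns the matched parameters of all three layers, or None."""
    for beh in RULE_CHAIN:
        if beh["protocol"] != f.protocol:
            continue
        for info in beh["info"]:
            if not (addr_matches(info["src"], f.src) and port_matches(info["sport"], f.sport)
                    and addr_matches(info["dst"], f.dst) and port_matches(info["dport"], f.dport)):
                continue
            for opt in info["options"]:
                # content is checked case-insensitively (nocase); flow state tracking
                # is out of scope here, the flow option is only carried into the rule.
                if opt["content"].lower().encode() not in f.payload.lower():
                    continue
                if not re.search(opt["pcre"], f.payload.decode("latin-1"), re.S | re.M | re.I):
                    continue
                matched = {"action": beh["action"], "protocol": beh["protocol"]}
                matched.update({k: v for k, v in info.items() if k != "options"})
                matched.update(opt)        # chain parameters, not the single observed address
                return matched
    return None


# ---- S104: fill the preset rule template with the matched parameters ----
RULE_TEMPLATE = ('{action} {protocol} {src} {sport} -> {dst} {dport} '
                 '(msg:"{msg}"; flow:{flow}; content:"{content}"; nocase; '
                 'pcre:"/{pcre}/smi"; classtype:{classtype}; sid:{sid}; rev:{rev};)')


def generate_rule(matched: dict) -> str:
    return RULE_TEMPLATE.format(**matched)


def rule_for_packet(raw: bytes):
    """S101-S104 end to end: parse, match, generate; None if nothing matched."""
    matched = match_chain(parse_packet(raw))
    return generate_rule(matched) if matched else None


if __name__ == "__main__":
    sample = build_tcp_packet("203.0.113.5", 40000, "10.1.2.3", 21, b"MDTM20040101+x\r\n")
    print(rule_for_packet(sample))
```

The template is filled with the parameters of the linked list that matched (for example `$HOME_NET` and `21`) rather than with the one observed address, so the emitted rule generalises to the whole attack class the way the page's example rule does; a packet to port 80, one whose command does not satisfy the pcre, or one whose source lies inside `$HOME_NET` falls out at the information or option layer and yields no rule.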
In summary, the vulnerability rule generation method provided by the present application includes: capturing a vulnerability attack data packet; analyzing the vulnerability attack data packet to obtain its characteristic information; matching the characteristic information with parameters in a preset rule linked list; and generating a corresponding vulnerability rule from the characteristic information that matched the parameters in the preset rule linked list. Compared with the traditional scheme in which a security analyst manually analyzes the message and splices the rule together, the method generates vulnerability rules automatically by capturing the vulnerability attack data packet, analyzing it, performing feature matching and generating the vulnerability rule from the matched features. It can therefore keep pace with continuously updated vulnerability attacks, generates vulnerability rules quickly with a low error probability, and relieves security personnel of analyzing messages and splicing rules by hand.
The application also provides a vulnerability rule generation apparatus; the apparatus described below and the method described above may be referred to correspondingly. Referring to fig. 3, which is a schematic diagram of a vulnerability rule generation apparatus according to an embodiment of the present application, the apparatus includes:
the capture module 10, configured to capture the vulnerability attack data packet;
the analysis module 20 is configured to analyze the vulnerability attack data packet to obtain feature information of the vulnerability attack data packet;
the matching module 30 is used for matching the characteristic information with parameters in a preset rule linked list;
and the generating module 40 is configured to generate a corresponding vulnerability rule according to the feature information matched with the parameters in the preset rule linked list.
Specifically, vulnerability attack data is produced in a vulnerability environment, and the capture module 10 captures the resulting vulnerability attack data packets from the network and from the host. Once the capture module 10 has captured the vulnerability attack data packet, the analysis module 20 calls a data packet analysis function to parse it and obtain the characteristic information of the vulnerability attack data. After the packet has been analyzed, the matching module 30 matches the characteristic information stored in the table structure against the parameters in the preset rule linked list one by one and stores the characteristic information that matches those parameters. Finally, the generating module 40 extracts the characteristic information that matched parameters in the preset rule linked list, describes and stores the corresponding vulnerability rules, and divides them into sub-rule bases according to their classification features.
Each vulnerability rule may be divided into two logical parts, the rule header and the rule options. The rule header may contain information such as the rule action, protocol, source and destination addresses, subnet mask, and source and destination ports; the rule options may include the alert information and the location within the packet that is to be inspected in order to decide whether the rule response action is triggered.
On the basis of the foregoing embodiment, as a specific implementation manner, the analysis module 20 is specifically configured to analyze the vulnerability attack data packet to obtain protocol information and state information of the vulnerability attack data packet.
In a specific implementation manner, the analyzing the vulnerability attack data packet to obtain the characteristic information of the vulnerability attack data packet includes:
and analyzing the vulnerability attack data packet to obtain protocol information and state information of the vulnerability attack data packet.
Specifically, the protocol information of the vulnerability attack data packet is the communication protocol it uses, such as TCP or UDP. The state information of the vulnerability attack data packet may include the source address, source port, destination address, destination port, host address, request address and so on. After the vulnerability attack data packet is captured, it is parsed further to obtain its characteristic information, such as the communication protocol, source address, source port, destination address, destination port, host address and request address.
On the basis of the foregoing embodiment, as a specific implementation manner, the matching module 30 is specifically configured to match the feature information with parameters of each layer of a preset three-dimensional rule linked list; the preset three-dimensional rule linked list comprises a behavior layer, an information layer and an option layer.
Specifically, the preset three-dimensional rule linked list mainly consists of a behavior layer, an information layer and an option layer. The behavior layer comprises two attributes, the rule behavior and the rule protocol; for example, the rule behavior is alert and the rule protocol is TCP. The information layer mainly comprises the protocol, source address, source port, destination address, destination port and so on. The option layer mainly comprises the detection attribute options, which include the rule direction, the rule content and the like.
The matching module 30 first navigates by the behavior layer of the three-dimensional rule linked list to determine the specific protocol type, then traverses the information layer and judges whether the source address, source port, destination address, destination port and so on of the vulnerability attack data packet match the parameters in that layer. Whenever a match is found it continues downward and looks for matching characteristic information in the option layer of each rule chain. As soon as one detection attribute matches the characteristic information obtained by analysis, the rule detection engine triggers the defined rule action and returns the matched characteristic information; if no characteristic information matches, it returns directly.
On the basis of the foregoing embodiment, as a specific implementation manner, the generating module 40 is specifically configured to:
and filling the characteristic information matched with the parameters in the preset rule linked list to the corresponding position of a preset rule template to obtain the vulnerability rule.
Specifically, a rule template is preset; after the characteristic information that matches the parameters in the preset rule linked list has been obtained, it is automatically filled into the corresponding positions of the rule template, which yields the vulnerability rule.
A rule template may include the following elements: the sid number, rule name, CVE and CNNVD vulnerability numbers, session direction, threat type, hazard level, rule content, inside/outside direction, attack direction, vulnerability description, and so on.
On the basis of the above embodiment, as a specific implementation manner, the apparatus further includes:
and the storage module is used for storing the characteristic information in a table structure before matching the characteristic information with parameters in a preset rule linked list.
Specifically, after the feature information of the vulnerability attack data packet is obtained through analysis, the storage module stores the feature information of the vulnerability attack data packet obtained through analysis in a table structure.
The vulnerability rule generation apparatus provided by the application generates vulnerability rules automatically by capturing the vulnerability attack data packet, analyzing it, performing feature matching and generating the vulnerability rules from the matched features. It can therefore keep pace with continuously updated vulnerability attacks, generates vulnerability rules quickly with a low error probability, and relieves security personnel of the laborious work of analyzing messages and splicing rules by hand.
The application also provides a vulnerability rule generation device, which is shown in fig. 4 and comprises a memory 1 and a processor 2.
A memory 1 for storing a computer program;
a processor 2 for executing a computer program to implement the steps of:
capturing a vulnerability attack data packet;
analyzing the vulnerability attack data packet to obtain the characteristic information of the vulnerability attack data packet;
matching the characteristic information with parameters in a preset rule linked list;
and generating a corresponding vulnerability rule according to the characteristic information matched with the parameters in the preset rule linked list.
For the introduction of the device provided in the present application, please refer to the above method embodiment, which is not described herein again.
The present application further provides a computer readable storage medium having a computer program stored thereon, which when executed by a processor, performs the steps of:
capturing a vulnerability attack data packet;
analyzing the vulnerability attack data packet to obtain the characteristic information of the vulnerability attack data packet;
matching the characteristic information with parameters in a preset rule linked list;
and generating a corresponding vulnerability rule according to the characteristic information matched with the parameters in the preset rule linked list.
The computer-readable storage medium may be any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
For the introduction of the computer-readable storage medium provided in the present application, please refer to the above method embodiments, which are not described herein again.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device, the apparatus and the computer-readable storage medium disclosed by the embodiments correspond to the method disclosed by the embodiments, so that the description is simple, and the relevant points can be referred to the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The vulnerability rule generating method, device, equipment and computer readable storage medium provided by the present application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.

Claims (10)

1. A vulnerability rule generation method, comprising the following steps:
capturing a vulnerability attack data packet;
parsing the vulnerability attack data packet to obtain characteristic information of the vulnerability attack data packet;
matching the characteristic information with parameters in a preset rule linked list; and
generating a corresponding vulnerability rule according to the characteristic information matched with the parameters in the preset rule linked list.
2. The vulnerability rule generation method of claim 1, wherein parsing the vulnerability attack data packet to obtain the characteristic information of the vulnerability attack data packet comprises:
parsing the vulnerability attack data packet to obtain protocol information and state information of the vulnerability attack data packet.
3. The vulnerability rule generation method of claim 1, wherein matching the characteristic information with the parameters in the preset rule linked list comprises:
matching the characteristic information with the parameters of each layer of a preset three-dimensional rule linked list, the preset three-dimensional rule linked list comprising a behavior layer, an information layer and an option layer.
4. The vulnerability rule generation method of claim 1, wherein generating the corresponding vulnerability rule according to the characteristic information matched with the parameters in the preset rule linked list comprises:
filling the characteristic information matched with the parameters in the preset rule linked list into the corresponding positions of a preset rule template to obtain the vulnerability rule.
5. The vulnerability rule generation method of claim 1, wherein, before matching the characteristic information with the parameters in the preset rule linked list, the method further comprises:
storing the characteristic information in a table structure.
6. A vulnerability rule generation apparatus, comprising:
a capturing module for capturing a vulnerability attack data packet;
a parsing module for parsing the vulnerability attack data packet to obtain characteristic information of the vulnerability attack data packet;
a matching module for matching the characteristic information with parameters in a preset rule linked list; and
a generating module for generating a corresponding vulnerability rule according to the characteristic information matched with the parameters in the preset rule linked list.
7. The vulnerability rule generation apparatus of claim 6, wherein the parsing module is specifically configured to parse the vulnerability attack data packet to obtain protocol information and state information of the vulnerability attack data packet.
8. The vulnerability rule generation apparatus of claim 7, wherein the matching module is specifically configured to match the characteristic information with the parameters of each layer of a preset three-dimensional rule linked list, the preset three-dimensional rule linked list comprising a behavior layer, an information layer and an option layer.
9. A vulnerability rule generation device, comprising:
a memory for storing a computer program; and
a processor for implementing the steps of the vulnerability rule generation method of any one of claims 1 to 5 when executing the computer program.
10. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the vulnerability rule generation method of any one of claims 1 to 5.
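The claimed pipeline end to end, as an added example written for this page and not code from the applicant or the patent: a captured request is parsed into protocol and state information (claim 2), kept as one flat table row (claim 5), matched against the parameters of each layer of a three-layer rule linked list (claim 3), and the matched parameters are filled into a rule template (claim 4). Everything concrete here is an assumption: the Snort-style rule template and its option keywords, the particular parameters placed in each layer, the choice of `established,to_server` as the state of a captured request, and the constructed sample packet.

```python
"""Vulnerability-rule generation pipeline (added illustration, not the
applicant's code): capture -> parse -> match against a three-layer rule
linked list -> fill a rule template.  Rule syntax, layer parameters and
the sample packet are assumptions made for this example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Feature = Dict[str, str]   # characteristic information kept as one flat table row


@dataclass
class RuleNode:
    """One parameter node of a layer in the preset rule linked list."""
    name: str
    pred: Callable[[Feature], bool]    # does the packet's feature row match this parameter?
    render: Callable[[Feature], str]   # text that fills the template when it matches
    next: Optional["RuleNode"] = None


def build_list(nodes: List[RuleNode]) -> Optional[RuleNode]:
    """Chain nodes into a singly linked list and return its head."""
    for cur, nxt in zip(nodes, nodes[1:]):
        cur.next = nxt
    return nodes[0] if nodes else None


def content_literal(s: str, limit: int = 32) -> str:
    """Render the first `limit` characters as a Snort content literal; bytes that
    are non-printable or special inside a content string become |hex| so that
    payload bytes can never break out of the generated rule."""
    out: List[str] = []
    hexbuf: List[str] = []
    for ch in s[:limit]:
        code = ord(ch)
        if 0x20 <= code < 0x7F and ch not in '"\\;|':
            if hexbuf:
                out.append("|" + " ".join(hexbuf) + "|")
                hexbuf = []
            out.append(ch)
        else:
            hexbuf.append(f"{code:02X}")
    if hexbuf:
        out.append("|" + " ".join(hexbuf) + "|")
    return "".join(out)


def parse_packet(raw: bytes, dst_port: int) -> Feature:
    """Parse a captured request payload into protocol and state information.
    A captured request is treated as the client-to-server half of an
    established flow (assumption); non-HTTP payloads are kept as raw TCP."""
    text = raw.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    feature: Feature = {
        "protocol": "tcp", "method": "", "uri": "", "content_type": "",
        "dst_port": str(dst_port), "state": "established,to_server", "body": text,
    }
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        headers = {}
        for line in lines[1:]:
            k, _, v = line.partition(":")
            headers[k.strip().lower()] = v.strip()
        feature.update(protocol="http", method=parts[0], uri=parts[1],
                       content_type=headers.get("content-type", ""), body=body)
    return feature


def preset_rule_list() -> Dict[str, Optional[RuleNode]]:
    """The preset three-dimensional rule linked list: one linked list per layer."""
    behavior = build_list([   # behavior layer: which rule header applies
        RuleNode("http_request", lambda f: f["protocol"] == "http",
                 lambda f: f"alert http any any -> any {f['dst_port']}"),
        RuleNode("tcp_payload", lambda f: f["protocol"] == "tcp",
                 lambda f: f"alert tcp any any -> any {f['dst_port']}"),
    ])
    information = build_list([   # information layer: flow state and request identity
        RuleNode("flow", lambda f: f["state"] != "", lambda f: f"flow:{f['state']};"),
        RuleNode("method", lambda f: f["method"] in ("POST", "PUT"),
                 lambda f: f'content:"{f["method"]}"; http_method;'),
        RuleNode("uri", lambda f: f["uri"] not in ("", "/"),
                 lambda f: f'content:"{content_literal(f["uri"])}"; http_uri;'),
    ])
    option = build_list([   # option layer: payload details that sharpen the match
        RuleNode("form_header", lambda f: "x-www-form-urlencoded" in f["content_type"],
                 lambda f: 'content:"application/x-www-form-urlencoded"; http_header;'),
        RuleNode("http_body", lambda f: f["protocol"] == "http" and f["body"] != "",
                 lambda f: f'content:"{content_literal(f["body"])}"; http_client_body;'),
        RuleNode("raw_payload", lambda f: f["protocol"] == "tcp" and f["body"] != "",
                 lambda f: f'content:"{content_literal(f["body"])}";'),
    ])
    return {"behavior": behavior, "information": information, "option": option}


def match_layers(feature: Feature, rule_list: Dict[str, Optional[RuleNode]]) -> Dict[str, List[str]]:
    """Walk each layer's linked list and keep the rendered text of every matching parameter."""
    matched: Dict[str, List[str]] = {}
    for layer, node in rule_list.items():
        matched[layer] = []
        while node is not None:
            if node.pred(feature):
                matched[layer].append(node.render(feature))
            node = node.next
    return matched


RULE_TEMPLATE = '{behavior} (msg:"{msg}"; {information} {option} sid:{sid}; rev:1;)'


def generate_rule(matched: Dict[str, List[str]], msg: str, sid: int) -> Optional[str]:
    """Fill the matched parameters into the preset rule template."""
    if not matched["behavior"]:
        return None   # no rule header could be chosen, so no rule is produced
    return RULE_TEMPLATE.format(
        behavior=matched["behavior"][0], msg=msg,
        information=" ".join(matched["information"]),
        option=" ".join(matched["option"]), sid=sid)


def run_pipeline(raw: bytes, dst_port: int, sid: int, msg: str = "Generated rule") -> Optional[str]:
    return generate_rule(match_layers(parse_packet(raw, dst_port), preset_rule_list()), msg, sid)


SAMPLE_PACKET = (   # constructed sample request, not a real capture
    b"POST /api/upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
    b"user=demo&file=report.txt"
)

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_PACKET, 80, 1000001))
```

Each layer is a genuine singly linked list walked node by node, which is what makes the preset list easy to extend: adding a parameter is appending a node with its predicate and its rendering. Only the behavior layer is mandatory, because it supplies the rule header; payload bytes pass through `content_literal`, so quotes, semicolons or non-printable bytes in an attack packet cannot escape the content string of the rule that is generated from it.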

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111130122.9A CN113872964A (en) 2021-09-26 2021-09-26 Vulnerability rule generation method and related device

Publications (1)

Publication Number Publication Date
CN113872964A true CN113872964A (en) 2021-12-31

Family

ID=78994696

Country Status (1)

Country Link
CN (1) CN113872964A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116611077A (en) * 2023-07-20 2023-08-18 北京升鑫网络科技有限公司 Virtual patch protection method and system based on host network packet capturing and analyzing

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104079545A (en) * 2013-03-29 2014-10-01 西门子公司 Method, device and system for extracting data package filtering rules
US20200213359A1 (en) * 2018-12-28 2020-07-02 Imperva, Inc. Generating collection rules based on security rules
CN111740923A (en) * 2020-06-22 2020-10-02 北京神州泰岳智能数据技术有限公司 Method and device for generating application identification rule, electronic equipment and storage medium
CN112328468A (en) * 2020-10-18 2021-02-05 苏州浪潮智能科技有限公司 Code security scanning method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination