Summary of the invention
The technical problem to be solved by the present invention is to provide a method and an apparatus for testing the performance of an intrusion prevention product, whose test result reflects the throughput of the IPS product in a real environment.
The technical solution adopted by the present invention is a method for testing the performance of an intrusion prevention product, including:
Step 1: adding attack messages while the IPS product forwards pure application-layer traffic;
Step 2: determining the current effective application-layer throughput of the IPS product according to whether the IPS product forwards the pure application-layer traffic and whether it identifies the attack messages.
Further, the pure application-layer traffic is the theoretical maximum application-layer throughput of the IPS product.
Further, adding the attack messages specifically includes:
capturing, from a real environment, attack messages that use the Transmission Control Protocol (TCP);
replaying the captured attack messages through the IPS product, ensuring at replay time that the source IP address and destination IP address of each attack message differ from those of the other attack messages.
Further, determining the current effective application-layer throughput of the IPS product according to whether it forwards the pure application-layer traffic and whether it identifies the attack messages specifically includes:
letting the IPS product successfully forwarding all of the pure application-layer traffic be the first condition, and the IPS product successfully identifying all of the attack messages be the second condition;
judging whether the first condition and the second condition are satisfied simultaneously; if so, reading the application-layer traffic currently counted by the IPS product, which is the current effective application-layer throughput of the IPS product; otherwise, reducing the value of the pure application-layer traffic and repeating step 1 until the first condition and the second condition are satisfied simultaneously.
Further, the method also includes:
Step 3: determining the attack message detection rate of the IPS product according to its identification of the attack messages.
The present invention also provides an apparatus for testing the performance of an intrusion prevention product, including the following components:
a test device, for constructing the pure application-layer traffic forwarded through the IPS product;
a replay device, for sending attack messages to the IPS product while the IPS product forwards the pure application-layer traffic;
a test result determination device, for determining the current effective application-layer throughput of the IPS product according to whether the IPS product forwards the pure application-layer traffic and whether it identifies the attack messages.
Further, the pure application-layer traffic is the theoretical maximum application-layer throughput of the IPS product.
Further, the replay device specifically includes:
a packet capture module, for capturing, from a real environment, attack messages that use TCP;
an import module, for replaying the captured attack messages through the IPS product, ensuring at replay time that the source IP address and destination IP address of each attack message differ from those of the other attack messages.
Further, let the IPS product successfully forwarding all of the pure application-layer traffic be the first condition, and the IPS product successfully identifying all of the attack messages be the second condition;
the test result determination device then specifically includes:
a judgement module, for judging whether the first condition and the second condition are satisfied simultaneously, calling the read module if so and the adjustment module otherwise;
an adjustment module, for reducing the value of the pure application-layer traffic and then repeatedly calling the test device and the replay device until the first condition and the second condition are satisfied simultaneously, whereupon the read module is called;
a read module, for reading the application-layer traffic currently counted by the IPS product, i.e. the current effective application-layer throughput of the IPS product.
Further, the apparatus also includes:
a detection rate calculation module, for determining the attack message detection rate of the IPS product according to its identification of the attack messages.
With the above technical solution, the method and apparatus for testing the performance of an intrusion prevention product of the present invention have the following advantages:
1. Given the characteristics of intrusion prevention products, application-layer protocol traffic is used to put substantial pressure on the detection engine of the intrusion prevention product, so that the real throughput performance of such a product is verified with traffic close to its actual working environment.
2. While the application-layer traffic is applied, an appropriate amount of attack traffic is also added, to verify whether the intrusion prevention product can still detect all attack messages at that throughput and thus whether its security functions still operate normally. Normal traffic combined with attack traffic in this way is closer to the traffic composition an intrusion prevention product sees in its actual working environment, so the real application-layer throughput performance value the product achieves while its security functions are maintained can be verified.
3. The ability of the intrusion prevention product to block attack behaviour is tested on the basis of a given application-layer traffic.
Specific embodiments
To further illustrate the technical means adopted by the present invention to achieve its intended purpose, and their effects, the technical solution is described in detail below with reference to the accompanying drawings and preferred embodiments.
In a first embodiment of the invention, as shown in Fig. 2, a method for testing the performance of an intrusion prevention product includes the following specific steps:
Step S101: during a test period, adding attack messages while the IPS product forwards pure application-layer traffic. Preferably, the pure application-layer traffic is the theoretical maximum application-layer throughput of the IPS product.
Specifically, the process of adding attack messages in step S101 includes:
A1: capturing, from a real environment, the attack messages of one complete attack process that uses TCP;
A2: replaying the captured attack messages through the IPS product, ensuring at replay time that the source IP address and destination IP address of each attack message differ from those of the other attack messages.
Step S102: let the IPS product successfully forwarding all of the pure application-layer traffic be the first condition, and the IPS product successfully identifying all of the attack messages be the second condition; judge whether the first condition and the second condition are satisfied simultaneously; if so, execute step S104, otherwise execute step S103.
Step S103: reduce the value of the pure application-layer traffic, then repeat step S101 to start a subsequent test period, until the first condition and the second condition are satisfied simultaneously, whereupon step S104 is executed. If the first condition and the second condition still cannot be satisfied simultaneously before the value of the pure application-layer traffic has been reduced to 0, the IPS product has failed or behaves abnormally and is unusable.
Step S104: read the application-layer traffic currently counted by the IPS product, i.e. the current effective application-layer throughput of the IPS product.
Step S105: determine the attack message detection rate of the IPS product according to its identification of the attack messages. Specifically, on the basis of a given application-layer traffic, the number of attack messages detected by the IPS product is divided by the number of attack messages replayed in step S101, giving the detection rate of the IPS product for attack messages.
In a second embodiment of the invention, as shown in Fig. 3, an apparatus for testing the performance of an intrusion prevention product includes the following components:
Test device 10, for constructing, during the test period, the pure application-layer traffic forwarded through the IPS product. Preferably, the pure application-layer traffic is the theoretical maximum application-layer throughput of the IPS product.
Replay device 20, for sending attack messages to the IPS product while the IPS product forwards the pure application-layer traffic.
Replay device 20 specifically includes:
Packet capture module 21, for capturing, from a real environment, the attack messages of one complete attack process that uses TCP;
Import module 22, for replaying the captured attack messages through the IPS product, ensuring at replay time that the source IP address and destination IP address of each attack message differ from those of the other attack messages.
Test result determination device 30, for determining the current effective application-layer throughput of the IPS product and its detection rate for attack messages according to whether the IPS product forwards the pure application-layer traffic and whether it identifies the attack messages.
Specifically, let the IPS product successfully forwarding all of the pure application-layer traffic be the first condition, and the IPS product successfully identifying all of the attack messages be the second condition. Test result determination device 30 then specifically includes:
Judgement module 31, for judging whether the first condition and the second condition are satisfied simultaneously; if so, read module 33 is called, otherwise adjustment module 32 is called.
Adjustment module 32, for reducing the value of the pure application-layer traffic and then repeatedly calling test device 10 and import module 22 of replay device 20 to start a subsequent test period, until the first condition and the second condition are satisfied simultaneously, whereupon read module 33 is called. If the first condition and the second condition still cannot be satisfied simultaneously before the value of the pure application-layer traffic has been reduced to 0, the IPS product has failed or behaves abnormally and is unusable.
Read module 33, for reading the application-layer traffic currently counted by the IPS product, i.e. the current effective application-layer throughput of the IPS product.
Detection rate calculation module 34, for determining the attack message detection rate of the IPS product according to its identification of the attack messages. Specifically, at the point where judgement module 31 judges whether the first condition and the second condition are satisfied simultaneously, that is, on the basis of a given application-layer traffic, detection rate calculation module 34 divides the number of attack messages detected by the IPS product by the number of attack messages replayed by import module 22, giving the detection rate of the IPS product for attack messages.
A third embodiment of the invention, building on the first and second embodiments, presents an example of testing the application-layer throughput and the attack-blocking ability of an IPS product.
The network topology is shown in Fig. 4. The required hardware is: one or more test devices for sending application-layer traffic, and one playback PC (Personal Computer) for replaying attack messages. If a BPS tester is chosen as the test device, it can replay attack messages itself, so no dedicated replay device is needed; if an AVALANCHE tester is chosen, it can only send application-layer traffic, and a dual-NIC playback PC is then used as the replay device to provide the replayed attack message traffic. Message replay software is installed on the replay device, for example the tcpreplay software under a LINUX system, or other replay software. The dual NICs simulate the interaction between the two sides of the attack during replay: one NIC sends the messages in the direction "attacker → attacked party", and the other NIC sends the messages in the direction "attacked party → attacker".
During the test, while the test device constructs and sends the application-layer traffic, attack message replay is started on the replay device, and the replay software changes the source IP address and destination IP address in the messages on every replay, so that the source and destination IP addresses used by each replayed attack process differ from those of the other attack processes. In addition, the replay speed is controlled on the replay device, to ensure a given number of attack message replays per second and to control the total number of attack message replays over the whole test.
Description of the test topology: one pair of test interfaces of the test device is used. If several test devices are needed to generate the application-layer traffic together, the simulated-client interfaces of all these test devices are connected to switch 1, which aggregates all the simulated-client traffic sent from these interfaces and passes it through one interface of switch 1 to one interface of the IPS product. Meanwhile, the simulated-server interfaces of all these test devices are connected to switch 2, which aggregates all the simulated-server traffic sent from these interfaces and passes it through one interface of switch 2 to the other interface of the IPS product. Because an IPS product usually sits between a user's intranet and the external network, the overwhelming majority are deployed in transparent mode; in this test, transparent mode is likewise used as the communication mode.
Configuration of the IPS product: the IPS product loads its default configuration, which should be the basic configuration recommended to users by the manufacturer of the IPS product and which includes the recommended attack detection rules already loaded; that is, the IPS product can start the test without any change to its configuration.
As shown in Fig. 5, the process by which the test device and the replay device test the application-layer throughput of the IPS product is as follows:
Step S1: the test device uses pure HTTP (Hyper Text Transfer Protocol) traffic to measure the theoretical maximum application-layer throughput of the IPS product. The purpose of this step is to use the measured maximum theoretical application-layer throughput as the initial value X of the subsequent tests.
Step S2: within this test period, HTTP traffic is constructed and forwarded through the IPS product with the initial value X as the base throughput, while the attack messages captured by the replay device from a real attack process are added. This process of adding attack messages may also be called replay, and the total number of attack message replays is recorded as A.
The preferred replay speed is 150 to 200 replays per second. It should not be too small, since that would put no pressure on the IPS product; nor should it be too large, because in a normal network environment not many attacks occur each second, and a value in this range is close to the frequency at which attack messages occur in a real environment. The total number of attack message replays A equals the number of replays per second multiplied by the duration of the test period. The duration of the test period is preferably 60 seconds.
Step S3: after the test of this test period is completed, judge whether the HTTP traffic injected at the rate indicated by initial value X was all normally forwarded by the IPS product; if so, execute step S4, otherwise execute step S6.
Specifically, this can be judged from the statistics in the test device. Since application-layer HTTP traffic is transmitted over established TCP connections, if all TCP connections open normally and close normally after the HTTP data has been transmitted, the HTTP traffic injected at the rate indicated by initial value X is considered to have been forwarded successfully in full; if the statistics in the test device show failed TCP connections, the HTTP traffic injected at the rate indicated by initial value X is considered not to have been forwarded successfully in full.
Step S4: judge whether all A replayed attack messages were detected by the IPS product; if so, this proves that the device under test identified all attack messages while successfully forwarding all HTTP traffic, and step S8 is executed; otherwise step S5 is executed.
Specifically, the number of times the IPS product detected this same attack message during this test period is observed on the IPS product and recorded as A1. Judge whether the total attack message replay count A and the count of attack messages detected by the IPS product A1 are equal: if they are equal, this proves that the IPS product identified all attack messages while successfully forwarding all HTTP traffic; if they are unequal, this proves that at the current HTTP traffic the IPS product cannot identify all attack messages, and some attack messages were missed.
Step S5: the number of attack messages detected by the IPS product, A1, is divided by the total number of attack message replays A, giving the attack message detection rate of the IPS product when the forwarded HTTP traffic is X.
Step S6: judge whether the HTTP traffic Y actually forwarded in the current test period is greater than 10% of initial value X; if so, execute step S7, otherwise end the test.
Because the whole test scheme approaches the real throughput of the device under test by stepwise approximation, whenever the device under test cannot forward all HTTP traffic or cannot detect all attacks, causing the test to fail, the HTTP traffic used for the test must be reduced. Hence the judgement: if Y is greater than 10% of X, the next test can start; if Y is less than 10% of X, then after the attack traffic is added the real application-layer throughput of the IPS product is below 10% of initial value X, and the IPS product is considered to have serious problems and to be essentially unusable; it is recorded that the tested intrusion prevention product has serious problems and the test cannot be completed, and the test ends.
The 10% step in the present invention can be chosen flexibly according to the design throughput of the IPS product. For example, for an IPS product with a design throughput of one gigabit, the step may be chosen as 10% to 20%, preferably 10%; for an IPS product with a design throughput of 100 megabits, the step may be chosen as 5% to 10%, preferably 5%.
Step S7: the value obtained by subtracting 10% of initial value X from initial value X is taken as the new initial value X, and step S2 is re-executed to start the subsequent test period.
Step S8: the initial value X used in this test period is directly recorded as the real application-layer throughput performance value of the IPS product.
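The step-down search of steps S1 to S8 (the same loop as steps 1 to 3 of the summary), together with the detection-rate quotient A1/A of step S5, as an added Python simulation that is not part of the patent or of any tester it names. The device under test is replaced by a constructed `fake_device` callback; the example further assumes that step S5 continues to step S6 and that the 10% floor of step S6 is taken relative to the value X measured in step S1.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PeriodResult:
    """What one test period yields, as read from the test device and the IPS."""
    forwarded: float      # HTTP traffic Y actually forwarded, same unit as X
    all_tcp_ok: bool      # every TCP connection opened and closed normally (S3)
    detected: int         # attack detections A1 counted on the IPS product (S4)


@dataclass
class Outcome:
    throughput: Optional[float]       # X recorded in step S8; None if ended at S6
    detection_rates: dict = field(default_factory=dict)  # X -> A1/A (step S5)
    periods: int = 0
    unusable: bool = False            # test ended at step S6


def total_replays(per_second: int, period_seconds: int = 60) -> int:
    """A = replays per second x test period length (preferred 150-200/s, 60 s)."""
    return per_second * period_seconds


def choose_step(design_throughput_mbps: float) -> float:
    """Preferred step: 5% for 100 Mbit-class products, 10% for gigabit-class."""
    return 0.05 if design_throughput_mbps <= 100 else 0.10


def search_effective_throughput(x0, run_period, replays_per_second=150,
                                period_seconds=60, step=0.10, floor=0.10):
    """Steps S2-S8: step X down until all HTTP traffic is forwarded AND all A
    replays are detected, or until forwarded traffic Y is no more than floor * X0.
    Assumed here: S5 continues to S6, and the S6 floor is relative to the S1 value."""
    a = total_replays(replays_per_second, period_seconds)
    out = Outcome(throughput=None)
    x = x0
    while True:
        out.periods += 1
        r = run_period(x, a)                   # S2: HTTP at X plus A replays
        if r.all_tcp_ok:                       # S3: all HTTP forwarded?
            if r.detected == a:                # S4: all A replays detected?
                out.throughput = x             # S8: record X as the result
                return out
            out.detection_rates[x] = r.detected / a   # S5: detection rate at X
        if r.forwarded <= floor * x0:          # S6: Y not above 10% of X -> stop
            out.unusable = True
            return out
        x = x - step * x                       # S7: new X, back to S2


def fake_device(forward_capacity, detect_capacity):
    """Constructed stand-in for the device under test (not a real IPS): forwards
    everything up to forward_capacity, detects every replay up to detect_capacity
    and misses 20% of the replays above it."""
    def run_period(x, a):
        detected = a if x <= detect_capacity else int(a * 0.8)
        return PeriodResult(forwarded=min(x, forward_capacity),
                            all_tcp_ok=x <= forward_capacity, detected=detected)
    return run_period
```

With `fake_device(800.0, 700.0)` and X0 = 1000 the loop runs five periods (1000, 900, 810, 729, 656.1), records a detection rate of 0.8 at 729 and reports 656.1 as the effective throughput.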
The method and apparatus for testing the performance of an intrusion prevention product of the present invention have the following advantages:
1. Given the characteristics of intrusion prevention products, application-layer protocol traffic is used to put substantial pressure on the detection engine of the intrusion prevention product, so that the real throughput performance of such a product is verified with traffic close to its actual working environment.
2. While the application-layer traffic is applied, an appropriate amount of attack traffic is also added, to verify whether the intrusion prevention product can still detect all attack messages at that throughput and thus whether its security functions still operate normally. Normal traffic combined with attack traffic in this way is closer to the traffic composition an intrusion prevention product sees in its actual working environment, so the real application-layer throughput performance value the product achieves while its security functions are maintained can be verified.
3. The ability of the intrusion prevention product to block attack behaviour is tested on the basis of a given application-layer traffic.
Through the description of the specific embodiments, a deeper and more specific understanding of the technical means adopted by the present invention to achieve its intended purpose, and of their effects, should be obtained; however, the accompanying drawings are provided for reference and discussion only and are not intended to limit the present invention in any way.