CN106789863A - A kind of matched rule upgrade method and device - Google Patents

Matching-rule upgrade method and device

Info

Publication number: CN106789863A
Authority: CN (China)
Prior art keywords: matched rule, upgrading message, rule, memory consumption, predetermined threshold
Legal status: Granted (status as shown by Google; not a legal conclusion)
Application number: CN201610265811.3A
Other languages: Chinese (zh)
Other versions: CN106789863B (en)
Inventor: 邹文宇
Current assignee: New H3C Technologies Co Ltd (as listed by Google; may be inaccurate)
Original assignee: New H3C Technologies Co Ltd

Application filed by New H3C Technologies Co Ltd
Priority to CN201610265811.3A
Publication of CN106789863A
Application granted
Publication of CN106789863B
Current legal status: Active

Classifications

    • H: Electricity
        • H04: Electric communication technique
            • H04L: Transmission of digital information, e.g. telegraphic communication
                • H04L63/00: Network architectures or network communication protocols for network security
                    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0227: Filtering policies
                            • H04L63/0263: Rule management
                    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Embodiments of the present invention provide a matching-rule upgrade method and device applied to any service board of a distributed firewall. The method comprises: receiving a first matching-rule upgrade message sent by the active main control board; judging whether the board's current memory consumption exceeds a predetermined threshold; if so, ignoring the first matching-rule upgrade message, detecting at a set time interval whether the board's current memory consumption exceeds the predetermined threshold and, when it is detected to be no greater than the predetermined threshold, sending a request to obtain matching rules to the active main control board, receiving a second matching-rule upgrade message sent by the active main control board, deleting the locally stored original matching rules and storing the matching rules contained in the second matching-rule upgrade message; if not, deleting the locally stored original matching rules and storing the received matching rules. The embodiments ensure that every service board continues to perform traffic inspection normally.

Description

Matching-rule upgrade method and device
Technical field
The present invention relates to the field of computer defense technology, and in particular to a matching-rule upgrade method and device.
Background technology
A firewall is usually deployed at the network egress of a large or medium-sized enterprise, an intranet or a data center. It inspects traffic entering the intranet from the external network in order to protect the intranet, and inspects traffic leaving the intranet for the external network in order to control the leakage of sensitive enterprise information. For example, a firewall can perform traffic inspection according to the user configuration and the matching rules carried in a predefined feature library, thereby providing traffic identification and control.
In practice, a distributed firewall is usually deployed for high availability. A distributed firewall generally comprises multiple main control boards and multiple service boards; among the main control boards there is one active main control board and several standby main control boards. The active main control board is the control center of the whole firewall: it controls each main control board and service board and synchronizes table entries to them.
Each main control board and service board of the distributed firewall can store the same set of matching rules and perform traffic inspection according to those rules. To improve inspection accuracy, the matching rules stored on each main control board and service board can be upgraded.
In the existing matching-rule upgrade method, the active main control board first downloads a feature library file from a given server, parses the file to obtain the latest matching rules, and sends the latest matching rules to each service board. When a service board receives the matching rules sent by the active main control board, it first deletes its locally stored original matching rules and then stores the latest matching rules. This completes the upgrade, and the service board continues subsequent traffic inspection with the latest matching rules.
In a distributed firewall, however, which service board handles a given traffic flow is not determined in advance, so the traffic load differs from board to board: some service boards may be lightly loaded while others are under heavy load. When each service board receives the latest matching rules from the active main control board, deletes its original matching rules and performs the upgrade, a heavily loaded service board may be unable to store the latest matching rules correctly, for example because it has insufficient memory, so its upgrade fails. Because it has already deleted its original matching rules, it can no longer perform traffic inspection normally at all.
The content of the invention
The purpose of the embodiments of the present invention is to provide a matching-rule upgrade method and device which ensure that every service board completes the matching-rule upgrade successfully and therefore continues to perform traffic inspection normally. The specific technical solution is as follows:
In a first aspect, an embodiment of the present invention provides a matching-rule upgrade method applied to any service board of a distributed firewall, the method comprising:
receiving a first matching-rule upgrade message sent by the active main control board, the first matching-rule upgrade message containing matching rules;
judging whether the board's current memory consumption exceeds a predetermined threshold;
if so, ignoring the first matching-rule upgrade message and detecting at a set time interval whether the board's current memory consumption exceeds the predetermined threshold; when the current memory consumption is detected to be no greater than the predetermined threshold, sending a request to obtain matching rules to the active main control board, receiving a second matching-rule upgrade message sent by the active main control board, deleting the locally stored original matching rules and storing the matching rules contained in the second matching-rule upgrade message;
if not, deleting the locally stored original matching rules and storing the matching rules contained in the received first matching-rule upgrade message.
In a second aspect, an embodiment of the present invention provides a matching-rule upgrade method applied to the active main control board of a distributed firewall, the method comprising:
obtaining matching rules;
sending a first matching-rule upgrade message containing the matching rules to each service board;
when a request to obtain matching rules is received from any service board, sending that service board a second matching-rule upgrade message containing the matching rules, where the request is sent by the service board after it has judged, on receiving the first matching-rule upgrade message, that its current memory consumption exceeds a predetermined threshold, has then detected its current memory consumption at a set time interval, and has detected that its current memory consumption is no greater than the predetermined threshold.
In a third aspect, an embodiment of the present invention provides a matching-rule upgrade device applied to any service board of a distributed firewall, the device comprising:
a receiving module, configured to receive a first matching-rule upgrade message sent by the active main control board, the first matching-rule upgrade message containing matching rules;
a judging module, configured to judge whether the board's current memory consumption exceeds a predetermined threshold;
a first processing module, configured, when the judging module's result is yes, to ignore the first matching-rule upgrade message, detect at a set time interval whether the board's current memory consumption exceeds the predetermined threshold and, when the current memory consumption is detected to be no greater than the predetermined threshold, send a request to obtain matching rules to the active main control board, receive the second matching-rule upgrade message sent by the active main control board, delete the locally stored original matching rules and store the matching rules contained in the second matching-rule upgrade message;
a second processing module, configured, when the judging module's result is no, to delete the locally stored original matching rules and store the matching rules contained in the received first matching-rule upgrade message.
In a fourth aspect, an embodiment of the present invention provides a matching-rule upgrade device applied to the active main control board of a distributed firewall, the device comprising:
an obtaining module, configured to obtain matching rules;
a first sending module, configured to send a first matching-rule upgrade message containing the matching rules to each service board;
a second sending module, configured, when a request to obtain matching rules is received from any service board, to send that service board a second matching-rule upgrade message containing the matching rules, where the request is sent by the service board after it has judged, on receiving the first matching-rule upgrade message, that its current memory consumption exceeds a predetermined threshold, has then detected its current memory consumption at a set time interval, and has detected that its current memory consumption is no greater than the predetermined threshold.
Embodiments of the present invention provide a matching-rule upgrade method and device in which each service board decides according to its own current memory consumption whether to perform the matching-rule upgrade. When its current memory consumption exceeds the predetermined threshold, the service board might fail to store the matching rules; in that case it postpones the upgrade and periodically detects its current memory consumption, performing the upgrade only once the consumption is detected to be less than or equal to the predetermined threshold. This ensures that every service board completes the matching-rule upgrade successfully and therefore continues to perform traffic inspection normally.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings required for the embodiments or for the description of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a matching-rule upgrade method provided by an embodiment of the present invention;
Fig. 2 is a flow chart of another matching-rule upgrade method provided by an embodiment of the present invention;
Fig. 3 is a structural diagram of a matching-rule upgrade device provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of another matching-rule upgrade device provided by an embodiment of the present invention;
Fig. 5(a) and Fig. 5(b) show the matching-rule upgrade process provided by an embodiment of the present invention.
Specific embodiment
To ensure that every service board completes the matching-rule upgrade successfully and therefore continues to perform traffic inspection normally, embodiments of the present invention provide a matching-rule upgrade method and device.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that, where no conflict arises, the embodiments of the present invention and the features in the embodiments may be combined with one another. The present invention is described in detail below with reference to the drawings and in conjunction with the embodiments.
To ensure that every service board completes the matching-rule upgrade successfully and therefore continues to perform traffic inspection normally, an embodiment of the present invention provides a matching-rule upgrade method comprising the following steps:
S101: receive a first matching-rule upgrade message sent by the active main control board, the first matching-rule upgrade message containing matching rules.
The method provided by this embodiment can be applied to any service board of a distributed firewall. For ease of description, the service board performing the matching-rule upgrade is referred to below as the target service board.
In practice, every service board in a distributed firewall can perform a matching-rule upgrade. Specifically, each service board can receive the matching rules sent by the active main control board and replace its locally stored original matching rules with them, thereby completing the upgrade.
In an embodiment of the present invention, the target service board can receive a first matching-rule upgrade message sent by the active main control board. The first matching-rule upgrade message can contain matching rules, so that the target service board can perform the matching-rule upgrade according to those rules.
S102: judge whether the board's current memory consumption exceeds a predetermined threshold; if so, perform step S103; otherwise, perform step S104.
In an embodiment of the present invention, when the target service board receives the first matching-rule upgrade message sent by the active main control board, it can judge whether its current memory consumption exceeds a predetermined threshold, for example 70%, 80% or 85%, and perform the corresponding operation according to the result.
Specifically, the target service board can obtain its current memory consumption and compare it with the predetermined threshold to determine whether the current memory consumption exceeds the threshold.
The process by which the target service board obtains its current memory consumption can use existing techniques and is not repeated here.
S103: ignore the first matching-rule upgrade message and detect at a set time interval whether the board's current memory consumption exceeds the predetermined threshold; when the current memory consumption is detected to be no greater than the predetermined threshold, send a request to obtain matching rules to the active main control board, receive the second matching-rule upgrade message sent by the active main control board, delete the locally stored original matching rules and store the matching rules contained in the second matching-rule upgrade message.
When the target service board judges that its current memory consumption exceeds the predetermined threshold, performing the upgrade immediately might fail, for example because insufficient memory prevents the matching rules from being stored correctly; the target service board's upgrade would then fail and, further, the board would be unable to perform normal traffic inspection.
Therefore, in an embodiment of the present invention, when the target service board judges that its current memory consumption exceeds the predetermined threshold, it can ignore the first matching-rule upgrade message. That is, the target service board does not immediately replace its locally stored original matching rules with the matching rules contained in the first matching-rule upgrade message, and so does not perform the upgrade at that moment.
After ignoring the first matching-rule upgrade message, the target service board can detect at a set time interval, for example 1 second, 2 seconds or 3 seconds, whether its current memory consumption exceeds the predetermined threshold. Only when the current memory consumption is detected to be no greater than the predetermined threshold can the target service board be expected to store the matching rules correctly and complete the upgrade.
Specifically, the target service board can send a request to obtain matching rules to the active main control board, so as to obtain the matching rules again and perform its own upgrade.
In an embodiment of the present invention, after the active main control board receives the request to obtain matching rules sent by the target service board, it can send a second matching-rule upgrade message to the target service board; the second matching-rule upgrade message can contain the matching rules.
The target service board can therefore receive the second matching-rule upgrade message sent by the active main control board, delete its locally stored original matching rules and store the matching rules contained in the second matching-rule upgrade message, thereby completing its own upgrade.
S104: delete the locally stored original matching rules and store the matching rules contained in the received first matching-rule upgrade message.
When the target service board judges that its current memory consumption is less than or equal to the predetermined threshold, the board is currently relatively idle and has enough memory to perform the matching-rule upgrade. In this case the target service board can perform the upgrade directly.
Specifically, the target service board can delete its locally stored original matching rules and store the matching rules contained in the received first matching-rule upgrade message, thereby completing the upgrade.
An embodiment of the present invention provides a matching-rule upgrade method in which each service board decides according to its own current memory consumption whether to perform the matching-rule upgrade. When its current memory consumption exceeds the predetermined threshold, the service board might fail to store the matching rules; in that case it can postpone the upgrade and periodically detect its current memory consumption, performing the upgrade only once the consumption is detected to be less than or equal to the predetermined threshold. This ensures that every service board completes the matching-rule upgrade successfully and therefore continues to perform traffic inspection normally.
Further, in an embodiment of the present invention, so that the target service board performs the matching-rule upgrade more accurately, when the target service board receives the first matching-rule upgrade message, judges that its current memory consumption exceeds the predetermined threshold and ignores the message, it can record, according to that first matching-rule upgrade message, that a matching-rule upgrade event has occurred.
Then, when it detects that its current memory consumption is no greater than the predetermined threshold, it can at the same time detect whether a matching-rule upgrade event has occurred, and only if so send the request to obtain matching rules to the active main control board.
It will be understood that the target service board may also detect its current memory consumption under other trigger conditions. By recording that a matching-rule upgrade event has occurred, the target service board sends the request to obtain matching rules to the active main control board only when it detects both that its current memory consumption is no greater than the predetermined threshold and that a matching-rule upgrade event has occurred. This improves the accuracy of the matching-rule upgrade and avoids the target service board sending a request to obtain matching rules when the active main control board has not sent it a first matching-rule upgrade message.
Further, in an embodiment of the present invention, the matching rules contained in the first matching-rule upgrade message sent by the active main control board to the target service board can be obtained by the active main control board parsing a feature library file downloaded from a given server.
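The service-board side of steps S101 to S104, together with the recorded upgrade event and the prior-art delete-then-store path from the background section, as an added Python illustration (this is not code from the patent or from the assignee). The threshold of 80% and the 2-second interval are picked from the example values the description gives; the rule identifiers, the memory readings and the `ServiceBoard`, `UpgradeMessage`, `legacy_upgrade` and `simulate` names are constructed for the example, and the active main control board is reduced to a callback that answers a request with the second upgrade message.

```python
"""Service-board side of the matching-rule upgrade: steps S101-S104 plus the
recorded upgrade event. Added illustration, not code from the patent."""
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed parameters. The description names 70%, 80% and 85% as example
# thresholds and 1, 2 or 3 seconds as example polling intervals.
MEMORY_THRESHOLD = 0.80
POLL_INTERVAL_S = 2
NEW_RULES = ["sig-1001", "sig-1002", "sig-1003"]   # constructed rule ids


@dataclass
class UpgradeMessage:
    kind: str          # "first" = unsolicited, "second" = answer to a request
    rules: List[str]


def legacy_upgrade(rules: List[str], new_rules: List[str], memory: float) -> List[str]:
    """Prior-art behaviour from the background section: delete first, then
    store. Under memory pressure the store fails and the board keeps nothing."""
    rules.clear()
    if memory > MEMORY_THRESHOLD:
        raise MemoryError("cannot store new rules")   # simulated failure
    rules.extend(new_rules)
    return rules


@dataclass
class ServiceBoard:
    name: str
    memory_usage: Callable[[], float]                 # current usage, 0.0 .. 1.0
    request_rules: Callable[["ServiceBoard"], None]   # asks the active MPU
    rules: List[str] = field(default_factory=list)
    upgrade_pending: bool = False                     # "upgrade event occurred"

    def on_first_upgrade_message(self, msg: UpgradeMessage) -> str:
        """S101/S102: one memory check decides between S103 and S104."""
        if self.memory_usage() > MEMORY_THRESHOLD:
            # S103: ignore the message. The old rules stay in place, so traffic
            # inspection continues; the event is recorded for on_timer().
            self.upgrade_pending = True
            return "deferred"
        self._replace_rules(msg.rules)                # S104
        return "upgraded"

    def on_timer(self) -> bool:
        """Runs every POLL_INTERVAL_S seconds (and may run on other triggers).
        A request goes out only if memory is now at or below the threshold AND
        an upgrade event was recorded, so an idle board never asks the MPU for
        rules it was never offered. Returns True if a request was sent."""
        usage = self.memory_usage()
        if usage > MEMORY_THRESHOLD or not self.upgrade_pending:
            return False
        self.request_rules(self)
        return True

    def on_second_upgrade_message(self, msg: UpgradeMessage) -> str:
        self.upgrade_pending = False
        self._replace_rules(msg.rules)
        return "upgraded"

    def _replace_rules(self, new_rules: List[str]) -> None:
        # Delete the locally stored original rules, then store the new set.
        self.rules.clear()
        self.rules.extend(new_rules)


def simulate(readings: List[float]) -> dict:
    """Drive one board with a scripted memory curve: every memory check
    consumes the next reading. Returns the facts a test wants to inspect."""
    queue = list(readings)
    requests: List[str] = []

    def active_mpu(board: ServiceBoard) -> None:
        # The active MPU answers a request with the second upgrade message.
        requests.append(board.name)
        board.on_second_upgrade_message(UpgradeMessage("second", NEW_RULES))

    board = ServiceBoard("lpu-1", lambda: queue.pop(0), active_mpu,
                         rules=["sig-0001"])
    trace = [("idle-tick", board.on_timer())]        # poll before any message
    trace.append(("first", board.on_first_upgrade_message(
        UpgradeMessage("first", NEW_RULES))))
    rules_while_deferred = list(board.rules)
    while queue:                                     # remaining polls
        trace.append(("tick", board.on_timer()))
    return {"trace": trace, "rules_while_deferred": rules_while_deferred,
            "rules": board.rules, "requests": requests}


if __name__ == "__main__":
    print(simulate([0.5, 0.9, 0.9, 0.6, 0.5]))
    try:
        legacy_upgrade(["sig-0001"], NEW_RULES, memory=0.9)
    except MemoryError as e:
        print("legacy path:", e)
```

With the curve `[0.5, 0.9, 0.9, 0.6, 0.5]` the idle poll sends nothing, the first message is deferred while the old rule set stays installed, the poll at 0.9 sends nothing, the poll at 0.6 sends the request and installs the second message, and the final poll sends nothing because the recorded event has been cleared; `legacy_upgrade` under the same memory pressure leaves the board with an empty rule list.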
Further, an embodiment of the present invention provides another matching-rule upgrade method, applied to the active main control board of a distributed firewall and comprising the following steps:
S201: obtain matching rules.
In an embodiment of the present invention, the active main control board of the distributed firewall can obtain matching rules in order to complete the matching-rule upgrade of itself and of each service board in the distributed firewall.
Specifically, the active main control board can download a feature library file from a given server and parse it to obtain the matching rules it contains.
S202: send a first matching-rule upgrade message containing the matching rules to each service board.
After obtaining the matching rules, the active main control board can send a first matching-rule upgrade message containing the matching rules to each service board, so that each service board completes the upgrade of its own matching rules according to those rules.
Specifically, the active main control board can send the first matching-rule upgrade message to each service board by multicast.
S203: when a request to obtain matching rules is received from any service board, send that service board a second matching-rule upgrade message containing the matching rules, where the request is sent by the service board after it has judged, on receiving the first matching-rule upgrade message, that its current memory consumption exceeds the predetermined threshold, has then detected its current memory consumption at a set time interval, and has detected that its current memory consumption is no greater than the predetermined threshold.
In an embodiment of the present invention, to ensure that every service board completes the matching-rule upgrade successfully and therefore continues to perform traffic inspection normally, each service board that receives the first matching-rule upgrade message sent by the active main control board can judge whether its current memory consumption exceeds the predetermined threshold. If so, the service board can ignore the first matching-rule upgrade message and detect at a set time interval, for example 1 second, 2 seconds or 3 seconds, whether its current memory consumption exceeds the predetermined threshold.
When its current memory consumption is detected to be no greater than the predetermined threshold, the service board can send a request to obtain matching rules to the active main control board, so as to obtain the matching rules again and upgrade its own matching rules.
In an embodiment of the present invention, after the active main control board receives the request to obtain matching rules sent by any service board, it can send a second matching-rule upgrade message to that service board; the second matching-rule upgrade message can contain the matching rules.
The service board can thus receive the second matching-rule upgrade message sent by the active main control board, delete its locally stored original matching rules and store the matching rules contained in the second matching-rule upgrade message, completing the upgrade of its own matching rules.
An embodiment of the present invention provides a matching-rule upgrade method in which each service board decides according to its own current memory consumption whether to perform the matching-rule upgrade. When its current memory consumption exceeds the predetermined threshold, the service board might fail to store the matching rules; in that case it can postpone the upgrade and periodically detect its current memory consumption, performing the upgrade only once the consumption is detected to be less than or equal to the predetermined threshold. This ensures that every service board completes the matching-rule upgrade successfully and therefore continues to perform traffic inspection normally.
Further, in an embodiment of the present invention, the active main control board can also send the first matching-rule upgrade message to each standby main control board, so that each standby main control board upgrades the matching rules it stores.
It will be understood that an active/standby switchover may occur in practice. That is, the active main control board of the distributed firewall may restart because of a failure, user input or similar reasons, in which case one standby main control board is quickly promoted to become the new active main control board and control the continued normal operation of the whole firewall.
Therefore, when the active main control board performs a matching-rule upgrade, it sends the matching rules to each standby main control board so that each standby main control board upgrades the matching rules it stores. After an active/standby switchover, this guarantees that the new active main control board also holds the upgraded matching rules, so that the distributed firewall's traffic inspection service continues normally.
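The active main control board side of steps S201 to S203, including the standby synchronisation and switchover just described, as an added Python illustration (this is not code from the patent or from the assignee). The feature library file format, the rule identifiers and patterns, the board names and the `parse_feature_library`, `Board`, `ActiveMainControlBoard`, `failover` and `demo` names are all constructed for the example; the page does not describe the real file format or message encoding, and the receiving boards are reduced to a small stub that either stores the rules or, when over its memory threshold, records a pending upgrade. Rather than trusting a downloaded file blindly, the parser rejects malformed lines before anything is distributed.

```python
"""Active main control board side (S201-S203) plus standby synchronisation.
Added illustration, not code from the patent."""
from dataclasses import dataclass, field
from typing import List

# Constructed feature-library file: one "id<TAB>pattern" rule per line,
# '#' comments. The real file format is not described on the page.
FEATURE_LIBRARY_V2 = """\
# signature library, version 2 (constructed)
sig-1001\tGET /cgi-bin/
sig-1002\tUser-Agent: example-scanner
sig-1003\tPOST /upload.php
"""


def parse_feature_library(text: str) -> List[str]:
    """S201: parse the downloaded file into the rule list to distribute.
    A malformed line aborts the upgrade instead of being shipped to boards."""
    rules: List[str] = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t", 1)
        if len(parts) != 2 or not parts[0] or not parts[1]:
            raise ValueError(f"feature library line {n}: malformed rule")
        rules.append(f"{parts[0]}:{parts[1]}")
    return rules


@dataclass
class Board:
    """Receiver stub: a service board or a standby MPU. A `busy` board is over
    its memory threshold, ignores the first message and records the event."""
    name: str
    busy: bool = False
    rules: List[str] = field(default_factory=list)
    pending: bool = False

    def receive(self, kind: str, rules: List[str]) -> None:
        if kind == "first" and self.busy:
            self.pending = True           # upgrade event recorded, old rules kept
            return
        self.rules = list(rules)          # delete originals, store the new set
        self.pending = False


@dataclass
class ActiveMainControlBoard:
    name: str
    service_boards: List[Board]
    standby_mpus: List[Board]
    rules: List[str] = field(default_factory=list)
    sent: List[tuple] = field(default_factory=list)   # (board, message kind)

    def upgrade(self, feature_library_text: str) -> None:
        self.rules = parse_feature_library(feature_library_text)   # S201
        # S202: first upgrade message to every service board (multicast in the
        # description) and to every standby MPU so a switchover keeps new rules.
        for b in self.service_boards + self.standby_mpus:
            self.sent.append((b.name, "first"))
            b.receive("first", self.rules)

    def on_get_rules_request(self, board_name: str) -> bool:
        """S203: answer a request from a member service board with the second
        upgrade message; a request from an unknown board is ignored."""
        for b in self.service_boards:
            if b.name == board_name:
                self.sent.append((b.name, "second"))
                b.receive("second", self.rules)
                return True
        return False


def failover(old: ActiveMainControlBoard, standby: Board) -> ActiveMainControlBoard:
    """Active/standby switchover: the standby becomes active with the rules it
    already holds, so no new download is needed to keep inspecting traffic."""
    return ActiveMainControlBoard(standby.name, old.service_boards,
                                  [m for m in old.standby_mpus if m is not standby],
                                  rules=list(standby.rules))


def demo() -> dict:
    lpu1 = Board("lpu-1", rules=["sig-0001:old"])
    lpu2 = Board("lpu-2", busy=True, rules=["sig-0001:old"])   # over threshold
    mpu_b = Board("mpu-b", rules=["sig-0001:old"])             # standby MPU
    active = ActiveMainControlBoard("mpu-a", [lpu1, lpu2], [mpu_b])
    active.upgrade(FEATURE_LIBRARY_V2)
    after_first = {b.name: len(b.rules) for b in (lpu1, lpu2, mpu_b)}
    lpu2.busy = False                        # its memory dropped below threshold
    answered = active.on_get_rules_request("lpu-2") if lpu2.pending else False
    unknown = active.on_get_rules_request("lpu-9")   # not a member: ignored
    new_active = failover(active, mpu_b)     # mpu-a restarts, mpu-b takes over
    return {"after_first": after_first, "answered": answered, "unknown": unknown,
            "lpu2_rules": lpu2.rules, "new_active_rules": new_active.rules,
            "sent": active.sent}


if __name__ == "__main__":
    print(demo())
```

After the first message, `lpu-1` and the standby `mpu-b` hold the three new rules while the busy `lpu-2` still holds its single old rule; once `lpu-2` reports its pending event it receives the second message, and the promoted `mpu-b` starts with the upgraded rules without re-downloading the file.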
Corresponding to above method embodiment, the embodiment of the present invention additionally provides corresponding device embodiment.
Fig. 3 is a kind of matched rule update device provided in an embodiment of the present invention, is applied to distributed fire wall Any business board, described device includes:
Receiver module 310, the first matched rule upgrading message for receiving main control board transmission, wherein, The first matched rule upgrading message includes matched rule;
Judge module 320, for judging itself current memory consumption whether more than predetermined threshold;
First processing module 330, for when the judged result of the judge module 320 is to be, ignoring described the One matched rule upgrading message, and whether itself current memory consumption is detected at set time intervals More than predetermined threshold, when itself current memory consumption no more than predetermined threshold is detected, to the master The request for obtaining matched rule is sent with master control borad, the second matched rule that the main control board sends is received Upgrading message, deletes the local original matched rule for preserving, and preserve the second matched rule upgrading message In the matched rule that includes;
Second processing module 340, for when the judged result of the judge module 320 is no, deleting local guarantor The original matched rule deposited, and preserve the matching included in the first matched rule upgrading message for receiving Rule.
A kind of matched rule update device is the embodiment of the invention provides, each business board can be current according to itself Memory consumption decide whether to carry out matched rule upgrading, when itself current memory consumption is more than predetermined During threshold value, the business board may not successfully preserve matched rule, and in this case, the business board can be with Matched rule upgrading wouldn't be carried out, and periodically detects itself current memory consumption, when detecting When itself current memory consumption is less than or equal to predetermined threshold, then the upgrading of matched rule is carried out, can Ensure that each business board all successfully completes the upgrading of matched rule, and then ensure that each business board is all normally carried out Flow detection.
Further, the device also includes:
Recording module (not shown), configured to record, according to the first matched rule upgrade message, that a matched rule upgrade event has occurred;
The first processing module 330 is then specifically configured to send the request for obtaining the matched rules to the primary main control board when it detects that the board's current memory consumption does not exceed the predetermined threshold and detects that a matched rule upgrade event has occurred.
Further, the matched rules are obtained by the primary main control board parsing a feature library file downloaded from a given server.
Fig. 4 shows another matched rule update device provided in an embodiment of the present invention, applied to the primary main control board of a distributed firewall. The device includes:
Acquisition module 410, configured to obtain matched rules;
First sending module 420, configured to send a first matched rule upgrade message to each business board, where the matched rule upgrade message includes the matched rules;
Second sending module 430, configured to, when a request for obtaining the matched rules sent by any business board is received, send to that business board a second matched rule upgrade message including the matched rules. The request for obtaining the matched rules is sent by that business board after it judged, on receiving the first matched rule upgrade message, that its current memory consumption exceeded the predetermined threshold, then detected at fixed time intervals whether its current memory consumption exceeds the predetermined threshold, and finally detected that its current memory consumption does not exceed the predetermined threshold.
An embodiment of the present invention provides a matched rule update device in which each business board decides, according to its own current memory consumption, whether to carry out the matched rule upgrade. When its current memory consumption exceeds the predetermined threshold, the business board may fail to save the matched rules; in that case the business board can postpone the matched rule upgrade and periodically detect its current memory consumption, carrying out the upgrade only once it detects that its current memory consumption is less than or equal to the predetermined threshold. This ensures that every business board successfully completes the matched rule upgrade and therefore that every business board continues to carry out traffic detection normally.
Further, the first sending module 420 is specifically configured to send the first matched rule upgrade message to each business board by multicast.
Further, the acquisition module 410 includes:
Download submodule (not shown), configured to download a feature library file from a given server;
Parsing submodule (not shown), configured to parse the feature library file and obtain the matched rules that the feature library file includes.
Further, the device also includes:
Third sending module (not shown), configured to send the first matched rule upgrade message to each standby main control board, so that each standby main control board upgrades the matched rules it saves itself.
The matched rule upgrade process provided by the present invention is explained in detail below with reference to a specific embodiment.
As shown in Fig. 5(a), the distributed firewall of this embodiment can include a primary main control board, a standby main control board and multiple business boards (business board 1, business board 2, ..., business board n). In this embodiment, the matched rule upgrade process of the embodiment of the present invention is illustrated by taking the matched rule upgrade of business board 1 and business board 2 as an example.
As shown in Fig. 5(b), the primary main control board can download a feature library file from a given server and parse the feature library file to obtain the matched rules that it includes.
Then the primary main control board can send a first matched rule upgrade message to business board 1 and business board 2, the first matched rule upgrade message including the matched rules it obtained.
After business board 1 receives the first matched rule upgrade message, it judges that its current memory consumption exceeds the predetermined threshold; therefore it ignores the first matched rule upgrade message and periodically detects its current memory consumption. When it detects that its current memory consumption no longer exceeds the predetermined threshold, business board 1 can send a request for obtaining the matched rules to the primary main control board.
After the primary main control board receives the request for obtaining the matched rules sent by business board 1, it can send a second matched rule upgrade message to business board 1, the second matched rule upgrade message including the matched rules it obtained.
After business board 1 receives the second matched rule upgrade message, it can delete the locally saved original matched rules and save the matched rules included in the second matched rule upgrade message, thereby completing the upgrade of its own matched rules.
After business board 2 receives the first matched rule upgrade message, it judges that its current memory consumption does not exceed the predetermined threshold; therefore it can carry out the matched rule upgrade directly. That is, business board 2 can delete the locally saved original matched rules and save the matched rules included in the first matched rule upgrade message, thereby completing the upgrade of its own matched rules.
An embodiment of the present invention provides a matched rule upgrade method and device in which each business board decides, according to its own current memory consumption, whether to carry out the matched rule upgrade. When its current memory consumption exceeds the predetermined threshold, the business board may fail to save the matched rules; in that case the business board can postpone the matched rule upgrade and periodically detect its current memory consumption, carrying out the upgrade only once it detects that its current memory consumption is less than or equal to the predetermined threshold. This ensures that every business board successfully completes the matched rule upgrade and therefore that every business board continues to carry out traffic detection normally.
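The exchange walked through above for business boards 1 and 2 (Fig. 5), as an added simulation in Python. This is example code, not the patent's own implementation or any H3C code: the class and message names, the 80% memory threshold, the per-check memory readings and the rule strings are all constructed assumptions. The example also folds in the recording of the missed upgrade event from the first processing module (claim 2), so a board asks the primary main control board for the rules only when its memory is back under the threshold and an upgrade was actually skipped.

```python
"""Simulation of the deferred matched-rule upgrade of a distributed firewall.

Constructed example: class names, threshold, memory readings and rule strings
are assumptions, not identifiers from the patent or any product.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

MEMORY_THRESHOLD_PERCENT = 80  # assumed "predetermined threshold" (percent of memory in use)


@dataclass
class RuleUpgradeMessage:
    kind: str          # "first" = multicast to every board, "second" = unicast reply to a request
    rules: List[str]   # matched rules parsed from the feature library file


class PrimaryMainControlBoard:
    """Holds the parsed matched rules and answers late requests from business boards."""

    def __init__(self, rules: Iterable[str]):
        self.rules = list(rules)
        self.sent: List[Tuple[str, str]] = []   # (board name, message kind) audit trail

    def multicast_first_message(self, boards: Iterable["BusinessBoard"]) -> None:
        msg = RuleUpgradeMessage("first", self.rules)
        for board in boards:
            self.sent.append((board.name, "first"))
            board.receive_first(msg, self)

    def handle_rule_request(self, board: "BusinessBoard") -> None:
        # The second message goes only to the board that asked for it.
        self.sent.append((board.name, "second"))
        board.receive_second(RuleUpgradeMessage("second", self.rules))


class BusinessBoard:
    """A business board that applies an upgrade only when memory allows it."""

    def __init__(self, name: str, memory_samples: Iterable[int]):
        self.name = name
        self._memory = iter(memory_samples)          # constructed readings, one per memory check
        self.current_memory = next(self._memory)
        self.rules: List[str] = ["old-rule"]        # locally saved original rules
        self.upgrade_event_pending = False          # "a matched rule upgrade event occurred" record
        self._master: Optional[PrimaryMainControlBoard] = None
        self.log: List[str] = []

    def memory_over_threshold(self) -> bool:
        return self.current_memory > MEMORY_THRESHOLD_PERCENT

    def receive_first(self, msg: RuleUpgradeMessage, master: PrimaryMainControlBoard) -> None:
        if self.memory_over_threshold():
            # Ignore the message but record that an upgrade was skipped, so the
            # periodic check knows there is something to fetch later.
            self.upgrade_event_pending = True
            self._master = master
            self.log.append(f"{self.name}: deferred upgrade, memory={self.current_memory}%")
            return
        self._apply(msg)

    def timer_tick(self) -> None:
        """Fixed-interval check: re-sample memory and request the rules if an upgrade was skipped."""
        self.current_memory = next(self._memory, self.current_memory)
        if self.upgrade_event_pending and not self.memory_over_threshold():
            self.log.append(f"{self.name}: memory={self.current_memory}%, requesting rules")
            self._master.handle_rule_request(self)

    def receive_second(self, msg: RuleUpgradeMessage) -> None:
        self._apply(msg)
        self.upgrade_event_pending = False

    def _apply(self, msg: RuleUpgradeMessage) -> None:
        # Delete the original rules and save the ones carried in the message.
        self.rules = list(msg.rules)
        self.log.append(f"{self.name}: applied {msg.kind} message, rules={self.rules}")


def run_scenario() -> dict:
    """Reproduce the Fig. 5 walk-through: board 1 starts over threshold, board 2 does not."""
    master = PrimaryMainControlBoard(["sig-A", "sig-B"])
    board1 = BusinessBoard("board1", [90, 85, 60])   # over, still over, then under threshold
    board2 = BusinessBoard("board2", [50])
    master.multicast_first_message([board1, board2])

    ticks = 0
    while board1.upgrade_event_pending and ticks < 10:
        board1.timer_tick()
        ticks += 1
    return {
        "board1_rules": board1.rules,
        "board2_rules": board2.rules,
        "board1_ticks": ticks,
        "messages": master.sent,
        "log": board1.log + board2.log,
    }


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```

Running the file prints the per-board log. Until the second message is applied, board 1 keeps inspecting traffic with its original rules, which is exactly the detection gap the periodic check is meant to close; keeping the deferred-upgrade events in an operator-visible log makes that window measurable rather than silent.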
It should be noted that, herein, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The embodiments in this specification are described in a related manner: for identical or similar parts the embodiments may refer to one another, and each embodiment focuses on its differences from the others. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively brief, and for the relevant parts reference may be made to the corresponding explanation of the method embodiments.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the scope of protection of the invention. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention falls within the scope of protection of the present invention.

Claims (14)

1. A matched rule upgrade method, characterised in that it is applied to any business board of a distributed firewall, the method comprising:
receiving a first matched rule upgrade message sent by the primary main control board, where the first matched rule upgrade message includes matched rules;
judging whether the current memory consumption of the business board itself exceeds a predetermined threshold;
if so, ignoring the first matched rule upgrade message, detecting at fixed time intervals whether its current memory consumption exceeds the predetermined threshold, and, when it detects that its current memory consumption does not exceed the predetermined threshold, sending a request for obtaining the matched rules to the primary main control board, receiving a second matched rule upgrade message sent by the primary main control board, deleting the locally saved original matched rules, and saving the matched rules included in the second matched rule upgrade message;
if not, deleting the locally saved original matched rules and saving the matched rules included in the received first matched rule upgrade message.
2. The method according to claim 1, characterised in that, after ignoring the first matched rule upgrade message, the method further comprises:
recording, according to the first matched rule upgrade message, that a matched rule upgrade event has occurred;
and the step of sending the request for obtaining the matched rules to the primary main control board when it detects that its current memory consumption does not exceed the predetermined threshold comprises:
sending the request for obtaining the matched rules to the primary main control board when it detects that its current memory consumption does not exceed the predetermined threshold and detects that a matched rule upgrade event has occurred.
3. The method according to claim 1 or 2, characterised in that the matched rules are obtained by the primary main control board parsing a feature library file downloaded from a given server.
4. A matched rule upgrade method, characterised in that it is applied to the primary main control board of a distributed firewall, the method comprising:
obtaining matched rules;
sending a first matched rule upgrade message to each business board, where the matched rule upgrade message includes the matched rules;
when a request for obtaining the matched rules sent by any business board is received, sending to that business board a second matched rule upgrade message including the matched rules, where the request for obtaining the matched rules is sent by that business board after it judged, on receiving the first matched rule upgrade message, that its current memory consumption exceeded the predetermined threshold, then detected at fixed time intervals whether its current memory consumption exceeds the predetermined threshold, and detected that its current memory consumption does not exceed the predetermined threshold.
5. The method according to claim 4, characterised in that sending the first matched rule upgrade message to each business board comprises:
sending the first matched rule upgrade message to each business board by multicast.
6. The method according to claim 4 or 5, characterised in that obtaining the matched rules comprises:
downloading a feature library file from a given server;
parsing the feature library file to obtain the matched rules that the feature library file includes.
7. The method according to claim 4 or 5, characterised in that the method further comprises:
sending the first matched rule upgrade message to each standby main control board, so that each standby main control board upgrades the matched rules it saves itself.
8. A matched rule update device, characterised in that it is applied to any business board of a distributed firewall, the device comprising:
a receiving module, configured to receive a first matched rule upgrade message sent by the primary main control board, where the first matched rule upgrade message includes matched rules;
a judging module, configured to judge whether the current memory consumption of the business board itself exceeds a predetermined threshold;
a first processing module, configured to, when the judgement result of the judging module is yes, ignore the first matched rule upgrade message and detect at fixed time intervals whether the current memory consumption exceeds the predetermined threshold; and, when it detects that the current memory consumption does not exceed the predetermined threshold, send a request for obtaining the matched rules to the primary main control board, receive a second matched rule upgrade message sent by the primary main control board, delete the locally saved original matched rules, and save the matched rules included in the second matched rule upgrade message;
a second processing module, configured to, when the judgement result of the judging module is no, delete the locally saved original matched rules and save the matched rules included in the received first matched rule upgrade message.
9. The device according to claim 8, characterised in that the device further comprises:
a recording module, configured to record, according to the first matched rule upgrade message, that a matched rule upgrade event has occurred;
and the first processing module is specifically configured to send the request for obtaining the matched rules to the primary main control board when it detects that the current memory consumption does not exceed the predetermined threshold and detects that a matched rule upgrade event has occurred.
10. The device according to claim 8 or 9, characterised in that the matched rules are obtained by the primary main control board parsing a feature library file downloaded from a given server.
11. A matched rule update device, characterised in that it is applied to the primary main control board of a distributed firewall, the device comprising:
an acquisition module, configured to obtain matched rules;
a first sending module, configured to send a first matched rule upgrade message to each business board, where the matched rule upgrade message includes the matched rules;
a second sending module, configured to, when a request for obtaining the matched rules sent by any business board is received, send to that business board a second matched rule upgrade message including the matched rules, where the request for obtaining the matched rules is sent by that business board after it judged, on receiving the first matched rule upgrade message, that its current memory consumption exceeded the predetermined threshold, then detected at fixed time intervals whether its current memory consumption exceeds the predetermined threshold, and detected that its current memory consumption does not exceed the predetermined threshold.
12. The device according to claim 11, characterised in that the first sending module is specifically configured to send the first matched rule upgrade message to each business board by multicast.
13. The device according to claim 11 or 12, characterised in that the acquisition module comprises:
a download submodule, configured to download a feature library file from a given server;
a parsing submodule, configured to parse the feature library file and obtain the matched rules that the feature library file includes.
14. The device according to claim 11 or 12, characterised in that the device further comprises:
a third sending module, configured to send the first matched rule upgrade message to each standby main control board, so that each standby main control board upgrades the matched rules it saves itself.
Application CN201610265811.3A, priority date 2016-04-25, filing date 2016-04-25: Matching rule upgrading method and device (granted as CN106789863B, active)

Priority Applications (1)

Application Number    Priority Date    Filing Date    Title
CN201610265811.3A     2016-04-25       2016-04-25     Matching rule upgrading method and device (CN106789863B)

Publications (2)

Publication Number    Publication Date
CN106789863A          2017-05-31
CN106789863B          2020-06-26

Family

ID=58972186

Country Status (1)

Country    Link
CN         CN106789863B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101719105A (en) * 2009-12-31 2010-06-02 中国科学院计算技术研究所 Optimization method and optimization system for memory access in multi-core system
CN101753362A (en) * 2010-02-10 2010-06-23 中兴通讯股份有限公司 Configuring method and device of stacking virtual local area network of distributed network device
CN101930375A (en) * 2010-08-26 2010-12-29 深圳市共进电子有限公司 Self-adaptive program data updating method of memory space in single user optical network unit
US20100333165A1 (en) * 2009-06-24 2010-12-30 Vmware, Inc. Firewall configured with dynamic membership sets representing machine attributes
CN102594620A (en) * 2012-02-20 2012-07-18 南京邮电大学 Linkable distributed network intrusion detection method based on behavior description
CN103631937A (en) * 2013-12-06 2014-03-12 北京趣拿信息技术有限公司 Method, device and system for establishing column storage indexes
CN104320475A (en) * 2014-10-31 2015-01-28 杭州华三通信技术有限公司 Equipment upgrading method and device
CN104424116A (en) * 2013-08-19 2015-03-18 中国科学院声学研究所 Disk caching method and system for embedded browser
US9098434B2 (en) * 2012-09-11 2015-08-04 Ciena Corporation Load balancing systems and methods of MAC learning in multi-slot architectures

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王震: "透析分布式防火墙架构", 《信息安全与技术》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110162314A (en) * 2018-02-12 2019-08-23 华为技术有限公司 A kind of method, server, terminal, device and the storage medium of software upgrading management
US11645063B2 (en) 2018-02-12 2023-05-09 Huawei Cloud Computing Technologies Co., Ltd. Software upgrade management method, server, terminal, apparatus, and storage medium
US11809855B2 (en) 2018-02-12 2023-11-07 Huawei Cloud Computing Technologies Co., Ltd. Software upgrade management method, server, terminal, apparatus, and storage medium
CN113965367A (en) * 2021-10-15 2022-01-21 杭州安恒信息技术股份有限公司 Policy object upper limit control method, system, computer and storage medium
CN113965367B (en) * 2021-10-15 2024-05-28 杭州安恒信息技术股份有限公司 Policy object upper limit control method, system, computer and storage medium

Also Published As

Publication number Publication date
CN106789863B (en) 2020-06-26

Legal Events

Date Code Title Description
PB01    Publication
SE01    Entry into force of request for substantive examination
GR01    Patent grant