CN106789863A - Matching rule upgrade method and device - Google Patents
Matching rule upgrade method and device
- Publication number: CN106789863A
- Application number: CN201610265811.3A
- Authority: CN (China)
- Prior art keywords: matching rule, upgrade message, rule, memory consumption, predetermined threshold
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
Embodiments of the invention provide a matching rule upgrade method and device, applied to any service board of a distributed firewall. The method includes: receiving a first matching rule upgrade message sent by the active main control board; judging whether the board's own current memory consumption exceeds a predetermined threshold; if so, ignoring the first matching rule upgrade message and checking at a set time interval whether the current memory consumption exceeds the predetermined threshold, and, when it is detected that the current memory consumption does not exceed the predetermined threshold, sending a request for obtaining the matching rules to the active main control board, receiving a second matching rule upgrade message sent by the active main control board, deleting the locally stored original matching rules and storing the matching rules carried in the second matching rule upgrade message; if not, deleting the locally stored original matching rules and storing the received matching rules. Embodiments of the invention ensure that every service board continues to perform traffic detection normally.
Description
Technical field
The present invention relates to the field of computer defense technology, and in particular to a matching rule upgrade method and device.
Background technology
A firewall is generally deployed at the network egress of a large or medium-sized enterprise, an intranet or a data center. It inspects traffic entering the intranet from the external network in order to protect intranet security, and inspects traffic leaving the intranet for the external network in order to control the enterprise's sensitive information. For example, a firewall can perform traffic detection according to the user's configuration and the matching rules carried in a predefined feature library, thereby identifying and controlling traffic.
In practice, a distributed firewall is usually deployed for high availability. A distributed firewall generally includes multiple main control boards and multiple service boards; among the main control boards, one is the active main control board and the others are standby main control boards. The active main control board is the control centre of the whole firewall: it controls the other main control boards and the service boards and synchronizes table entries to them.
Every main control board and service board of the distributed firewall stores the same matching rules and performs traffic detection according to them. To improve the accuracy of traffic detection, the matching rules stored on each main control board and service board can be upgraded.
In the existing matching rule upgrade method, the active main control board first downloads a feature library file from a given server, parses the file to obtain the latest matching rules, and sends the latest matching rules to each service board. After receiving them, each service board first deletes its locally stored original matching rules and then stores the latest matching rules, completing the upgrade so that subsequent traffic detection uses the latest rules.
In a distributed firewall, which service board handles a given flow is not determined in advance, so the traffic pressure on the service boards differs: some service boards may be lightly loaded while others are heavily loaded. When each service board receives the latest matching rules from the active main control board and deletes its original rules in order to upgrade, a heavily loaded service board may be unable to store the latest matching rules correctly, for example because of insufficient memory, so its upgrade fails. Because it has already deleted the original matching rules, it can no longer perform traffic detection normally.
The content of the invention
The purpose of the embodiments of the present invention is to provide a matching rule upgrade method and device that ensure every service board successfully completes the matching rule upgrade and therefore continues to perform traffic detection normally. The specific technical solution is as follows.
In a first aspect, an embodiment of the invention provides a matching rule upgrade method applied to any service board of a distributed firewall. The method includes:
receiving a first matching rule upgrade message sent by the active main control board, the first matching rule upgrade message carrying matching rules;
judging whether the board's own current memory consumption exceeds a predetermined threshold;
if so, ignoring the first matching rule upgrade message, checking at a set time interval whether the current memory consumption exceeds the predetermined threshold, and, when it is detected that the current memory consumption does not exceed the predetermined threshold, sending a request for obtaining the matching rules to the active main control board, receiving the second matching rule upgrade message sent by the active main control board, deleting the locally stored original matching rules, and storing the matching rules carried in the second matching rule upgrade message;
if not, deleting the locally stored original matching rules and storing the matching rules carried in the received first matching rule upgrade message.
In a second aspect, an embodiment of the invention provides a matching rule upgrade method applied to the active main control board of a distributed firewall. The method includes:
obtaining matching rules;
sending a first matching rule upgrade message carrying the matching rules to each service board;
when a request for obtaining the matching rules sent by any service board is received, sending a second matching rule upgrade message carrying the matching rules to that service board, where the request is sent by the service board after it judged, on receiving the first matching rule upgrade message, that its current memory consumption exceeded the predetermined threshold, then checked at a set time interval whether its current memory consumption exceeded the predetermined threshold, and detected that it no longer did.
In a third aspect, an embodiment of the invention provides a matching rule upgrade device applied to any service board of a distributed firewall. The device includes:
a receiving module for receiving the first matching rule upgrade message sent by the active main control board, the first matching rule upgrade message carrying matching rules;
a judging module for judging whether the board's own current memory consumption exceeds a predetermined threshold;
a first processing module for, when the result of the judging module is yes, ignoring the first matching rule upgrade message, checking at a set time interval whether the current memory consumption exceeds the predetermined threshold, and, when it is detected that the current memory consumption does not exceed the predetermined threshold, sending a request for obtaining the matching rules to the active main control board, receiving the second matching rule upgrade message sent by the active main control board, deleting the locally stored original matching rules, and storing the matching rules carried in the second matching rule upgrade message;
a second processing module for, when the result of the judging module is no, deleting the locally stored original matching rules and storing the matching rules carried in the received first matching rule upgrade message.
In a fourth aspect, an embodiment of the invention provides a matching rule upgrade device applied to the active main control board of a distributed firewall. The device includes:
an obtaining module for obtaining matching rules;
a first sending module for sending a first matching rule upgrade message carrying the matching rules to each service board;
a second sending module for, when a request for obtaining the matching rules sent by any service board is received, sending a second matching rule upgrade message carrying the matching rules to that service board, where the request is sent by the service board after it judged, on receiving the first matching rule upgrade message, that its current memory consumption exceeded the predetermined threshold, then checked at a set time interval whether its current memory consumption exceeded the predetermined threshold, and detected that it no longer did.
In the matching rule upgrade method and device provided by the embodiments of the invention, each service board decides according to its own current memory consumption whether to perform the matching rule upgrade. When its current memory consumption exceeds the predetermined threshold, the service board might not store the matching rules successfully; in that case it postpones the upgrade and periodically checks its current memory consumption, performing the upgrade only once the memory consumption is less than or equal to the predetermined threshold. This ensures that every service board successfully completes the matching rule upgrade and therefore continues to perform traffic detection normally.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a matching rule upgrade method provided by an embodiment of the present invention;
Fig. 2 is a flow chart of another matching rule upgrade method provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a matching rule upgrade device provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of another matching rule upgrade device provided by an embodiment of the present invention;
Fig. 5 (a) and 5 (b) show the matching rule upgrade process provided by an embodiment of the present invention.
Specific embodiment
In order to ensure that every service board successfully completes the matching rule upgrade and therefore continues to perform traffic detection normally, embodiments of the present invention provide a matching rule upgrade method and device.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that, provided there is no conflict, the embodiments of the present invention and the features in the embodiments can be combined with one another. The present invention is described in detail below with reference to the drawings and the embodiments.
In order to ensure that every service board successfully completes the matching rule upgrade and therefore continues to perform traffic detection normally, an embodiment of the present invention provides a matching rule upgrade method comprising the following steps.
S101: receive a first matching rule upgrade message sent by the active main control board, the first matching rule upgrade message carrying matching rules.
The method provided by this embodiment can be applied to any service board of a distributed firewall. For ease of description, the service board performing the matching rule upgrade is referred to below as the target service board.
In practice, every service board of the distributed firewall can upgrade its matching rules. Specifically, each service board receives the matching rules sent by the active main control board and replaces its locally stored original matching rules with them, completing the upgrade.
In the embodiment, the target service board receives the first matching rule upgrade message sent by the active main control board. The message carries matching rules, so that the target service board can upgrade its matching rules according to them.
S102: judge whether the board's own current memory consumption exceeds a predetermined threshold; if so, perform step S103; otherwise, perform step S104.
When the target service board receives the first matching rule upgrade message sent by the active main control board, it judges whether its own current memory consumption exceeds a predetermined threshold, such as 70%, 80% or 85%, and acts according to the result.
Specifically, the target service board obtains its current memory consumption and compares it with the predetermined threshold to determine whether the threshold is exceeded. The way in which the target service board obtains its current memory consumption may follow the prior art and is not repeated here.
S103: ignore the first matching rule upgrade message, check at a set time interval whether the current memory consumption exceeds the predetermined threshold, and, when it is detected that the current memory consumption does not exceed the predetermined threshold, send a request for obtaining the matching rules to the active main control board, receive the second matching rule upgrade message sent by the active main control board, delete the locally stored original matching rules, and store the matching rules carried in the second matching rule upgrade message.
If the target service board judges that its current memory consumption exceeds the predetermined threshold and nevertheless performs the upgrade immediately, it may be unable to store the matching rules correctly, for example because of insufficient memory, so the upgrade fails and the target service board can no longer perform traffic detection normally.
Therefore, in the embodiment, when the target service board judges that its current memory consumption exceeds the predetermined threshold, it ignores the first matching rule upgrade message: it does not immediately replace its locally stored original matching rules with the matching rules carried in the message.
After ignoring the first matching rule upgrade message, the target service board checks at a set time interval, for example 1, 2 or 3 seconds, whether its current memory consumption exceeds the predetermined threshold. Once the current memory consumption no longer exceeds the threshold, the target service board is likely to be able to store the matching rules correctly and so perform the upgrade.
Specifically, the target service board sends a request for obtaining the matching rules to the active main control board, so as to obtain the matching rules again and upgrade its own matching rules.
When the active main control board receives the request for obtaining the matching rules sent by the target service board, it sends a second matching rule upgrade message carrying the matching rules to the target service board.
The target service board thus receives the second matching rule upgrade message sent by the active main control board, deletes its locally stored original matching rules, and stores the matching rules carried in the second matching rule upgrade message, completing the upgrade of its own matching rules.
S104: delete the locally stored original matching rules and store the matching rules carried in the received first matching rule upgrade message.
If the target service board judges that its current memory consumption is less than or equal to the predetermined threshold, the board is currently relatively idle and has enough memory to perform the matching rule upgrade. In this case it performs the upgrade directly.
Specifically, the target service board deletes its locally stored original matching rules and stores the matching rules carried in the received first matching rule upgrade message, completing the upgrade.
In the matching rule upgrade method provided by this embodiment, each service board decides according to its own current memory consumption whether to perform the matching rule upgrade. When its current memory consumption exceeds the predetermined threshold, the service board might not store the matching rules successfully; in that case it postpones the upgrade and periodically checks its current memory consumption, performing the upgrade only once the memory consumption is less than or equal to the predetermined threshold. This ensures that every service board successfully completes the matching rule upgrade and therefore continues to perform traffic detection normally.
Further, in the embodiment, so that the target service board performs the matching rule upgrade more accurately, when it receives the first matching rule upgrade message, judges that its current memory consumption exceeds the predetermined threshold and ignores the message, it records, according to that message, that a matching rule upgrade event has occurred.
Then, when it detects that its current memory consumption does not exceed the predetermined threshold, it also checks whether a matching rule upgrade event has been recorded, and sends the request for obtaining the matching rules to the active main control board only if so.
The target service board may check its own current memory consumption under other trigger conditions as well. By recording the matching rule upgrade event and sending the request for obtaining the matching rules only when its current memory consumption does not exceed the predetermined threshold and an upgrade event has been recorded, the target service board improves the accuracy of the upgrade: it does not send a request for obtaining matching rules to the active main control board when the active main control board has not sent it a first matching rule upgrade message.
Further, in the embodiment, the matching rules carried in the first matching rule upgrade message sent by the active main control board to the target service board may be obtained by the active main control board by parsing a feature library file downloaded from a given server.
Further, an embodiment of the present invention also provides another matching rule upgrade method, applied to the active main control board of a distributed firewall and comprising the following steps.
S201: obtain matching rules.
In the embodiment, the active main control board of the distributed firewall obtains matching rules in order to upgrade its own matching rules and those of each service board of the distributed firewall.
Specifically, the active main control board downloads a feature library file from a given server and parses the file to obtain the matching rules it contains.
S202: send a first matching rule upgrade message carrying the matching rules to each service board.
After obtaining the matching rules, the active main control board sends each service board a first matching rule upgrade message carrying the matching rules, so that each service board completes the upgrade of its own matching rules according to them.
Specifically, the active main control board may send the first matching rule upgrade message to all service boards by multicast.
S203: when a request for obtaining the matching rules sent by any service board is received, send a second matching rule upgrade message carrying the matching rules to that service board, where the request is sent by the service board after it judged, on receiving the first matching rule upgrade message, that its current memory consumption exceeded the predetermined threshold, then checked at a set time interval whether its current memory consumption exceeded the predetermined threshold, and detected that it no longer did.
In the embodiment, in order to ensure that every service board successfully completes the matching rule upgrade and therefore continues to perform traffic detection normally, each service board judges, on receiving the first matching rule upgrade message sent by the active main control board, whether its own current memory consumption exceeds a predetermined threshold. If so, the service board ignores the first matching rule upgrade message and checks at a set time interval, for example 1, 2 or 3 seconds, whether its current memory consumption exceeds the predetermined threshold.
When it detects that its current memory consumption no longer exceeds the predetermined threshold, the service board sends a request for obtaining the matching rules to the active main control board, so as to obtain the matching rules again and upgrade its own matching rules.
When the active main control board receives the request for obtaining the matching rules sent by any service board, it sends a second matching rule upgrade message carrying the matching rules to that service board.
The service board thus receives the second matching rule upgrade message sent by the active main control board, deletes its locally stored original matching rules, and stores the matching rules carried in the second matching rule upgrade message, completing the upgrade of its own matching rules.
In the matching rule upgrade method provided by this embodiment, each service board decides according to its own current memory consumption whether to perform the matching rule upgrade. When its current memory consumption exceeds the predetermined threshold, the service board might not store the matching rules successfully; in that case it postpones the upgrade and periodically checks its current memory consumption, performing the upgrade only once the memory consumption is less than or equal to the predetermined threshold. This ensures that every service board successfully completes the matching rule upgrade and therefore continues to perform traffic detection normally.
Further, in the embodiment, the active main control board may also send the first matching rule upgrade message to each standby main control board, so that each standby main control board upgrades the matching rules it stores.
In practice a master/standby switch may occur: the active main control board of the distributed firewall may restart because of a fault or user input, in which case one standby main control board is quickly promoted to the new active main control board so that the whole firewall keeps operating normally. Therefore, by sending the matching rules to each standby main control board during the upgrade so that they upgrade their stored matching rules, the new active main control board after a master/standby switch also holds the upgraded matching rules, and the traffic detection service of the distributed firewall proceeds normally.
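The following simulation is an added example, not code from the patent or its applicant. It plays out the service-board procedure S101 to S104 together with the recorded upgrade event, and the active-board procedure S201 to S203 together with the standby synchronization and master/standby switch described above. The message names, the feature-library line format, the memory probe, the threshold value of 80% and the promote() method that models the switch are all assumptions made for illustration; no transport or multicast is modelled, the boards call one another directly.

```python
"""Added simulation of the memory-gated matching rule upgrade (service-board
steps S101-S104, active-board steps S201-S203).  Message names, library
format, memory probe and threshold value are assumptions, not the patent's code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MEMORY_THRESHOLD = 0.80  # assumed; the text offers 70%, 80% and 85% as examples


@dataclass
class UpgradeMessage:
    kind: str         # "first" = pushed to every board, "second" = reply to a fetch request
    rules: List[str]


class MainControlBoard:
    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[str] = []
        self.service_boards: List["ServiceBoard"] = []
        self.standby_boards: List["MainControlBoard"] = []

    @staticmethod
    def parse_feature_library(text: str) -> List[str]:
        """Constructed library format (assumption): 'id|pattern' per line, '#' comments skipped."""
        rules = []
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                rule_id, pattern = line.split("|", 1)
                rules.append(f"{rule_id}:{pattern}")
        return rules

    def upgrade(self, library_text: str) -> Dict[str, str]:
        """S201-S202: parse the downloaded library, push a first upgrade message to every
        service board, and copy the rules to every standby board for a later switch."""
        self.rules = self.parse_feature_library(library_text)
        msg = UpgradeMessage("first", list(self.rules))
        outcome = {b.name: b.on_upgrade_message(msg, self) for b in self.service_boards}
        for standby in self.standby_boards:
            standby.rules = list(self.rules)
        return outcome

    def on_fetch_request(self, board: "ServiceBoard") -> None:
        """S203: answer a fetch request with a second upgrade message."""
        board.on_upgrade_message(UpgradeMessage("second", list(self.rules)), self)

    def promote(self, standby: "MainControlBoard") -> "MainControlBoard":
        """Master/standby switch (modelled here, not the patent's mechanism)."""
        standby.service_boards = self.service_boards
        for board in standby.service_boards:
            board.main = standby
        return standby


class ServiceBoard:
    def __init__(self, name: str, memory_probe: Callable[[], float]) -> None:
        self.name = name
        self.memory_probe = memory_probe   # current memory consumption as a fraction 0.0-1.0
        self.rules: List[str] = []
        self.upgrade_pending = False       # the recorded "matching rule upgrade event"
        self.main: Optional[MainControlBoard] = None

    def on_upgrade_message(self, msg: UpgradeMessage, main: MainControlBoard) -> str:
        """S101-S104.  A second message is installed unconditionally: the board
        requested it only after its memory fell to or below the threshold."""
        self.main = main
        if msg.kind == "second" or self.memory_probe() <= MEMORY_THRESHOLD:
            self.rules = []               # delete the locally stored original rules ...
            self.rules = list(msg.rules)  # ... then save the received ones (S104)
            self.upgrade_pending = False
            return "installed"
        self.upgrade_pending = True       # S103: ignore the message but record the event
        return "deferred"

    def tick(self) -> str:
        """One periodic memory check (the text's 'set time interval')."""
        if not self.upgrade_pending:
            return "idle"                 # no recorded event: never send a spurious request
        if self.memory_probe() > MEMORY_THRESHOLD:
            return "waiting"              # still under pressure; old rules stay in use
        self.main.on_fetch_request(self)  # S103: ask the current active board again
        return "fetched"


def simulate() -> Dict[str, object]:
    """Two service boards, one under memory pressure, plus a master/standby switch."""
    library = "# constructed feature library\nR1|GET /etc/passwd\nR2|union select\n"
    busy_samples = iter([0.95, 0.92, 0.60])   # pressure on the busy board easing over time
    idle = ServiceBoard("sb-idle", lambda: 0.40)
    busy = ServiceBoard("sb-busy", lambda: next(busy_samples))
    busy.rules = ["R0:old-rule"]              # stays in use while the upgrade is deferred
    main, standby = MainControlBoard("mcb-main"), MainControlBoard("mcb-standby")
    main.service_boards, main.standby_boards = [idle, busy], [standby]
    trace: Dict[str, object] = {"push": main.upgrade(library)}
    trace["tick1"] = busy.tick()
    trace["rules_while_deferred"] = list(busy.rules)
    new_main = main.promote(standby)          # active board restarts; standby takes over
    trace["tick2"] = busy.tick()
    trace["busy_rules"] = list(busy.rules)
    trace["standby_rules"] = list(new_main.rules)
    return trace
```

Running simulate() shows the idle board installing on the first message, the busy board deferring and continuing to detect with its old rule while it waits, and, after the switch, fetching the new rules from the promoted standby because that board already holds the upgraded set. The upgrade_pending flag is what keeps a memory check triggered for some other reason from sending a fetch request when no first message was ever received.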
Corresponding to the method embodiments above, embodiments of the present invention also provide corresponding device embodiments.
Fig. 3 shows a matching rule upgrade device provided by an embodiment of the present invention, applied to any service board of a distributed firewall. The device includes:
a receiving module 310 for receiving the first matching rule upgrade message sent by the active main control board, the first matching rule upgrade message carrying matching rules;
a judging module 320 for judging whether the board's own current memory consumption exceeds a predetermined threshold;
a first processing module 330 for, when the result of the judging module 320 is yes, ignoring the first matching rule upgrade message, checking at a set time interval whether the current memory consumption exceeds the predetermined threshold, and, when it is detected that the current memory consumption does not exceed the predetermined threshold, sending a request for obtaining the matching rules to the active main control board, receiving the second matching rule upgrade message sent by the active main control board, deleting the locally stored original matching rules, and storing the matching rules carried in the second matching rule upgrade message;
a second processing module 340 for, when the result of the judging module 320 is no, deleting the locally stored original matching rules and storing the matching rules carried in the received first matching rule upgrade message.
In the matching rule upgrade device provided by this embodiment, each service board decides according to its own current memory consumption whether to perform the matching rule upgrade. When its current memory consumption exceeds the predetermined threshold, the service board might not store the matching rules successfully; in that case it postpones the upgrade and periodically checks its current memory consumption, performing the upgrade only once the memory consumption is less than or equal to the predetermined threshold. This ensures that every service board successfully completes the matching rule upgrade and therefore continues to perform traffic detection normally.
Further, the device also includes:
a recording module (not shown) for recording, according to the first matching rule upgrade message, that a matching rule upgrade event has occurred;
the first processing module 330 being specifically configured to send the request for obtaining the matching rules to the active main control board when it detects that the current memory consumption does not exceed the predetermined threshold and that a matching rule upgrade event has been recorded.
Further, the matching rules are obtained by the active main control board by parsing a feature library file downloaded from a given server.
Fig. 4 shows another matched rule update device provided by an embodiment of the present invention, applied to the main control board of a distributed firewall. The device includes:
Acquisition module 410, configured to obtain matched rules;
First sending module 420, configured to send a first matched rule upgrade message to each business board, wherein the matched rule upgrade message includes the matched rules;
Second sending module 430, configured to, when a request for obtaining matched rules sent by any business board is received, send a second matched rule upgrade message including the matched rules to that business board, wherein the request for obtaining matched rules is sent by that business board after it judged, on receiving the first matched rule upgrade message, that its own current memory consumption exceeded the predetermined threshold, then detected at set time intervals whether its current memory consumption exceeds the predetermined threshold, and detected that its current memory consumption no longer exceeds the predetermined threshold.
With the matched rule update device of this embodiment, as with the device of Fig. 3, each business board decides according to its own current memory consumption whether to carry out a matched rule upgrade: a business board whose memory consumption exceeds the predetermined threshold, and which therefore might fail to store the matched rules, postpones the upgrade and periodically checks its memory consumption, upgrading only once that consumption is less than or equal to the threshold. This ensures that every business board completes the matched rule upgrade successfully and continues to perform traffic detection normally.
Further, the first sending module 420 is specifically configured to send the first matched rule upgrade message to each business board by multicast.
Further, the acquisition module 410 includes:
Download submodule (not shown), configured to download a feature library file from a given server;
Parsing submodule (not shown), configured to parse the feature library file and obtain the matched rules it contains.
Further, the device also includes:
Third sending module (not shown), configured to send the first matched rule upgrade message to each standby main control board, so that each standby main control board upgrades the matched rules it stores.
The matched rule upgrade process provided by the present invention is explained in detail below with reference to a specific embodiment.
As shown in Fig. 5(a), the distributed firewall of this embodiment can include a main control board, a standby main control board and multiple business boards (business board 1, business board 2, ..., business board n). In this embodiment, the matched rule upgrade process of the embodiment of the present invention is illustrated using the matched rule upgrade of business board 1 and business board 2 as an example.
As shown in Fig. 5(b), the main control board can download a feature library file from a given server and parse it to obtain the matched rules the file contains.
The main control board then sends a first matched rule upgrade message to business board 1 and business board 2; the first matched rule upgrade message includes the matched rules it obtained.
After business board 1 receives the first matched rule upgrade message, it judges that its current memory consumption exceeds the predetermined threshold. It therefore ignores the first matched rule upgrade message and periodically checks its current memory consumption; when it detects that its current memory consumption no longer exceeds the predetermined threshold, business board 1 can send a request for obtaining matched rules to the main control board.
After the main control board receives the request for obtaining matched rules sent by business board 1, it can send a second matched rule upgrade message to business board 1; the second matched rule upgrade message includes the matched rules it obtained.
After business board 1 receives the second matched rule upgrade message, it can delete the locally stored original matched rules and store the matched rules included in the second matched rule upgrade message, thereby completing its own matched rule upgrade.
After business board 2 receives the first matched rule upgrade message, it judges that its current memory consumption does not exceed the predetermined threshold, so it can carry out the matched rule upgrade directly: business board 2 deletes the locally stored original matched rules and stores the matched rules included in the first matched rule upgrade message, thereby completing its own matched rule upgrade.
An embodiment of the present invention provides a matched rule upgrade method and device in which each business board decides, according to its own current memory consumption, whether to carry out a matched rule upgrade. When its current memory consumption exceeds the predetermined threshold, the business board may fail to store the matched rules; in that case it postpones the matched rule upgrade and periodically checks its current memory consumption, carrying out the upgrade only once it detects that its memory consumption is less than or equal to the predetermined threshold. This ensures that every business board completes the matched rule upgrade successfully, and therefore that every business board continues to perform traffic detection normally.
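The exchange walked through in the Fig. 5 embodiment, as an added Python simulation that is not the patent's own code: the message kinds, the `memory_probe` callback, the tick-driven periodic check and the one-rule-per-line feature library format are my own constructions, and the memory figures are constructed sample values. It shows why the memory gate matters from an operational standpoint: a board that ignores the first message keeps its previous rule set intact and serving traffic, rather than ending up with a half-installed one, and only a board with a recorded upgrade event ever sends a rule request.

```python
# Added example (not the patent's code): a runnable simulation of the memory-gated
# matched-rule upgrade exchange; message kinds, the memory_probe callback, the
# tick-driven periodic check and the feature library text format are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class UpgradeMessage:
    kind: str          # 'first' (multicast to all boards) or 'second' (sent on request)
    rules: List[str]


class MainControlBoard:
    def __init__(self) -> None:
        self.rules: List[str] = []
        self.boards: Dict[str, "BusinessBoard"] = {}
        self.sent_log: List[Tuple[str, str]] = []  # (board id, message kind)

    def parse_feature_library(self, library_file: str) -> List[str]:
        # Constructed format: one rule per line, '#' starts a comment line.
        self.rules = [ln.strip() for ln in library_file.splitlines()
                      if ln.strip() and not ln.lstrip().startswith("#")]
        return self.rules

    def multicast_first_upgrade(self) -> None:
        # The first upgrade message goes to every business board (claim 5: multicast).
        for board in self.boards.values():
            self.sent_log.append((board.board_id, "first"))
            board.receive(UpgradeMessage("first", list(self.rules)))

    def handle_rule_request(self, board_id: str) -> None:
        # The second upgrade message goes only to the board that asked for it.
        self.sent_log.append((board_id, "second"))
        self.boards[board_id].receive(UpgradeMessage("second", list(self.rules)))


class BusinessBoard:
    def __init__(self, board_id: str, main: MainControlBoard, threshold: float,
                 memory_probe: Callable[[], float]) -> None:
        self.board_id, self.main, self.threshold = board_id, main, threshold
        self.memory_probe = memory_probe      # current memory consumption as a fraction
        self.rules: List[str] = ["legacy-rule"]
        self.pending_upgrade = False          # recorded 'upgrade event occurred' (claim 2)
        main.boards[board_id] = self

    def _install(self, rules: List[str]) -> None:
        self.rules = list(rules)  # delete the original local rules, keep only the new set
        self.pending_upgrade = False

    def receive(self, msg: UpgradeMessage) -> None:
        if msg.kind == "second":
            self._install(msg.rules)
        elif self.memory_probe() > self.threshold:
            self.pending_upgrade = True   # ignore the message but remember it happened
        else:
            self._install(msg.rules)

    def periodic_check(self) -> bool:
        """Run at the set time interval; returns True if a rule request was sent."""
        if self.pending_upgrade and self.memory_probe() <= self.threshold:
            self.main.handle_rule_request(self.board_id)
            return True
        return False


def run_scenario() -> dict:
    """Fig. 5 scenario: board 1 is over the threshold at first, board 2 is not."""
    main = MainControlBoard()
    main.parse_feature_library("# constructed feature library\nrule-A\nrule-B\n")
    board1_memory = iter([0.95, 0.92, 0.60])   # constructed samples: busy, busy, idle
    b1 = BusinessBoard("board1", main, 0.80, lambda: next(board1_memory))
    b2 = BusinessBoard("board2", main, 0.80, lambda: 0.40)
    main.multicast_first_upgrade()
    after_first = {b.board_id: list(b.rules) for b in (b1, b2)}
    ticks = [[b.periodic_check() for b in (b1, b2)] for _ in range(3)]
    return {"after_first": after_first, "ticks": ticks,
            "final": {b.board_id: list(b.rules) for b in (b1, b2)},
            "sent_log": main.sent_log}
```

Board 1 keeps `legacy-rule` through the first message and the first busy tick, requests the rules on the tick where its memory drops below the threshold, and receives a second message addressed only to it; board 2 upgrades immediately and never sends a request.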
It should be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes that element.
The embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other. In particular, the system embodiment is described relatively briefly because it is substantially similar to the method embodiment; for relevant details, refer to the description of the method embodiment.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention falls within the scope of protection of the present invention.
Claims (14)
1. A matched rule upgrade method, characterised in that it is applied to any business board of a distributed firewall, the method comprising:
receiving a first matched rule upgrade message sent by the main control board, wherein the first matched rule upgrade message includes matched rules;
judging whether the board's own current memory consumption exceeds a predetermined threshold;
if so, ignoring the first matched rule upgrade message, detecting at set time intervals whether the current memory consumption exceeds the predetermined threshold and, when it is detected that the current memory consumption does not exceed the predetermined threshold, sending a request for obtaining matched rules to the main control board, receiving a second matched rule upgrade message sent by the main control board, deleting the locally stored original matched rules and storing the matched rules included in the second matched rule upgrade message;
if not, deleting the locally stored original matched rules and storing the matched rules included in the received first matched rule upgrade message.
2. The method according to claim 1, characterised in that, after ignoring the first matched rule upgrade message, the method further comprises:
recording, according to the first matched rule upgrade message, that a matched rule upgrade event has occurred;
and the sending of the request for obtaining matched rules to the main control board when it is detected that the current memory consumption does not exceed the predetermined threshold comprises:
sending the request for obtaining matched rules to the main control board when it is detected that the current memory consumption does not exceed the predetermined threshold and it is detected that a matched rule upgrade event has occurred.
3. The method according to claim 1 or 2, characterised in that the matched rules are obtained by the main control board by parsing a feature library file downloaded from a given server.
4. A matched rule upgrade method, characterised in that it is applied to the main control board of a distributed firewall, the method comprising:
obtaining matched rules;
sending a first matched rule upgrade message to each business board, wherein the matched rule upgrade message includes the matched rules;
when a request for obtaining matched rules sent by any business board is received, sending a second matched rule upgrade message including the matched rules to that business board, wherein the request for obtaining matched rules is sent by that business board after it judged, on receiving the first matched rule upgrade message, that its own current memory consumption exceeded the predetermined threshold, then detected at set time intervals whether its current memory consumption exceeds the predetermined threshold, and detected that its current memory consumption does not exceed the predetermined threshold.
5. The method according to claim 4, characterised in that the sending of the first matched rule upgrade message to each business board comprises:
sending the first matched rule upgrade message to each business board by multicast.
6. The method according to claim 4 or 5, characterised in that the obtaining of matched rules comprises:
downloading a feature library file from a given server;
parsing the feature library file to obtain the matched rules the feature library file contains.
7. The method according to claim 4 or 5, characterised in that the method further comprises:
sending the first matched rule upgrade message to each standby main control board, so that each standby main control board upgrades the matched rules it stores.
8. A matched rule update device, characterised in that it is applied to any business board of a distributed firewall, the device comprising:
a receiving module, configured to receive a first matched rule upgrade message sent by the main control board, wherein the first matched rule upgrade message includes matched rules;
a judge module, configured to judge whether the board's own current memory consumption exceeds a predetermined threshold;
a first processing module, configured to, when the judgement result of the judge module is yes, ignore the first matched rule upgrade message, detect at set time intervals whether the current memory consumption exceeds the predetermined threshold and, when it is detected that the current memory consumption does not exceed the predetermined threshold, send a request for obtaining matched rules to the main control board, receive a second matched rule upgrade message sent by the main control board, delete the locally stored original matched rules and store the matched rules included in the second matched rule upgrade message;
a second processing module, configured to, when the judgement result of the judge module is no, delete the locally stored original matched rules and store the matched rules included in the received first matched rule upgrade message.
9. The device according to claim 8, characterised in that the device further comprises:
a logging module, configured to record, according to the first matched rule upgrade message, that a matched rule upgrade event has occurred;
the first processing module being specifically configured to send the request for obtaining matched rules to the main control board when it detects that the current memory consumption does not exceed the predetermined threshold and detects that a matched rule upgrade event has occurred.
10. The device according to claim 8 or 9, characterised in that the matched rules are obtained by the main control board by parsing a feature library file downloaded from a given server.
11. A matched rule update device, characterised in that it is applied to the main control board of a distributed firewall, the device comprising:
an acquisition module, configured to obtain matched rules;
a first sending module, configured to send a first matched rule upgrade message to each business board, wherein the matched rule upgrade message includes the matched rules;
a second sending module, configured to, when a request for obtaining matched rules sent by any business board is received, send a second matched rule upgrade message including the matched rules to that business board, wherein the request for obtaining the matched rules is sent by that business board after it judged, on receiving the first matched rule upgrade message, that its own current memory consumption exceeded the predetermined threshold, then detected at set time intervals whether its current memory consumption exceeds the predetermined threshold, and detected that its current memory consumption does not exceed the predetermined threshold.
12. The device according to claim 11, characterised in that the first sending module is specifically configured to send the first matched rule upgrade message to each business board by multicast.
13. The device according to claim 11 or 12, characterised in that the acquisition module comprises:
a download submodule, configured to download a feature library file from a given server;
a parsing submodule, configured to parse the feature library file and obtain the matched rules the feature library file contains.
14. The device according to claim 11 or 12, characterised in that the device further comprises:
a third sending module, configured to send the first matched rule upgrade message to each standby main control board, so that each standby main control board upgrades the matched rules it stores.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610265811.3A CN106789863B (en) | 2016-04-25 | 2016-04-25 | Matching rule upgrading method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106789863A true CN106789863A (en) | 2017-05-31 |
CN106789863B CN106789863B (en) | 2020-06-26 |
Family
ID=58972186
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||