CN107295009A - A kind of method for bypassing audit sqlserver link informations - Google Patents


Info

Publication number: CN107295009A
Authority: CN (China)
Prior art keywords: audit, database, port, sqlserver, source
Legal status: Pending (the legal status shown is an assumption, not a legal conclusion)
Application number: CN201710647099.8A
Other languages: Chinese (zh)
Inventors: 王飞飞, 范渊, 龙文洁
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Priority date: 2017-08-01
Filing date: 2017-08-01
Publication date: 2017-10-24

Classifications

    • H04L63/308 Network architectures or network communication protocols for network security; supporting lawful interception, monitoring or retaining of communications or communication-related information; retaining data, e.g. retaining successful or unsuccessful communication attempts, internet access, e-mail, internet telephony, intercept-related information or call content
    • H04L43/12 Arrangements for monitoring or testing data switching networks; network monitoring probes
    • H04L63/302 Network architectures or network communication protocols for network security; supporting lawful interception, monitoring or retaining of communications or communication-related information; gathering intelligence information for situation awareness or reconnaissance

Abstract

The present invention relates to network technology and to the field of database auditing, and provides a method for bypass-auditing SQL Server connection information. In this method an audit device performs a bypass audit of an audit target in the following steps: collect the network access traffic, then analyse the network access traffic packets to obtain the client connection information. The invention remedies the deficiencies of the prior art, so that a bypass audit can normally audit connection information such as the user name and the connection tool; it also makes it possible to trace encrypted database connection information without affecting database connections, so that the audit objective is finally reached.

Description

A method for bypass-auditing SQL Server connection information
Technical field
The present invention relates to network technology and to the field of database auditing, and in particular to a method for bypass-auditing SQL Server connection information.
Background technology
SQL Server is a relational database management system.
SQL Server 2005 is a comprehensive database platform that uses integrated business intelligence (BI) tools to provide enterprise-class data management. The SQL Server database engine provides more secure and reliable storage for relational and structured data, so that users can build and manage highly available, high-performance data applications for their business.
SQL Server 2008 is a major release: it introduces many new features and key improvements, and it is the most powerful and comprehensive SQL Server version to date. The new features of SQL Server 2008 are characterised as trusted, efficient and intelligent.
Building on SQL Server 2005, SQL Server 2008 extends its security with simple encryption, external key management and enhanced auditing.
SQL Server 2008 can encrypt the whole database, its data files and its log files without changing the application. Encryption allows a company to meet compliance requirements and its own data-privacy requirements. The benefits of simple data encryption include being able to search encrypted data with any range or fuzzy query, and stronger information security that prevents access by unauthorised users, in addition to the data encryption itself. All of this can be done without changing existing applications.
Because SQL Server encrypts the whole database, the information the client uses to connect to the database, such as the user name and the connection tool, is transmitted in encrypted form, and a bypass audit cannot normally audit connection information such as the user name and the connection tool.
Summary of the invention
The primary object of the present invention is to overcome the deficiencies of the prior art by providing a method that can bypass-audit encrypted SQL Server user connection information. To solve the above technical problem, the solution of the present invention is as follows:
A method for bypass-auditing SQL Server connection information is provided, in which an audit device performs a bypass audit of an audit target. The method comprises the following steps:
Step A: collect the network access traffic. This comprises the following sub-steps:
Step A1) Configure a mirror port on the core switch (the core switch is the network device that encapsulates and forwards data packets; every packet that passes through the audit target must be forwarded by the core switch) and send the mirrored data to the audit device.
The audit device (an audit device of the applicant's own development) is deployed in bypass mode and monitors and records the user side's connections to the database and all kinds of operations. A database is configured on the audit device to serve as the mirrored audit target.
Step A2) On the audit device, configure the database IP and port to be the IP and port of the audit target.
Step A3) Using the database IP and port configured in step A2, the audit device captures the network access traffic packets from the user side to the database.
Step B: analyse the network access traffic packets to obtain the client connection information:
If the database communication of the audit target does not use encryption (database versions before SQL Server 2008): parse the network access traffic packets captured in step A3 to extract the connection information with the database, which is the connection information with the audit target; this achieves the bypass audit of SQL Server connection information. The connection information includes, but is not limited to: source IP, source port, destination IP, destination port, connection user name, client connection tool.
If the database communication of the audit target uses encryption (in the SQL Server 2008 database version, connection information such as the user name and the client tool is transmitted in encrypted form), the steps are as follows:
Step B1) Parse the network access traffic packets captured in step A3 to extract the connection information with the database. The connection information includes, but is not limited to: source IP, source port, destination IP, destination port.
Step B2) Query the database connection information table of the audit target (the database connection information table is a table that SQL Server itself provides; it records the online connection information of clients, including but not limited to: source IP, source port, destination IP, connection user name, client connection tool) to obtain a query result. The query result includes, but is not limited to: source IP, source port, destination IP, destination port, connection user name, client connection tool.
Step B3) Correlate the connection information from step B1 with the query result from step B2: if the source IP, source port, destination IP and destination port of the connection information and of the query result are all identical, the connection user name and client connection tool in the query result can be uniquely confirmed, and the audit of encrypted SQL Server user connection information is achieved.
In the present invention, in step A1, the way in which the mirror port on the core switch intercepts the mirrored data is: a proxy service filters, according to the local database service port, the local application connection data intercepted by a hook function.
Compared with the prior art, the beneficial effects of the invention are as follows:
The present invention remedies the deficiencies of the prior art, so that a bypass audit can normally audit connection information such as the user name and the connection tool; the invention also makes it possible to trace encrypted database connection information without affecting database connections, so that the audit objective is finally reached.
Brief description of the drawings
Fig. 1 is the flow chart of the invention.
Fig. 2 is a block diagram of the main information obtained by parsing the data.
Fig. 3 is the flow block diagram of the database query.
Detailed description
It should first be explained that the present invention relates to database technology and is an application of computer technology in the field of information security. Implementing the invention may involve several software function modules. The applicant believes that, after reading the application documents and accurately understanding the principle and purpose of the invention, a person skilled in the art can fully implement the invention with the software programming skills they already possess, combined with known existing technology.
The present invention is described in further detail below with reference to the accompanying drawings and embodiments:
As shown in Fig. 1, a method for bypass-auditing SQL Server connection information uses an audit device to perform a bypass audit of an audit target and comprises the following steps:
Step A: collect the network access traffic. This comprises the following sub-steps:
Step A1) Configure a mirror port on the core switch. A proxy service filters, according to the local database service port, the local application connection data intercepted by a hook function, and the mirrored data is then sent to the audit device.
The core switch is the network device that encapsulates and forwards data packets. It is particularly pointed out that every packet that passes through the audit target must be forwarded by the core switch.
The audit device is an audit device of the applicant's own development, used to monitor and record the user side's connections to the database and all kinds of operations; it is deployed in bypass mode. A database is configured on the audit device to serve as the mirrored audit target.
Step A2) On the audit device, configure the database IP and port to be the IP and port of the audit target.
Step A3) Using the database IP and port configured in step A2, the audit device captures the network access traffic packets from the user side to the database.
Step B: analyse the network access traffic packets to obtain the client connection information. Depending on the audit target, there are the following two cases:
Case 1) If the audit target is a database version before SQL Server 2008, which does not use encryption in the communication process:
Parse the network access traffic packets captured in step A3 to extract the connection information with the database, which is the connection information with the audit target; this achieves the bypass audit of SQL Server connection information.
The connection information includes, but is not limited to: source IP, source port, destination IP, destination port, connection user name, client connection tool.
Case 2) If the audit target is the SQL Server 2008 database version, connection information such as the user name and the client tool is transmitted in encrypted form. The bypass audit device can then only parse connection information such as source IP, source port, destination IP and destination port, and cannot normally parse important client information such as the connection user name and the client connection tool. This case is therefore handled by the following steps:
Step B1) Parse the network access traffic packets captured in step A3 to extract the connection information with the database.
The connection information includes, but is not limited to: source IP, source port, destination IP, destination port.
Step B2) Query the database connection information table. The database connection information table is a table that SQL Server itself provides, and it records client online connection information such as source IP, source port, destination IP, connection user name and client connection tool. To obtain the client online connection information, the database audit device therefore queries the database connection information table and obtains the query result.
The query result includes, but is not limited to: source IP, source port, destination IP, destination port, connection user name, client connection tool.
Step B3) Correlate the connection information from step B1 with the query result from step B2: identical source IP, source port, destination IP and destination port uniquely confirm the connection user name and the client tool, so that the audit of encrypted SQL Server user connection information is achieved.
The following example helps those skilled in the art to understand the present invention better, but does not limit the invention in any way.
Suppose user A connects with the client tool SQL Server Management Studio (hereinafter "sms") to the audit target database of the bypass audit device. The database's online connection information table then gains a record containing, but not limited to: user A's IP, the client tool port, the database IP, the database port, the client tool sms, and user A. The bypass audit device captures and analyses the database's network access traffic through the mirror port configured on the core switch. For a database using unencrypted communication, the analysis result normally obtained includes, but is not limited to: user A's IP, the client tool port, the database IP, the database port, the client tool, and user A. For a database using encrypted communication, the analysis result obtained includes, but is not limited to: user A's IP, the client tool port, the database IP and the database port, but does not include the client tool sms or user A. It is therefore further necessary to query the database's online connection information table and, using user A's IP, the client tool port, the database IP and the database port, uniquely confirm user A and the client tool sms, so that the audit of SQL Server connection information is achieved.
Fig. 2 illustrates the main information obtained by parsing the data, and Fig. 3 illustrates the database query flow.
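The correlation of steps B1 to B3 and the user A example above, as an added Python example that is not part of the patent and not code from DBAPPSecurity. It assumes that the "database connection information table" corresponds to the SQL Server views sys.dm_exec_connections and sys.dm_exec_sessions (the query string records what the audit device would run against the audited instance; the example itself runs offline on constructed flow records and query rows), and it also covers the two outcomes the patent does not discuss: a wire flow with no matching server row, and a four-tuple that appears more than once in the snapshot.

```python
"""Step B correlation: attribute a user name and client tool to each mirrored
SQL Server connection.  Added example, not code from the patent or from
DBAPPSecurity.  Assumption: the patent's "database connection information
table" is modelled by the real DMVs sys.dm_exec_connections and
sys.dm_exec_sessions; every flow record and query row below is constructed."""

from dataclasses import dataclass
from typing import Optional

# Query the audit device is assumed to run for step B2.  View and column
# names are real SQL Server DMV names; which table the patent means is an
# assumption.
CONNECTION_INFO_QUERY = """
SELECT c.client_net_address, c.client_tcp_port,
       c.local_net_address,  c.local_tcp_port,
       s.login_name, s.program_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.net_transport = 'TCP';
"""

FourTuple = tuple[str, int, str, int]


@dataclass(frozen=True)
class FlowRecord:
    """What step B1 can parse from the mirrored packets.  user_name and
    client_tool are only filled in for an unencrypted session (case 1)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    user_name: Optional[str] = None
    client_tool: Optional[str] = None

    def four_tuple(self) -> FourTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)


@dataclass(frozen=True)
class ConnectionRow:
    """One row returned by CONNECTION_INFO_QUERY (step B2)."""
    client_net_address: str
    client_tcp_port: int
    local_net_address: str
    local_tcp_port: int
    login_name: str
    program_name: str

    def four_tuple(self) -> FourTuple:
        return (self.client_net_address, self.client_tcp_port,
                self.local_net_address, self.local_tcp_port)


def attribute_connections(flows: list[FlowRecord],
                          rows: list[ConnectionRow]) -> list[dict]:
    """Step B3: join the wire-visible four-tuple with the server's session view.
    'parsed'     - login fields were already readable on the wire (case 1)
    'correlated' - exactly one server row shares the four-tuple (case 2)
    'ambiguous'  - several rows share it (stale snapshot or reused source port)
    'unresolved' - no row shares it (e.g. the session had already closed)"""
    by_tuple: dict[FourTuple, list[ConnectionRow]] = {}
    for row in rows:
        by_tuple.setdefault(row.four_tuple(), []).append(row)

    results = []
    for flow in flows:
        base = {"src_ip": flow.src_ip, "src_port": flow.src_port,
                "dst_ip": flow.dst_ip, "dst_port": flow.dst_port}
        if flow.user_name is not None and flow.client_tool is not None:
            results.append({**base, "user_name": flow.user_name,
                            "client_tool": flow.client_tool, "how": "parsed"})
            continue
        matches = by_tuple.get(flow.four_tuple(), [])
        if len(matches) == 1:
            results.append({**base, "user_name": matches[0].login_name,
                            "client_tool": matches[0].program_name,
                            "how": "correlated"})
        else:
            results.append({**base, "user_name": None, "client_tool": None,
                            "how": "unresolved" if not matches else "ambiguous"})
    return results


# Constructed sample data (not captured from any real system).
SAMPLE_FLOWS = [
    FlowRecord("10.0.0.5", 51234, "10.0.0.20", 1433),                    # user A, encrypted
    FlowRecord("10.0.0.7", 40001, "10.0.0.20", 1433, "userB", "sqlcmd"),  # unencrypted
    FlowRecord("10.0.0.9", 45000, "10.0.0.20", 1433),                    # no server row
    FlowRecord("10.0.0.11", 50000, "10.0.0.20", 1433),                   # duplicated tuple
]

SAMPLE_ROWS = [
    ConnectionRow("10.0.0.5", 51234, "10.0.0.20", 1433, "userA", "sqlserver management studio"),
    ConnectionRow("10.0.0.7", 40001, "10.0.0.20", 1433, "userB", "sqlcmd"),
    ConnectionRow("10.0.0.11", 50000, "10.0.0.20", 1433, "userC", "sqlcmd"),
    ConnectionRow("10.0.0.11", 50000, "10.0.0.20", 1433, "userD", "osql"),
]

if __name__ == "__main__":
    for entry in attribute_connections(SAMPLE_FLOWS, SAMPLE_ROWS):
        print(entry)
```

Running the file prints one attribution per flow. Two points matter when deploying this kind of correlation: the server-side query has to be taken while the session is still open, because a closed connection leaves no row and its source port can be reused by a later client (the unresolved and ambiguous outcomes exist for exactly that reason and should be logged rather than dropped); and whether the login fields are readable on the wire is decided by the encryption option negotiated in the TDS pre-login handshake, not by whether the database files themselves are encrypted, so the "parsed" path cannot be assumed from the server version alone.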
Finally, it should be noted that the above is only a specific embodiment of the invention. Clearly, the invention is not restricted to the above embodiment, and many variations are possible. All variations that a person of ordinary skill in the art can derive directly from, or associate with, the disclosure are considered to fall within the scope of protection of the invention.

Claims (2)

1. A method for bypass-auditing SQL Server connection information, in which an audit device performs a bypass audit of an audit target, characterised in that the method comprises the following steps:
Step A: collect the network access traffic, comprising the following sub-steps:
Step A1) Configure a mirror port on the core switch and send the mirrored data to the audit device;
the audit device is deployed in bypass mode and monitors and records the user side's connections to the database and all kinds of operations; a database is configured on the audit device to serve as the mirrored audit target;
Step A2) On the audit device, configure the database IP and port to be the IP and port of the audit target;
Step A3) Using the database IP and port configured in step A2, the audit device captures the network access traffic packets from the user side to the database;
Step B: analyse the network access traffic packets to obtain the client connection information:
if the database communication of the audit target does not use encryption: parse the network access traffic packets captured in step A3 to extract the connection information with the database, which is the connection information with the audit target, achieving the bypass audit of SQL Server connection information; the connection information includes, but is not limited to: source IP, source port, destination IP, destination port, connection user name, client connection tool;
if the database communication of the audit target uses encryption, the steps are as follows:
Step B1) Parse the network access traffic packets captured in step A3 to extract the connection information with the database; the connection information includes, but is not limited to: source IP, source port, destination IP, destination port;
Step B2) Query the database connection information table of the audit target to obtain a query result; the query result includes, but is not limited to: source IP, source port, destination IP, destination port, connection user name, client connection tool;
Step B3) Correlate the connection information from step B1 with the query result from step B2: if the source IP, source port, destination IP and destination port of the connection information and of the query result are all identical, the connection user name and client connection tool in the query result can be uniquely confirmed, achieving the audit of encrypted SQL Server user connection information.
2. The method for bypass-auditing SQL Server connection information according to claim 1, characterised in that, in step A1, the way in which the mirror port on the core switch intercepts the mirrored data is: a proxy service filters, according to the local database service port, the local application connection data intercepted by a hook function.

Priority application: CN201710647099.8A (priority date 2017-08-01, filing date 2017-08-01), A kind of method for bypassing audit sqlserver link informations, status pending
Publication: CN107295009A (en), published 2017-10-24
Family ID: 60104219
Country status: CN, CN107295009A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108416225A (en) * 2018-03-14 2018-08-17 深圳市网域科技股份有限公司 Data Audit method, apparatus, computer equipment and storage medium
CN110708353A (en) * 2019-09-03 2020-01-17 上海派拉软件技术有限公司 Database risk control method based on Mysql agent

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN201150070Y (en) * 2007-11-19 2008-11-12 上海久隆电力科技有限公司 Processing system for centralization auditing data acquisition
US20110153714A1 (en) * 2009-12-17 2011-06-23 Robert Houben Secure remote web popup
CN102184222A (en) * 2011-05-05 2011-09-14 杭州安恒信息技术有限公司 Quick searching method in large data volume storage
CN102609462A (en) * 2012-01-14 2012-07-25 杭州安恒信息技术有限公司 Method for compressed storage of massive SQL (structured query language) by means of extracting SQL models
CN103678654A (en) * 2013-12-23 2014-03-26 蓝盾信息安全技术股份有限公司 Method for acquiring linkage information in database safety audit
CN104063473A (en) * 2014-06-30 2014-09-24 江苏华大天益电力科技有限公司 Database auditing monitoring system and database auditing monitoring method
CN104090941A (en) * 2014-06-30 2014-10-08 江苏华大天益电力科技有限公司 Database auditing system and database auditing method
CN104123370A (en) * 2014-07-24 2014-10-29 杭州安恒信息技术有限公司 Method and system for detecting sensitive information in database
US20150200821A1 (en) * 2014-01-14 2015-07-16 Cyber-Ark Software Ltd. Monitoring sessions with a session-specific transient agent
CN105574168A (en) * 2015-12-17 2016-05-11 福建六壬网安股份有限公司 Security audit system and audit method for in-memory database
CN106131207A (en) * 2016-08-03 2016-11-16 杭州安恒信息技术有限公司 A kind of method and system bypassing audit HTTPS packet

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘志光: "Thoughts on database auditing based on bypass technology", 福建电脑 (Fujian Computer) *
华梁: "Protocol parsing, design and implementation of auditing based on the ORACLE database", China Master's Theses Full-text Database (electronic journal), Information Science and Technology series *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171024