CN107295009A - A method for bypass (out-of-band) auditing of SQL Server connection information - Google Patents
A method for bypass (out-of-band) auditing of SQL Server connection information
- Publication number: CN107295009A (application CN201710647099.8A)
- Authority: CN (China)
- Prior art keywords: audit, database, port, sqlserver, source
- Priority date: 2017-08-01
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/308 (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information; H04L63/00: Network architectures or network communication protocols for network security; H04L63/30: supporting lawful interception, monitoring or retaining of communications or communication related information): retaining data, e.g. retaining successful or unsuccessful communication attempts, internet access, e-mail, internet telephony, intercept related information or call content
- H04L43/12 (H04L43/00: Arrangements for monitoring or testing data switching networks): Network monitoring probes
- H04L63/302 (H04L63/30, as above): gathering intelligence information for situation awareness or reconnaissance
Abstract
The invention relates to network technology and to the field of database audit technology, and provides a method for bypass (out-of-band) auditing of SQL Server connection information. In the method an audit device performs bypass auditing of an audit target in the following steps: collect the local access traffic, then analyse the network access traffic packets to obtain the client connection information. The invention overcomes the shortcomings of the prior art and allows a bypass audit to audit connection information such as the user name and the client connection tool normally; it also allows encrypted database connection information to be reviewed without affecting the database connections, so that the audit objective is achieved.
Description
Technical field
The invention concerns network technology and the field of database audit technology, and in particular a method for bypass auditing of SQL Server connection information.
Background art
SQL Server is a relational database management system.
SQL Server 2005 is a comprehensive database platform that provides enterprise-grade data management with integrated business intelligence (BI) tools. The SQL Server database engine provides more secure and reliable storage for relational and structured data, so that users can build and manage highly available, high-performance data applications for their business.
SQL Server 2008 is a major release that introduces many new features and key improvements; it is the most powerful and comprehensive SQL Server release to date. Its new features are summarised as trusted, efficient and intelligent.
Building on SQL Server 2005, SQL Server 2008 extends its security with enhancements such as simple (transparent) encryption, extensible key management and enhanced auditing.
SQL Server 2008 can encrypt an entire database, its data files and its log files without changing the application. Encryption lets a company meet compliance requirements and its own data privacy requirements. The benefits of simple data encryption include being able to search the encrypted data with any range or fuzzy query and stronger data security that prevents unauthorised users from accessing the data; all of this works without changing existing applications.
Because SQL Server encrypts the whole database, the information a client uses to connect to the database, such as the user name and the connection tool, is also encrypted during communication, so a bypass audit can no longer audit connection information such as the user name and connection tool normally.
Two points are worth separating here, because the description runs them together. The feature described above is Transparent Data Encryption, which protects data at rest and leaves the network traffic unchanged. What hides the user name from a passive tap is encryption at the TDS protocol level: client and server negotiate an ENCRYPTION setting during the TDS PRELOGIN exchange and, unless both sides report that encryption is not supported, the LOGIN7 packet carrying the user name and application name is sent inside a TLS channel, so that only the TCP/IP headers (the 4-tuple the method below relies on) remain readable. Whether a given server shows the first or the second behaviour therefore depends on its encryption configuration and on what the client requests rather than on the release alone.
Summary of the invention
The main object of the invention is to overcome the shortcomings of the prior art by providing a method that allows a bypass audit to audit encrypted SQL Server user connection information. To solve the above technical problem, the solution of the invention is as follows:
A method for bypass auditing of SQL Server connection information is provided, in which an audit device performs bypass auditing of an audit target. The method comprises the following steps:
Step A: collect the local access traffic. This comprises the following sub-steps:
Step A1) configure a mirror port on the core switch and send the mirrored data to the audit device. The core switch is the network device that encapsulates and forwards packets; every packet that reaches the audit target must be forwarded through it.
The audit device (an in-house developed device) is deployed in bypass mode and monitors and records the clients' connections to the database and all kinds of operations on it. A database is configured on the audit device to serve as the mirrored audit target.
Step A2) on the audit device, configure the database IP address and port as the IP address and port of the audit target.
Step A3) the audit device captures, according to the database IP address and port configured in step A2, the network access traffic packets flowing from clients to the database.
Step B: analyse the network access traffic packets to obtain the client connection information:
If the audit target's database communication is not encrypted (database versions before SQL Server 2008): parse the packets captured in step A3 and extract the connection information with the database, i.e. the connection information with the audit target, which achieves bypass auditing of SQL Server connection information. The connection information includes, but is not limited to: source IP, source port, destination IP, destination port, login user name and client connection tool.
If the audit target's database communication is encrypted (in the SQL Server 2008 database version, connection information such as the user name and client tool is encrypted during communication), proceed as follows:
Step B1) parse the packets captured in step A3 and extract the connection information with the database; the connection information includes, but is not limited to: source IP, source port, destination IP, destination port.
Step B2) query the audit target's database connection information table (a table shipped with SQL Server that records the clients' live connection information, including but not limited to: source IP, source port, destination IP, login user name and client connection tool) to obtain a query result; the query result includes, but is not limited to: source IP, source port, destination IP, destination port, login user name and client connection tool.
Step B3) correlate the connection information from step B1 with the query result from step B2: if the source IP, source port, destination IP and destination port in the connection information all match those of a row in the query result, that row's login user name and client connection tool are uniquely confirmed, which achieves auditing of SQL Server encrypted user connection information.
In the invention, in step A1, the mirror port on the core switch intercepts the mirrored data as follows: a proxy service, according to the local database service port, intercepts the local application connection data through a filtering hook function.
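Which of the two branches of step B applies is decided on the wire during the TDS PRELOGIN exchange, not by the database release. The following Python is an added example, not code from the patent or from any product: it reads the ENCRYPTION option from a server PRELOGIN response and, when the login travels in the clear (ENCRYPT_NOT_SUP), parses the LOGIN7 packet for the fields the patent wants (user name, client application, host). The packet layouts follow the public MS-TDS specification; the two sample packets are constructed inline by the build_* helpers, and every constant, field name and sample value is this example's own assumption rather than an identifier from the patent.

```python
"""Read the TDS PRELOGIN encryption setting and, when possible, the LOGIN7 fields.

Added example; the packets are constructed here, not captured from a real server.
"""
import struct

TDS_PRELOGIN, TDS_LOGIN7 = 0x12, 0x10                           # TDS packet types
PL_VERSION, PL_ENCRYPTION, PL_TERMINATOR = 0x00, 0x01, 0xFF      # PRELOGIN option tokens
ENCRYPTION_NAMES = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON",
                    2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}
# The nine (offset, length) pairs that follow the 36 bytes of fixed LOGIN7 fields.
LOGIN7_FIELDS = ["HostName", "UserName", "Password", "AppName", "ServerName",
                 "Extension", "CltIntName", "Language", "Database"]
# fixed fields + 9 pairs + ClientID(6) + SSPI/AtchDBFile/ChangePassword pairs + cbSSPILong
LOGIN7_DATA_START = 36 + 9 * 4 + 6 + 3 * 4 + 4


def split_tds_header(packet):
    """Return (packet type, payload); the TDS header is 8 bytes with a big-endian length."""
    ptype, _status, length, _spid, _pkt_id, _window = struct.unpack(">BBHHBB", packet[:8])
    if length != len(packet):
        raise ValueError("TDS length field does not match the captured packet")
    return ptype, packet[8:]


def prelogin_encryption(packet):
    """Name of the ENCRYPTION option in a PRELOGIN packet (offsets are relative to the payload)."""
    ptype, body = split_tds_header(packet)
    if ptype != TDS_PRELOGIN:
        raise ValueError("not a PRELOGIN packet")
    pos = 0
    while body[pos] != PL_TERMINATOR:
        token, offset, length = struct.unpack(">BHH", body[pos:pos + 5])
        if token == PL_ENCRYPTION and length == 1:
            return ENCRYPTION_NAMES.get(body[offset], "UNKNOWN")
        pos += 5
    return "ABSENT"


def parse_login7(packet):
    """Extract the UTF-16LE string fields of a cleartext LOGIN7 packet."""
    ptype, body = split_tds_header(packet)
    if ptype != TDS_LOGIN7:
        raise ValueError("not a LOGIN7 packet")
    fields, pos = {}, 36                      # skip Length .. ClientLCID
    for name in LOGIN7_FIELDS:
        offset, count = struct.unpack("<HH", body[pos:pos + 4])
        pos += 4
        if name in ("Password", "Extension"):  # password is obfuscated and must not be
            continue                           # recorded by an audit; extension is binary
        fields[name] = body[offset:offset + 2 * count].decode("utf-16-le")
    return fields


def audit_handshake(server_prelogin, next_packet):
    """Step B branch: (mode, login fields) in the clear, or (mode, None) when LOGIN7 is inside TLS."""
    mode = prelogin_encryption(server_prelogin)
    if mode == "ENCRYPT_NOT_SUP":
        return mode, parse_login7(next_packet)
    return mode, None                          # only the TCP 4-tuple is visible: correlate with the DMVs


# ---- constructed sample packets (not real captures) ----
def build_prelogin(encryption):
    options = struct.pack(">BHH", PL_VERSION, 11, 6) + struct.pack(">BHH", PL_ENCRYPTION, 17, 1)
    body = options + bytes([PL_TERMINATOR]) + bytes([15, 0, 0, 0, 0, 0]) + bytes([encryption])
    return struct.pack(">BBHHBB", TDS_PRELOGIN, 1, 8 + len(body), 0, 1, 0) + body


def build_login7(values):
    fixed = struct.pack("<IIIIII", 0, 0x74000004, 4096, 0, 0, 0) + bytes(4) + struct.pack("<iI", 0, 0x409)
    table, data = b"", b""
    for name in LOGIN7_FIELDS:
        raw = values.get(name, "").encode("utf-16-le")
        if name == "Password":                 # MS-TDS obfuscation: swap nibbles, then XOR 0xA5
            raw = bytes((((b << 4) & 0xF0) | (b >> 4)) ^ 0xA5 for b in raw)
        table += struct.pack("<HH", LOGIN7_DATA_START + len(data), len(raw) // 2)
        data += raw
    table += bytes(6) + struct.pack("<HHHHHHI", 0, 0, 0, 0, 0, 0, 0)  # ClientID, SSPI, AtchDBFile, ChangePassword, cbSSPILong
    body = fixed + table + data
    body = struct.pack("<I", len(body)) + body[4:]
    return struct.pack(">BBHHBB", TDS_LOGIN7, 1, 8 + len(body), 0, 1, 0) + body


SAMPLE_VALUES = {"HostName": "ws-a", "UserName": "userA", "Password": "s3cret!",
                 "AppName": "sms", "ServerName": "db01", "Database": "master"}
SAMPLE_LOGIN7 = build_login7(SAMPLE_VALUES)
CLEAR_PRELOGIN = build_prelogin(2)   # ENCRYPT_NOT_SUP: LOGIN7 follows in the clear
TLS_PRELOGIN = build_prelogin(0)     # ENCRYPT_OFF: the login packet alone is TLS-wrapped

if __name__ == "__main__":
    print(audit_handshake(CLEAR_PRELOGIN, SAMPLE_LOGIN7))
    print(audit_handshake(TLS_PRELOGIN, SAMPLE_LOGIN7))
```

The function takes the server's PRELOGIN response because that is where the negotiated value ends up; with ENCRYPT_OFF the next TDS packet from the client carries a TLS handshake rather than a LOGIN7, which is exactly the situation the patent's step B1 to B3 is written for.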
Compared with the prior art, the beneficial effects of the invention are as follows:
The invention overcomes the shortcomings of the prior art and allows a bypass audit to audit connection information such as the user name and connection tool normally; it also allows encrypted database connection information to be reviewed without affecting the database connections, so that the audit objective is achieved.
Brief description of the drawings
Fig. 1 is the flow chart of the invention.
Fig. 2 is a block diagram of the main information parsed from the data.
Fig. 3 is a flow block diagram of the database query.
Detailed description
It should first be noted that the invention relates to database technology in the field of information security and is an application of computer technology. Implementing the invention may involve several software function modules. The applicant believes that, after reading the application documents and accurately understanding the realisation principle and object of the invention, a person skilled in the art can fully implement the invention with the programming skills they possess, in combination with known prior art.
The invention is described in further detail below with reference to the drawings and an embodiment:
A method for bypass auditing of SQL Server connection information, as shown in Fig. 1, in which an audit device performs bypass auditing of an audit target, comprises the following steps:
Step A: collect the local access traffic. This comprises the following sub-steps:
Step A1) configure a mirror port on the core switch; a proxy service filters by the local database service port and a hook function intercepts the local application connection data, after which the mirrored data is sent to the audit device.
The core switch is the network device that encapsulates and forwards packets; it is expressly required that every packet reaching the audit target is forwarded through this core switch.
The audit device is an in-house developed audit device that monitors and records the clients' connections to the database and all kinds of operations on it; it is deployed in bypass mode. A database is configured on the audit device to serve as the mirrored audit target.
Step A2) on the audit device, configure the database IP address and port as the IP address and port of the audit target.
Step A3) the audit device captures, according to the database IP address and port configured in step A2, the network access traffic packets from clients to the database.
Step B: analyse the network access traffic packets to obtain the client connection information. Depending on the audit target there are two cases:
Case 1) the audit target is a database version before SQL Server 2008 and does not encrypt its communication:
parse the packets captured in step A3 and extract the connection information with the database, i.e. the connection information with the audit target, which achieves bypass auditing of SQL Server connection information.
The connection information includes, but is not limited to: source IP, source port, destination IP, destination port, login user name and client connection tool.
Case 2) the audit target is the SQL Server 2008 database version, in which connection information such as the user name and client tool is encrypted during communication. The bypass audit device can then only parse connection information such as the source IP, source port, destination IP and destination port, and cannot parse important client information such as the login user name and client connection tool normally. This case is therefore handled by the following steps:
Step B1) parse the packets captured in step A3 and extract the connection information with the database.
The connection information includes, but is not limited to: source IP, source port, destination IP, destination port.
Step B2) query the database connection information table, a table shipped with SQL Server that records the clients' live connection information such as source IP, source port, destination IP, login user name and client connection tool, and obtain the query result. That is, to obtain the clients' live connection information, the database audit device queries the database's connection information table and obtains the query result.
The query result includes, but is not limited to: source IP, source port, destination IP, destination port, login user name and client connection tool.
Step B3) correlate the connection information from step B1 with the query result from step B2: identical source IP, source port, destination IP and destination port uniquely confirm the login user name and client tool, which achieves auditing of SQL Server encrypted user connection information.
The following example helps a person skilled in the art to understand the invention better, but does not limit the invention in any way.
Assume that user A connects, with the client tool sqlserver management studio (hereinafter "sms"), to the audit target database of a bypass audit device. The database's live connection information table then gains a record containing, but not limited to: user A's IP, the client tool's port, the database IP, the database port, the client tool sms and user A. The bypass audit device captures the database's network access traffic through the mirror port configured on the core switch and analyses it. For a database communicating without encryption, the analysis normally yields, but is not limited to: user A's IP, the client tool's port, the database IP, the database port, the client tool and user A. For a database communicating with encryption, the analysis yields, but is not limited to: user A's IP, the client tool's port, the database IP and the database port, and does not yield the client tool sms or user A. Therefore the database's live connection information table must additionally be queried: using user A's IP, the client tool's port, the database IP and the database port, user A and the client tool sms are uniquely confirmed, which achieves auditing of SQL Server connection information.
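Steps B2 and B3 for the example above, as an added worked example in Python (not the patent's own code or any product's). The patent only speaks of the "connection information table" shipped with SQL Server; this example assumes it is the pair of documented dynamic management views sys.dm_exec_connections (client and local address and TCP port, connect_time) and sys.dm_exec_sessions (login_name, program_name), joined on session_id, which the patent does not name. The query text, the captured 4-tuples and the query result rows are all constructed here. Beyond what the patent states, the example adds the check a practitioner needs: the DMVs list only sessions alive when the query runs, and a client's ephemeral port is reused over time, so rows accumulated from periodic polls are matched not just on the 4-tuple but also on the session's connect_time lying close to the time the flow was first seen in the capture; a 4-tuple with no such row, or with more than one, is reported rather than attributed.

```python
"""Step B3: attribute a captured TCP 4-tuple to a SQL Server login via the DMVs.

Added example; the query text and all rows are constructed, nothing is fetched.
"""
from collections import namedtuple

# Assumption: the patent's "connection information table" is this DMV join.
DMV_QUERY = """
SELECT c.client_net_address, c.client_tcp_port,
       c.local_net_address,  c.local_tcp_port, c.connect_time,
       s.login_name, s.program_name, s.host_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.net_transport = 'TCP';
"""

# Output of step B1: the 4-tuple from the mirrored traffic plus the time of its first packet.
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port first_seen")
# One row of the query result; connect_time comes from the server clock.
Session = namedtuple("Session", "src_ip src_port dst_ip dst_port connect_time login_name program_name")


def four_tuple(x):
    return (x.src_ip, x.src_port, x.dst_ip, x.dst_port)


def correlate(flows, rows, tolerance_s=5.0):
    """Return {4-tuple: (status, login_name, program_name)} for every captured flow.

    A flow is attributed only when exactly one DMV row has the same 4-tuple and a
    connect_time within tolerance_s of the flow's first packet (allows for clock
    skew between tap and server). Identical rows returned by several polls collapse.
    """
    by_tuple = {}
    for row in set(rows):                              # dedupe rows repeated across polls
        by_tuple.setdefault(four_tuple(row), []).append(row)
    result = {}
    for flow in flows:
        candidates = [r for r in by_tuple.get(four_tuple(flow), [])
                      if abs(r.connect_time - flow.first_seen) <= tolerance_s]
        if len(candidates) == 1:
            r = candidates[0]
            result[four_tuple(flow)] = ("confirmed", r.login_name, r.program_name)
        elif not candidates:
            result[four_tuple(flow)] = ("unresolved", None, None)   # session gone before any poll
        else:
            result[four_tuple(flow)] = ("ambiguous", None, None)    # more than one matching row
    return result


# ---- constructed sample data (epoch seconds; not real captures or DMV output) ----
SERVER = "10.1.2.5"
CAPTURED_FLOWS = [
    Flow("10.1.1.20", 51234, SERVER, 1433, 1000.0),   # user A via sms, as in the patent's example
    Flow("10.1.1.21", 49800, SERVER, 1433, 1200.0),   # closed before any poll ran
    Flow("10.1.1.22", 50000, SERVER, 1433, 5000.0),   # client port reused since an earlier poll
    Flow("10.1.1.23", 52000, SERVER, 1433, 2000.0),   # same session returned by two polls
]
DMV_ROWS = [
    Session("10.1.1.20", 51234, SERVER, 1433, 1000.4, "userA", "sms"),
    Session("10.1.1.22", 50000, SERVER, 1433, 1300.0, "svc_etl", "SQLAgent - TSQL JobStep"),
    Session("10.1.1.22", 50000, SERVER, 1433, 5000.3, "svc_etl2", "Python"),
    Session("10.1.1.23", 52000, SERVER, 1433, 2000.1, "userB", "sms"),
    Session("10.1.1.23", 52000, SERVER, 1433, 2000.1, "userB", "sms"),   # second poll, same row
    Session("10.1.1.30", 51234, SERVER, 1433, 1000.2, "other", "sms"),   # same port, other host
]

if __name__ == "__main__":
    for key, verdict in correlate(CAPTURED_FLOWS, DMV_ROWS).items():
        print(key, verdict)
```

client_net_address and client_tcp_port are what the patent calls source IP and source port, local_net_address and local_tcp_port the destination side, and program_name the client connection tool (a real Management Studio session reports a longer string than the "sms" used here). Reading these views for all sessions requires the VIEW SERVER STATE permission, so the audit device needs a login with that permission on the audit target, and the poll must run while the session is still open.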
Fig. 2 shows the main information parsed from the data, and Fig. 3 shows the database query flow.
Finally, it should be noted that the above is only a specific embodiment of the invention. Clearly the invention is not limited to the above embodiment and many variations are possible. All variations that a person of ordinary skill in the art can derive or infer directly from the disclosure of the invention are considered to fall within the scope of protection of the invention.
Claims (2)
1. A method for bypass auditing of SQL Server connection information, in which an audit device performs bypass auditing of an audit target, characterised in that the method comprises the following steps:
Step A: collect the local access traffic, comprising the following sub-steps:
Step A1) configure a mirror port on the core switch and send the mirrored data to the audit device; the audit device is deployed in bypass mode and monitors and records the clients' connections to the database and all kinds of operations on it; a database configured on the audit device serves as the mirrored audit target;
Step A2) on the audit device, configure the database IP address and port as the IP address and port of the audit target;
Step A3) the audit device captures, according to the database IP address and port configured in step A2, the network access traffic packets from clients to the database;
Step B: analyse the network access traffic packets to obtain the client connection information:
if the audit target's database communication is not encrypted: parse the packets captured in step A3 and extract the connection information with the database, i.e. the connection information with the audit target, achieving bypass auditing of SQL Server connection information; the connection information includes, but is not limited to: source IP, source port, destination IP, destination port, login user name and client connection tool;
if the audit target's database communication is encrypted, proceed as follows:
Step B1) parse the packets captured in step A3 and extract the connection information with the database; the connection information includes, but is not limited to: source IP, source port, destination IP, destination port;
Step B2) query the audit target's database connection information table to obtain a query result; the query result includes, but is not limited to: source IP, source port, destination IP, destination port, login user name and client connection tool;
Step B3) correlate the connection information from step B1 with the query result from step B2: if the source IP, source port, destination IP and destination port in the connection information all match those of a row in the query result, that row's login user name and client connection tool are uniquely confirmed, achieving auditing of SQL Server encrypted user connection information.
2. The method for bypass auditing of SQL Server connection information according to claim 1, characterised in that in step A1 the mirror port on the core switch intercepts the mirrored data as follows: a proxy service, according to the local database service port, intercepts the local application connection data through a filtering hook function.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710647099.8A CN107295009A (en) | 2017-08-01 | 2017-08-01 | A kind of method for bypassing audit sqlserver link informations |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107295009A | 2017-10-24 |
Family
ID=60104219
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108416225A | 2018-03-14 | 2018-08-17 | 深圳市网域科技股份有限公司 | Data audit method, apparatus, computer equipment and storage medium |
CN110708353A | 2019-09-03 | 2020-01-17 | 上海派拉软件技术有限公司 | Database risk control method based on a MySQL agent |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN201150070Y | 2007-11-19 | 2008-11-12 | 上海久隆电力科技有限公司 | Processing system for centralised audit data acquisition |
US20110153714A1 | 2009-12-17 | 2011-06-23 | Robert Houben | Secure remote web popup |
CN102184222A | 2011-05-05 | 2011-09-14 | 杭州安恒信息技术有限公司 | Quick searching method in large data volume storage |
CN102609462A | 2012-01-14 | 2012-07-25 | 杭州安恒信息技术有限公司 | Method for compressed storage of massive SQL (structured query language) by means of extracting SQL models |
CN103678654A | 2013-12-23 | 2014-03-26 | 蓝盾信息安全技术股份有限公司 | Method for acquiring connection information in database security audit |
CN104063473A | 2014-06-30 | 2014-09-24 | 江苏华大天益电力科技有限公司 | Database auditing monitoring system and database auditing monitoring method |
CN104090941A | 2014-06-30 | 2014-10-08 | 江苏华大天益电力科技有限公司 | Database auditing system and database auditing method |
CN104123370A | 2014-07-24 | 2014-10-29 | 杭州安恒信息技术有限公司 | Method and system for detecting sensitive information in a database |
US20150200821A1 | 2014-01-14 | 2015-07-16 | Cyber-Ark Software Ltd. | Monitoring sessions with a session-specific transient agent |
CN105574168A | 2015-12-17 | 2016-05-11 | 福建六壬网安股份有限公司 | Security audit system and audit method for an in-memory database |
CN106131207A | 2016-08-03 | 2016-11-16 | 杭州安恒信息技术有限公司 | Method and system for bypass auditing of HTTPS packets |
Non-Patent Citations (2)
Title |
---|
刘志光: 《对基于旁路技术的数据库审计的思考》 (Thoughts on database auditing based on bypass technology), 《福建电脑》 (Fujian Computer) |
华梁: 《基于ORACLE数据库审计的协议解析与设计实现》 (Protocol parsing, design and implementation for ORACLE database auditing), 《中国优秀硕士学位论文全文数据库(电子期刊) 信息科技辑》 (China Master's Theses Full-text Database, electronic journal, Information Science and Technology series) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 2017-10-24