CN110636084A - Method for filtering access interface of user-mode firewall - Google Patents

Info

Publication number: CN110636084A
Authority: CN (China)
Prior art keywords: snort, message, interface, rule, matching
Legal status: Granted (Active)
Application number: CN201911085133.2A
Other languages: Chinese (zh)
Other versions: CN110636084B (en)
Inventors: 王小东, 刘松涛
Current assignee: Beijing Tiandihexing Technology Co Ltd
Original assignee: Beijing Tiandihexing Technology Co Ltd
Priority date: 2019-11-08
Filing date: 2019-11-08
Publication date: 2019-12-31

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0263 Rule management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an in/out interface filtering method for a user-mode firewall that adopts the Netfilter firewall mechanism. The method comprises the following steps: S1, the user-mode firewall obtains the in/out interface information of the message at the packet receiving point of the kernel Netfilter forwarding chain; S2, the in/out interface information is received into user space together with the message for processing; S3, the obtained in/out interface information is added to the snort rule; S4, the snort rule with the added in/out interface information is parsed to obtain the in/out interface filtering configuration; and S5, the in/out interface filtering configuration is added to the filter matching process to form a matching filter method, and the filter matching operation is carried out by that method.

Description

Method for filtering access interface of user-mode firewall
Technical Field
The invention relates to the field of computers, in particular to a filtering method for an access interface of a user-mode firewall.
Background
A firewall embedded in the processing path of the Linux kernel protocol stack runs in kernel address space, which requires the developer to understand the kernel and the kernel protocol stack code in depth; that requirement is clearly too demanding for an ordinary developer. Therefore, a method that receives the message into user space for deep analysis and performs matching and filtering on the message there is urgently needed.
Disclosure of Invention
The invention aims to solve the above problems by providing an in/out interface filtering method based on a user-mode firewall.
To achieve this purpose, the technical scheme of the invention is as follows:
a filtering method for the in/out interface of a user-mode firewall, in which the user-mode firewall adopts the Netfilter firewall mechanism, comprising the following steps:
S1, the user-mode firewall obtains the in/out interface information of the message at the packet receiving point of the kernel Netfilter forwarding chain;
S2, the in/out interface information is received into user space together with the message for processing;
S3, the obtained in/out interface information is added to the snort rule;
S4, the snort rule with the added in/out interface information is parsed to obtain the in/out interface filtering configuration;
and S5, the in/out interface filtering configuration is added to the filter matching process to form a matching filter method, and the filter matching operation is carried out by that method.
Further, the user-mode firewall in step S1 has a transparent mode and a routing mode; in transparent mode the message is handled by the network bridge before reaching the Netfilter forwarding-chain packet receiving point, and in routing mode it is handled by routing before reaching that point.
Further, the Snort rule in step S3 consists of a rule header part and a rule option part; the rule header comprises the rule's action, protocol, destination IP address, and source and destination ports; the rule options comprise the alert message content and the data packet to be inspected.
Further, the matching filtering method in step S5 comprises the following steps:
S51, entering Snort rule matching;
S52, checking whether the Snort ingress interface is configured as any: if so, performing the operation of S3; if not, checking whether the Snort ingress interface is consistent with the message's ingress interface, performing the operation of S3 when it is, and returning to step S1 when it is not;
S53, checking whether the Snort egress interface is configured as any: if so, performing the operation of S4; if not, checking whether the Snort egress interface is consistent with the message's egress interface, performing the operation of S4 when it is, and returning to step S1 when it is not;
and S54, matching the remaining fields of the Snort rule and completing the matching filtering operation.
Compared with the prior art, the invention has the advantages and positive effects that:
the method first passes the message's in/out interface information to user space at the Netfilter forwarding-chain packet receiving point and analyzes the message there, then adds the in/out interface information to the snort rule, and finally implements in/out interface filtering of the message in user space, so that snort rules can be freely combined with five-tuple filtering and deep inspection in user space; in addition, the invention uses a unified matching filtering scheme, performs deep analysis of the message received into user space, carries out the matching filtering operation on the message there, and thereby contributes to the development of computer firewalls.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a block flow diagram of a match filtering method.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived from the embodiments of the present invention by a person skilled in the art without any creative effort, should be included in the protection scope of the present invention.
As shown in FIG. 1, the invention builds on the IP Queue mechanism of the Netfilter framework in the Linux kernel.
Netfilter/iptables is the new-generation Linux firewall mechanism introduced with Linux 2.4.x and is a subsystem of the Linux kernel. Netfilter has a modular design and good extensibility. Its main tool module, iptables, connects from the user-mode iptables command to the Netfilter architecture in kernel mode; Netfilter fits seamlessly into the IP protocol stack and lets the user filter datagrams, perform address translation, and otherwise process them.
The invention uses the forwarding-chain packet receiving point to pass the message together with its in/out interface information to user space for analysis, modifies the snort rule format to add the in/out interface information, provides a unified matching filtering method in user space, and thereby implements in/out interface filtering of messages in user space.
The method comprises the following specific operation steps:
1. Obtaining the in/out interface information of the message at the kernel Netfilter forwarding-chain packet receiving point
The IPS firewall has a transparent mode and a routing mode. In transparent mode the message is handled by the network bridge before entering the forwarding chain, and in routing mode it is handled by routing before entering the forwarding chain, so both the ingress and the egress interface of the message are already determined by the time it reaches the forwarding chain. The in/out interface information is therefore obtained at the forwarding-chain packet receiving point and sent to user space for in/out interface filtering.
During forwarding-chain processing, the in/out interface information and the message are received together into user space for processing.
2. Adding in/out interface filtering information to the snort rule
A Snort rule is divided into two logical parts: the rule header and the rule options. The rule header contains the rule's action, protocol, source and destination IP addresses with their network masks, and source and destination ports; the rule options contain the alert message content and the specific portion of the packet to be examined.
3. Parsing rules and matching messages
The snort rule in the new format is parsed to obtain the in/out interface filtering configuration, and filter matching of the message's in/out interface is added on top of the original matching process. The matching filtering process is shown in FIG. 1;
the matching filtering method comprises the following steps:
(1) entering Snort rule matching;
(2) checking whether the Snort ingress interface is configured as any: if so, proceeding to the next step; if not, checking whether the Snort ingress interface is consistent with the message's ingress interface, proceeding to the next step when it is and returning to step (1) when it is not;
(3) checking whether the Snort egress interface is configured as any: if so, proceeding to the next step; if not, checking whether the Snort egress interface is consistent with the message's egress interface, proceeding to the next step when it is and returning to step (1) when it is not;
(4) matching the remaining fields of the Snort rule, which completes the matching filtering operation.
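The extended rule format of step 2 and the matching flow of steps (1) to (4) above, as an added Python example that is not the patent's or Snort's own code. The rule syntax with two interface tokens after the action is an assumption (the patent specifies none), and the packets are constructed stand-ins for what the forwarding-chain hook hands to user space.

```python
# Added example, not the patent's or Snort's own code: a Snort-style rule header
# extended with ingress/egress interface fields, and the matching flow of steps
# (1)-(4). Assumed syntax (the patent specifies none):
#   action in_if out_if proto src sport -> dst dport (msg:"...";)
# where 'any' as an interface means that interface is not checked.
import ipaddress
import re
from collections import namedtuple

Rule = namedtuple("Rule", "action in_if out_if proto src sport dst dport msg")
# Constructed stand-in for the datagram plus the in/out interface names that the
# forwarding-chain hook hands to user space alongside it.
Packet = namedtuple("Packet", "in_if out_if proto src sport dst dport")

HEADER_RE = re.compile(
    r'^(\w+)\s+(\S+)\s+(\S+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def _net(token):
    # 'any' matches every address; a bare host address becomes a /32
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)

def parse_rule(text):
    """Step S4: parse the extended rule into its in/out interface filtering config."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    action, in_if, out_if, proto, src, sport, dst, dport, opts = m.groups()
    msg = re.search(r'msg:"([^"]*)"', opts)
    return Rule(action, in_if, out_if, proto, _net(src), sport, _net(dst), dport,
                msg.group(1) if msg else "")

def _iface_ok(rule_if, pkt_if):
    # Steps (2)/(3): 'any' passes; otherwise the rule and packet interfaces must agree.
    return rule_if == "any" or rule_if == pkt_if

def _port_ok(rule_port, pkt_port):
    return rule_port == "any" or int(rule_port) == pkt_port

def match(rule, pkt):
    """Steps (1)-(4) for one rule: ingress check, egress check, then the remaining
    header fields (protocol, addresses, ports)."""
    if not _iface_ok(rule.in_if, pkt.in_if) or not _iface_ok(rule.out_if, pkt.out_if):
        return False
    return (rule.proto == pkt.proto
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and _port_ok(rule.sport, pkt.sport)
            and _port_ok(rule.dport, pkt.dport))

def filter_packet(rules, pkt):
    """Return (action, msg) of the first rule that matches, or None when every rule
    falls back to step (1) on an interface or header mismatch."""
    for rule in rules:
        if match(rule, pkt):
            return rule.action, rule.msg
    return None

# Constructed rule set: drop telnet that arrived on eth0 whatever its egress, and
# alert on DNS from the internal range that is leaving toward eth1.
RULES = [parse_rule(t) for t in (
    'drop eth0 any tcp any any -> 192.168.1.10 23 (msg:"telnet from outside";)',
    'alert any eth1 udp 10.0.0.0/8 any -> any 53 (msg:"dns toward dmz";)',
)]
```

A packet whose ingress interface differs from a rule's non-any ingress field is skipped by that rule before any address or port field is examined, which is the point of steps (2) and (3).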
The method first passes the message's in/out interface information to user space at the Netfilter forwarding-chain packet receiving point and analyzes the message there, then adds the in/out interface information to the snort rule, and finally implements in/out interface filtering of the message in user space, so that snort rules can be freely combined with five-tuple filtering and deep inspection in user space; in addition, the invention uses a unified matching filtering scheme, performs deep analysis of the message received into user space, carries out the matching filtering operation on the message there, and thereby contributes to the development of computer firewalls.

Claims (4)

1. A filtering method for the in/out interface of a user-mode firewall, characterized in that the user-mode firewall adopts the Netfilter firewall mechanism and the method comprises the following steps:
S1, the user-mode firewall obtains the in/out interface information of the message at the packet receiving point of the kernel Netfilter forwarding chain;
S2, the in/out interface information is received into user space together with the message for processing;
S3, the obtained in/out interface information is added to the snort rule;
S4, the snort rule with the added in/out interface information is parsed to obtain the in/out interface filtering configuration;
and S5, the in/out interface filtering configuration is added to the filter matching process to form a matching filter method, and the filter matching operation is carried out by that method.
2. The method of claim 1, characterized in that the user-mode firewall in step S1 has a transparent mode and a routing mode; in transparent mode the message is handled by the network bridge before reaching the Netfilter forwarding-chain packet receiving point, and in routing mode it is handled by routing before reaching that point.
3. The method of claim 1, characterized in that the Snort rule in step S3 consists of a rule header part and a rule option part; the rule header comprises the rule's action, protocol, destination IP address, and source and destination ports; the rule options comprise the alert message content and the data packet to be inspected.
4. The method of claim 1, characterized in that the matching filtering method in step S5 comprises the steps of:
S51, entering Snort rule matching;
S52, checking whether the Snort ingress interface is configured as any: if so, performing the operation of S3; if not, checking whether the Snort ingress interface is consistent with the message's ingress interface, performing the operation of S3 when it is, and returning to step S1 when it is not;
S53, checking whether the Snort egress interface is configured as any: if so, performing the operation of S4; if not, checking whether the Snort egress interface is consistent with the message's egress interface, performing the operation of S4 when it is, and returning to step S1 when it is not;
and S54, matching the remaining fields of the Snort rule and completing the matching filtering operation.

Priority Applications (1)

Application Number: CN201911085133.2A
Priority Date: 2019-11-08
Filing Date: 2019-11-08
Title: Method for filtering access interface of user-mode firewall

Publications (2)

CN110636084A (en), published 2019-12-31
CN110636084B (en), published 2022-02-22

Family

ID=68979209

Family Applications (1)

CN201911085133.2A (Active), CN110636084B (en), priority date 2019-11-08, filing date 2019-11-08: Method for filtering access interface of user-mode firewall

Country Status (1)

CN (1): CN110636084B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN113691458A (en) * | 2021-08-19 | 2021-11-23 | 北京指掌易科技有限公司 | Network packet processing method and device, electronic equipment and storage medium

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20100212012A1 (en) * | 2008-11-19 | 2010-08-19 | Yoggie Security Systems Ltd. | Systems and Methods for Providing Real Time Access Monitoring of a Removable Media Device
CN103746996A (en) * | 2014-01-03 | 2014-04-23 | 汉柏科技有限公司 | Packet filtering method for firewall
CN107682312A (en) * | 2017-08-25 | 2018-02-09 | 中国科学院信息工程研究所 | A kind of security protection system and method

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
BAOLIANG WANG et al., "Design and implementation of Linux firewall based on the frame of Netfilter/IPtable", 2016 11th International Conference on Computer Science & Education (ICCSE) *
刘影 et al., "An IPS model based on Snort", Network Security Technology & Application *
刘玄, "Design and implementation of a lightweight firewall based on Netfilter", China Master's Theses Full-text Database, Information Science and Technology Series *
黄安详, "On the differences and applications of routing mode and transparent mode in firewall configuration", Consumer Guide *

Also Published As

Publication number Publication date
CN110636084B (en) 2022-02-22

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant