CN110933094A - Network security equipment and smb vulnerability detection method, device and medium thereof - Google Patents


Info

Publication number
CN110933094A
Authority
CN
China
Prior art keywords
smb
message
data packet
dce
rpc
Legal status
Pending
Application number
CN201911228714.7A
Other languages
Chinese (zh)
Inventor
梁满
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Abstract

The application discloses a network security device, an SMB vulnerability detection method and apparatus for it, and a computer-readable storage medium. The SMB vulnerability detection method comprises: acquiring an SMB data packet; performing SMB parsing on the SMB data packet and caching the first preset fields obtained from the parsing; judging whether the currently cached first preset fields form a complete SMB message; if not, continuing to acquire and parse SMB data packets and repeating the subsequent steps; if so, splicing the cached first preset fields into a complete SMB message and performing IPS feature-rule detection on that SMB message to identify a vulnerability. By judging message completeness and by caching and splicing fields, the method and apparatus use the complete SMB message, rather than the individual packet, as the minimum unit of IPS feature-rule detection. This raises the hit rate of SMB vulnerability detection, reduces the risk of vulnerability attacks, and protects network communication.

Description

Network security equipment and smb vulnerability detection method, device and medium thereof
Technical Field
The present application relates to the field of network security, and in particular to a network security device, an SMB vulnerability detection method and apparatus for it, and a computer-readable storage medium.
Background
As the market share of Windows operating systems grows, attacks on Windows-related vulnerabilities, and in particular on vulnerabilities in the SMB protocol, are increasing. SMB vulnerabilities come in many variants and the techniques used to evade detection change constantly, so effective vulnerability detection is important and necessary for network security. Prior-art SMB vulnerability detection generally performs single-packet detection based on IPS feature rules: IPS feature-rule matching is run on each SMB data packet as it is obtained. Some vulnerabilities, such as evasion techniques that rely on the SMB protocol spreading one message across several packets, can only be detected once several SMB packets have been collected, and the prior art cannot detect them.
In view of the above, those skilled in the art urgently need a solution to this technical problem.
Disclosure of Invention
The aim of the application is to provide a network security device, an SMB vulnerability detection method and apparatus for it, and a computer-readable storage medium, so as to effectively raise the hit rate of SMB vulnerability detection and reduce the risk of vulnerability attacks.
To solve the above technical problem, in a first aspect the application discloses an SMB vulnerability detection method, comprising:
acquiring an SMB data packet;
performing SMB parsing on the SMB data packet and caching the first preset fields obtained from the parsing;
judging whether the currently cached first preset fields form a complete SMB message;
if not, continuing to acquire and parse SMB data packets and repeating the subsequent steps;
if so, splicing the cached first preset fields into a complete SMB message and performing IPS feature-rule detection on the SMB message to identify a vulnerability.
Optionally, acquiring the SMB data packet comprises:
acquiring a NetBIOS data packet;
judging whether the currently acquired NetBIOS data packets form a complete NetBIOS message;
if not, continuing to acquire NetBIOS data packets and repeating the subsequent steps;
if so, parsing the currently acquired NetBIOS data packets to obtain the SMB data packet.
Optionally, acquiring the NetBIOS data packet comprises:
performing IP parsing on an IP data packet to obtain a TCP data packet;
performing TCP parsing on the TCP data packet to obtain the NetBIOS data packet.
Optionally, performing SMB parsing on the SMB data packet comprises:
parsing the header of the SMB data packet and determining the SMB protocol version;
parsing the data segment of the SMB data packet according to the layout of that SMB protocol version.
Optionally, judging whether the currently cached first preset fields form a complete SMB message comprises:
judging whether the currently cached first preset fields form a complete SMB message according to the SMB message length obtained by parsing the packet header.
Optionally, after performing SMB parsing on the SMB data packet, the method further comprises:
when the SMB data packet carries a DCE-RPC data packet, performing DCE-RPC parsing on the DCE-RPC data packet obtained from the SMB parsing and caching the second preset fields obtained from that parsing;
judging whether the currently cached second preset fields form a complete DCE-RPC message;
if not, continuing to perform DCE-RPC parsing on the DCE-RPC data packets obtained from SMB parsing and repeating the subsequent steps;
if so, splicing the cached second preset fields into a complete DCE-RPC message and performing IPS feature-rule detection on the DCE-RPC message to identify a vulnerability.
Optionally, performing DCE-RPC parsing on the DCE-RPC data packet obtained from the SMB parsing comprises:
parsing the header of the DCE-RPC data packet;
caching the data segment of the DCE-RPC data packet;
judging, according to the fragmentation parameters obtained by parsing the header, whether the DCE-RPC data packets acquired so far form a complete DCE-RPC fragment packet;
if not, continuing with DCE-RPC parsing of the next DCE-RPC data packet;
if so, performing DCE-RPC parsing on the currently cached data segments of the DCE-RPC data packets.
Optionally, after performing IPS feature-rule detection on the SMB message to identify a vulnerability, the method further comprises:
judging, according to the cached first preset fields, whether the current SMB message is associated with the previous SMB message;
if so, extracting specific fields from the current SMB message and the previous SMB message, formatting and splicing them, and performing IPS feature-rule detection on the formatted and spliced message to identify a vulnerability.
In a second aspect, the application further discloses an SMB vulnerability detection apparatus, comprising:
an SMB data packet acquisition module for acquiring SMB data packets;
an SMB protocol parsing module for performing SMB parsing on the SMB data packet and caching the first preset fields obtained from the parsing;
an SMB message judgment module for judging whether the currently cached first preset fields form a complete SMB message and, if not, having the SMB data packet acquisition module continue acquiring SMB data packets;
a first identification and detection module for, when the currently cached first preset fields form a complete SMB message, splicing them into the complete SMB message and performing IPS feature-rule detection on it to identify a vulnerability.
In a third aspect, the application further discloses a network security device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of any of the SMB vulnerability detection methods described above.
In a fourth aspect, the application further discloses a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the SMB vulnerability detection methods described above.
The SMB vulnerability detection method provided by the application comprises: acquiring an SMB data packet; performing SMB parsing on it and caching the first preset fields obtained; judging whether the currently cached first preset fields form a complete SMB message; if not, continuing to acquire and parse SMB data packets and repeating the subsequent steps; if so, splicing the cached first preset fields into a complete SMB message and performing IPS feature-rule detection on it to identify a vulnerability.
Because message completeness is judged and fields are cached and spliced, the complete SMB message becomes the minimum unit of IPS feature-rule detection. This effectively counters evasion based on splitting at the IP, TCP and SMB layers, raises the hit rate of SMB vulnerability detection, reduces the risk of vulnerability attacks, and protects network communication. The SMB vulnerability detection apparatus, network security device and computer-readable storage medium provided by the application have the same advantages.
Drawings
To illustrate the technical solutions of the prior art and of the embodiments of the application more clearly, the drawings used in their description are introduced briefly below. The drawings described cover only some embodiments of the application; those skilled in the art can derive other drawings from them without creative effort, and such drawings also fall within the scope of protection of the application.
Fig. 1 is a flowchart of an SMB vulnerability detection method disclosed in an embodiment of the application;
Fig. 2 is a schematic diagram of a message structure disclosed in an embodiment of the application;
Fig. 3 is an application scenario diagram of an SMB vulnerability detection method disclosed in an embodiment of the application;
Fig. 4 is a flowchart of a method for acquiring an SMB data packet disclosed in an embodiment of the application;
Fig. 5 is a flowchart of another SMB vulnerability detection method disclosed in an embodiment of the application;
Fig. 6 is a flowchart of a method for DCE-RPC parsing of DCE-RPC data packets disclosed in an embodiment of the application;
Fig. 7 is a flowchart of another SMB vulnerability detection method disclosed in an embodiment of the application;
Fig. 8 is a block diagram of an SMB vulnerability detection apparatus disclosed in an embodiment of the application;
Fig. 9 is a block diagram of a network security device disclosed in an embodiment of the application.
Detailed Description
The core of the application is to provide a network security device, an SMB vulnerability detection method and apparatus for it, and a computer-readable storage medium, so as to effectively raise the hit rate of SMB vulnerability detection and reduce the risk of vulnerability attacks.
To describe the technical solutions of the embodiments clearly and completely, they are described below with reference to the drawings. The embodiments described are only some of the embodiments of the application, not all of them; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the application.
SMB (Server Message Block) is the communication protocol of Microsoft networks; it is used mainly so that machines on the same network can share resources such as files, printers, serial ports and communication endpoints.
SMB vulnerabilities currently come in many variants and evasion techniques change constantly, so effective vulnerability detection is important and necessary for network security. Prior-art SMB vulnerability detection generally performs single-packet detection based on IPS feature rules, that is, IPS feature-rule matching is run each time an SMB data packet is obtained. Some vulnerabilities, such as evasion that relies on spreading an SMB message across several packets, can only be detected after several SMB packets have been collected, and the prior art cannot detect them. The application therefore provides an SMB vulnerability detection scheme that effectively solves this problem.
Referring to Fig. 1, an embodiment of the application discloses an SMB vulnerability detection method that can be applied to a network security device. The method mainly comprises the following steps:
S101: acquire an SMB data packet.
Specifically, the SMB data packet is obtained by parsing the IP layer, the TCP layer and the NetBIOS (Network Basic Input/Output System) layer in turn.
Referring to Fig. 2, a schematic diagram of the message structure disclosed in the embodiment: each layer's data packet consists of a header and a data segment. In general the header carries message parameters such as protocol version, message type, header length, message length, source IP address, destination IP address and header checksum; the data segment mainly carries the message data and may also carry a data checksum and the like.
The front of an IP data packet is the IP header, and the IP data behind it carries a TCP data packet. Likewise, the TCP data carries a NetBIOS data packet, and the NetBIOS data carries the SMB data packet. In some cases the SMB data in turn carries a DCE-RPC (Distributed Computing Environment / Remote Procedure Call) data packet. The IP layer, the TCP layer, the NetBIOS+SMB layer (the NetBIOS session header is a fixed four bytes, so it can be parsed together with the SMB layer) and the DCE-RPC layer are independent of each other, and their parsing does not interfere.
S102: perform SMB parsing on the SMB data packet and cache the first preset fields obtained from the parsing.
Specifically, to raise the SMB vulnerability detection rate, the method of this embodiment takes a complete SMB message as the object of detection. A complete SMB message may be spread across several IP packets; in the extreme case an IP packet carries only a single byte of the SMB message. An SMB data packet parsed out of one IP packet therefore need not be a complete SMB message, so it is cached after parsing and the parser waits for the following SMB data packets until a complete SMB message has been assembled.
Both NetBIOS and SMB use a fixed-format header. The NetBIOS session header is four bytes (one message-type byte followed by a 24-bit length), and the SMB header is likewise fixed in size (32 bytes for SMB1, 64 bytes for SMB2). Because the header carries the parameters needed to delimit the message, above all its length, parsing starts from the header and then proceeds to parsing and caching the data segment.
It should be noted that the first preset fields are the fields needed to splice together a complete SMB message. They include at least the SMB message data carried in the data segment of the SMB data packet. The message data may be cached as several fields keyed by the identifiers of the message; in SMB1 these are the PID (process ID), TID (tree ID), MID (multiplex ID) and UID (user ID) fields of the header and the FID (file ID) carried in the parameter block of file operations. For ease of management and identification, the first preset fields may also include message parameters carried in the SMB header, such as the SMB message type and SMB message length.
S103: judge whether the currently cached first preset fields form a complete SMB message; if so, go to S104; if not, return to S101.
Whether the SMB message has been received completely can be determined from the SMB message length parsed out of the header. It can also be determined from the values of certain special fields.
S104: splice the cached first preset fields into a complete SMB message and perform IPS feature-rule detection on the SMB message to identify a vulnerability.
An IPS (intrusion prevention system) is a network security device that monitors the data transfer behaviour of a network or of network devices and can immediately interrupt, adjust or isolate abnormal or harmful transfers. Once the complete SMB message has been obtained, the IPS can perform vulnerability detection on it.
The SMB vulnerability detection method of this embodiment thus comprises: acquiring an SMB data packet; performing SMB parsing on it and caching the first preset fields obtained; judging whether the currently cached first preset fields form a complete SMB message; if not, continuing to acquire and parse SMB data packets and repeating the subsequent steps; if so, splicing the cached first preset fields into a complete SMB message and performing IPS feature-rule detection on it to identify a vulnerability.
Because message completeness is judged and fields are cached and spliced, the complete SMB message becomes the minimum unit of IPS feature-rule detection. This effectively counters evasion based on splitting at the IP, TCP and SMB layers, raises the hit rate of SMB vulnerability detection, reduces the risk of vulnerability attacks, and protects network communication.
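The cache, completeness check and splice loop of steps S101 to S104, as an added worked example in Python; this is not code from the patent or from Sangfor. It assumes that the "message length from the header" checked at S103 is the 24-bit length in the 4-byte NetBIOS session header (which the description says is parsed together with the SMB layer), and it uses a constructed rule pattern and a constructed SMB1-shaped message rather than any real IPS signature or captured traffic. It contrasts the prior-art single-packet match with a match on the reassembled message when the pattern straddles TCP segments.

```python
from __future__ import annotations

# Added example, not the patent's code. Assumes the message length checked
# at S103 is the 24-bit length of the 4-byte NetBIOS session header; the
# rule pattern and the SMB1-shaped message below are constructed.
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
NB_SESSION_MESSAGE = 0x00  # NetBIOS session service "session message" type


def netbios_frame(smb_message: bytes) -> bytes:
    """Prefix an SMB message with the NetBIOS session header
    (one type byte, then a 3-byte big-endian length)."""
    if len(smb_message) >= 1 << 24:
        raise ValueError("SMB message too long for a 24-bit NetBIOS length")
    return bytes([NB_SESSION_MESSAGE]) + len(smb_message).to_bytes(3, "big") + smb_message


class SmbStreamReassembler:
    """Caches TCP payload for one direction of a session and releases an SMB
    message only when every byte announced by its NetBIOS header is present
    (the patent's cache / completeness check / splice loop)."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, segment: bytes) -> list[bytes]:
        self._buf += segment
        complete = []
        while len(self._buf) >= 4:
            msg_type = self._buf[0]
            if msg_type != NB_SESSION_MESSAGE:
                raise ValueError(f"unexpected NetBIOS message type {msg_type:#04x}")
            length = int.from_bytes(self._buf[1:4], "big")
            if len(self._buf) < 4 + length:
                break  # incomplete: keep the cache and wait for the next segment
            complete.append(bytes(self._buf[4:4 + length]))
            del self._buf[:4 + length]  # the same segment may start the next message
        return complete


def smb_version(message: bytes) -> str:
    """Dispatch on the protocol identifier before version-specific parsing."""
    if message.startswith(SMB1_MAGIC):
        return "SMB1"
    if message.startswith(SMB2_MAGIC):
        return "SMB2"
    return "unknown"


def split_stream(stream: bytes, sizes: list[int]) -> list[bytes]:
    """Cut a byte stream into TCP-segment payloads of the given sizes,
    with whatever remains as a final segment (constructed split)."""
    segments, pos = [], 0
    for size in sizes:
        segments.append(stream[pos:pos + size])
        pos += size
    if pos < len(stream):
        segments.append(stream[pos:])
    return segments


def scan_per_segment(segments: list[bytes], pattern: bytes) -> bool:
    """Prior-art behaviour: match the rule against each segment on its own."""
    return any(pattern in segment for segment in segments)


def scan_reassembled(segments: list[bytes], pattern: bytes) -> bool:
    """Patent behaviour: match the rule only against complete SMB messages."""
    reassembler = SmbStreamReassembler()
    for segment in segments:
        for message in reassembler.feed(segment):
            if pattern in message:
                return True
    return False


# Constructed sample: a hypothetical rule pattern (not a real IPS signature)
# placed in the body of an SMB1-shaped message whose 32-byte header is the
# magic, the SMB_COM_TRANSACTION command byte and zero padding.
RULE_PATTERN = b"\\PIPE\\hypothetical"
SAMPLE_MESSAGE = SMB1_MAGIC + b"\x25" + bytes(27) + b"\x00\x00" + RULE_PATTERN + b"\x00"
SAMPLE_STREAM = netbios_frame(SAMPLE_MESSAGE)
# Segment sizes chosen so the pattern straddles a boundary, followed by
# 1-byte segments (the extreme case the description mentions).
SAMPLE_SEGMENTS = split_stream(SAMPLE_STREAM, [4, 20, 20, 1, 1, 1])

if __name__ == "__main__":
    print("per-segment match:", scan_per_segment(SAMPLE_SEGMENTS, RULE_PATTERN))
    print("reassembled match:", scan_reassembled(SAMPLE_SEGMENTS, RULE_PATTERN))
```

The reassembler keeps the unconsumed tail of its buffer, so a segment that carries the end of one message and the start of the next is handled, and a message of any size can arrive one byte at a time. A production detector would additionally bound the cache per connection and expire it on a timer, since the 24-bit length lets a peer announce up to 16 MiB and then never send it.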
Referring to Fig. 3, an application scenario diagram of the SMB vulnerability detection method disclosed in the embodiment. The embodiment can be applied to a vulnerability detection system.
As shown in Fig. 3, the vulnerability detection system may comprise a client, a network security device such as a firewall (AF), and a server. The client sends a request message to the server through the AF. The AF performs SMB vulnerability detection on the request message; if it is judged safe, the request is forwarded, otherwise the AF handles it according to the user's policy.
After receiving and processing the client's request, the server may return a response message. The AF performs SMB vulnerability detection on the response message as well, and forwards it to the client once it is judged safe.
On this basis, the process of acquiring the SMB data packet is shown in Fig. 4, a flowchart of a method for acquiring an SMB data packet according to an embodiment of the application. It mainly comprises:
S201: acquire a NetBIOS data packet.
Specifically, following the message structure of Fig. 2, an IP data packet is parsed at the IP layer to obtain a TCP data packet, and the TCP data packet is parsed at the TCP layer to obtain a NetBIOS data packet. Traffic between network interfaces is exchanged as individual IP data packets.
S202: judge whether the currently acquired NetBIOS data packets form a complete NetBIOS message; if so, go to S203; if not, return to S201.
S203: parse the currently acquired NetBIOS data packets to obtain the SMB data packet.
Specifically, on a Windows system a complete NetBIOS message contains at least one complete SMB message; otherwise the server ignores the incomplete NetBIOS message. Since the NetBIOS session header is a fixed four bytes, the SMB data packet can be parsed directly from the data segment of the NetBIOS packet.
Referring to Fig. 5, the embodiment of the application discloses a further SMB vulnerability detection method.
On the basis of the above, when the SMB data packet carries a DCE-RPC data packet, the method further parses and checks the DCE-RPC data packet after the SMB parsing. Specifically, the method of Fig. 5 mainly comprises:
S301: acquire an SMB data packet.
S302: perform SMB parsing on the SMB data packet and cache the first preset fields obtained from the parsing.
Parsing the SMB data packet may specifically comprise: parsing the SMB header and determining the SMB protocol version; then parsing the data segment according to the layout of that SMB protocol version.
Because the sub-message (command) types of different versions (such as SMB1 and SMB2) differ, and the fields available for caching are not necessarily the same, each SMB protocol version is handled separately: it is parsed with its own layout and its fields are cached in its own format.
S303: judge whether the currently cached first preset fields form a complete SMB message; if so, go to S304; if not, return to S301.
As noted above, the SMB header carries parameters of the SMB message such as the SMB message length. In one embodiment, therefore, whether the currently cached first preset fields form a complete SMB message is judged from the message length parsed out of the header: if the total length of the currently cached first preset fields equals the SMB message length from the header, a complete SMB message has been formed; otherwise the next SMB data packet must be parsed and cached.
S304: splice the cached first preset fields into a complete SMB message and perform IPS feature-rule detection on the SMB message to identify a vulnerability.
S305: perform DCE-RPC parsing on the DCE-RPC data packet obtained from the SMB parsing and cache the second preset fields obtained from that parsing.
It should be noted that the second preset fields are the fields needed to splice together a complete DCE-RPC message. They include at least the DCE-RPC message data carried in the data segment of the DCE-RPC data packet and, for ease of management and identification, may also include parameters from the DCE-RPC header such as the DCE-RPC message type and DCE-RPC message length.
S306: judge whether the currently cached second preset fields form a complete DCE-RPC message; if not, return to S305; if so, go to S307.
S307: splice the cached second preset fields into a complete DCE-RPC message and perform IPS feature-rule detection on the DCE-RPC message to identify a vulnerability.
Just as for the SMB message, fields of the DCE-RPC message are cached so that IPS feature-rule detection runs on the complete DCE-RPC message. Referring to Fig. 6, the DCE-RPC parsing of step S305 may specifically comprise:
S401: parse the header of the DCE-RPC data packet.
S402: cache the data segment of the DCE-RPC data packet.
S403: judge, from the fragmentation parameters parsed out of the header, whether the DCE-RPC data packets acquired so far form a complete DCE-RPC fragment packet; if not, parse the header of the next DCE-RPC data packet; if so, go to S404.
In general a DCE-RPC message is sent as a single fragment, but an attacker attempting to evade detection may send a complete DCE-RPC message as several fragments. In this embodiment, therefore, DCE-RPC parsing is performed only once the complete set of fragments has been obtained.
Specifically, the fragmentation parameter used to judge whether a complete DCE-RPC fragment packet has been formed may be the data length of the complete fragment packet: when the length of the cached data segments reaches that length, S404 parses the cached data segments and caches the second preset fields. In another embodiment the parameter may be the number of DCE-RPC data packets across which the complete fragment packet is spread: when the number of cached data segments reaches that number, the packets are taken to form a complete fragment packet.
S404: perform DCE-RPC parsing on the currently cached data segments of the DCE-RPC data packets.
After the data segments of the DCE-RPC packets have been parsed, S306 judges whether a complete DCE-RPC message has been formed. As for the SMB message, this can be judged from the DCE-RPC message length parsed out of the header: if the total length of the currently cached second preset fields equals that length, the complete DCE-RPC message has been formed; otherwise the next DCE-RPC data packet must be parsed and cached.
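The fragment caching of steps S401 to S404, as an added Python example that is not the patent's code. It assumes connection-oriented DCE-RPC request PDUs in the C706 / MS-RPCE layout without an authentication trailer, uses the PFC_FIRST_FRAG and PFC_LAST_FRAG flags together with call_id as the fragmentation parameter (the description names the total length or the fragment count instead), and constructs every PDU and the rule pattern inline. Keying the cache on call_id means an unrelated call interleaved between two fragments does not corrupt the reassembly.

```python
from __future__ import annotations
import struct

# Added example, not the patent's code. Assumes connection-oriented DCE-RPC
# request PDUs (C706 / MS-RPCE layout) with no authentication trailer, and
# uses the first/last-fragment flags plus call_id as the fragmentation
# parameter. All PDUs and the rule pattern are constructed.
RPC_CO_HEADER = struct.Struct("<BBBBIHHI")  # vers, vers_minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id
REQUEST_FIELDS = struct.Struct("<IHH")      # alloc_hint, p_cont_id, opnum
STUB_OFFSET = RPC_CO_HEADER.size + REQUEST_FIELDS.size  # 24 bytes into the PDU
RPC_VERSION = 5
PTYPE_REQUEST = 0x00
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
DREP_LITTLE_ENDIAN = 0x10


def build_request_fragment(call_id: int, opnum: int, stub: bytes, first: bool, last: bool) -> bytes:
    """Build one request PDU carrying a slice of the stub data."""
    flags = (PFC_FIRST_FRAG if first else 0) | (PFC_LAST_FRAG if last else 0)
    header = RPC_CO_HEADER.pack(RPC_VERSION, 0, PTYPE_REQUEST, flags, DREP_LITTLE_ENDIAN,
                                STUB_OFFSET + len(stub), 0, call_id)
    return header + REQUEST_FIELDS.pack(len(stub), 0, opnum) + stub


class DcerpcFragmentReassembler:
    """Caches request fragments per call_id (S402) and releases the stub data
    only once the PFC_LAST_FRAG fragment has arrived (S403/S404)."""

    def __init__(self) -> None:
        self._pending: dict[int, tuple[int, bytearray]] = {}

    def feed(self, pdu: bytes) -> tuple[int, int, bytes] | None:
        if len(pdu) < STUB_OFFSET:
            raise ValueError("PDU shorter than a request header")
        version, _minor, ptype, flags, _drep, frag_length, auth_length, call_id = RPC_CO_HEADER.unpack_from(pdu)
        if version != RPC_VERSION:
            raise ValueError(f"unsupported rpc_vers {version}")
        if frag_length != len(pdu):
            raise ValueError("frag_length does not match the PDU size")
        if ptype != PTYPE_REQUEST:
            return None  # bind, response and other PDU types are outside this example
        if auth_length:
            raise NotImplementedError("auth trailers are not handled in this example")
        _alloc_hint, _ctx_id, opnum = REQUEST_FIELDS.unpack_from(pdu, RPC_CO_HEADER.size)
        stub = pdu[STUB_OFFSET:frag_length]
        if flags & PFC_FIRST_FRAG:
            self._pending[call_id] = (opnum, bytearray())  # a new call replaces any stale cache
        entry = self._pending.get(call_id)
        if entry is None:
            raise ValueError(f"fragment for call_id {call_id} without a first fragment")
        first_opnum, buffer = entry
        if opnum != first_opnum:
            raise ValueError("opnum changed between fragments of one call")
        buffer += stub
        if flags & PFC_LAST_FRAG:
            del self._pending[call_id]
            return call_id, first_opnum, bytes(buffer)
        return None


def scan(pdus: list[bytes], pattern: bytes) -> dict[str, list[int]]:
    """Compare per-fragment matching with matching on the reassembled stub."""
    per_fragment = [i for i, pdu in enumerate(pdus) if pattern in pdu]
    reassembler = DcerpcFragmentReassembler()
    reassembled = []
    for pdu in pdus:
        done = reassembler.feed(pdu)
        if done is not None and pattern in done[2]:
            reassembled.append(done[0])
    return {"per_fragment": per_fragment, "reassembled": reassembled}


# Constructed sample: call 7 carries the pattern split over three fragments,
# with an unrelated single-fragment call 9 interleaved between them.
RULE_PATTERN = b"hypothetical-stub-marker"
STUB = bytes(8) + RULE_PATTERN + bytes(4)
SAMPLE_PDUS = [
    build_request_fragment(7, 0x1F, STUB[:12], first=True, last=False),
    build_request_fragment(9, 0x02, b"benign", first=True, last=True),
    build_request_fragment(7, 0x1F, STUB[12:20], first=False, last=False),
    build_request_fragment(7, 0x1F, STUB[20:], first=False, last=True),
]

if __name__ == "__main__":
    print(scan(SAMPLE_PDUS, RULE_PATTERN))
```

A fragment whose call_id has no cached first fragment is rejected rather than silently started, and a fragment whose frag_length disagrees with the bytes actually present is rejected too; both are cheap checks that stop a sender from steering the detector's view of the stub away from what the server will parse.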
Referring to Fig. 7, the embodiment of the application discloses a further SMB vulnerability detection method, which mainly comprises:
S501: acquire an SMB data packet.
S502: perform SMB parsing on the SMB data packet and cache the first preset fields obtained from the parsing.
S503: judge whether the currently cached first preset fields form a complete SMB message; if so, go to S504; if not, return to S501.
S504: splice the cached first preset fields into a complete SMB message and perform IPS feature-rule detection on the SMB message to identify a vulnerability.
S505: judge, from the cached first preset fields, whether the current SMB message is associated with the previous SMB message; if so, go to S506.
If the current SMB message is not associated with the previous one, the IPS feature-rule detection of step S504 completes the processing of the current message, and processing moves on to the next SMB data packet.
S506: extract specific fields from the current SMB message and the previous SMB message, format and splice them, and perform IPS feature-rule detection on the formatted and spliced message to identify a vulnerability.
Specifically, some vulnerabilities are triggered by two or more adjacent SMB messages that share certain characteristics; such SMB messages are said to be associated with each other.
For example, two SMB messages of type SMB_COM_TRANSACTION, SMB_COM_TRANSACTION2 or SMB_COM_NT_TRANSACT may be regarded as associated if their PID, TID, MID and UID fields in the first preset fields have the same values. As another example, an SMB message of type SMB_COM_WRITE_ANDX may be regarded as associated with the previous SMB message if its PID, TID and UID fields match those of the previous message and its MID field matches the FID field of the previous message.
Such vulnerabilities may not be identifiable by IPS feature rules from a single complete SMB message, because the attack needs several SMB messages. Based on analysis of how these vulnerabilities work, the embodiment detects them from the association of specific fields across multiple SMB messages.
To raise the detection hit rate further, therefore, this embodiment adds a second pass to the IPS feature-rule detection of the single SMB message: specific fields of several associated SMB messages are formatted and spliced, and IPS feature-rule detection is run again on the spliced result, further reducing the miss rate.
The specific fields may be all fields of the SMB message, or important ones such as message type, message length, PID and TID.
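The association-and-splice pass of steps S505 and S506, as an added Python example that is not the patent's code. It implements only the transaction-family rule the description states (equal PID, TID, MID and UID on consecutive SMB_COM_TRANSACTION, SMB_COM_TRANSACTION2 or SMB_COM_NT_TRANSACT messages), parses SMB1 headers in the MS-CIFS layout, and treats the "formatted splice" as one identifying line followed by the concatenated data segments; the messages and the rule pattern are constructed. It takes complete SMB messages as input, i.e. the output of the reassembly step.

```python
from __future__ import annotations
import struct

# Added example, not the patent's code. Parses SMB1 headers in the MS-CIFS
# layout and applies only the transaction-family association rule the
# description states (equal PID, TID, MID and UID on consecutive messages).
# The "formatted splice" layout and all messages are constructed.
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")  # 32 bytes
SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_NT_TRANSACT = 0xA0
TRANSACTION_COMMANDS = {SMB_COM_TRANSACTION, SMB_COM_TRANSACTION2, SMB_COM_NT_TRANSACT}


def build_smb1(command: int, pid: int, tid: int, uid: int, mid: int, data: bytes) -> bytes:
    """Assemble an SMB1 message: the header fields the example uses, rest zero."""
    header = SMB1_HEADER.pack(SMB1_MAGIC, command, 0, 0x18, 0, pid >> 16, bytes(8), 0,
                              tid, pid & 0xFFFF, uid, mid)
    return header + data


def parse_smb1(message: bytes) -> dict:
    """Extract the first preset fields used for association from the header."""
    (magic, command, _status, _flags, _flags2, pid_high, _sec, _reserved,
     tid, pid_low, uid, mid) = SMB1_HEADER.unpack_from(message)
    if magic != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    return {"command": command, "pid": (pid_high << 16) | pid_low, "tid": tid,
            "uid": uid, "mid": mid, "data": message[SMB1_HEADER.size:]}


def associated(prev: dict | None, cur: dict) -> bool:
    """S505: transaction-family messages with identical PID/TID/MID/UID."""
    if prev is None:
        return False
    if prev["command"] not in TRANSACTION_COMMANDS or cur["command"] not in TRANSACTION_COMMANDS:
        return False
    return all(prev[key] == cur[key] for key in ("pid", "tid", "mid", "uid"))


def group_associated(messages: list[bytes]) -> list[list[tuple[int, dict]]]:
    """Group consecutive associated messages, keeping their stream indices."""
    groups: list[list[tuple[int, dict]]] = []
    prev = None
    for index, raw in enumerate(messages):
        header = parse_smb1(raw)
        if associated(prev, header):
            groups[-1].append((index, header))
        else:
            groups.append([(index, header)])
        prev = header
    return groups


def splice(group: list[tuple[int, dict]]) -> bytes:
    """S506: one identity line (the shared header fields) followed by the
    concatenated data segments of the associated messages."""
    first = group[0][1]
    identity = (f"cmd={first['command']:#04x} pid={first['pid']:#x} tid={first['tid']:#x} "
                f"uid={first['uid']:#x} mid={first['mid']:#x}\n").encode()
    return identity + b"".join(header["data"] for _, header in group)


def detect(messages: list[bytes], pattern: bytes) -> dict[str, list]:
    """First pass on each complete message, second pass on spliced groups."""
    single = [i for i, raw in enumerate(messages) if pattern in raw]
    spliced = [[i for i, _ in group] for group in group_associated(messages)
               if len(group) > 1 and pattern in splice(group)]
    return {"single": single, "spliced": spliced}


# Constructed sample: the hypothetical pattern is split over two transaction
# messages with the same identifiers; a third message differs in MID.
RULE_PATTERN = b"\\PIPE\\hypothetical"
SAMPLE_MESSAGES = [
    build_smb1(SMB_COM_TRANSACTION, 0x1234, 0x0801, 0x0800, 0x40, b"\x00" + RULE_PATTERN[:10]),
    build_smb1(SMB_COM_TRANSACTION, 0x1234, 0x0801, 0x0800, 0x40, RULE_PATTERN[10:] + b"\x00"),
    build_smb1(SMB_COM_TRANSACTION, 0x1234, 0x0801, 0x0800, 0x41, b"\x00unrelated\x00"),
]

if __name__ == "__main__":
    print(detect(SAMPLE_MESSAGES, RULE_PATTERN))
```

The grouping is deliberately limited to adjacent messages, matching the description; a detector that also wanted to catch associated messages separated by unrelated traffic would key a small per-session cache on (PID, TID, MID, UID) instead of comparing only with the previous message, at the cost of holding more state per connection.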
Referring to fig. 8, an embodiment of the present application discloses an smb vulnerability detection apparatus, which mainly includes:
smb a packet obtaining module 601, configured to obtain smb a packet;
smb protocol parsing module 602, configured to perform smb parsing on the smb data packet, and cache a first preset field obtained after parsing;
smb message judgment module 603, configured to judge whether the currently cached first preset field constitutes a complete smb message; if not, the smb packet retrieving module 601 continues to retrieve smb packets;
the first identification detection module 604 is configured to splice the cached first preset fields to generate a complete smb message when the currently cached first preset fields form a complete smb message, and perform ips feature rule detection on the smb message to identify a vulnerability.
Therefore, the smb vulnerability detection device disclosed in the embodiment of the application uses the complete smb message as the minimum detection unit for ips feature rule detection through message integrity judgment and field caching and splicing, so that the vulnerability bypass problem based on ip, tcp and smb protocols can be effectively solved, the hit rate of smb vulnerability detection is improved, vulnerability attack risk is reduced, and network communication safety is guaranteed.
For details of the smb vulnerability detection apparatus, reference may be made to the aforementioned detailed description of the smb vulnerability detection method, which is not repeated herein.
In a specific implementation manner, based on the above, in the smb vulnerability detection apparatus disclosed in the embodiment of the present application, the smb data packet obtaining module 601 specifically includes:
a netbios packet acquiring unit configured to acquire a netbios packet;
a netbios message judgment unit, configured to judge whether a currently acquired netbios data packet constitutes a complete netbios message; if not, the netbios data packet acquisition unit continues to acquire the netbios data packet;
and a netbios parsing unit, configured to parse the currently acquired netbios data packet to obtain the smb data packet when the currently acquired netbios data packet forms a complete netbios message.
In an embodiment, based on the above, in the smb vulnerability detection apparatus disclosed in this embodiment of the present application, the netbios packet obtaining unit is specifically configured to:
performing ip parsing on the ip data packet to obtain a tcp data packet; and performing tcp parsing on the tcp data packet to obtain a netbios data packet.
In a specific implementation manner, on the basis of the above, in the smb vulnerability detection apparatus disclosed in the embodiment of the present application, the smb protocol parsing module 602 is specifically configured to:
parsing the header of the smb data packet and determining the smb protocol version; and parsing the data segments of the smb data packet according to the corresponding version of the smb protocol.
In a specific implementation manner, on the basis of the above, in the smb vulnerability detection apparatus disclosed in the embodiment of the present application, the smb message judgment module 603 is specifically configured to: judge whether the currently cached first preset field forms a complete smb message according to the smb message length obtained from packet header parsing.
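The acquisition, completeness judgment and per-message detection steps described for modules 601 to 603 can be illustrated with a small reassembly engine. The following Python is an added example written for this page, not code from the patent or its applicant. It treats the TCP payload as a stream of NetBIOS session messages (1-byte type, 3-byte big-endian length), caches bytes until a complete message is present, determines the smb protocol version from the header magic, and only then applies a rule. The rule pattern, the sample messages and the segment boundaries are constructed here to show why matching on individual segments misses a pattern that straddles a segment boundary; the header layouts themselves follow MS-CIFS and MS-SMB2.

```python
import struct

# NetBIOS session service header: 1-byte message type + 3-byte big-endian length
# (bit 16 is the extension bit; treating the three bytes as one length field is
# sufficient for reassembly purposes).
NBSS_SESSION_MESSAGE = 0x00
NBSS_HEADER_LEN = 4
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_HEADER_LEN = 32


class NetbiosReassembler:
    """Caches TCP payload bytes until a complete NetBIOS session message is present.

    This is the 'judge whether the currently acquired data forms a complete netbios
    message; if not, keep acquiring' loop of the description.
    """

    def __init__(self):
        self.buf = bytearray()

    def feed(self, segment: bytes):
        """Feed one TCP segment; return the complete NetBIOS payloads now available."""
        self.buf += segment
        complete = []
        while len(self.buf) >= NBSS_HEADER_LEN:
            msg_type = self.buf[0]
            length = int.from_bytes(self.buf[1:4], "big")
            if len(self.buf) < NBSS_HEADER_LEN + length:
                break  # still incomplete: keep the cache and wait for more segments
            payload = bytes(self.buf[NBSS_HEADER_LEN:NBSS_HEADER_LEN + length])
            del self.buf[:NBSS_HEADER_LEN + length]
            if msg_type == NBSS_SESSION_MESSAGE:
                complete.append(payload)  # keepalives and the like carry no SMB and are dropped
        return complete


def smb_version(packet: bytes):
    """Determine the SMB protocol version from the packet header magic."""
    if packet.startswith(SMB1_MAGIC):
        return 1
    if packet.startswith(SMB2_MAGIC):
        return 2
    return None


def smb_command(packet: bytes, version: int):
    """Read the command field according to the version-specific header layout."""
    if version == 1:
        return packet[4]  # SMB1: Command is the byte after the magic
    if version == 2:
        return struct.unpack_from("<H", packet, 12)[0]  # SMB2: Command at offset 12
    return None


# Constructed stand-in for an ips feature rule: a byte pattern looked up in the message.
RULE = b"\x00\x00\x00\x00\xff\xff\xff\xff"


def detect_per_segment(segments, rule=RULE):
    """Naive detector that matches each TCP segment on its own (what reassembly fixes)."""
    return sum(1 for seg in segments if rule in seg)


def detect_reassembled(segments, rule=RULE):
    """Reassemble NetBIOS messages first, then match the rule on each complete smb message."""
    reasm = NetbiosReassembler()
    results = []
    for seg in segments:
        for smb in reasm.feed(seg):
            ver = smb_version(smb)
            if ver is None or len(smb) < SMB1_HEADER_LEN:
                continue  # not an SMB message (or truncated): nothing to detect on
            results.append({"version": ver, "command": smb_command(smb, ver), "hit": rule in smb})
    return results


# --- constructed sample traffic (not captured data) ---
def build_smb1(command: int, body: bytes) -> bytes:
    """Build a minimal SMB1 message: 32-byte header followed by an arbitrary body."""
    header = struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, command, 0, 0x18, 0xC807,
                         0, b"\x00" * 8, 0, 0x0800, 0xFEFF, 0x0800, 0x4000)
    return header + body


def nbss_wrap(smb: bytes) -> bytes:
    return bytes([NBSS_SESSION_MESSAGE]) + len(smb).to_bytes(3, "big") + smb


SAMPLE_STREAM = (nbss_wrap(build_smb1(0x2F, b"\x00" * 8 + RULE))   # WriteAndX carrying the pattern
                 + nbss_wrap(build_smb1(0x04, b"\x00" * 4)))        # Close, benign
# Segment boundaries chosen so one falls inside a NetBIOS header and one inside the pattern.
SAMPLE_SEGMENTS = [SAMPLE_STREAM[:2], SAMPLE_STREAM[2:48], SAMPLE_STREAM[48:]]

if __name__ == "__main__":
    print("per-segment hits:", detect_per_segment(SAMPLE_SEGMENTS))
    print("reassembled:", detect_reassembled(SAMPLE_SEGMENTS))
```

Feeding the same stream one byte at a time gives the same two results, which is the property the description relies on: the detection unit is the complete smb message, independent of how the ip and tcp layers happened to split it.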
In a specific implementation manner, on the basis of the foregoing, the smb vulnerability detection apparatus disclosed in the embodiment of the present application further includes:
a dce-rpc parsing module, configured to, when the smb data packet carries a dce-rpc data packet, perform dce-rpc parsing on the dce-rpc data packet obtained after smb parsing, and cache a second preset field obtained after parsing;
a dce-rpc message judgment module, configured to judge whether the currently cached second preset field forms a complete dce-rpc message; if not, the dce-rpc parsing module continues to perform dce-rpc parsing on the dce-rpc data packet obtained after smb parsing;
and a second identification detection module, configured to splice the cached second preset fields to generate a complete dce-rpc message when the currently cached second preset fields form a complete dce-rpc message, and to perform ips feature rule detection on the dce-rpc message to identify a vulnerability.
In an embodiment, based on the above, in the smb vulnerability detection apparatus disclosed in this embodiment of the present application, the dce-rpc parsing module is specifically configured to:
parse the header of the dce-rpc data packet; cache the data segments of the dce-rpc data packets; judge whether the currently acquired dce-rpc data packet forms a complete dce-rpc packet according to the fragmentation parameters obtained from header parsing; if not, continue to perform dce-rpc parsing on the next dce-rpc data packet; if yes, perform dce-rpc parsing on the currently cached data segments of the dce-rpc data packets.
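The dce-rpc parsing module just described, as an added example for this page rather than code from the patent: connection-oriented DCE-RPC PDUs carry a 16-byte common header whose pfc_flags (PFC_FIRST_FRAG, PFC_LAST_FRAG) and frag_length are the fragmentation parameters, and the integer byte order of the header is taken from packed_drep. The reassembler below caches request stub fragments per call_id and returns the complete stub only when the last fragment arrives, so that a rule can be applied to the whole message. The rule pattern and the sample PDUs are constructed; authenticated PDUs (auth_length != 0) are treated as out of scope, which is an assumption of this example, not of the patent.

```python
import struct

# DCE-RPC connection-oriented PDU: 16-byte common header, then a type-specific header.
PTYPE_REQUEST = 0
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
COMMON_HEADER_LEN = 16
REQUEST_HEADER_LEN = 8  # alloc_hint(4) + p_cont_id(2) + opnum(2)


def parse_common_header(pdu: bytes) -> dict:
    """Parse the common header; integer byte order comes from packed_drep[0] bit 4."""
    if len(pdu) < COMMON_HEADER_LEN:
        raise ValueError("short dce-rpc header")
    rpc_vers, ptype, pfc_flags = pdu[0], pdu[2], pdu[3]
    drep = pdu[4:8]
    endian = "<" if drep[0] & 0x10 else ">"
    frag_length, auth_length, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    if rpc_vers != 5:
        raise ValueError("unsupported rpc_vers %d" % rpc_vers)
    if frag_length > len(pdu):
        raise ValueError("frag_length exceeds available data")
    return {"ptype": ptype, "flags": pfc_flags, "endian": endian,
            "frag_length": frag_length, "auth_length": auth_length, "call_id": call_id}


class DcerpcReassembler:
    """Caches request stub fragments per call_id until PFC_LAST_FRAG is seen.

    pfc_flags and frag_length are the 'fragmentation parameters' of the description.
    Authenticated PDUs (auth_length != 0) are skipped here (assumption of this example).
    """

    def __init__(self):
        self.pending = {}  # call_id -> (p_cont_id, opnum, [stub fragments])

    def feed(self, pdu: bytes):
        """Feed one PDU; return (p_cont_id, opnum, stub) once the request is complete."""
        hdr = parse_common_header(pdu)
        if hdr["ptype"] != PTYPE_REQUEST or hdr["auth_length"] != 0:
            return None
        end = COMMON_HEADER_LEN + REQUEST_HEADER_LEN
        _alloc_hint, ctx_id, opnum = struct.unpack(hdr["endian"] + "IHH", pdu[COMMON_HEADER_LEN:end])
        stub = pdu[end:hdr["frag_length"]]
        key = hdr["call_id"]
        if hdr["flags"] & PFC_FIRST_FRAG:
            self.pending[key] = (ctx_id, opnum, [stub])  # a new first fragment resets the cache
        elif key in self.pending:
            self.pending[key][2].append(stub)
        else:
            return None  # continuation without a first fragment: drop it
        if hdr["flags"] & PFC_LAST_FRAG:
            ctx_id, opnum, parts = self.pending.pop(key)
            return ctx_id, opnum, b"".join(parts)
        return None


RULE = b"\x41" * 6 + b"\x00\x00"  # constructed stand-in for an ips feature rule on the stub


def detect_per_fragment(pdus, rule=RULE):
    """Naive matching on each fragment's own stub data."""
    return sum(1 for p in pdus if rule in p[COMMON_HEADER_LEN + REQUEST_HEADER_LEN:])


def detect_reassembled(pdus, rule=RULE):
    """Reassemble per call_id, then run the rule over the complete stub."""
    reasm = DcerpcReassembler()
    findings = []
    for p in pdus:
        done = reasm.feed(p)
        if done is not None:
            _ctx_id, opnum, stub = done
            findings.append({"opnum": opnum, "stub_len": len(stub), "hit": rule in stub})
    return findings


# --- constructed sample PDUs (not captured traffic) ---
def build_request(call_id, ctx_id, opnum, stub, flags, little_endian=True):
    drep = b"\x10\x00\x00\x00" if little_endian else b"\x00\x00\x00\x00"
    endian = "<" if little_endian else ">"
    frag_length = COMMON_HEADER_LEN + REQUEST_HEADER_LEN + len(stub)
    return (struct.pack("<BBBB", 5, 0, PTYPE_REQUEST, flags) + drep
            + struct.pack(endian + "HHI", frag_length, 0, call_id)
            + struct.pack(endian + "IHH", len(stub), ctx_id, opnum) + stub)


FULL_STUB = b"\x00" * 10 + RULE + b"\x00" * 6   # 24 bytes; the pattern spans offsets 10..18
SAMPLE_PDUS = [
    build_request(7, 0, 3, FULL_STUB[:12], PFC_FIRST_FRAG),                                    # call 7, first
    build_request(9, 0, 5, b"\x00" * 4, PFC_FIRST_FRAG | PFC_LAST_FRAG, little_endian=False),  # unrelated call
    build_request(7, 0, 3, FULL_STUB[12:16], 0),                                              # call 7, middle
    build_request(7, 0, 3, FULL_STUB[16:], PFC_LAST_FRAG),                                    # call 7, last
]

if __name__ == "__main__":
    print("per-fragment hits:", detect_per_fragment(SAMPLE_PDUS))
    print("reassembled:", detect_reassembled(SAMPLE_PDUS))
```

The interleaved big-endian call shows why the cache is keyed by call_id rather than by arrival order: fragments of different calls may be mixed on one pipe, and the byte order of each PDU has to be taken from its own header before frag_length can be trusted.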
In an embodiment, on the basis of the foregoing, in the smb vulnerability detection apparatus disclosed in this embodiment of the present application, the first identification detection module 604 is further configured to:
after ips feature rule detection is performed on the current smb message to identify a vulnerability, judge whether the current smb message and the previous smb message have message association according to the cached first preset field; if yes, extract specific fields from the current smb message and the previous smb message for formatting and splicing, and perform ips feature rule detection on the formatted and spliced message to identify a vulnerability.
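The message association step described here and in the earlier paragraph on SMB_COM_TRANSACTION-family and SMB_COM_WRITE_ANDX messages, as an added example for this page (not the patent's code): each complete SMB1 message is parsed into the fields the association rules need (command, length, PID, TID, UID, MID and, for the ANDX read/write commands where its position is fixed, FID), the two rules from the description are applied against the previous message, and for an associated pair the specific fields are formatted into a canonical text form and spliced so that a rule can be matched on the pair. The header layout follows MS-CIFS; the sample messages are skeletons with constructed identifiers, and both rule patterns are constructed for the example.

```python
import re
import struct

SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")  # 32-byte SMB_Header (MS-CIFS)
SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION, SMB_COM_TRANSACTION2, SMB_COM_NT_TRANSACT = 0x25, 0x32, 0xA0
SMB_COM_READ_ANDX, SMB_COM_WRITE_ANDX = 0x2E, 0x2F
TRANSACTION_CMDS = {SMB_COM_TRANSACTION, SMB_COM_TRANSACTION2, SMB_COM_NT_TRANSACT}
# Word index of the FID inside the parameter words for commands whose layout is
# AndXCommand/AndXReserved (word 0), AndXOffset (word 1), FID (word 2).
FID_WORD_INDEX = {SMB_COM_READ_ANDX: 2, SMB_COM_WRITE_ANDX: 2}


def parse_smb1(msg: bytes) -> dict:
    """Extract the 'first preset fields' used for association from a complete SMB1 message."""
    (magic, cmd, _status, _flags, _flags2, pid_high, _sec, _rsv,
     tid, pid_low, uid, mid) = SMB1_HEADER.unpack_from(msg)
    if magic != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    word_count = msg[32]
    words = msg[33:33 + 2 * word_count]
    fid = None
    idx = FID_WORD_INDEX.get(cmd)
    if idx is not None and len(words) >= 2 * idx + 2:
        fid = struct.unpack_from("<H", words, 2 * idx)[0]
    return {"command": cmd, "length": len(msg), "pid": (pid_high << 16) | pid_low,
            "tid": tid, "uid": uid, "mid": mid, "fid": fid}


def associated(prev: dict, cur: dict) -> bool:
    """The two association rules given in the description."""
    def same(*keys):
        return all(prev[k] == cur[k] for k in keys)
    if prev["command"] in TRANSACTION_CMDS and cur["command"] in TRANSACTION_CMDS:
        return same("pid", "tid", "mid", "uid")
    if cur["command"] == SMB_COM_WRITE_ANDX:
        return same("pid", "tid", "uid") and prev["fid"] is not None and cur["mid"] == prev["fid"]
    return False


def format_fields(m: dict) -> str:
    """Canonical text form of the specific fields (type, length, PID, TID) for rule matching."""
    return "cmd=%02x;len=%d;pid=%08x;tid=%04x" % (m["command"], m["length"], m["pid"], m["tid"])


def splice(prev: dict, cur: dict) -> str:
    return format_fields(prev) + "|" + format_fields(cur)


def scan(messages, single_rules, spliced_rules):
    """Per-message rule check, then association with the previous message and a spliced check."""
    findings, prev = [], None
    for raw in messages:
        cur = parse_smb1(raw)
        single_hit = any(r in raw for r in single_rules)
        is_assoc = prev is not None and associated(prev, cur)
        spliced_hit = is_assoc and any(re.search(r, splice(prev, cur)) for r in spliced_rules)
        findings.append((cur["command"], single_hit, is_assoc, spliced_hit))
        prev = cur
    return findings


# --- constructed sample messages (skeletons, not captured traffic) ---
def build_smb1(cmd, pid, tid, uid, mid, words=b"", data=b""):
    hdr = SMB1_HEADER.pack(SMB1_MAGIC, cmd, 0, 0x18, 0xC807, pid >> 16, b"\x00" * 8, 0,
                           tid, pid & 0xFFFF, uid, mid)
    return hdr + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data


def write_andx_words(fid, data_len):
    # AndXCommand, AndXReserved, AndXOffset, FID, Offset, Timeout, WriteMode, Remaining,
    # DataLengthHigh, DataLength, DataOffset (12 words)
    return struct.pack("<BBHHIIHHHHH", 0xFF, 0, 0, fid, 0, 0, 0, 0, 0, data_len, 59)


IDS = dict(pid=0xFEFF, tid=0x0800, uid=0x0800)
SAMPLE = [
    build_smb1(SMB_COM_NT_TRANSACT, mid=0x0040, **IDS),
    build_smb1(SMB_COM_TRANSACTION2, mid=0x0040, **IDS),  # same PID/TID/MID/UID: associated
    build_smb1(SMB_COM_WRITE_ANDX, mid=0x0041, words=write_andx_words(0x4001, 4), data=b"\x00" * 4, **IDS),
    build_smb1(SMB_COM_WRITE_ANDX, mid=0x4001, words=write_andx_words(0x4001, 4), data=b"\x00" * 4, **IDS),
    build_smb1(SMB_COM_TRANSACTION2, mid=0x0099, **IDS),  # different MID: not associated
]
SINGLE_RULES = [b"\xff\xff\xff\xff\xff\xff"]   # constructed single-message rule
SPLICED_RULES = [r"^cmd=a0;.*\|cmd=32;"]         # constructed: NT_TRANSACT followed by TRANSACTION2

if __name__ == "__main__":
    for row in scan(SAMPLE, SINGLE_RULES, SPLICED_RULES):
        print("cmd=%02x single=%s assoc=%s spliced=%s" % row)
```

The fourth sample message is associated with the third only because its MID equals the FID the third message carried; the fifth is not associated with the fourth because the WRITE_ANDX rule requires the current message to be the WRITE_ANDX, and the transaction rule requires both messages to be transaction-family commands.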
Referring to fig. 9, an embodiment of the present application discloses a network security device, including:
a memory 701 for storing a computer program;
a processor 702 for executing the computer program to implement the steps of any of the smb vulnerability detection methods described above.
Further, the present application also discloses a computer readable storage medium, in which a computer program is stored, and the computer program is used for implementing the steps of any smb vulnerability detection method as described above when being executed by a processor.
For details of the network security device and the computer-readable storage medium, reference may be made to the foregoing detailed description of the smb vulnerability detection method, which is not repeated here.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the equipment disclosed by the embodiment, the description is relatively simple because the equipment corresponds to the method disclosed by the embodiment, and the relevant parts can be referred to the method part for description.
It is further noted that, throughout this document, relational terms such as "first" and "second" are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Furthermore, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The technical solutions provided by the present application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, without departing from the principle of the present application, several improvements and modifications can be made to the present application, and these improvements and modifications also fall into the protection scope of the present application.

Claims (11)

1. An smb vulnerability detection method, comprising:
acquiring an smb data packet;
performing smb parsing on the smb data packet, and caching a first preset field obtained after parsing;
judging whether the currently cached first preset field forms a complete smb message;
if not, continuing to execute the step of acquiring an smb data packet and the subsequent steps;
if yes, splicing the cached first preset fields to generate a complete smb message, and performing ips feature rule detection on the smb message to identify a vulnerability.
2. The smb vulnerability detection method of claim 1, wherein the obtaining smb data packets comprises:
acquiring a netbios data packet;
judging whether the currently acquired netbios data packet forms a complete netbios message or not;
if not, continuing to execute the step of acquiring a netbios data packet and the subsequent steps;
and if so, parsing the currently acquired netbios data packet to obtain the smb data packet.
3. The smb vulnerability detection method of claim 2, wherein the obtaining a netbios data packet comprises:
performing ip parsing on the ip data packet to obtain a tcp data packet;
and performing tcp parsing on the tcp data packet to obtain the netbios data packet.
4. The smb vulnerability detection method of claim 1, wherein the smb parsing the smb data packet comprises:
parsing the header of the smb data packet and determining the smb protocol version;
parsing the data segments of the smb data packet in accordance with a corresponding version of the smb protocol.
5. The smb vulnerability detection method of claim 4, wherein the determining whether the first preset field that is currently cached constitutes a complete smb message comprises:
judging whether the currently cached first preset field forms a complete smb message according to the smb message length obtained from packet header parsing.
6. The smb vulnerability detection method of claim 1, wherein after the smb parsing of the smb data packet, further comprising:
when the smb data packet carries a dce-rpc data packet, performing dce-rpc parsing on the dce-rpc data packet obtained after smb parsing, and caching a second preset field obtained after parsing;
judging whether the currently cached second preset field forms a complete dce-rpc message;
if not, continuing to execute the step of performing dce-rpc parsing on the dce-rpc data packet obtained after smb parsing and the subsequent steps;
and if so, splicing the cached second preset fields to generate a complete dce-rpc message, and performing ips feature rule detection on the dce-rpc message to identify a vulnerability.
7. The smb vulnerability detection method of claim 6, wherein the dce-rpc parsing of the dce-rpc data packet obtained after smb parsing includes:
parsing the header of the dce-rpc data packet;
buffering data segments of the dce-rpc data packets;
judging whether the currently acquired dce-rpc data packet forms a complete dce-rpc packet according to the fragmentation parameters obtained from header parsing;
if not, continuing to perform dce-rpc parsing on the next dce-rpc data packet;
if yes, performing dce-rpc parsing on the currently cached data segments of the dce-rpc data packets.
8. The smb vulnerability detection method of any of claims 1-7, wherein after the ips feature rule detection of the smb message to identify vulnerabilities, further comprising:
judging whether the current smb message and the previous smb message have message association according to the cached first preset field;
if yes, extracting specific fields from the current smb message and the previous smb message for formatting and splicing, and performing ips feature rule detection on the formatted and spliced message to identify a vulnerability.
9. An smb vulnerability detection device, comprising:
an smb data packet obtaining module, configured to obtain an smb data packet;
an smb protocol parsing module, configured to perform smb parsing on the smb data packet, and cache a first preset field obtained after parsing;
an smb message judgment module, configured to judge whether the currently cached first preset field constitutes a complete smb message; if not, the smb data packet obtaining module continues to obtain smb data packets;
the first identification detection module is used for splicing the cached first preset fields to generate a complete smb message when the currently cached first preset fields form a complete smb message, and performing ips feature rule detection on the smb message to identify a vulnerability.
10. A network security device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the smb vulnerability detection method of any of claims 1 to 8.
11. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, is adapted to carry out the steps of the smb vulnerability detection method according to any of claims 1 to 8.
CN201911228714.7A 2019-12-04 2019-12-04 Network security equipment and smb vulnerability detection method, device and medium thereof Pending CN110933094A (en)
Publications (1)

Publication Number Publication Date
CN110933094A true CN110933094A (en) 2020-03-27

Family

ID=69856731

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20200327)