CN113285904A - RDP-based method for analyzing disk mapping file information - Google Patents

Info

Publication number
CN113285904A
Authority
CN
China
Prior art keywords
message
file
transmission
byte
content
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010101386.0A
Other languages
Chinese (zh)
Inventor
何建锋
白晨阳
武博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xi'an Jiaotong University Jump Network Technology Co ltd
Original Assignee
Xi'an Jiaotong University Jump Network Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2020-02-19
Filing date
2020-02-19
Publication date
2021-08-20

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H04L69/26 Special purpose or proprietary protocols or architectures

Abstract

The invention discloses an RDP-based method for parsing disk mapping file information. It parses the messages exchanged between an operation and maintenance (O&M) client and a target server to obtain the specific functional data, and parsing a message comprises the following steps: extracting the content flag byte of the message and judging from its value whether the message carries a file transfer; if so, proceeding to the next step, otherwise ending the parsing; extracting the direction flag bytes of the message and judging the file transfer direction from their values; if the direction flag values equal the specified values for uplink or downlink file transfer, proceeding to the next step, otherwise ending the parsing; and parsing the message content to obtain the file information, comprising the file name and the file path, and outputting it as the parsing result. Irrelevant packets are screened out during parsing, which improves parsing speed and accuracy and thus audit efficiency.

Description

RDP-based method for analyzing disk mapping file information
Technical Field
The invention belongs to the technical field of operation and maintenance (O&M) auditing, and in particular relates to an RDP-based method for parsing disk mapping file information.
Background
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft for remote desktop access over a network; it sits at the application layer of the network protocol suite. An RDP-based bastion host (also called a jump host) is mainly used to let a user connect, through an RDP client such as the mstsc tool, to a remote Windows server on which Terminal Services (Remote Desktop Services) is enabled. The client obtains the complete desktop of the remote server and performs operation and maintenance work on it, the whole process being the same as operating directly on the remote server, which improves server maintenance efficiency. RDP is essentially a graphical protocol; since it is used to maintain servers it is interactive, that is, the client submits input while the server returns screen updates and other data.
During remote operation and maintenance, disk mapping (RDP drive redirection) is a common way to improve efficiency: a remote desktop session can map a disk or folder of the operation and maintenance host into the target machine for direct access and operation, which avoids repeated switching between hosts and greatly improves access time and convenience. To audit the disk mapping process, the functional parameters in the message data must be parsed so that information such as the mapped file path is finally obtained for subsequent security audit operations.
Disclosure of Invention
Based on the above background, an RDP-based method for parsing disk mapping file information is provided. After the captured traffic has been processed by the network channel layer, the ISO data layer, the virtual channel layer and the decryption layer, the specific functional data in a message can be obtained; that functional data is then parsed to obtain the file name and path of the disk mapping, so that a content audit can be performed. The specific technical scheme is as follows.
The RDP-based method for parsing disk mapping file information parses the messages between an operation and maintenance end and a target end to obtain specific functional data, where parsing a message comprises the following steps:
extracting the content flag byte of the message and judging from its value whether the message carries a file transfer; if so, proceeding to the next step; if not, ending the parsing;
extracting the direction flag bytes of the message and judging the file transfer direction from their values; if the direction flag values equal the specified values for uplink or downlink file transfer, proceeding to the next step; if not, ending the parsing;
and parsing the message content to obtain the file information, comprising the file name and the file path, and outputting the file information as the parsing result.
Preferably, if the value of the content flag byte equals a first specified value and the message data is longer than a specific length, the message data is determined to be a disk-mapped file transfer; otherwise the parsing ends.
Further preferably, determining the direction of the transferred file from the values of the direction flag bytes of the message comprises: if the values of the 45th, 49th and 51st bytes of the message simultaneously match the second, third and fourth specified values respectively, the message is determined to be an uplink file transfer message; and if the value of the 45th byte of the message equals the fifth specified value, the message is determined to be a downlink file transfer message.
Parsing a message determined to be a downlink file transfer comprises: skipping a fixed number of bytes from the start of the message content, extracting the data that follows to obtain the file name and file path, and outputting them as the parsing result.
Before the parsing result is output, the first 35 bytes of the file path are extracted and compared with a specified character string; if they match, the message is ignored; if they do not match, the complete file path is extracted as the parsing result.
The technical scheme is applied to a bastion host for remote operation and maintenance, where file or folder operations are performed through disk mapping. Message data copied and pasted through the clipboard is screened out by the content flag byte; the total number of messages in each transfer is counted from the position flag bytes of each message; the data content is extracted from the first message and from each continuation message separately; and after the first and continuation messages have been assembled in order, the complete file path is obtained by parsing, so that a security audit can be performed on the parsed file operation. Because irrelevant packets are screened out during parsing, parsing speed and accuracy are improved, and with them audit efficiency.
Drawings
Fig. 1 is a schematic diagram of a work flow of an embodiment of an RDP-based disk mapping file information parsing method according to the present invention.
Detailed Description
First, a supplementary explanation of the related art.
An operation and maintenance audit system monitors, over the network, the communication data between the operation and maintenance client and the target server. When an operator accesses the target server through the client, file operation records and the file operation process itself travel between client and server as communication data. By capturing that data, the protocol data is extracted and parsed, restored into readable form and stored in a database, and an auditor can review each operation performed by the operator through image or file playback.
Windows remote operation and maintenance is a widely used mode of operation and maintenance. Besides graphical operation, it also allows files to be uploaded and downloaded. Security problems therefore often arise in remote operation and maintenance: an operator may upload an infected file to the target host by mistake, or may download data from the target device and leak confidential data. Accurately locating, after the fact, the file operations of operators, such as copy and paste, upload and download, and disk mapping, is therefore very important for operation and maintenance auditing.
Generally, logging in to a remote Linux system is mostly done with ssh or telnet. If the desktop environment of a remote Linux system is needed, VNC, a remote desktop program based on the RFB protocol that most Linux distributions ship by default, can be used, although VNC is not friendly to ordinary users and runs slowly. Remote desktop for Windows is based on the RDP protocol, and under Linux open-source RDP servers such as xrdp can be used.
The advantage of operators remotely operating the target host through RDP is that the user can reliably use all applications, files and network resources on the remote computer without running programs locally. Moreover, RDP supports virtual channels that carry the additional data exchanged between client and server, including the RemoteApp channel, clipboard channel, audio channel, printer channel, disk mapping (drive redirection) channel and USB device redirection channel, each transmitting a different type of data. At the same time, the RDP data stream can conveniently be intercepted between the operation and maintenance client and the target host, and because the stream is compressed its volume is small.
However, a single RDP transfer may be carried in several packets, or only part of a transfer may be present in a given packet, so parsing the received packets directly may extract wrong information. At the same time, parsing a large number of packets takes too long, so parsing results are produced too slowly and the audit system may be unable to obtain the required information quickly and accurately, which affects the precise analysis and location of security problems. It is therefore necessary to provide a new technical solution that parses the content of data messages in RDP operation and maintenance quickly and accurately, so as to improve operation and maintenance efficiency.
Therefore, embodiment 1 of the present invention provides a data message parsing method for RDP-based disk mapping file information. After processing by the network channel layer, the ISO data layer, the virtual channel layer and the decryption layer, the specific functional data in a message can be obtained; that functional data is then parsed to obtain the file name and path of the disk mapping. The specific message parsing process comprises:
S0, acquiring the RDP protocol messages between the operation and maintenance client and the target server. Packet capture software or hardware can monitor network data and capture packets on the transmission link of the network card; the captured packets are stored or recorded as packets to be filtered or parsed. Different capture strategies can of course also be set so that unnecessary packets are screened out in advance.
S100, extracting the content flag byte of the message and judging from its value whether the message data is a file transfer, namely: if the value of the content flag byte equals a first specified value and the message data is longer than a specific length, the message data is determined to be a disk-mapped file transfer; otherwise the parsing ends.
S200, extracting the direction flag bytes of the message and judging the file transfer direction from their values. The file transfer direction is divided into uplink and downlink: uplink is the direction from the operation and maintenance client to the target server, and downlink is the direction from the target server to the operation and maintenance client. If the direction flag values equal the specified values for uplink or downlink file transfer, the following judgements are made: if the values of the 45th, 49th and 51st bytes of the message simultaneously match the second, third and fourth specified values respectively, the message is determined to be an uplink file transfer message; if the value of the 45th byte of the message equals the fifth specified value, the message is determined to be a downlink file transfer message, and the next step follows; otherwise the parsing ends.
S300, parsing the message content to obtain the file information, including the file name and the file path, and outputting it as the parsing result. Because the file information for both uplink and downlink transfers can be extracted from the downlink messages, only the downlink file messages need to be parsed, which improves parsing efficiency and reduces unnecessary resource consumption. This comprises: skipping a fixed number of bytes from the start of the message content, extracting the data that follows to obtain the file name and file path, and outputting them as the parsing result. It should be noted that on a Windows XP system a temporary path appears in file transfers and must be masked during parsing: the first 35 bytes of the file path are extracted first and compared with a specified character string; if they match, the message carries the temporary path of the XP system and is ignored; if they do not match, the complete file path is extracted as the parsing result.
As a preferred embodiment, parsing the message content to obtain the file transfer path further comprises determining, from two position flag bytes of the message, the position of the message within the current transfer and the number of messages in the current file transfer. When set to 1, the two position flag bytes identify the first and the last message of the transfer respectively, so the position of each message within the transfer, and hence the number of messages in the transfer, can be determined from their values. The specific process is as follows:
if the first flag shows that the current message is the first message of the transfer and the second flag shows that it is not the last, the current message is the first message of the transfer and continuation messages follow; the subsequent messages are examined until the second flag marks the last message of the transfer, and the messages are counted;
if the first flag shows that the current message is the first message of the transfer and the second flag shows that it is also the last, the current message is the only message of the transfer and no continuation follows; the number of messages in the transfer is determined to be 1;
if the first flag shows that the current message is not the first message of the transfer and the second flag shows that it is not the last, the current message is a middle message of the transfer and continuation messages follow; the subsequent messages are examined until the second flag marks the last message of the transfer, and the messages are counted;
if the first flag shows that the current message is not the first message of the transfer and the second flag shows that it is the last, no continuation follows, and the total number of messages is counted.
Further, when no continuation message follows the first message, the content of the first message is extracted and stored as the file path; when continuation messages follow the first message, the content of the first message is extracted and held temporarily, the subsequent messages are acquired, their content is identified and extracted in turn up to the last message of the transfer, and the extracted contents are assembled in order to obtain the file path.
Those skilled in the art will appreciate that the steps or components of the above embodiments may be implemented by a program instructing the associated hardware, and that the program may be stored in a computer readable storage medium such as ROM/RAM, a magnetic disk or an optical disk.
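The patent does not name its flag values or the fixed byte count it skips, so the following added example, which is not code from the patent or its assignee, implements the same pipeline (steps S100 to S300 together with the first/last position-flag reassembly just described) on the publicly documented structures that disk mapping actually uses: drive redirection runs over the "rdpdr" static virtual channel (MS-RDPEFS); the two position flags are the CHANNEL_FLAG_FIRST and CHANNEL_FLAG_LAST bits of the CHANNEL_PDU_HEADER (MS-RDPBCGR 2.2.6.1.1); and the path of a mapped file is carried in the server-to-client Device Create Request (IRP_MJ_CREATE), which is why the patent can confine itself to downlink messages. It assumes the bastion host terminates the RDP session, since under TLS or CredSSP security nothing below the patent's "decryption layer" is readable to a passive tap, and that the caller has already peeled the TPKT, X.224 and MCS layers and separated the two directions. The CHANNEL_FLAG_*, RDPDR_CTYP_CORE, PAKID_CORE_DEVICE_IOREQUEST and IRP_MJ_CREATE constants are the specification values; IGNORED_PREFIXES stands in for the unnamed 35-byte temporary-path string and, like the sample packets, is constructed for this example.

```python
# Added example, not code from the patent or its assignee. Input is assumed
# to be the per-chunk payloads of the "rdpdr" static virtual channel as seen
# by a bastion host that terminates the RDP session (TLS/CredSSP, TPKT, X.224
# and MCS already stripped); each item starts with the CHANNEL_PDU_HEADER of
# MS-RDPBCGR 2.2.6.1.1.
import struct
from typing import Iterable, List, Optional

CHANNEL_FLAG_FIRST = 0x00000001       # MS-RDPBCGR: first chunk of a message
CHANNEL_FLAG_LAST = 0x00000002        # MS-RDPBCGR: last chunk of a message
RDPDR_CTYP_CORE = 0x4472              # MS-RDPEFS header Component
PAKID_CORE_DEVICE_IOREQUEST = 0x4952  # MS-RDPEFS server-to-client I/O request
IRP_MJ_CREATE = 0x00000000            # MajorFunction of a create request
# Placeholder for the temporary-path prefix the patent masks but does not
# name; constructed for this example, not taken from the patent.
IGNORED_PREFIXES = ("\\Temp\\",)


def reassemble(chunks: Iterable[bytes]) -> List[bytes]:
    """Join channel chunks into messages using the FIRST/LAST flags.

    The patent's four position-flag cases: FIRST opens a message, a chunk with
    neither flag extends it, LAST closes it, FIRST|LAST is a one-chunk message.
    A continuation without a preceding FIRST chunk is dropped, and a message
    whose reassembled size differs from the header's total length is discarded.
    """
    messages: List[bytes] = []
    buf: Optional[bytearray] = None
    expected = 0
    for chunk in chunks:
        if len(chunk) < 8:
            continue
        length, flags = struct.unpack_from("<II", chunk, 0)
        if flags & CHANNEL_FLAG_FIRST:
            buf, expected = bytearray(), length
        elif buf is None:
            continue
        buf += chunk[8:]
        if flags & CHANNEL_FLAG_LAST:
            if len(buf) == expected:
                messages.append(bytes(buf))
            buf = None
    return messages


def parse_create_path(msg: bytes) -> Optional[str]:
    """Return the Path of a DR_CREATE_REQ (MS-RDPEFS 2.2.1.4.1), else None.

    Offsets: RDPDR_HEADER 0, DeviceId 4, FileId 8, CompletionId 12,
    MajorFunction 16, MinorFunction 20, DesiredAccess 24, AllocationSize 28,
    FileAttributes 36, SharedAccess 40, CreateDisposition 44, CreateOptions 48,
    PathLength 52, then the null-terminated UTF-16LE Path at 56.
    """
    if len(msg) < 56:
        return None
    if struct.unpack_from("<HH", msg, 0) != (RDPDR_CTYP_CORE, PAKID_CORE_DEVICE_IOREQUEST):
        return None
    if struct.unpack_from("<I", msg, 16)[0] != IRP_MJ_CREATE:
        return None
    path_len = struct.unpack_from("<I", msg, 52)[0]
    raw = msg[56:56 + path_len]
    if len(raw) != path_len or path_len % 2:
        return None  # truncated or malformed: never emit a partial path
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def extract_paths(downlink_chunks: Iterable[bytes],
                  ignored: tuple = IGNORED_PREFIXES) -> List[str]:
    """Patent steps S100 to S300 over documented RDPDR structures. Only
    server-to-client (downlink) create requests carry the path, so the caller
    passes that direction only; everything else is screened out."""
    paths = []
    for msg in reassemble(downlink_chunks):
        path = parse_create_path(msg)
        if path is not None and not path.startswith(ignored):
            paths.append(path)
    return paths


def build_create_request(path: str, device_id: int = 1) -> bytes:
    """Constructed DR_CREATE_REQ used as sample input, not captured traffic."""
    path_bytes = (path + "\x00").encode("utf-16-le")
    return (struct.pack("<HH", RDPDR_CTYP_CORE, PAKID_CORE_DEVICE_IOREQUEST)
            + struct.pack("<IIIII", device_id, 0, 7, IRP_MJ_CREATE, 0)
            + struct.pack("<IQIIIII", 0x80000000, 0, 0, 3, 1, 0x40, len(path_bytes))
            + path_bytes)


def chunk_message(msg: bytes, chunk_size: int) -> List[bytes]:
    """Split one message into CHANNEL_PDU_HEADER-prefixed chunks (sample input)."""
    pieces = [msg[i:i + chunk_size] for i in range(0, len(msg), chunk_size)]
    out = []
    for i, piece in enumerate(pieces):
        flags = CHANNEL_FLAG_FIRST if i == 0 else 0
        flags |= CHANNEL_FLAG_LAST if i == len(pieces) - 1 else 0
        out.append(struct.pack("<II", len(msg), flags) + piece)
    return out


if __name__ == "__main__":
    sample = build_create_request("\\reports\\2020\\q4.xlsx")
    print(extract_paths(chunk_message(sample, 40)))  # ['\\reports\\2020\\q4.xlsx']
```

Two checks address the failure the background section warns about: a continuation chunk that arrives without a FIRST chunk is dropped rather than parsed, and a message whose reassembled size disagrees with the header's total-length field is discarded, so a truncated path is never written to the audit record. The extracted path is relative to the root of the redirected drive; resolving DeviceId to the client's drive letter needs the Client Device List Announce message, which is not shown here.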
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (7)

1. An RDP-based method for parsing disk mapping file information, used to parse messages between an operation and maintenance end and a target end to obtain specific functional data, characterized in that parsing the message data comprises the following steps:
extracting the content flag byte of the message and judging from its value whether the message carries a file transfer; if so, proceeding to the next step; if not, ending the parsing;
extracting the direction flag bytes of the message and judging the file transfer direction from their values; if the direction flag values equal the specified values for uplink or downlink file transfer, proceeding to the next step; if not, ending the parsing;
and parsing the message content to obtain the file information, comprising the file name and the file path, and outputting the file information as the parsing result.
2. The parsing method of claim 1, wherein if the value of the content flag byte equals a first specified value and the message data is longer than a specific length, the message data is determined to be a disk-mapped file transfer; otherwise the parsing ends.
3. The parsing method of claim 2, wherein determining the direction of the transferred file from the values of the direction flag bytes of the message comprises: if the values of the 45th, 49th and 51st bytes of the message simultaneously match the second, third and fourth specified values respectively, the message is determined to be an uplink file transfer message; and if the value of the 45th byte of the message equals the fifth specified value, the message is determined to be a downlink file transfer message.
4. The parsing method of claim 3, wherein parsing a message determined to be a downlink file transfer comprises: skipping a fixed number of bytes from the start of the message content, extracting the data that follows to obtain the file name and file path, and outputting them as the parsing result.
5. The parsing method of claim 4, wherein, before the parsing result is output, the first 35 bytes of the file path are extracted and compared with a specified character string; if they match, the message content is ignored; and if they do not match, the complete file path is extracted as the parsing result.
6. The parsing method of claim 1, wherein parsing the message content to obtain the file transfer path further comprises determining, from two position flag bytes of the message, the position of the message within the current transfer and the number of messages in the current file transfer:
if the first flag shows that the current message is the first message of the transfer and the second flag shows that it is not the last, the current message is the first message of the transfer and continuation messages follow; the subsequent messages are examined until the second flag marks the last message of the transfer, and the messages are counted;
if the first flag shows that the current message is the first message of the transfer and the second flag shows that it is also the last, the current message is the only message of the transfer and no continuation follows; the number of messages in the transfer is determined to be 1;
if the first flag shows that the current message is not the first message of the transfer and the second flag shows that it is not the last, the current message is a middle message of the transfer and continuation messages follow; the subsequent messages are examined until the second flag marks the last message of the transfer, and the messages are counted;
if the first flag shows that the current message is not the first message of the transfer and the second flag shows that it is the last, no continuation follows, and the total number of messages is counted.
7. The parsing method of claim 6, wherein when no continuation message follows the first message, the content of the first message is extracted and stored as the file path; and when continuation messages follow the first message, the content of the first message is extracted and held temporarily, the subsequent messages are acquired, their content is identified and extracted in turn up to the last message of the transfer, and the extracted contents are assembled in order to obtain the file path.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202010101386.0A (CN113285904A) | 2020-02-19 | 2020-02-19 | RDP-based method for analyzing disk mapping file information

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202010101386.0A (CN113285904A) | 2020-02-19 | 2020-02-19 | RDP-based method for analyzing disk mapping file information

Publications (1)

Publication Number | Publication Date
CN113285904A (en) | 2021-08-20

Family

ID=77275063

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202010101386.0A (CN113285904A, pending) | RDP-based method for analyzing disk mapping file information | 2020-02-19 | 2020-02-19

Country Status (1)

Country | Link
CN (1) | CN113285904A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN115086308A * | 2022-04-27 | 2022-09-20 | 上海上讯信息技术股份有限公司 | RDP-based data transmission control method and device
CN115086308B * | 2022-04-27 | 2023-10-20 | 上海上讯信息技术股份有限公司 | RDP-based data transmission control method and device

Similar Documents

Publication | Title
US10887201B2 (en) Method for automatically monitoring end-to-end end user performance and apparatus for performing the method
JP5167501B2 (en) Network monitoring system and its operation method
WO2016082371A1 (en) Ssh protocol-based session parsing method and system
CN112714047B (en) Industrial control protocol flow based test method, device, equipment and storage medium
US20110055470A1 (en) Measuring attributes of client-server applications
US7742415B1 (en) Non-intrusive knowledge suite for evaluation of latencies in IP networks
US20050050098A1 (en) System and method for aligning data frames in time
WO2021164261A1 (en) Method for testing cloud network device, and storage medium and computer device
CN111737128A (en) On-line testing method, gray level shunting equipment and storage medium
US10983848B2 (en) Implicit push data transfer
CN113285904A (en) RDP-based method for analyzing disk mapping file information
CN111224891A (en) Traffic application identification system and method based on dynamic learning triples
CN113282358A (en) File transmission analysis method and device of bastion machine
CN111367686A (en) Service interface calling method and device, computer equipment and storage medium
CN113285965A (en) Analysis method for RDP text transmission of bastion machine
CN107517237A (en) A kind of video frequency identifying method and device
CN113472878B (en) Method and device for realizing file dragging transmission in VNC by using browser plug-in
CN113778709B (en) Interface calling method, device, server and storage medium
CN111245880A (en) Behavior trajectory reconstruction-based user experience monitoring method and device
CN110493081B (en) Method, device, equipment and storage medium for determining network traffic of game client
CN111611134A (en) Time monitoring method and device, application terminal and storage medium
CN112714153A (en) Processing method and device compatible with multiple TCPs (Transmission control protocol) based on Internet of things system
CN109840264B (en) Method and device for auditing access of application program database
CN111294382A (en) Real-time data pushing method and device
CN115037793B (en) User datagram protocol data processing method and device and electronic equipment

Legal Events

Code | Title | Description
PB01 | Publication | Application publication date: 20210820
WD01 | Invention patent application deemed withdrawn after publication |