CN116866209A - Database traffic filtering method and system based on remote call network address - Google Patents


Publication number: CN116866209A
Application number: CN202310815905.3A
Authority: CN (China)
Legal status: Pending
Original language: Chinese (zh)
Inventors: 夏旭东, 殷德明
Assignee: Beijing Dbsec Technology Co ltd

Classifications: H04L43/028 (capturing of monitoring data by filtering); G06F16/211 (schema design and management); H04L43/12 (network monitoring probes); H04L49/208 (port mirroring); H04L67/01 (protocols); H04L67/133 (protocols for remote procedure calls [RPC]); H04L67/63 (routing a service request depending on the request content or context); Y02D30/50 (reducing energy consumption in wire-line communication networks)

Abstract

The application discloses a database traffic filtering method and system based on a remote-call network address. The method comprises the following steps: an agent program obtains the database traffic exchanged between a database client and a database server from the loopback address of the network card on the database host; the agent program obtains, from that traffic, the network information used by the remote access program that invoked the database client, where the network information comprises the network address and/or port number used by the remote access program; the agent program determines from the network information whether the database traffic needs to be audited; and, where the traffic needs to be audited, the agent program sends it to the auditing device for auditing. The application solves the problem that database traffic captured by the agent program cannot be distinguished by origin, which wastes audit resources, thereby improving audit efficiency and saving audit resources.

Description

Database traffic filtering method and system based on remote call network address
Technical Field
The application relates to the field of databases, and in particular to a database traffic filtering method and system based on a remote-call network address.
Background
Database audit (DBAudit for short) is centered on security events. Based on comprehensive and precise auditing, it records database activity on the network in real time, performs fine-grained compliance auditing of database operations, and raises real-time alerts on risky behaviour against the database. By recording, analysing and reporting the behaviour of users accessing the database, it helps the user generate compliance reports and trace incidents after the fact, and provides efficient audit-report queries and event-cause localisation through big-data search so that event causes can later be queried, analysed and filtered. It thus monitors and audits the network behaviour of both internal and external databases and improves the security of data assets.
When auditing a database, a switch can be used to copy (mirror) the database traffic, and the copied traffic is then sent to the auditing device for auditing. This applies where the database client and the database server are no longer on the same machine: the traffic between them passes through the switch, so the traffic passing through the switch can be duplicated.
If the database client and the database server are on the same machine, the database traffic between them does not pass through a switch and so cannot be mirrored. In this case an agent program (agent for short) must be installed on that machine. The agent captures packets on the machine's network card and sends the captured database traffic to the auditing device for auditing. When capturing on the network card, the agent can capture the packets of the loopback address (127.0.0.1), but then all database traffic between the client and the server is sent to the auditing device: the traffic cannot be filtered, and traffic that never needed auditing is also sent, wasting audit resources.
Disclosure of Invention
Embodiments of the application provide a database traffic filtering method and system based on a remote-call network address, which at least solve the problem of wasted audit resources caused by the agent program being unable to distinguish the database traffic it captures.
According to one aspect of the application, there is provided a database traffic filtering method based on a remote-call network address, comprising: an agent program obtains the database traffic exchanged between a database client and a database server from the loopback address of the network card on the database host, where the agent program, the database client and the database server are all installed on the database host, and the database traffic is generated when a remote access program logs in to the database host and invokes the database client to access the database server; the agent program obtains, from the database traffic, the network information used by the remote access program that invoked the database client, where the network information comprises the network address and/or port number used by the remote access program; the agent program determines from the network information whether the database traffic needs to be audited; and, where the database traffic needs to be audited, the agent program sends it to the auditing device for auditing.
Further, obtaining the network information used by the remote access program that invoked the database client comprises: the agent program obtains the identification information of the database client process; from the process identification information, the agent program obtains the information of the terminal on the database host in which the remote-call program runs the database client; and from the terminal information, the agent program obtains the network information used by the remote-call program.
Further, the agent program obtaining the identification information of the database client process comprises: the agent program obtains the port number used by the database client and obtains the identification information of the database client process from that port number.
Further, obtaining the network information used by the remote access program that invoked the database client comprises: the agent program obtains a preset function, the preset function being a function built into the operating system running on the database host and used to obtain the network information used by the remote access program; and, once the preset function has been obtained, the agent program obtains the network information used by the remote access program from it.
According to another aspect of the application, there is also provided a database traffic filtering system based on a remote-call network address, the system comprising an agent program that comprises: a first acquisition module for acquiring the database traffic exchanged between the database client and the database server from the loopback address of the network card on the database host, where the agent program, the database client and the database server are all installed on the database host, and the database traffic is generated when a remote access program logs in to the database host and invokes the database client to access the database server; a second acquisition module for acquiring, from the database traffic, the network information used by the remote access program that invoked the database client, where the network information comprises the network address and/or port number used by the remote access program; a determining module for determining from the network information whether the database traffic needs to be audited; and a sending module for sending the database traffic to the auditing device for auditing where the database traffic needs to be audited.
Further, the second acquisition module is configured to: acquire the identification information of the database client process; from the process identification information, acquire the information of the terminal on the database host in which the remote-call program runs the database client; and from the terminal information, acquire the network information used by the remote-call program.
Further, the second acquisition module is configured to: acquire the port number used by the database client and acquire the identification information of the database client process from that port number.
Further, the second acquisition module is configured to: acquire a preset function, the preset function being a function built into the operating system running on the database host and used to acquire the network information used by the remote access program; and, once the preset function has been acquired, acquire the network information used by the remote access program from it.
According to another aspect of the application, there is also provided an electronic device comprising a memory and a processor, where the memory is configured to store one or more computer instructions, and the one or more computer instructions are executed by the processor to perform the method steps described above.
According to another aspect of the application, there is also provided a readable storage medium storing computer instructions which, when executed by a processor, perform the above method steps.
In the embodiments of the application, an agent program obtains the database traffic exchanged between a database client and a database server from the loopback address of the network card on the database host, where the agent program, the database client and the database server are all installed on the database host, and the database traffic is generated when a remote access program logs in to the database host and invokes the database client to access the database server; the agent program obtains, from the database traffic, the network information used by the remote access program that invoked the database client, where the network information comprises the network address and/or port number used by the remote access program; the agent program determines from the network information whether the database traffic needs to be audited; and, where the database traffic needs to be audited, the agent program sends it to the auditing device for auditing. The application solves the problem that database traffic captured by the agent program cannot be distinguished by origin, which wastes audit resources, thereby improving audit efficiency and saving audit resources.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application. In the drawings:
FIG. 1 is a schematic diagram of three audit modes according to an embodiment of the application;
FIG. 2 is a schematic diagram of an audit traffic acquisition mode according to an embodiment of the application;
FIG. 3 is a schematic diagram of an agent program capturing database traffic from a network card according to an embodiment of the application;
FIG. 4 is a schematic diagram of an agent program capturing database traffic through a network card according to an embodiment of the application; and
FIG. 5 is a flowchart of database traffic filtering based on a remote-call network address according to an embodiment of the application.
Detailed Description
It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other. The application will be described in detail below with reference to the drawings in connection with embodiments.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
The terms probe (also called agent) and plug-in are used below; their functions are described in connection with the database auditing product. A database audit product analyses the traffic between networks, parses the database information in it and performs auditing. Database auditing provides several acquisition modes for different kinds of database traffic: a mirrored-traffic mode, a local audit mode and a local audit plug-in mode, each aimed at a different scenario. Fig. 1 is a schematic diagram of the three audit modes according to an embodiment of the application. As shown in Fig. 1, the mirrored-traffic mode obtains the database traffic to be audited (also called audit data) through the port-mirroring function of a switch and then sends the audit data to the auditing device (also called the auditing service) for auditing. The local audit mode deploys a small agent program on the device where the database is located; the agent obtains the database access traffic from the local network card and returns it to the auditing device. The local audit plug-in mode is for the scenario in which the client and the database are used directly on the same device and the client exchanges data through shared memory, pipes, UNIX domain sockets (UDS) and the like, so that the traffic cannot be obtained from the network card. In that case a plug-in is deployed in the client to obtain the traffic, which is sent to the agent program and then forwarded by the agent to the auditing device.
Fig. 2 is a schematic diagram of an audit traffic acquisition mode according to an embodiment of the application. As shown in Fig. 2, a database client (db-client) and a database server (db-server) are deployed on a database host, a plug-in is installed in the database client, and the plug-in captures the data of the SQL interaction between the database client and the server; these data are sent as audit data to the agent, and the agent sends the audit data to the auditing device. The auditing device provides an interface and a program (the rms program for short) for receiving the audit data, and then performs protocol parsing of the received audit data to obtain the final audit result.
In Fig. 2 the plugin is a program that can be embedded in the database client to obtain, through interface feature information, the interaction traffic between the database client and the database server. In the following embodiments the plugin may record the obtained feature information of the database client's packet send/receive interfaces in a file; the feature information differs for different client types and client versions.
Besides acquiring database traffic from the plugin, the agent also captures traffic from the network card. Fig. 3 is a schematic diagram of the agent program capturing database traffic from the network card according to an embodiment of the application. As shown in Fig. 3, the database client and the database server interact through network card 2, i.e. all database traffic between them passes through network card 2; the agent captures the database traffic on that network card and then sends it to the auditing device through network card 2, and the auditing device receives the database traffic through the rms program and audits it.
In the scenarios shown in Figs. 1 to 3, the type of each of the databases installed on one server is obtained, one database client being used to connect to each database server among them; the feature information and port number of each database are obtained according to its type; the feature information and port number of each database are written into a separate file; and each such file is the file loaded when a plug-in starts, one file per plug-in, the plug-in being used to acquire the database traffic between the database client and the database server corresponding to that file, the traffic being used for database auditing. The feature information indicates the information used to connect to the database.
Optionally, the method further comprises: the plug-in sends the acquired database traffic to the agent program; and the agent program sends the database traffic to the auditing device for auditing, the agent program and the plug-in both being deployed on the server.
Optionally, the agent program sending the database traffic to the auditing device for auditing comprises: the agent program receives information from the auditing device comprising the port number and IP address of a database server; the agent program stores the correspondence between the auditing device and the database server's port number and IP address; and the agent program sends the database traffic from the different port numbers and IP addresses to the corresponding auditing devices according to that correspondence.
Optionally, the agent program storing the correspondence between the auditing device and the database server's port number and IP address comprises: the agent program hashes the port number and IP address to obtain a result, and stores the correspondence between the auditing device and that result.
The following embodiments are mainly directed at the scenario in which the agent program acquires the local operating traffic of a database, specifically where the database client and the database server are on the same device. In this case only the IP 127.0.0.1 can be audited; the IP address of the program that invoked the database client cannot be. If the IP address of the application program that invoked the database client could be obtained, filtering could be performed on that address: if the database traffic generated when the application program at a certain IP address invokes the database client does not need to be audited, it can be filtered out.
Fig. 4 is a schematic diagram of an agent program capturing database traffic through a network card. As shown in Fig. 4, the IP address of the database host is B; the database client, the database server and the agent are installed on the database host; a first application program runs on executor device A, whose IP address is A. The first application program invokes the database client (db-client) through the external network card of database host B, the database client invokes the database server (db-server) through the loopback card, the database traffic between the database client and the database server passes over the loopback card, and the agent program captures packets from the loopback card to obtain the database traffic and then sends it to the auditing device. If a second application program on executor device C also invokes the database client, the agent sends the database traffic generated by both the first and the second application program's invocations to the auditing device, and if the traffic generated by the first application program does not need to be audited, the agent cannot filter it out.
To solve this problem, the following embodiment provides a database traffic filtering method based on a remote-call network address according to one aspect of the application. Fig. 5 is a flowchart of database traffic filtering based on a remote-call network address according to an embodiment of the application; the steps in Fig. 5 are described below.
In step S502, the agent program obtains the database traffic exchanged between the database client and the database server from the loopback address of the network card on the database host, where the agent program, the database client and the database server are all installed on the database host, and the database traffic is generated when a remote access program logs in to the database host and invokes the database client to access the database server.
In step S504, the agent program obtains, from the database traffic, the network information used by the remote access program that invoked the database client, where the network information comprises the network address and/or port number used by the remote access program.
In step S506, the agent program determines from the network information whether the database traffic needs to be audited.
In step S508, where the database traffic needs to be audited, the agent program sends it to the auditing device for auditing.
The method solves the problem of wasted audit resources caused by the agent program being unable to distinguish the database traffic it captures, thereby improving audit efficiency and saving audit resources.
In one embodiment, obtaining the network information used by the remote access program that invoked the database client comprises: the agent program obtains the identification information of the database client process; from the process identification information, the agent program obtains the information of the terminal on the database host in which the remote-call program runs the database client; and from the terminal information, the agent program obtains the network information used by the remote-call program.
For example, the agent program obtaining the identification information of the database client process comprises: the agent program obtains the port number used by the database client and obtains the identification information of the database client process from that port number.
In another embodiment, obtaining the network information used by the remote access program that invoked the database client comprises: the agent program obtains a preset function, the preset function being a function built into the operating system running on the database host and used to obtain the network information used by the remote access program; and, once the preset function has been obtained, the agent program obtains the network information used by the remote access program from it.
Typically, the executor device logs in to the database host through an application program, which can be regarded as a program for remote access to the database host; this example therefore provides a method of obtaining the IP address of the device on which the remote executor is located.
Two systems, Windows and Linux, are used as illustrations, since they are the most widely used systems at present; other systems can follow the approach used on these two and are not described in detail. With the technical scheme in this example, source information is not only used to distinguish local traffic for auditing; the problem of confirming the role of the executor itself, similar to what a network firewall does, can also be solved, on the basis that the IP address of the application program remotely accessing the database host can be acquired.
On a Linux system, the following steps may be performed:
Step S1: an executor on device A connects by ssh to database host B and runs a db-client program to access the db-server.
Step S2: the db-client accesses the db-server through the local loopback network card, so the traffic passes over the loopback card.
Step S3: the agent acquires the traffic of the db-client accessing the db-server from the loopback card. (The agent program alone is taken as the example here; in plug-in mode the traffic is obtained from the plug-in in the same way.)
Step S4: from the traffic acquired by the agent, parse the system port number used by the db-client, and use that port number to obtain the process pid (the process identification information) of the db-client via /proc/net/tcp. (Strictly, /proc/net/tcp maps the local port to the socket's inode number; the pid is that of the process whose /proc/<pid>/fd entries contain a link to socket:[<inode>].)
Step S5: using the db-client's pid, the agent obtains the terminal information of the db-client from /proc/<pid>/stat (the tty_nr field, which for an ssh session identifies a /dev/pts/N pseudo-terminal).
Step S6: using the terminal information of the db-client, the agent obtains the executor device IP A from the login records in /var/run/utmp (the ut_host field of the USER_PROCESS entry whose ut_line matches that terminal).
Step S7: the agent can then filter the traffic by that IP and decide whether the IP is audited or not.
Steps S5 and S6 depend on the db-client still being attached to the pseudo-terminal of the ssh login; a client started from cron, under nohup, or inside a detached screen or tmux session has no such terminal, and the agent should treat traffic it cannot attribute to an executor as traffic to be audited rather than filtering it out.
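As an added illustration of steps S4 to S7 (example code written for this page, not code from the patent or from the assignee's product), the following Python resolves an established loopback connection back to the ssh executor's IP from the four Linux sources the steps name. It assumes an x86_64 glibc host (little-endian words in /proc/net/tcp, the 384-byte struct utmp layout, pty slave major 136); the port, pids, inode and addresses are constructed sample data, and it includes the /proc/<pid>/fd step that the pid lookup actually requires.

```python
"""Attribute a loopback database connection to the remote ssh executor's IP (Linux).

Chain: local port -> socket inode (/proc/net/tcp) -> pid (/proc/<pid>/fd)
-> tty_nr (/proc/<pid>/stat) -> pts/N -> ut_host of the matching /var/run/utmp entry.
All inputs below are constructed sample data; on a live host read the real files
(root is needed to read other users' /proc/<pid>/fd).
"""
import socket
import struct

# Constructed /proc/net/tcp: row 0 is an ESTABLISHED connection from the assumed
# db-client on 127.0.0.1:45678 (hex B26E) to db-server on 127.0.0.1:3306 (hex 0CEA).
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:B26E 0100007F:0CEA 01 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 20 4 30 10 -1\n"
    "   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9999 1 0000000000000000 100 0 0 10 0\n"
)
# Constructed readlink() targets of /proc/<pid>/fd/*; pid 4242 is the assumed db-client,
# pid 4200 the login shell that sshd spawned for the executor.
SAMPLE_FD_LINKS = {
    4200: ["/dev/pts/2", "/dev/pts/2", "/dev/pts/2"],
    4242: ["/dev/pts/2", "/dev/pts/2", "/dev/pts/2", "socket:[123456]"],
}
# Constructed /proc/4242/stat; field 7 (tty_nr) is 34818 = major 136, minor 2 = /dev/pts/2.
SAMPLE_STAT_BY_PID = {
    4242: "4242 (db client) S 4200 4242 4200 34818 4242 4194304 0 0 0 0 1 0 0 0 20 0 1 0 100 1000 2 0",
}

UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"  # glibc struct utmp, x86_64 (assumption)
UTMP_SIZE = struct.calcsize(UTMP_FMT)     # 384 bytes
USER_PROCESS = 7                          # ut_type of a logged-in session


def make_utmp_record(ut_type, pid, line, user, host):
    """Build one utmp record (constructed test data; on a real host sshd writes these)."""
    try:
        addr0 = struct.unpack("<i", socket.inet_aton(host))[0]  # ut_addr_v6[0] for IPv4
    except OSError:
        addr0 = 0
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, 0, 0, addr0, 0, 0, 0)


SAMPLE_UTMP = (make_utmp_record(USER_PROCESS, 4100, "pts/1", "bob", "10.0.0.9")
               + make_utmp_record(USER_PROCESS, 4200, "pts/2", "alice", "10.0.0.5"))


def _hex_ip(word):
    # /proc/net/tcp prints the 32-bit address in host byte order, so on a
    # little-endian host repack the word as "<I" before inet_ntoa.
    return socket.inet_ntoa(struct.pack("<I", int(word, 16)))


def parse_proc_net_tcp(text):
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = f[1].split(":")
        rip, rport = f[2].split(":")
        rows.append({"local_ip": _hex_ip(lip), "local_port": int(lport, 16),
                     "remote_ip": _hex_ip(rip), "remote_port": int(rport, 16),
                     "state": f[3], "inode": int(f[9])})
    return rows


def inode_for_local_port(rows, port):
    for r in rows:
        if r["local_port"] == port and r["state"] == "01":  # 01 = TCP_ESTABLISHED
            return r["inode"]
    return None


def pid_for_socket_inode(inode, fd_links):
    """The link step S4 glosses over: the pid is whichever process holds socket:[inode]."""
    target = f"socket:[{inode}]"
    return next((pid for pid, links in fd_links.items() if target in links), None)


def tty_name_from_stat(stat_text):
    # comm (field 2) may contain spaces or ')', so split after the last ')'.
    rest = stat_text[stat_text.rfind(")") + 2:].split()
    tty_nr = int(rest[4])  # fields after comm: state ppid pgrp session tty_nr
    major = (tty_nr >> 8) & 0xFF
    minor = (tty_nr & 0xFF) | ((tty_nr >> 12) & 0xFFF00)
    return f"pts/{minor}" if major == 136 else None  # 136 = UNIX98 pty slave major


def utmp_host_for_line(utmp_bytes, line):
    for off in range(0, len(utmp_bytes) - UTMP_SIZE + 1, UTMP_SIZE):
        rec = struct.unpack_from(UTMP_FMT, utmp_bytes, off)
        ut_type, ut_line, ut_host, addr0 = rec[0], rec[2], rec[5], rec[11]
        if ut_type != USER_PROCESS or ut_line.rstrip(b"\0").decode() != line:
            continue
        host = ut_host.rstrip(b"\0").decode(errors="replace")
        if host:
            return host
        if addr0:  # ut_host empty: fall back to the binary ut_addr_v6[0]
            return socket.inet_ntoa(struct.pack("<i", addr0))
    return None


def resolve_executor_ip(local_port, proc_net_tcp, fd_links, stat_by_pid, utmp_bytes):
    """Steps S4 to S6 end to end; None when any hop cannot be attributed."""
    inode = inode_for_local_port(parse_proc_net_tcp(proc_net_tcp), local_port)
    pid = pid_for_socket_inode(inode, fd_links) if inode is not None else None
    tty = tty_name_from_stat(stat_by_pid[pid]) if pid in stat_by_pid else None
    return utmp_host_for_line(utmp_bytes, tty) if tty else None


def should_audit(executor_ip, skip_ips):
    """Step S7. Fails closed: unattributed traffic is audited, never silently dropped."""
    return executor_ip is None or executor_ip not in skip_ips


if __name__ == "__main__":
    ip = resolve_executor_ip(45678, SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS,
                             SAMPLE_STAT_BY_PID, SAMPLE_UTMP)
    print("executor:", ip, "audit:", should_audit(ip, {"10.0.0.5"}))
```

On a live host the four sample inputs are replaced by open("/proc/net/tcp").read(), a dict built from os.readlink over /proc/<pid>/fd for every numeric /proc entry, open(f"/proc/{pid}/stat").read() and open("/var/run/utmp", "rb").read(); the decision function deliberately audits any connection whose executor could not be resolved, since an exclusion list is only as trustworthy as the attribution behind it.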
Under Windows the connection is not ssh but Remote Desktop, so the method of obtaining the executor device IP differs from Linux: the WTSQuerySessionInformation function (queried with the WTSClientAddress information class) can be used to obtain the IP of executor device A directly.
Steps S4, S5 and S6 are then replaced by the following step:
Step S4': obtain the IP of executor device A using the WTSQuerySessionInformationA function.
In addition to the above, filtering may also be performed by a plug-in, as follows: the plug-in obtains configuration information comprising identification information of programs that invoke the database client to interact with the database server, the plug-in being installed in the database client; the plug-in obtains the database traffic exchanged between the database client and the database server; the plug-in obtains the identification information of the program that invoked the database client to generate that traffic; and the plug-in judges whether the program's identification information is in the configuration information and, from the result, determines whether the traffic needs to be audited. If it does, the plug-in sends the traffic to the agent; if not, the traffic is not sent to the agent. The agent then performs further filtering by network address according to the method above.
In this embodiment, there is provided an electronic device including a memory in which a computer program is stored, and a processor configured to run the computer program to perform the method in the above embodiment.
The above-described programs may be run on a processor or may also be stored in memory (or referred to as computer-readable media), including both permanent and non-permanent, removable and non-removable media, and information storage may be implemented by any method or technique. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device.
These computer programs may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block or blocks and/or block diagram block or blocks, and corresponding steps may be implemented in different modules.
Such an apparatus or system is provided in this embodiment. The system is called a database traffic filtering system based on remote call network addresses, characterized in that the system comprises a proxy program comprising: the first acquisition module is used for acquiring the interactive database flow between the database client and the database server from the loop-back address of the network card on the database server, wherein the agent program, the database client and the database server are all arranged on the database server, and the database flow is generated by logging in a remote access program on the database server and calling the database client to access the database server; the second acquisition module is used for acquiring network information used by calling a remote access program of the database client from the database flow, wherein the network information comprises a network address and/or a port number used by the remote access program; the determining module is used for determining whether the database flow needs to be audited according to the network information; and the sending module is used for sending the database flow to auditing equipment for auditing under the condition that the database flow needs to be audited.
The system or the device is used to realize the functions of the method in the above embodiment, and each module in the system or the device corresponds to a step of the method; these steps have already been described for the method and are not repeated here.
Optionally, the second obtaining module is configured to: acquiring identification information of the database client process; acquiring information of a terminal of a remote calling program where the database client is located on the database server according to the identification information of the database client process; and acquiring network information used by the remote calling program according to the information of the terminal.
Optionally, the second obtaining module is configured to: and acquiring the port number used by the database client, and acquiring the identification information of the database client process according to the port number.
Optionally, the second obtaining module is configured to: acquiring a preset function, wherein the preset function is a preset function built in an operating system running on the database server and is used for acquiring network information used by the remote access program; and acquiring network information used by the remote access program from the preset function under the condition that the preset function is acquired.
The method and the device solve the problem that audit resources are wasted because the agent program cannot distinguish between database traffic flows, thereby improving audit efficiency and saving audit resources.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (10)

1. A method for filtering database traffic based on a remote invocation network address, comprising:
an agent program obtains interactive database traffic between a database client and a database server from a loopback address of a network card on the database server, wherein the agent program, the database client and the database server are all installed on the database server, and the database traffic is generated when a remote access program logs in to the database server and calls the database client to access the database server;
the agent program obtains network information used by a remote access program for calling the database client from the database flow, wherein the network information comprises a network address and/or a port number used by the remote access program;
the agent program determines whether the database traffic needs to be audited according to the network information;
and under the condition that the database flow needs to be audited, the agent program sends the database flow to auditing equipment for auditing.
2. The method of claim 1, wherein obtaining network information used by a remote access program invoking the database client comprises:
the agent program obtains the identification information of the database client process;
the agent program obtains the information of a terminal of a remote calling program where the database client is located on the database server according to the identification information of the database client process;
the agent program obtains network information used by the remote calling program according to the information of the terminal.
3. The method of claim 2, wherein the agent obtaining identification information of the database client process comprises:
the agent program obtains the port number used by the database client and obtains the identification information of the database client process according to the port number.
4. The method of claim 1, wherein obtaining network information used by a remote access program invoking the database client comprises:
the agent program obtains a preset function, wherein the preset function is a preset function built in an operating system running on the database server and is used for obtaining network information used by the remote access program;
and when the preset function is obtained, the agent program obtains the network information used by the remote access program from the preset function.
5. A database traffic filtering system based on remote invocation network addresses, said system comprising a proxy program, said proxy program comprising:
the first acquisition module is used for acquiring the interactive database flow between the database client and the database server from the loop-back address of the network card on the database server, wherein the agent program, the database client and the database server are all arranged on the database server, and the database flow is generated by logging in a remote access program on the database server and calling the database client to access the database server;
the second acquisition module is used for acquiring network information used by calling a remote access program of the database client from the database flow, wherein the network information comprises a network address and/or a port number used by the remote access program;
the determining module is used for determining whether the database flow needs to be audited according to the network information;
and the sending module is used for sending the database flow to auditing equipment for auditing under the condition that the database flow needs to be audited.
6. The system of claim 5, wherein the second acquisition module is configured to:
acquiring identification information of the database client process;
acquiring information of a terminal of a remote calling program where the database client is located on the database server according to the identification information of the database client process;
and acquiring network information used by the remote calling program according to the information of the terminal.
7. The system of claim 6, wherein the second acquisition module is configured to:
and acquiring the port number used by the database client, and acquiring the identification information of the database client process according to the port number.
8. The system of claim 5, wherein the second acquisition module is configured to:
acquiring a preset function, wherein the preset function is a preset function built in an operating system running on the database server and is used for acquiring network information used by the remote access program;
and acquiring network information used by the remote access program from the preset function under the condition that the preset function is acquired.
9. An electronic device comprising a memory and a processor, wherein the memory is for storing one or more computer instructions, and the one or more computer instructions are executed by the processor to implement the method steps of any of claims 1 to 4.
10. A readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the method steps of any of claims 1 to 4.
Application CN202310815905.3A, priority date 2023-07-04, filing date 2023-07-04: Database traffic filtering method and system based on remote call network address. Status: Pending. Publication CN116866209A (en).


Publications (1)

Publication Number Publication Date
CN116866209A true CN116866209A (en) 2023-10-10

Family

ID=88233461


Country Status (1)

Country Link
CN (1) CN116866209A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination