CN1917445B - Method for auditing log event of fire wall, and teaching experimental system - Google Patents

Method for auditing log event of fire wall, and teaching experimental system

Info

Publication number: CN1917445B
Authority: CN (China)
Prior art keywords: log, user, packet filtering, user group
Legal status: Active
Application number: CN2006100309010A
Other languages: Chinese (zh)
Other versions: CN1917445A (en)
Inventors: 李建华, 马进, 杨树堂, 陆松年, 赵勇
Current assignee: Shanghai Jiaotong University
Original assignee: Shanghai Jiaotong University
Priority date: 2006-09-07
Filing date: 2006-09-07
Publication date: 2007-02-21 (CN1917445A), 2010-09-29 (CN1917445B)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
Abstract

The invention is designed for use in a LAN and reproduces the whole process by which a firewall produces its logs. iptables and FWTK produce the original logs and cooperate with the per-class log generation modules to generate each class of log; by comparing the packet-filtering and application-proxy rules with their corresponding logs, the user gains a deeper understanding of the effect of a rule setting. The system comprises a packet-filter log generation and parsing module, an application-proxy log generation and parsing module, and a log classification and output module.

Description

Method for auditing firewall log events and teaching experiment system
Technical field
The present invention relates to the field of network security technology, specifically to a method for auditing firewall log events and a teaching experiment system, namely a method and teaching experiment system that realise multi-user firewall log event auditing within a large-scale, multi-user information security teaching experiment system.
Background technology
A firewall is a system, or a group of components, that enforces an access control policy on the channel through which networks connect. It can be realised at the link layer, the network layer and the application layer; the essential characteristic of its function is to isolate the internal network from the external network and to impose access control on the information flow crossing between them, thereby protecting network resources (including hosts, subnets and sites).
A firewall system (FWS) is the system that carries out the firewall security policy. It is usually deployed at the outermost edge of the intranet, the point that connects directly to the external network; it is therefore the first line of defence protecting the intranet against attacks from outside and plays an important role. Its functions include restricting entry of outsiders into the internal network, filtering information, blocking network attacks, access control, recording and monitoring network access and visits, and encrypted transmission between configured networks.
Log auditing is an important component of a firewall system. The log records all connections and network activity that pass through the firewall system; the administrator can monitor timestamps, actions, source addresses, destination addresses, errors, services and so on. Firewall logs serve as important material for later security audits. At present, however, log processing for large-scale, multi-user teaching experiment systems lacks an effective means of grouping and classifying logs per user, formatting the output, and integrating it into an experiment report. Today, when large-scale multi-user teaching experiment systems are developing rapidly, classified per-user log output and experiment-report integration have become a bottleneck in system development that urgently needs to be solved.
According to our investigation, the main function of the commercial firewall log products on the market is to use various means within a complex network system to analyse the logs produced by the local machine or by the network segment it monitors. These products concentrate entirely on processing the logs of the local machine or monitored segment; they still lack classified processing for large-scale, multi-user grouped logs and do not integrate experiment reports. Because they are not built for teaching or training purposes, they do not integrate grouped per-user log output or classified log output into an experiment report. Support for large-scale multi-user teaching experiment systems remains to be developed.
A firewall log event audit teaching experiment with teaching as its purpose aims to provide multiple users with an experimental environment in which each user can check the log of their own group and verify the effect of implementing the classified rules. In this experimental system the user selects a log type and compares it with the rules set in the firewall teaching experiment system, thereby understanding the firewall rules and their effect. Commercial firewall products are not developed with teaching as the purpose, so they are not suitable for teaching experiments. Developing a large-scale multi-user log event audit experiment system suited to teaching is an urgent task.
A further search found no literature identical or similar to the subject of the present invention.
Summary of the invention
The objective of the invention is to overcome the limitations of existing commercial firewall products, such as the lack of log grouping and classification and of experiment-report integration, by proposing a method for auditing firewall log events and a teaching experiment system. It aims to resolve the contradiction between the increasingly serious state of network security and the continuing development of network security technology on the one hand, and the lack of corresponding teaching experiments in the practical teaching link on the other; to let students deepen their understanding of firewall logs and of the effect of rule settings; and to be applicable in a multi-user environment.
The present invention is achieved through the following technical solution: in a LAN environment with controlled traffic, the whole process by which multi-user firewall logs are generated is faithfully reproduced; an open-source firewall system monitors the network traffic of the whole segment, and by comparing log types with the corresponding rule settings the user deepens their understanding of firewall rule configuration.
The concrete implementation of the firewall log event audit method of the present invention is as follows. In a LAN environment with controlled traffic, the typical open-source firewall systems iptables and FWTK are deployed. iptables is configured so that the traffic of each user group it records is logged, both successful accesses and failed ones; FWTK log entries are generated automatically. For multi-user log initialisation no special arrangement is needed at first. Then the failed and successful log entries relevant to a given group are extracted from the packet-filter logs generated by each iptables instance, marked, and dumped to a file. The FWTK group log is likewise dumped to a file. Finally the classification output module expands the packet-filter (iptables) and application-proxy (FWTK) log files relevant to the group and outputs them as a list by class and by time. In the experiment-report part of the classification output module, the packet-filter or application-proxy rules set by the user's group and the corresponding logs are displayed; by comparing them the user can observe the degree to which the classified rules and their corresponding logs agree, that is, verify how theory matches practice. In other words, the experiment report focuses on comparing the expected log result that the user derives in theory from the configured rules against the actual log result; by repeatedly changing the rules, or changing the order of several rules, and comparing the resulting logs, the user deepens their understanding of firewall rule configuration.
The iptables configuration performs log detection on the traffic of the configured user group and separates successful from failed traffic; on this basis a more detailed log record for the users of the relevant group is generated.
The firewall log event audit experiment of the present invention lets users understand the various firewall logs by grouping and classifying the multi-user logs for display, helping users understand comprehensively the result of a firewall rule setting.
The firewall log event audit teaching experiment system realised on the basis of the above method comprises: a packet-filter log generation and parsing module, an application-proxy log generation and parsing module, and a log classification output module. When a user logs in, the system and the packet-filter log generation and parsing module start packet-filter log recording, and application-proxy logging starts with the application-proxy program; the system's logging part is thereby initialised. While the user carries out the network verification experiment, the logging part records and generates the system's original log file, stored in a fixed file. When the user chooses to view logs, the packet-filter log part starts the packet-filter log generation and parsing module, which parses the packet-filter part of the system log and generates a packet-filter log file carrying the user ID, stored under a configured directory; the application-proxy log part starts the application-proxy log generation and parsing module, which parses the application-proxy part of the system log and generates an application-proxy log file carrying the user ID, also stored under a configured directory. The log classification output module reads the log file of the type the user requests and displays it page by page.
The packet-filter log generation and parsing module controls the generation of packet-filter logs. It comprises starting the per-group packet-filter log recording when the user logs in to the system, and the final recording of the group's failed and successful log entries. After the user has set packet-filter rules and performed the network access operations that verify them, the module first adds the group user ID to the system log entries and adds a failure mark to the failed-access entries; it then parses and collects the group's log entries and dumps them into a packet-filter log file carrying the group user ID, awaiting further processing by the log classification output module.
The application-proxy log generation and parsing module controls the generation of application-proxy logs. It comprises parsing the system log; using the user IP, in combination with the user ID and the identifiers specific to application-proxy logs, to generate the configured user group's log; dumping it into an application-proxy log file carrying the group user ID; and performing detailed log analysis of successful and failed user authentication and the associated network access operations.
The log classification output module outputs, in tabular form, the classified log files generated by parsing for both the packet-filter and the application-proxy log types, and supports dynamic paged display of large volumes of log entries.
The effect of the present invention is significant. The multi-user firewall log event audit experiment system designed by this method incorporates current log generation and classification techniques, such as user group identification and log data classification, and presents the result of multi-user firewall log generation to the user in full, helping users to correctly recognise the effect of the rules they set and guiding them to optimise rule settings. At the same time, the experiment system supports simultaneous operation by multiple users and uses typical open-source firewall systems, with no need to purchase expensive commercial firewall products; it is low in cost but remarkable in effect, and has good prospects for wide application.
Description of drawings
Fig. 1 is the structure diagram of the teaching experiment system based on the present invention.
Fig. 2 is the module block diagram of the teaching experiment system based on the present invention.
Fig. 3 is the workflow diagram of the teaching experiment system based on the present invention.
Embodiment
The following embodiment illustrates the content of the method. The firewall log event audit teaching experiment system realised on the basis of the method adopts a browser/server (B/S) architecture, uses JSP programming, incorporates currently popular log generation techniques, and supports multiple users experimenting simultaneously. The concrete implementation is as follows:
1. The user logs in to the experiment system page.
2. The user selects the experiment type, i.e. a packet-filter experiment or an application-proxy experiment.
4. The user sets the packet-filter rules or the application-proxy rules of the experiment firewall system.
5. The user performs the relevant network access operations to verify the validity of the rules.
6. The user chooses to view the logs corresponding to the relevant classified rules.
7. It can be seen that the log event audit part has found the packet-filter logs and the application-proxy logs of the configured user group, and has successfully parsed the user's failed and successful network access behaviour.
As shown in Fig. 2, the firewall log event audit teaching experiment system of the present invention comprises the following modules: the packet-filter log generation and parsing module, the application-proxy log generation and parsing module, and the log classification output module. Each log generation and parsing module processes the logs with reference to the configured group, outputs only the configured group's log, and thus supports multiple users.
The packet-filter log generation and parsing module controls the generation of packet-filter logs; as soon as the user logs in to the experiment system it starts recording the group user's successful and failed accesses. When the user has set the relevant rules and performed the network access operations that verify them, the module uses the user ID added to ordinary log entries during recording and the failure mark added on failed access to generate the group user's packet-filter log file and store it in a folder pre-set by the system.
The recording part of the application-proxy log generation and parsing module starts before the user logs in to the system, and after login it traces and records the configured group user's behaviour. After the user sets rules and performs the network access that verifies them, a system log has been generated. The application-proxy log generation and parsing module then analyses the user IP in combination with the special log markers (the user ID and the http-gw, tn-gw and ftp-gw identifiers specific to application-proxy logs) and generates the application-proxy log file carrying the group user ID; it then analyses the success or failure of user authentication and the result of the subsequent proxied network access operations.
The log classification output module outputs the two types of log file in tabular form, classified and paged, supporting paged display of large volumes of logs. With the above modules, multiple users can experiment simultaneously without interfering with one another.
The packet-filter log and the application-proxy log are stored as the corresponding classified log files on the SOCKS server, and record the grouped log events of the multiple users audited by the firewall log event audit.
Fig. 3 shows the workflow of the system. During user login the packet-filter log recording part for the configured user is started, while logging of the application-gateway firewall is automatic; the user therefore performs the whole experiment under the configured log recording. Once the user logs in, both kinds of log recording start, i.e. the log part is initialised. The user then selects the experiment type; different pages start different log generation and parsing modules. For the packet-filter log generation and parsing module, the login ID of the associated user is added as a prefix on top of the conventional iptables system log. In addition, because an extra chain is added in advance for the user's failed accesses, the log prefix of entries produced by this chain carries a failure character as well as the user ID. When the system records logs, the system log thus contains packet-filter entries carrying the configured user ID, with failed accesses carrying the failure mark. When the packet-filter log is generated, the system log is first scanned using the user ID and the presence or absence of the failure mark, yielding the configured user's successful and failed log data, which is written into the user's packet-filter log file carrying the user ID and stored in a configured folder. The application-gateway firewall has its own special log format and its logs are generated automatically by FWTK, so the application-gateway log generation and parsing module uses FWTK's distinctive log identifiers to find the relevant identities during parsing, takes the IP address as the configured user's identifier, analyses the configured user's application-gateway log, and stores it in the user's application-proxy log file carrying the user ID. After each log generation and parsing module has finished, the page turns to the log-viewing part, which, given the user's requested log type and user ID, reads the file via the log classification output module and hands it to the web page for paged display.
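The workflow described in the summary and in the embodiment above (a user-ID log prefix, an extra chain that marks failed accesses, and per-user extraction of iptables and FWTK entries for paged display), as an added Python example that is not the patent's own code (the patent's system is JSP-based). It assumes a prefix convention of 'U<id>: ' for permitted and 'U<id>:FAIL: ' for failed traffic, an IP-to-user mapping for the proxy logs, and constructed syslog lines that only approximate iptables LOG and FWTK http-gw/tn-gw/ftp-gw output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed prefix convention (the patent only specifies "user ID as prefix" plus a failure
# mark): permitted traffic logs as "U<id>: ", the extra failure chain logs as "U<id>:FAIL: ".
# iptables limits --log-prefix to 29 characters, which both forms respect for short IDs.

def iptables_rules(user_id, src_ip, allowed_dports):
    """Render the iptables commands that tag one experiment user's traffic.

    Permitted destination ports are logged with the plain user prefix and accepted;
    everything else from that user's address jumps to an extra chain that logs with the
    failure prefix and drops. Commands are returned as strings, not executed."""
    chain = f"U{user_id}_FAIL"
    cmds = [
        f"iptables -N {chain}",
        f"iptables -A {chain} -j LOG --log-prefix 'U{user_id}:FAIL: '",
        f"iptables -A {chain} -j DROP",
    ]
    for port in allowed_dports:
        match = f"-s {src_ip} -p tcp --dport {port}"
        # LOG is non-terminating, so the ACCEPT rule must follow it
        cmds.append(f"iptables -A FORWARD {match} -j LOG --log-prefix 'U{user_id}: '")
        cmds.append(f"iptables -A FORWARD {match} -j ACCEPT")
    cmds.append(f"iptables -A FORWARD -s {src_ip} -j {chain}")
    return cmds

# syslog line: "<Mon dd HH:MM:SS> <host> <program>[pid]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# kernel LOG message starting with the user prefix and an optional failure mark
IPT_PREFIX_RE = re.compile(r"^U(?P<uid>\d+):(?P<fail>FAIL:)? (?P<rest>.*)$")
# FWTK proxy daemons named in the patent; the verdict/host wording is a constructed approximation
PROXY_PROGS = {"http-gw", "tn-gw", "ftp-gw"}
PROXY_RE = re.compile(r"\b(?P<verdict>permit|deny)\s+host=(?P<ip>\d+(?:\.\d+){3})")

def classify(lines, ip_to_user, year=2006):
    """Split a system log into per-user packet-filter and application-proxy logs.

    Returns {"filter": {uid: [(ts, status, text), ...]}, "proxy": {...}}, each user's
    entries sorted by time so that the output module can page through them."""
    out = {"filter": defaultdict(list), "proxy": defaultdict(list)}
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} " + " ".join(m["ts"].split()), "%Y %b %d %H:%M:%S")
        if m["prog"] == "kernel":
            p = IPT_PREFIX_RE.match(m["msg"])
            if not p:        # kernel line without the experiment prefix: not a group user's traffic
                continue
            status = "FAIL" if p["fail"] else "OK"
            out["filter"][int(p["uid"])].append((ts, status, p["rest"]))
        elif m["prog"] in PROXY_PROGS:
            p = PROXY_RE.search(m["msg"])
            uid = ip_to_user.get(p["ip"]) if p else None
            if uid is None:  # unknown address or unrecognised message: leave it out
                continue
            status = "OK" if p["verdict"] == "permit" else "FAIL"
            out["proxy"][uid].append((ts, status, f"{m['prog']} {m['msg']}"))
    for by_user in out.values():
        for entries in by_user.values():
            entries.sort()
    return out

def paginate(entries, page_no, per_page=20):
    """One page of a user's classified log, as the output module would display it."""
    start = (page_no - 1) * per_page
    return entries[start:start + per_page]

# Constructed sample data: two experiment users plus unrelated noise, one line out of order.
IP_TO_USER = {"192.168.1.103": 1003, "192.168.1.104": 1004}
SAMPLE_SYSLOG = """\
Sep  7 10:15:09 fwlab kernel: U1003:FAIL: IN=eth0 OUT= SRC=192.168.1.103 DST=10.0.0.5 PROTO=TCP SPT=40130 DPT=23
Sep  7 10:15:01 fwlab kernel: U1003: IN=eth0 OUT=eth1 SRC=192.168.1.103 DST=10.0.0.5 PROTO=TCP SPT=40122 DPT=80
Sep  7 10:15:12 fwlab kernel: U1004: IN=eth0 OUT=eth1 SRC=192.168.1.104 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=80
Sep  7 10:15:20 fwlab kernel: IN=eth0 OUT= SRC=192.168.1.250 DST=10.0.0.5 PROTO=ICMP TYPE=8
Sep  7 10:16:02 fwlab http-gw[2345]: permit host=192.168.1.103/unknown use of gateway
Sep  7 10:16:05 fwlab tn-gw[2350]: deny host=192.168.1.104/unknown use of gateway
Sep  7 10:16:40 fwlab ftp-gw[2360]: permit host=192.168.1.104/unknown use of gateway
Sep  7 10:16:50 fwlab sshd[900]: Accepted password for admin from 10.0.0.9 port 5555 ssh2
"""

if __name__ == "__main__":
    for cmd in iptables_rules(1003, "192.168.1.103", [80, 443]):
        print(cmd)
    logs = classify(SAMPLE_SYSLOG.splitlines(), IP_TO_USER)
    for kind, by_user in logs.items():
        for uid in sorted(by_user):
            for ts, status, text in paginate(by_user[uid], 1):
                print(f"{kind:6} U{uid} {ts:%H:%M:%S} {status:4} {text}")
```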

Claims (6)

1. A method for auditing firewall log events, characterised in that, in a LAN environment with controlled traffic, the typical open-source firewall systems iptables and FWTK are deployed; iptables is configured so that the successful and failed access traffic of each user group it records is logged, by adding the login ID of the associated user as a prefix on top of the conventional iptables system log and adding an extra chain for the user's failed accesses, the log prefix of entries from this chain carrying a failure character as well as the user ID, so that when the system records logs the system log contains packet-filter entries carrying the configured user ID, with failed accesses carrying the failure mark;
after the FWTK log entries are generated automatically, the failed and successful access log entries relevant to the group are extracted from the packet-filter logs generated by each iptables instance, marked, and dumped to a file: the system log is scanned using the user ID and the presence or absence of the failure mark, the configured user's successful and failed log data is obtained and written into the user's packet-filter log file carrying the user ID, and stored in a configured folder;
the FWTK group log is likewise dumped to a file: the system log is parsed and, according to the user IP in combination with the user ID and the identifiers specific to application-proxy logs, the configured user group's log is generated and dumped into an application-proxy log file carrying the group user ID;
finally the classification output module expands the iptables packet-filter and FWTK log files relevant to the group and outputs them as a list by class and by time, and in the experiment-report part of the output displays the group's packet-filter or application-proxy rules set by the user together with the corresponding logs, so that by comparison the degree to which the group's packet-filter or application-proxy rules and their verification results match in theory and in practice can be observed.
2. A firewall log event audit teaching experiment system realised on the basis of the method of claim 1, comprising a packet-filter log generation and parsing module, an application-proxy log generation and parsing module and a log classification output module, characterised in that when a user logs in, the system and the packet-filter log generation and parsing module start packet-filter log recording, and application-proxy logging starts with the application-proxy program, so that the system's log part is initialised; while the user carries out the network verification experiment the log part records and generates the system's original log file, stored in a fixed file; when the user selects the packet-filter log viewing experiment, the packet-filter log generation and parsing module is started, parses the packet-filter part of the system log and generates a packet-filter log file carrying the user ID, stored under a configured directory; when the user selects the application-proxy log viewing experiment, the application-proxy log generation and parsing module is started, parses the application-proxy part of the system log and generates an application-proxy log file carrying the group user ID, stored under a configured directory; and the log classification output module reads the log file of the type the user requests and displays it page by page.
3. The firewall log event audit teaching experiment system according to claim 2, characterised in that the packet-filter log generation and parsing module controls the generation of packet-filter logs, comprising: starting the packet-filter log recording part when the user logs in to the system; finally recording the group user's failed and successful log entries; and, after the user has set packet-filter rules and performed the network access operations that verify them, first adding the group user ID to the system log entries and adding a failure mark to the failed-access entries, then parsing and collecting the group user's log entries and dumping them into a packet-filter log file carrying the group user ID, awaiting further processing by the log classification output module.
4. The firewall log event audit teaching experiment system according to claim 2, characterised in that the application-proxy log generation and parsing module controls the generation of application-proxy logs, comprising: parsing the system log; using the user IP in combination with the user ID and the identifiers specific to application-proxy logs to generate the configured user group's log and dump it into an application-proxy log file carrying the group user ID; and performing application-proxy log analysis of the success or failure of user authentication and the subsequent associated network access operations.
5. The firewall log event audit teaching experiment system according to claim 2, characterised in that the log classification output module outputs, in tabular form, the classified log files generated by parsing for the two log types, packet-filter logs and application-proxy logs, and supports dynamic paged display of the logs.
6. The firewall log event audit teaching experiment system according to claim 5, characterised in that the packet-filter logs and the application-proxy logs are stored as the corresponding classified log files on the SOCKS server and record the grouped log events of the multiple users audited by the firewall log event audit.
Priority application: CN2006100309010A, filed 2006-09-07, priority date 2006-09-07, title "Method for auditing log event of fire wall, and teaching experimental system", status Active, granted as CN1917445B (en)

Publications (2)

Publication Number  Publication Date
CN1917445A (en)     2007-02-21
CN1917445B (en)     2010-09-29

Family ID: 37738343

Country Status (1)

Country  Link
CN (1)   CN1917445B (en)
Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101217547B (en) * 2008-01-18 2012-05-09 南京邮电大学 A flood request attaching filtering method based on the stateless open source core
CN101567888B (en) * 2008-12-29 2011-12-21 郭世泽 Safety protection method of network feedback host computer
CN101453378B (en) * 2008-12-30 2011-01-12 杭州华三通信技术有限公司 Method and system for log dump and audit
CN101931562B (en) * 2010-09-29 2013-08-28 杭州华三通信技术有限公司 Web log processing method and device
CN108366040B (en) * 2017-01-26 2021-03-02 北京飞利信电子技术有限公司 Programmable firewall logic code detection method and device and electronic equipment
CN108900505B (en) * 2018-06-28 2020-08-11 中国科学院软件研究所 Cluster audit management and control method based on block chain technology
CN113742192A (en) * 2021-09-13 2021-12-03 杭州安恒信息技术股份有限公司 Log rule quality analysis method, system, electronic device and storage medium

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2806503A1 (en) * 2000-03-15 2001-09-21 Bull Sa Security data analyzing method for building up security audit trail for computer network fire-walls in which data is processed locally before being sent to a central server to reduce data traffic and central processing
CN1492336A (en) * 2003-09-04 2004-04-28 上海格尔软件股份有限公司 Information system auditing method based on data storehouse
CN1561058A (en) * 2004-03-04 2005-01-05 上海交通大学 Method for implementing virtual fire wall teaching experiment to multi-user

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
CN 1561058 A, full text.
周华平, 林浩伟. Research and implementation of a log audit system based on a Linux firewall. 自动化技术与应用 2005, 24(11), 25-27. *
李承, 王伟钊, 程立, 汪为农, 李家滨. Research and implementation of a network security audit system based on firewall logs. 计算机工程 2002, 28(6), 17-19. *



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant