CN110636084B - Method for filtering access interface of user-mode firewall - Google Patents
- Publication number
- CN110636084B (application CN201911085133.2A)
- Authority
- CN
- China
- Prior art keywords
- snort
- message
- interface
- rule
- matching
- Prior art date
- Legal status
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/0263—Rule management
Abstract
The invention discloses an in-out (ingress/egress) interface filtering method for a user-mode firewall, where the user-mode firewall adopts the Netfilter firewall mechanism and the method comprises the following steps: S1, the user-mode firewall acquires the in-out interface information of the message (packet) at the kernel Netfilter forwarding chain packet receiving point; S2, the in-out interface information and the message are received together into user space for processing; S3, the acquired in-out interface information is added to the snort rule; S4, the snort rule with the added in-out interface information is parsed to obtain the in-out interface filtering configuration; and S5, the in-out interface filtering configuration is added to the filter matching process to form a matching filtering method, by which the filter matching operation is performed.
Description
Technical Field
The invention relates to the field of computers, in particular to a filtering method for an access interface of a user-mode firewall.
Background
A kernel firewall is embedded in the processing path of the Linux kernel protocol stack and runs in kernel address space, which requires the developer to understand the kernel and the kernel protocol stack code in depth; this requirement is obviously too harsh for an ordinary developer. Therefore, a method that receives the message (packet) into user space for deep analysis and performs match filtering on it there is urgently needed to meet people's usage requirements.
Disclosure of Invention
The invention aims to solve the problems and provides an access interface filtering method based on a user-mode firewall.
In order to achieve the purpose, the technical scheme of the invention is as follows:
A filtering method for an access interface of a user-mode firewall adopts a Netfilter firewall mechanism and comprises the following steps:
S1, the user-mode firewall acquires the in-out interface information of the message at the kernel Netfilter forwarding chain packet receiving point;
S2, receiving the in-out interface information of the message and the message together into user space for processing;
S3, adding the acquired message in-out interface information to the snort rule;
S4, parsing the snort rule after adding the message in-out interface information to obtain the in-out interface filtering configuration;
and S5, adding the in-out interface filtering configuration to the filter matching process to form a matching filtering method, and performing the filter matching operation by the matching filtering method.
Further, the user-mode firewall in step S1 includes a transparent mode and a routing mode; in transparent mode the message is processed by the network bridge before entering the Netfilter forwarding chain packet receiving point, and in routing mode it is processed by routing before entering the Netfilter forwarding chain packet receiving point.
Further, the Snort rule in step S3 includes a rule header part and a rule option part; the rule header part comprises the action, protocol, destination ip address and source and destination port information of the rule; the rule options section includes the alarm message content as well as the inspected data packet.
Further, the matching filtering method in step S5 includes the following steps:
S51, entering Snort rule matching processing;
S52, detecting whether the Snort input interface configuration is an any port, and when the Snort input interface is the any port, performing the S53 operation; when the Snort input interface is not the any port, detecting whether the Snort input interface is consistent with the message input interface; when the Snort input interface is consistent with the message input interface, performing the operation of S53, and when the Snort input interface is inconsistent with the message input interface, returning to step S51;
S53, detecting whether the Snort outgoing interface configuration is an any port, and when the Snort outgoing interface configuration is the any port, performing the S54 operation; when the Snort outgoing interface is not an any port, detecting whether the Snort outgoing interface is consistent with the message outgoing interface; when the Snort outgoing interface is consistent with the message outgoing interface, performing the operation of S54, and when the Snort outgoing interface is inconsistent with the message outgoing interface, returning to step S51;
and S54, matching the subsequent information of the Snort rule, and finishing the matching filtering operation.
Compared with the prior art, the invention has the advantages and positive effects that:
The method first transmits the message in-out interface information to user space at the Netfilter forwarding chain packet receiving point and parses the message, then adds the in-out interface information to the snort rule, and finally realizes the message in-out interface filtering function in user space, so that the snort rule can be freely combined with five-tuple filtering and deep inspection in user space. On the other hand, the invention combines a unified matching filtering scheme, realizes deep analysis of the message received into user space, performs the matching filtering operation on the message in user space, and thereby contributes to the development of computer firewalls.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a block flow diagram of a match filtering method.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived from the embodiments of the present invention by a person skilled in the art without any creative effort, should be included in the protection scope of the present invention.
As shown in FIG. 1, the present invention uses the IPQueue mechanism provided by the Linux kernel on top of the Netfilter framework.
Netfilter/iptables is the new-generation Linux firewall mechanism introduced with Linux 2.4.x and is a subsystem of the Linux kernel. Netfilter has a modular design and good extensibility. Its key tool module, iptables, connects the iptables command in user mode to the Netfilter architecture in kernel mode; Netfilter fits seamlessly with the IP protocol stack and allows the user to filter, address-translate and otherwise process datagrams.
The invention uses the forwarding chain packet receiving point to pass the message together with its in-out interface information to user space for analysis, then modifies the snort rule format to add the in-out interface information, provides a unified matching filtering method in user space, and thereby realizes the message in-out interface filtering function in user space.
The method comprises the following specific operation steps:
1. Obtaining the in-out interface information of the message at the kernel Netfilter forwarding chain packet receiving point
The IPS firewall has a transparent mode and a routing mode; in transparent mode the message is processed by the network bridge before entering the forwarding chain, and in routing mode it is processed by routing before entering the forwarding chain, so the ingress and egress interface information of the message can be determined in the forwarding chain. The ingress and egress interface information is then obtained at the packet receiving point of the forwarding chain and sent to user space for ingress/egress interface filtering.
The in-out interface information and the message are received together into user space during forwarding chain processing.
2. Adding filtering information of incoming and outgoing interface in snort rule
The Snort rule is divided into two logical parts: a rule header and a rule option. The rule header contains the action, protocol, source and destination ip addresses and network masks, and source and destination port information of the rule; the rule options section contains the alarm message content and the specific portion of the packet to be examined.
3. Parsing rules and matching messages
The snort rule in the new format is parsed to obtain the in-out interface filtering configuration, and in-out interface filtering matching of the message is added on top of the original matching process. The matching filtering process is shown in FIG. 1;
the matching filtering method comprises the following steps:
(1) entering Snort rule matching processing;
(2) detecting whether the Snort input interface configuration is an any port or not, and carrying out the next operation when the Snort input interface is the any port; when the Snort input interface is not an any port, detecting whether the Snort input interface is consistent with the message input interface or not, when the Snort input interface is consistent with the message input interface, carrying out the next operation, and when the Snort input interface is inconsistent with the message input interface, restarting the operation;
(3) detecting whether the Snort outgoing interface configuration is an any port or not, and carrying out the next operation when the Snort outgoing interface is the any port; when the Snort outgoing interface is not an any port, detecting whether the Snort outgoing interface is consistent with the message outgoing interface or not, when the Snort outgoing interface is consistent with the message outgoing interface, carrying out the next operation, and when the Snort outgoing interface is inconsistent with the message outgoing interface, restarting the operation;
(4) matching the subsequent information of the Snort rule to finish the matching and filtering operation.
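The following C program is an added example, not the patent's own code, covering the three user-space pieces described above: the record handed up from the kernel forwarding chain packet receiving point (ingress and egress interface plus the five-tuple), a Snort-style rule extended with in-out interface fields (section 2), and the matching flow of steps (1) to (4). The patent does not define how the interface information is written into the rule, so the `in_iface:` / `out_iface:` rule options, the exact-match comparison of header fields, and all interface names, addresses and ports in the sample data are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the patent's code. The "in_iface:" / "out_iface:" rule
 * options are an assumed syntax; the patent does not define the textual form
 * of the added interface fields. */

struct packet {                       /* what user space receives per packet */
    const char *in_iface, *out_iface; /* both known once the packet is in FORWARD */
    const char *proto, *src_ip, *dst_ip;
    int src_port, dst_port;
};

struct rule {                         /* rule header plus the option values used */
    char action[16], proto[8], src_ip[32], src_port[8], dst_ip[32], dst_port[8];
    char in_iface[16], out_iface[16], msg[64];
};

/* Parse "action proto src sport -> dst dport (options)". Returns 0 on success,
 * -1 on a malformed header. Absent interface options default to "any". */
int parse_rule(const char *line, struct rule *r)
{
    char arrow[4];
    const char *p, *opts;
    memset(r, 0, sizeof *r);
    if (sscanf(line, "%15s %7s %31s %7s %3s %31s %7s", r->action, r->proto,
               r->src_ip, r->src_port, arrow, r->dst_ip, r->dst_port) != 7
        || strcmp(arrow, "->") != 0)
        return -1;
    strcpy(r->in_iface, "any");
    strcpy(r->out_iface, "any");
    if (!(opts = strchr(line, '(')))
        return 0;
    if ((p = strstr(opts, "in_iface:")))
        sscanf(p + 9, "%15[^;)]", r->in_iface);
    if ((p = strstr(opts, "out_iface:")))
        sscanf(p + 10, "%15[^;)]", r->out_iface);
    if ((p = strstr(opts, "msg:\"")))
        sscanf(p + 5, "%63[^\"]", r->msg);
    return 0;
}

/* A rule field matches when it is the "any" wildcard or equals the packet
 * value (exact compare; CIDR masks and port ranges are out of scope here). */
static int field_matches(const char *rule_val, const char *pkt_val)
{
    return strcmp(rule_val, "any") == 0 || strcmp(rule_val, pkt_val) == 0;
}

/* Steps (1)-(4): per rule, check the ingress interface, then the egress
 * interface; a mismatch restarts with the next rule, so the cheap interface
 * test runs before any deeper matching. Rules passing both reach the
 * remaining header match. Returns the first matching rule index, or -1. */
int match_rules(const struct rule *rules, int nrules, const struct packet *pkt)
{
    char sport[8], dport[8];
    snprintf(sport, sizeof sport, "%d", pkt->src_port);
    snprintf(dport, sizeof dport, "%d", pkt->dst_port);
    for (int i = 0; i < nrules; i++) {
        const struct rule *r = &rules[i];
        if (!field_matches(r->in_iface, pkt->in_iface))
            continue;                                   /* step (2): restart */
        if (!field_matches(r->out_iface, pkt->out_iface))
            continue;                                   /* step (3): restart */
        if (field_matches(r->proto, pkt->proto) &&      /* step (4) */
            field_matches(r->src_ip, pkt->src_ip) && field_matches(r->src_port, sport) &&
            field_matches(r->dst_ip, pkt->dst_ip) && field_matches(r->dst_port, dport))
            return i;
    }
    return -1;
}

/* Constructed sample rules and packets; names, addresses and ports are made up. */
static const char *SAMPLE_RULES[] = {
    "alert tcp any any -> 10.0.0.5 80 (msg:\"web via wan\"; in_iface:eth0; out_iface:eth1;)",
    "alert tcp any any -> 10.0.0.5 80 (msg:\"web any iface\"; in_iface:any; out_iface:any;)",
    "drop udp any any -> any 53 (msg:\"dns egress\"; in_iface:eth1; out_iface:eth0;)",
    "alert icmp any any -> any any",
};
static const struct packet SAMPLE_PACKETS[] = {
    { "eth0", "eth1", "tcp", "198.51.100.7", "10.0.0.5", 40000, 80 },
    { "eth2", "eth1", "tcp", "198.51.100.7", "10.0.0.5", 40000, 80 },
    { "eth1", "eth0", "udp", "10.0.0.9", "192.0.2.1", 5353, 53 },
    { "eth0", "eth0", "udp", "10.0.0.9", "192.0.2.1", 5353, 53 },
    { "eth3", "eth4", "icmp", "10.0.0.9", "192.0.2.1", 0, 0 },
};
static struct rule g_rules[4];

/* Parse the sample rule set into g_rules; returns how many parsed cleanly. */
int load_sample_rules(void)
{
    int n = 0;
    for (int i = 0; i < 4; i++)
        if (parse_rule(SAMPLE_RULES[i], &g_rules[n]) == 0)
            n++;
    return n;
}

/* Index of the rule that sample packet idx hits under the matching flow, or -1. */
int sample_match(int idx)
{
    int n = load_sample_rules();
    return match_rules(g_rules, n, &SAMPLE_PACKETS[idx]);
}

int main(void)
{
    for (int i = 0; i < 5; i++)
        printf("packet %d -> rule %d\n", i, sample_match(i));
    return 0;
}
```

Sample packet 1 shows the point of the added interface check: it carries the same five-tuple as packet 0, but because it arrives on eth2 the first rule is skipped at the ingress check and the any/any rule is the one that fires; packet 3 shows a packet that passes the egress check of no rule at all and falls through with -1.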
Claims (1)
1. A filtering method for an access interface of a user-mode firewall, characterized in that the user-mode firewall adopts a Netfilter firewall mechanism and the method comprises the following steps:
S1, the user-mode firewall acquires the in-out interface information of the message at the kernel Netfilter forwarding chain packet receiving point;
S2, receiving the in-out interface information of the message and the message together into user space for processing;
S3, adding the acquired message in-out interface information to the snort rule;
S4, parsing the snort rule after adding the message in-out interface information to obtain the in-out interface filtering configuration;
S5, adding the in-out interface filtering configuration to the filter matching process to form a matching filtering method, and performing the filter matching operation by the matching filtering method;
the user-mode firewall in step S1 includes a transparent mode and a routing mode; in transparent mode the message is processed by the network bridge before entering the Netfilter forwarding chain packet receiving point, and in routing mode it is processed by routing before entering the Netfilter forwarding chain packet receiving point;
the Snort rule in step S3 includes a rule header part and a rule option part; the rule header part comprises the action, protocol, destination ip address and source and destination port information of the rule; the rule option part comprises the alarm message content and the checked data packets;
the matching filtering method in step S5 includes the steps of:
S51, entering Snort rule matching processing;
S52, detecting whether the Snort input interface configuration is an any port, and when the Snort input interface is the any port, performing the S53 operation; when the Snort input interface is not the any port, detecting whether the Snort input interface is consistent with the message input interface; when the Snort input interface is consistent with the message input interface, performing the operation of S53, and when the Snort input interface is inconsistent with the message input interface, returning to step S51;
S53, detecting whether the Snort outgoing interface configuration is an any port, and when the Snort outgoing interface configuration is the any port, performing the S54 operation; when the Snort outgoing interface is not an any port, detecting whether the Snort outgoing interface is consistent with the message outgoing interface; when the Snort outgoing interface is consistent with the message outgoing interface, performing the operation of S54, and when the Snort outgoing interface is inconsistent with the message outgoing interface, returning to step S51;
and S54, matching the subsequent information of the Snort rule, and finishing the matching filtering operation.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911085133.2A CN110636084B (en) | 2019-11-08 | 2019-11-08 | Method for filtering access interface of user-mode firewall |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911085133.2A CN110636084B (en) | 2019-11-08 | 2019-11-08 | Method for filtering access interface of user-mode firewall |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110636084A CN110636084A (en) | 2019-12-31 |
CN110636084B true CN110636084B (en) | 2022-02-22 |
Family
ID=68979209
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911085133.2A Active CN110636084B (en) | 2019-11-08 | 2019-11-08 | Method for filtering access interface of user-mode firewall |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110636084B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113691458A (en) * | 2021-08-19 | 2021-11-23 | 北京指掌易科技有限公司 | Network packet processing method and device, electronic equipment and storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103746996A (en) * | 2014-01-03 | 2014-04-23 | 汉柏科技有限公司 | Packet filtering method for firewall |
CN107682312A (en) * | 2017-08-25 | 2018-02-09 | 中国科学院信息工程研究所 | A kind of security protection system and method |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8789202B2 (en) * | 2008-11-19 | 2014-07-22 | Cupp Computing As | Systems and methods for providing real time access monitoring of a removable media device |
Application Events
- 2019-11-08: application CN201911085133.2A (CN), patent CN110636084B, status Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103746996A (en) * | 2014-01-03 | 2014-04-23 | 汉柏科技有限公司 | Packet filtering method for firewall |
CN107682312A (en) * | 2017-08-25 | 2018-02-09 | 中国科学院信息工程研究所 | A kind of security protection system and method |
Non-Patent Citations (5)
Title |
---|
"Design and implementation of Linux firewall based on the frame of Netfilter/IPtable"; Baoliang Wang et al.; 2016 11th International Conference on Computer Science & Education (ICCSE); 2016-10-06; full text * |
"Design and Implementation of a Lightweight Firewall Based on Netfilter" (基于Netfilter的轻量级防火墙的设计与实现); Liu Xuan; China Master's Theses Full-text Database, Information Science and Technology series; 2017-02-15; body pp. 32-48 * |
"An IPS Model Based on Snort" (基于Snort的IPS模型); Liu Ying et al.; Network Security Technology & Application; 2009-01-06; body p. 45 * |
"On the Difference and Application of Routing Mode and Transparent Mode in Firewall Configuration" (浅谈防火墙配置中路由模式和透明模式的区别与应用); Huang Anxiang; Consumer Guide; 2018-10-08; body p. 10 * |
Liu Xuan. "Design and Implementation of a Lightweight Firewall Based on Netfilter". China Master's Theses Full-text Database, Information Science and Technology series. 2017, pp. 32-48. * |
Also Published As
Publication number | Publication date |
---|---|
CN110636084A (en) | 2019-12-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
NZ520984A (en) | System for rapid packet filtering and processing using a pre-filtering module to supplement the firewall | |
CN109587255B (en) | Method, system and storage medium for constructing service dependency graph | |
JP2018519604A (en) | Malware detection | |
US10454777B2 (en) | Network data processing driver for a cognitive artifical intelligence system | |
WO2011134739A1 (en) | Method for searching for message sequences, protocol analysis engine and protocol analyzer | |
CN114398156B (en) | Data channel construction method and device | |
CN113691460B (en) | Data transmission method, device, equipment and storage medium based on load balancing | |
US20230208721A1 (en) | Determining network topology based on packet traffic | |
CN103220287A (en) | Method for service matching of messages by means of access control list (ACL) | |
KR101378115B1 (en) | Intrusion detection apparatus and method using pattern matching technology based on perl compatible regular expressions | |
CN110636084B (en) | Method for filtering access interface of user-mode firewall | |
CN111600852A (en) | Firewall design method based on programmable data plane | |
CN114518969A (en) | Inter-process communication method, system, storage medium and computer device | |
US10666616B2 (en) | Application identification and control in a network device | |
US10659368B2 (en) | Transparent control and transfer of network protocols | |
CN108881247B (en) | Message conversion method, device, gateway equipment and storage medium | |
CN101795273A (en) | Method and device for a filtering junk mail | |
CN113672416A (en) | Method and device for positioning reasons of memory resource leakage | |
WO2020170802A1 (en) | Detection device and detection method | |
CN103731345A (en) | Network message processing method and equipment | |
US11863630B2 (en) | Connection establishment method, server, accessed node, access node, and storage medium | |
US10129147B2 (en) | Network-on-chip flit transmission method and apparatus | |
CN113301049B (en) | Industrial control equipment auditing method, device, equipment and readable storage medium | |
KR20200092744A (en) | Apparatus for detecting abnormal branch based on machine learning and method therefor | |
CN115134096B (en) | RAT connection detection method, flow auditing equipment and medium |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |