Online real-time script detection method and system
Technical field
The present invention relates to techniques for detecting scripts embedded in web pages, and in particular to an online real-time script detection method and system.
Background art
With the popularization and rapid development of the Internet and the sharp increase in the number of Internet users, web content and network applications have been greatly enriched; users' practical needs have driven the rapid development of website interactivity. Web developers usually achieve these interactive effects by embedding scripts in web pages.
The browsers that ordinary users use to go online may, for various reasons, contain one vulnerability or another. Attackers often exploit these vulnerabilities by embedding scripts in web pages that trigger the execution of malicious code, in order to spread malicious code and obtain illegal gains.
However, a network carries a very large number of web access connections, and caching all web content and analysing it afterwards may far exceed the load that a network security device can bear. The result is that script viruses in the network cannot be detected. Network security devices therefore need an efficient script detection system.
Summary of the invention
The present invention provides an online real-time script detection method and system. The method solves the problem that script viruses in a network cannot be detected because the network carries too many access connections, and achieves script detection that is real-time and consumes few device resources.
An online real-time script detection method, including:
Step 1: capture network packets;
Step 2: perform protocol decoding on the captured network packets and isolate HTTP messages;
Step 3: judge whether a connection cache flag exists; if so, the current HTTP message has cached script content and step 4 is performed, otherwise step 8 is performed;
Step 4: scan the message for a script end marker; if one is found, perform step 5, otherwise perform step 6;
Step 5: clear the connection cache flag, reassemble the script in the current message with the cached script content, and send the result to the script engine for detection; if a threat is found, issue an alert; after the script engine detection, perform step 8;
Step 6: judge whether the sum of the current message length and the cached script content length exceeds a preset length threshold; if so, perform step 7, otherwise cache the whole content of the message and return to step 1;
Step 7: clear the connection cache flag, reassemble the script in the current message with the cached script content, and send the result to the script engine for detection; if a threat is found, issue an alert; then end detection of the current message;
Step 8: scan the message, starting from the position processed so far, for a script start marker; if one is found, perform step 9, otherwise end detection of the current message;
Step 9: scan the message, starting from the position processed so far, for a script end marker; if one is found, perform step 10, otherwise perform step 11;
Step 10: extract from the message the content from the script start marker to the script end marker and send it to the script engine for detection; if a threat is found, issue an alert; after the script engine detection, return to step 8;
Step 11: cache the message content from the script start marker to the end of the message (the script end marker has not yet been seen), and return to step 1.
In the described method, when scanning a message for the start marker or the end marker, an automaton is used to restore script start markers and script end markers that have been deformed.
An online real-time script detection system, including:
a data capture module, for capturing network packets;
a protocol decoding module, for performing protocol decoding on the captured network packets and isolating HTTP messages;
a cache judging module, for judging whether a connection cache flag exists; if so, the current HTTP message has cached script content, and the module scans the message for a script end marker; if one is found, the recombination module is executed, otherwise the script detection module is executed; if no connection cache flag exists, the module judges whether the sum of the current message length and the cached script content length exceeds the preset length threshold; if so, the recombination module is executed, otherwise the cache module is executed;
a recombination module, for clearing the connection cache flag, reassembling the script in the current message with the cached script content, and sending the result to the engine detection module for detection;
a script detection module, for scanning the message from the position processed so far for a script start marker; if one is found, scanning the message from the position processed so far for a script end marker; if one is found, extracting from the message the content from the script start marker to the script end marker and sending it to the engine detection module, otherwise caching the message content from the script start marker onward and returning to the data capture module; if no script start marker is found, ending detection of the current message;
an engine detection module, for detecting the cached script content; if a threat is found, it issues an alert; after the script engine detection, it executes the script detection module or ends detection of the current message;
In the described system, when scanning a message for the start marker or the end marker, an automaton is used to restore script start markers and script end markers that have been deformed.
The beneficial effects of the invention are as follows. Cached content is reduced as far as possible, and, to prevent the cached content from growing too large, a cache threshold is set: once the threshold is exceeded, caching stops. This lowers the cache requirement placed on the detection device and improves the processing capacity and operating efficiency of the network security device. Further, because of the way scripts are coded in web pages, each embedded script segment has a start marker and an end marker, so scanning for the script start and end markers locates script content quickly and improves detection speed.
The invention provides an online real-time script detection method and system. The method includes: scanning each data message for the script start marker and end marker; if both markers are found in the same message, calling the script detection engine to detect the script; if only the script start marker is found, caching the embedded script in the current message and reassembling it with subsequent messages of the same connection until the script end marker is found, restoring the complete script and calling the script detection engine to detect it; and, to prevent the cached content from growing too large, setting a maximum cache length threshold, so that if the cached length exceeds the threshold during reassembly, caching stops and the existing cached content is sent directly to the script detection engine for detection. The invention also provides an online real-time script detection system. The method greatly reduces the amount of web content cached and improves the processing performance of the device.
Brief description of the drawings
To explain the technical solutions of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an online real-time script detection method of the present invention;
Fig. 2 is a structural diagram of an online real-time script detection system of the present invention.
Detailed description of the invention
To help those skilled in the art better understand the technical solutions in the embodiments of the present invention, and to make the above purposes, features and advantages of the invention clearer and easier to understand, the technical solutions of the invention are described in further detail below with reference to the drawings.
An online real-time script detection method, as shown in Fig. 1, includes:
S101: capture network packets; packets may be captured with pcap, with zero-copy capture, or with a dedicated network adapter;
S102: perform protocol decoding on the captured packets and isolate HTTP messages; the HTTP protocol can be identified from the TCP port information or from whether the transport-layer payload begins with an HTTP keyword (such as GET, POST or HTTP); the server response content of the HTTP connection is then protocol-decoded to isolate the web page content;
S103: judge whether a connection cache flag exists; if so, the current HTTP message has cached script content and S104 is performed, otherwise S105 is performed;
S104: scan the message for a script end marker; if one is found, perform S105, otherwise perform S106;
The script generally used in web pages is JavaScript, whose end marker is </script>. In real web page code, browser compatibility allows some deformations of this marker, such as whitespace characters mixed into the middle of it; an automaton can be used to restore the deformed marker to </script>;
S105: clear the connection cache flag, reassemble the script in the current message with the cached script content, and send the result to the script engine for detection; if a threat is found, issue an alert; after the script engine detection, perform S108. The script virus detection can use an existing commercial anti-virus engine or one written in-house;
S106: judge whether the sum of the current message length and the cached script content length exceeds a preset length threshold; if so, perform S107, otherwise cache the whole content of the message and return to S101;
The cache length threshold can be user-defined, for example 4096 bytes or 8192 bytes; too short a length lowers the detection rate, and too long a length reduces the utilisation of the cache;
S107: clear the connection cache flag, reassemble the script in the current message with the cached script content, and send the result to the script engine for detection; if a threat is found, issue an alert; then end detection of the current message;
S108: scan the message, starting from the position processed so far, for a script start marker; if one is found, perform S109, otherwise end detection of the current message;
The script generally used in web pages is JavaScript, whose start marker is <script. In real web page code, browser compatibility allows some deformations of this marker, such as whitespace characters mixed into the middle of it; an automaton can be used to restore the deformed marker to <script;
S109: scan the message, starting from the position processed so far, for a script end marker; if one is found, perform S110, otherwise perform S111;
S110: extract from the message the content from the script start marker to the script end marker and send it to the script engine for detection; if a threat is found, issue an alert; after the script engine detection, return to S108;
S111: cache the message content from the script start marker to the end of the message (the script end marker has not yet been seen), and return to S101.
In the described method, when scanning a message for the start marker or the end marker, an automaton is used to restore script start markers and script end markers that have been deformed.
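As an added worked example (it is not code from the patent), the following Python sketch implements steps S101 to S111 above, and equally the numbered steps of the summary: recognising an HTTP message by its leading keyword, tolerant matching of deformed <script and </script> markers in place of the automaton, a per-connection cache flag with the length threshold, and a pluggable script engine. All names (ScriptDetector, ConnState, demo_engine, START_RE, END_RE, HTTP_KEYWORDS), the sample messages and the stand-in engine are constructed assumptions; the engine only flags one well-known obfuscation pattern so that an alert can be observed.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Tolerant patterns stand in for the patent's "automaton": they accept stray
# whitespace inside the markers (e.g. "< script", "</ script >") and restore
# the intended meaning. Both patterns are assumptions, not the patent's code.
START_RE = re.compile(rb"<\s*script\b", re.IGNORECASE)
END_RE = re.compile(rb"<\s*/\s*script\s*>", re.IGNORECASE)
# Leading keywords used in S102 to recognise an HTTP message (constructed list).
HTTP_KEYWORDS = (b"GET ", b"POST ", b"HTTP/")


def demo_engine(script: bytes) -> bool:
    """Constructed stand-in for the script engine of S105/S110: flags a
    common obfuscation idiom. A deployment would plug in a real AV engine."""
    return b"eval(unescape(" in script.lower()


@dataclass
class ConnState:
    cache_flag: bool = False   # the "connection cache flag" of S103
    cached: bytes = b""        # partial script carried over from earlier messages


@dataclass
class ScriptDetector:
    engine: Callable[[bytes], bool] = demo_engine
    max_cache: int = 4096      # preset length threshold of S106 (page suggests 4096/8192)
    conns: Dict[str, ConnState] = field(default_factory=dict)
    alerts: List[Tuple[str, bytes]] = field(default_factory=list)

    def _detect(self, conn_id: str, script: bytes, submitted: List[bytes]) -> None:
        # Hand one (re)assembled script to the engine; record an alert on a hit.
        submitted.append(script)
        if self.engine(script):
            self.alerts.append((conn_id, script))

    @staticmethod
    def _body(payload: bytes) -> bytes:
        # S102: strip the HTTP header block so only page content is scanned.
        sep = payload.find(b"\r\n\r\n")
        return payload if sep < 0 else payload[sep + 4:]

    def process(self, conn_id: str, payload: bytes) -> List[bytes]:
        """Handle one captured message; return the scripts handed to the engine."""
        st = self.conns.get(conn_id)
        if st is None:
            if not payload.startswith(HTTP_KEYWORDS):
                return []                      # not HTTP: nothing to scan
            st = self.conns[conn_id] = ConnState()
        msg = self._body(payload) if payload.startswith(HTTP_KEYWORDS) else payload
        submitted: List[bytes] = []
        pos = 0
        if st.cache_flag:                                     # S103
            end = END_RE.search(msg)                          # S104
            if end:                                           # S105
                self._detect(conn_id, st.cached + msg[:end.end()], submitted)
                st.cache_flag, st.cached = False, b""
                pos = end.end()
            elif len(msg) + len(st.cached) > self.max_cache:  # S106 -> S107
                self._detect(conn_id, st.cached + msg, submitted)
                st.cache_flag, st.cached = False, b""
                return submitted                              # end this message
            else:
                st.cached += msg                              # cache whole message
                return submitted
        while True:                                           # S108
            start = START_RE.search(msg, pos)
            if not start:
                break
            end = END_RE.search(msg, start.end())             # S109
            if end:                                           # S110
                self._detect(conn_id, msg[start.start():end.end()], submitted)
                pos = end.end()
            else:                                             # S111
                st.cache_flag, st.cached = True, msg[start.start():]
                break
        return submitted


if __name__ == "__main__":
    # Constructed two-segment response: the second script straddles the segments.
    det = ScriptDetector()
    det.process("c1", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                      b"<html><script>var a=1;</script><script >var b=")
    det.process("c1", b"2;eval(unescape('%61'));</ script ><p>x</p><script>c=3;</script>")
    for conn, script in det.alerts:
        print(conn, script)
```

Note that S107 ends detection of the current message once the threshold flush has happened, so any further script in that message is not scanned; the sketch follows the page's steps literally rather than continuing the scan.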
An online real-time script detection system, as shown in Fig. 2, includes:
a data capture module 201, for capturing network packets;
a protocol decoding module 202, for performing protocol decoding on the captured network packets and isolating HTTP messages;
a cache judging module 203, for judging whether a connection cache flag exists; if so, the current HTTP message has cached script content, and the module scans the message for a script end marker; if one is found, the recombination module is executed, otherwise the script detection module is executed; if no connection cache flag exists, the module judges whether the sum of the current message length and the cached script content length exceeds the preset length threshold; if so, the recombination module is executed, otherwise the cache module is executed;
a recombination module 204, for clearing the connection cache flag, reassembling the script in the current message with the cached script content, and sending the result to the engine detection module for detection;
a script detection module 205, for scanning the message from the position processed so far for a script start marker; if one is found, scanning the message from the position processed so far for a script end marker; if one is found, extracting from the message the content from the script start marker to the script end marker and sending it to the engine detection module, otherwise caching the message content from the script start marker onward and returning to the data capture module; if no script start marker is found, ending detection of the current message;
an engine detection module 206, for detecting the cached script content; if a threat is found, it issues an alert; after the script engine detection, it executes the script detection module or ends detection of the current message;
In the described system, when scanning a message for the start marker or the end marker, an automaton is used to restore script start markers and script end markers that have been deformed.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. Since the system embodiment is substantially similar to the method embodiment, its description is relatively brief; for the relevant details, refer to the description of the method embodiment.
Although the present invention has been described by way of embodiments, those skilled in the art will appreciate that many variations and changes can be made to it without departing from the spirit of the invention, and it is intended that the appended claims cover such variations and changes.