CN108268774A - The determination method and device of query-attack - Google Patents
- Publication number: CN108268774A (application CN201710005255.0A)
- Authority: CN (China)
- Prior art keywords: request, attack, file, query, parameter
- Prior art date
- Legal status: Granted (the status listed by Google Patents is an assumption, not a legal conclusion; no legal analysis has been performed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
Abstract
The application provides a method and device for determining attack requests. The method is applied on a server and includes: receiving requests for different files in a website and redirecting the requests directed at different files to a script-based security detection program; analysing the parameters of each request with the security detection program, and judging from the analysis result whether the request is an attack request. The technical solution solves the prior-art problem that attack requests aimed at backdoor files cannot be identified effectively: every received request is identified automatically and intercepted when it is judged to be an attack request, without modifying the code of the files, so that attack requests are prevented from attacking the website.
Description
Technical field
This application relates to the field of network security, and in particular to a method and device for determining attack requests.
Background technology
In the prior art, a WAF (Web Application Firewall) protects a Web (website) application against the attack requests it receives and intercepts them; it is a firewall that inspects the HTTP (Hyper Text Transfer Protocol) requests and responses flowing through it against known attack characterization rules and blocks those that match.
A script-based WAF is written in the same scripting language as the Web application it protects, for example PHP (Hypertext Preprocessor) or ASP (Active Server Pages). The WAF script file is written into a global configuration file that most other files reference, so that native code is injected into the application to be protected and the filtering and interception of attack requests take place there. A backdoor file sent by an attacker, however, does not reference the global configuration file, so for a request aimed at the backdoor file the WAF can perform neither the identification based on the WAF script file nor the interception.
Invention content
The application provides a method and device for determining attack requests, to solve the prior-art problem that requests aimed at backdoor files cannot be identified and intercepted effectively.
According to a first aspect of the embodiments of the application, a method for determining attack requests is provided, applied on a server and including:
receiving requests for different files in a website, and redirecting the requests directed at different files to a script-based security detection program;
analysing the parameters of the request with the security detection program, and judging from the analysis result whether the request is an attack request.
According to a second aspect of the embodiments of the application, a server is provided, including:
a global request capture module, for capturing requests for different files in the website and redirecting the requests directed at different files to the script-based security detection program; when running in FastCGI mode, for scanning for the first configuration file in the directory of the file that the request addresses, loading the configuration items of the first configuration file, obtaining the specified script file in the path that the configuration item specifies, and introducing the specified script file at the head of the target file that the request addresses; when running in non-FastCGI mode, for redirecting the request to the specified script file;
an attack decision module, for analysing the parameters of the request with the security detection program, comparing the parameters of the request with preset parameters, and judging from the comparison result whether the request is an attack request.
According to a third aspect of the embodiments of the application, a device for determining attack requests is provided, applied on a server and including:
a redirection unit, for receiving requests for different files in the website and redirecting the requests directed at different files to the script-based security detection program;
a decision unit, for analysing the parameters of the request with the security detection program and judging from the analysis result whether the request is an attack request.
According to a fourth aspect of the embodiments of the application, a device for determining attack requests is provided; the device is a server and includes a processor and a memory for storing instructions executable by the processor, where the processor is configured to:
receive requests for different files in a website, and redirect the requests directed at different files to a script-based security detection program;
analyse the parameters of the request with the security detection program, and judge from the analysis result whether the request is an attack request.
According to a fifth aspect of the invention, a computer storage medium is provided, in which program instructions are stored, the instructions including:
receiving requests for different files in a website, and redirecting the requests directed at different files to a script-based security detection program;
analysing the parameters of the request with the security detection program, and judging from the analysis result whether the request is an attack request.
It can be seen from the above technical solution that in the embodiments of the application, when the server runs in FastCGI mode, the specified script file is introduced at the head of the target file addressed by the received request; when it runs in non-FastCGI mode, the redirection feature of a configuration file is used to redirect requests to the specified script file. In both cases all received requests, including requests aimed at backdoor files, are identified automatically without modifying the code of the files, so the scheme is non-invasive and prevents attack requests from attacking the website; moreover, it can be deployed and take effect under low privileges, so it is lightweight.
Description of the drawings
Fig. 1 is a schematic diagram of the scenario of the attack-request determination method of the application;
Fig. 2 is a flow chart of one embodiment of the attack-request determination method of the application;
Fig. 3 is a flow chart of another embodiment of the attack-request determination method of the application;
Fig. 4 is a block diagram of one embodiment of the server of the application;
Fig. 5 is a hardware structure diagram of the equipment hosting the attack-request determination device of the application;
Fig. 6 is a block diagram of one embodiment of the attack-request determination device of the application.
Specific embodiment
The terms used in this application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "an", "the" and "said" used in the application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in this application to describe various pieces of information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on context, the word "if" as used herein may be construed as "when", "upon" or "in response to determining".
In the prior art, a script-based application firewall needs a global file that most of the other files reference, and the WAF code is written into that global file to detect whether a received request is a malicious attack request. One drawback of this approach is that the code of the global file has to be edited by hand, which may lead to editing errors or make the global file unusable. Another drawback is that if there are orphan files that do not reference the global file, those orphan files have to be edited as well as the global file, which adds to the manual effort, and an orphan file that is not edited cannot be covered; a backdoor file uploaded by an attacker references no global file and can be neither identified nor edited, so the server cannot capture the requests sent to orphan files or backdoor files, and these requests can be neither judged nor intercepted.
The embodiments of this application propose a method and device for determining attack requests. When the server runs in FastCGI (Fast Common Gateway Interface) mode, the specified WAF script file is written into the received first request, so that the first request is identified and intercepted automatically; when the server runs in non-FastCGI mode, the redirection feature of a configuration file is used to redirect the received second request into the specified WAF script file, where it is identified and intercepted. No file code needs to be modified and all received second requests are identified, so all script files are protected. The embodiments can be applied on a server, which may be a single physical or logical server, or two or more physical or logical servers that share different responsibilities and cooperate to realize the functions of the server in the embodiments. The embodiments place no limit on the type of server, nor on the type, protocol and so on of the communication network between servers.
Referring to Fig. 1, a schematic diagram of the scenario of the attack-request determination method of the embodiments, Fig. 1 includes a first server, such as a Web server, which parses the HTTP protocol and handles the requests it receives; a request is a request for a file in the website sent by a user through a second server, such as a browser. There may be several second servers, and only three are shown in Fig. 1 as an illustration. The Web server receives the requests from the second servers at the script entry point, and the WAF script program on the Web server then judges and handles each request: if a received request is judged to be a malicious attack, the attack request is processed so that it does not reach the target file it addresses, and the target file is protected from the malicious attack. Specifically, when the Web server runs in FastCGI mode, a request judged to be an attack request receives the set processing, such as interception or being ignored, while a request judged not to be an attack request continues to execute in the target file it addresses. When the Web server runs in non-FastCGI mode, a request judged to be an attack request likewise receives the set processing, such as interception or being ignored, while a request judged not to be an attack request is sent to the target file it addresses, where execution continues.
The flow of the attack-request determination method applied in the first server is shown in Fig. 2 and includes the following steps:
Step 201: the server receives first requests for different files in the website and redirects the requests directed at different files to the script-based security detection program.
In the embodiments, the first server has to judge, for every request from a second server, whether it is a malicious attack request, so as to keep the network secure. The requests include requests submitted in various ways such as GET or POST, for example HTTP requests. The server receiving requests can also be understood as the server capturing all requests sent to the different files.
In the embodiments, the server may run in FastCGI mode (the first mode) or in non-FastCGI mode (the second mode). Since the first configuration file only takes effect when the server runs in FastCGI mode, and the second configuration file only takes effect when the server runs in non-FastCGI mode, the application discusses separately how received requests are identified in each mode. The embodiment shown in Fig. 2 mainly explains how a received first request is identified in the first mode.
In step 201, when running in FastCGI mode, the specified script file is introduced at the head of the target file addressed by the first request.
Specifically, step 201 can be accomplished as follows:
First, the server scans for the first configuration file in the directory of the target file addressed by the first request.
Then, having found the first configuration file, the server loads the configuration items in it and obtains the specified WAF script file in the path that the configuration item specifies.
Finally, the server introduces the specified WAF script file of the configuration item at the head of the target file addressed by the received first request.
In the embodiments, Web scripting languages such as PHP and ASP all support dynamically including another script file in a Web script file, that is, copying the code of the other script file to the current location and running it. Among the configuration files of PHP there is one that can be loaded dynamically, .user.ini, which is the first configuration file mentioned above. When the server runs in FastCGI mode it scans the directory of the script file currently being executed, that is, the directory of the target file addressed by the received first request (the current directory for short); the server scans the .user.ini configuration file in the current directory and loads its configuration items. The effect of the configuration item is to specify the path of a file that is included automatically, auto_append_file (a file included automatically at the head of a file). All script files in the current directory then automatically include the file specified in auto_append_file at their head before the server parses them, which writes the specified file into the first request. The specified file may be, for example, a WAF script file serving as the security detection program of the application; global request filtering and interception are realized in that WAF script file by the WAF script program.
Since the effect of the configuration item is to introduce the specified file at the head of a file, in the embodiments the specified WAF script file is introduced at the head of the target file addressed by the received first request, so that the first request enters the WAF script program, which executes the WAF script file to judge whether the request is an attack request.
Step 202: the parameters of the first request are analysed with the security detection program, and from the analysis result it is judged whether the first request is an attack request.
In step 202, the server extracts the parameters of the first request based on the specified WAF script file. The server parses, in the specified WAF script file, the URL of the file that the first request is directed at, and extracts the parameters, which may include: the requested file name, the source IP address, the submitted data (GET/POST/COOKIE data), the HTTP request headers, and so on.
The server then compares the extracted first parameters with the preset parameters.
The preset parameters can also be understood as preset rules. For example, a rule is hit when the file addressed by the first request is named aux.asp, shell.asp or shell.php; a rule is hit when the source IP address is a preset address, for instance the user may configure an IP blacklist; a rule is hit when the GET/POST/COOKIE data carry the request data of an SQL (Structured Query Language) injection; and a rule is hit when the HTTP request headers show that the request was submitted with the PUT or HEAD method. In this way it can be determined whether the first request is a malicious attack request. Malicious attack requests cover cases such as SQL injection vulnerabilities, file upload vulnerabilities, file inclusion vulnerabilities and XSS (Cross Site Scripting) vulnerabilities. By surveying the different vulnerability types, the corresponding request features can be sorted out and converted into rules, and the rules are preset in the server so that the server can identify the first request. When the comparison result shows that at least two parameters agree with the preset parameters, the first request is determined to be an attack request.
Since every first request is initiated for a file and is passed into the requested file, a malicious attack request aimed at a backdoor file would be passed into the backdoor file and run. A backdoor file is a static file in itself and produces no attack effect on its own; only when triggered by a malicious attack request does it run and produce an attack effect, such as obtaining the information the attacker wants. In the embodiments the malicious attack request receives the set processing, such as interception, being ignored or tracing the attack path, so that the malicious attack request is not passed into the backdoor file, the backdoor file does not run, and no attack effect is produced.
In the embodiments, the determined malicious attack request is intercepted, the first request is prevented from executing the original program, an attack alert is output to warn that an attack is under way, and the information about the attack is recorded.
After step 202, if the first request is judged not to be an attack request, then when running in FastCGI mode the first request continues to execute in the target file.
In essence, when the WAF script program is invoked through .user.ini, the WAF code is introduced and executed at the current location, the head of the target file, so once the specified WAF script file has finished, the subsequent code executes automatically.
With the attack-request determination method of the embodiments, when the server runs in FastCGI mode, the configuration item auto_append_file of the .user.ini configuration file introduces the specified WAF script file at the head of the target file addressed by the first request, so the firewall code runs before the first request executes the original code: a request determined to be a malicious attack request is filtered and intercepted, does not enter the subsequent program, and the attack is avoided. In the prior art a backdoor file does not reference the global file, so requests aimed at backdoor files cannot be detected; in contrast, the present invention introduces the specified WAF script file at the head of the target file addressed by the first request, so any request can be detected and attack requests handled. Even if the target file addressed by the first request is an orphan file or a backdoor file, the specified WAF script file is still introduced at the head of that orphan or backdoor file and the above processing is performed, so no request for orphan or backdoor files is missed and the security of the network is effectively guaranteed. On the other hand, a prior-art application firewall has to be installed with administrator privileges, its implementation is complex and its flexibility poor, whereas the method of the application only needs write permission for files in the Web directory; it is therefore easy to deploy, can be deployed and take effect under low privileges, and is lightweight. And because neither the original code nor the Web server needs to be modified or restarted, it is non-invasive.
In one embodiment, the server receives a first request and passes it to the target file it addresses, index.php. When index.php is about to execute, the .user.ini configuration file in the current directory is retrieved automatically, the configuration items in it are loaded, and the code of the specified WAF script file is introduced at the head of the target file index.php; the code of the specified WAF script file is then executed in order. The specified WAF script file finds that the username parameter of the first request contains an attack signature (a preset parameter), so a rule is hit, the first request is judged to be an attack request, execution of the original code of index.php is stopped, and an interception message is returned to the visitor. If the specified WAF script file checks the parameters of the first request and finds no preset parameter, the original code of the target file index.php starts executing.
The flow of another embodiment of the attack-request determination method applied in the first server is shown in Fig. 3 and includes the following steps:
Step 301: the server receives second requests for different files and redirects the second requests directed at different files to the script-based security detection program.
In the embodiments, the first server has to judge, for every request from a second server, whether it is a malicious attack request, so as to keep the network secure. The requests include requests submitted in various ways such as GET or POST, for example HTTP requests. The server receiving requests can also be understood as the server capturing all requests sent to the different files.
Step 302: when running in non-FastCGI mode, the parameters of the second request are analysed with the security detection program, and from the analysis result it is judged whether the second request is an attack request.
In the embodiments, when the server runs in non-FastCGI mode it scans for the second configuration file in the root directory.
Among the configuration files of Apache there is one named .htaccess, which is the second configuration file; placed in the Web root directory, it can rewrite the URL of any request and redirect a specified request into another script file. Using this feature, the server can redirect, through the .htaccess configuration file, every second request it is about to execute into the above-mentioned specified WAF script file, that is, the specified WAF script file of the embodiment shown in Fig. 2, for handling, in order to judge whether the second request is a malicious attack request.
The server then obtains the configuration information of the second configuration file and redirects the second request into the specified WAF script file based on that configuration information.
In the embodiments, the second requests sent to active files, that is, requests that contain parameters entered by the user, are redirected into the WAF script program; in this case the data in the second request include the requested file name and the parameters of the request.
The configuration information of the .htaccess configuration file has many functions, including pass-through, redirection, modification and forwarding, but the embodiments use only its redirection function.
When the second request is judged not to be an attack request, the Web request is sent to the target file it addresses, where execution continues.
In the embodiments of the disclosure, when the .htaccess configuration file is used to redirect the second request, the second request has already been redirected to the WAF script, so when the received second request is judged not to be an attack request it has to be passed back after the WAF script has processed it, sent to the target file, and returned to the original application to continue executing the subsequent code.
With the attack-request determination method of the embodiments, when the server runs in non-FastCGI mode, the redirection function of the configuration information in the .htaccess configuration file redirects the second request into the specified Web script file, so the firewall code runs before the second request executes the original code: a second request determined to be a malicious attack request is filtered and intercepted, does not enter the subsequent program, and the attack is avoided. In the prior art a backdoor file does not reference the global file, so second requests aimed at backdoor files cannot be detected; in contrast, the present invention can detect any second request and handle attack requests. Even if the target file addressed by the second request is an orphan file or a backdoor file, the request is still redirected to the specified script file for the above processing, so second requests are detected and identified accurately and comprehensively, no second request for a backdoor file is missed, and the security of the network is effectively guaranteed. On the other hand, a prior-art application firewall has to be installed with administrator privileges, its implementation is complex and its flexibility poor, whereas the method of the application can be deployed and take effect under low privileges and is lightweight; and because neither the original code nor the Web server needs to be modified or restarted, it is non-invasive.
In one embodiment, when the server receives a second request, the parameters of the second request are redirected to the specified WAF script file, for example waf.php, and the code of the specified WAF script file is executed to judge whether the parameters of the second request contain the predefined parameters. When the specified WAF script file identifies an attack signature in the username parameter, the second request has hit a rule: the server stops redirecting the second request back to the target file it addresses, index.php, and returns an interception message to the attacker. If the specified WAF script file checks the parameters of the second request and finds no attack signature, the second request is redirected back to the target file it addresses, index.php, and the code in the target file index.php starts executing.
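The two deployment modes (the .user.ini item of step 201 and the .htaccess redirect of step 302) together with the rule comparison of step 202, as one added illustration that is not the patent's own code. The description names the configuration item auto_append_file; the PHP directive that includes a file at the head of the requested script, the behaviour step 201 describes, is auto_prepend_file, which the comments below use (auto_append_file includes a file at the end). The rule set, the log path, the blacklist entry and the __target query name are constructed for this example.

```php
<?php
// waf.php: added illustration of the scheme described above, not the patent's
// own code.  Rule set, log path, blacklist entry and the "__target" query
// name are constructed for the example.
//
// Mode 1 (FastCGI): a ".user.ini" next to the protected scripts containing
//     auto_prepend_file=/var/www/waf.php
//   makes PHP run this file at the head of every script in that directory;
//   a clean request simply falls through to the requested script.
// Mode 2 (non-FastCGI, Apache): a ".htaccess" in the Web root containing
//     RewriteEngine On
//     RewriteCond %{REQUEST_URI} !^/waf\.php$
//     RewriteRule ^(.*\.php)$ /waf.php?__target=$1 [QSA,L]
//   routes every .php request here, and this file includes the original
//   target once the request has been judged clean.
declare(strict_types=1);

const WAF_LOG       = '/var/log/waf_hits.log';               // assumed path
const BLOCKED_NAMES = ['aux.asp', 'shell.asp', 'shell.php']; // named in the description
const IP_BLACKLIST  = ['203.0.113.7'];                       // constructed sample entry

// Collect the parameters the description lists: requested file name, source IP,
// submitted GET/POST/COOKIE data and the request method from the headers.
function collect_parameters(array $server, array $get, array $post, array $cookie): array
{
    $target = $get['__target'] ?? ($server['SCRIPT_NAME'] ?? '');
    $path   = parse_url($target, PHP_URL_PATH);
    return [
        'filename' => basename(is_string($path) ? $path : ''),
        'ip'       => $server['REMOTE_ADDR'] ?? '',
        'method'   => strtoupper($server['REQUEST_METHOD'] ?? 'GET'),
        'data'     => array_merge($get, $post, $cookie),
    ];
}

// Compare the parameters with the preset rules; returns the rules that were hit.
function matched_rules(array $p): array
{
    $hits = [];
    if (in_array(strtolower($p['filename']), BLOCKED_NAMES, true)) {
        $hits[] = 'filename';
    }
    if (in_array($p['ip'], IP_BLACKLIST, true)) {
        $hits[] = 'source_ip';
    }
    // Minimal SQL-injection signature applied to every submitted value.
    $sqli = '/(\bunion\s+select\b|\bor\s+\d+\s*=\s*\d+|\bsleep\s*\(|--\s|\/\*)/i';
    foreach ($p['data'] as $key => $value) {
        if ($key !== '__target' && is_string($value) && preg_match($sqli, $value)) {
            $hits[] = 'sql_injection';
            break;
        }
    }
    if (in_array($p['method'], ['PUT', 'HEAD'], true)) {
        $hits[] = 'method';
    }
    return $hits;
}

// Decision rule of the description: an attack request once at least two
// parameters agree with the preset rules.
function is_attack_request(array $p): bool
{
    return count(matched_rules($p)) >= 2;
}

// Set processing: record the attack, return the interception message and stop
// the original program from running.
function intercept(array $p, array $hits): void
{
    @file_put_contents(WAF_LOG, sprintf("%s ip=%s method=%s file=%s rules=%s\n",
        date('c'), $p['ip'], $p['method'], $p['filename'], implode(',', $hits)), FILE_APPEND);
    http_response_code(403);
    header('Content-Type: text/plain');
    echo "Request intercepted\n";
    exit;
}

// Resolve the rewritten target to a .php file under the document root before
// including it, so the redirect itself cannot be used to pull in other paths.
function resolve_target(string $target, string $docroot): ?string
{
    $root = realpath($docroot);
    $real = realpath($docroot . '/' . ltrim($target, '/'));
    if ($root === false || $real === false || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return substr($real, -4) === '.php' ? $real : null;
}

$params = collect_parameters($_SERVER, $_GET, $_POST, $_COOKIE);
if (is_attack_request($params)) {
    intercept($params, matched_rules($params));
}

if (isset($_GET['__target'])) {   // mode 2: hand the clean request back to its target
    $file = resolve_target((string) $_GET['__target'], $_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
    if ($file === null || $file === realpath(__FILE__)) {
        http_response_code(404);
        exit;
    }
    unset($_GET['__target'], $_REQUEST['__target']);
    require $file;
}
// mode 1: nothing more to do, PHP now executes the requested script itself
```

In mode 2 the included target sees $_SERVER['SCRIPT_NAME'] as /waf.php, so scripts that build links from it need that value adjusted before the require.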
Referring to Fig. 4, a module diagram of the server of the embodiments, Fig. 4 includes a global request capture module 11, an attack decision module 12 and an execution module 13.
The global request capture module 11 captures requests for different files in the website and redirects the requests directed at different files to the script-based security detection program.
Specifically, when running in FastCGI mode, the global request capture module 11 scans for the first configuration file in the directory of the file addressed by the request, loads the configuration items in the first configuration file, obtains the specified script file in the path that the configuration item specifies, and introduces the specified script file at the head of the target file addressed by the request. When running in non-FastCGI mode, it redirects the request to the specified script file.
The attack decision module 12 analyses the parameters of the request with the security detection program, compares the parameters of the request with the preset parameters, and judges from the comparison result whether the request is an attack request.
In one embodiment the server may further include an execution module 13, which, when the attack decision module 12 judges the request to be an attack request, applies the set processing to the attack request; the set processing includes one or more of interception, tracing the attack path and ignoring.
Corresponding to the embodiments of the attack-request determination method of the application, the application also provides embodiments of an attack-request determination device and of equipment.
The embodiments of the attack-request determination device of the application can be applied on a server. The device embodiments can be implemented in software, or in hardware, or in a combination of software and hardware. Taking software implementation as an example, a device in the logical sense is formed by the processor of the equipment hosting it reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 5 shows a hardware structure diagram of the equipment hosting the attack-request determination device of the application; apart from the processor 510, memory 520, network interface 530 and non-volatile memory 550 shown in Fig. 5, the equipment hosting the device 550 in the embodiments may also include other hardware depending on its actual function, which is not shown in Fig. 5 one by one.
Referring to Fig. 6, which is a block diagram of an embodiment of the attack request determination apparatus of the present application, the apparatus may be applied on a server and includes a redirection unit 610 and a determination unit 620.
The redirection unit 610 is configured to receive requests for different files in the website and to redirect the requests pointing at the different files to a script-based security detection program.
The determination unit 620 is configured to analyze the parameters of the request on the basis of the security detection program and to determine, from the analysis result, whether the request is an attack request.
In an optional implementation, the redirection unit 610 may include (not shown in Fig. 6):
a first processing sub-unit, configured to introduce a specified script file at the head of the target file requested by the request when running in a first mode.
In an optional implementation, the first processing sub-unit may include (not shown in Fig. 6):
a first scanning module, configured to scan a first configuration file in the directory containing the file requested by the request;
an acquisition module, configured to load the configuration items of the first configuration file and to obtain the specified script file from the path designated by the configuration item;
an introduction module, configured to introduce the specified script file at the head of the target file requested by the request.
In another optional implementation, the apparatus may further include (not shown in Fig. 6):
a first execution unit, configured, when running in the first mode and the request is not an attack request, to continue executing the request in the target file requested by the request.
In an optional implementation, the redirection unit 610 may include (not shown in Fig. 6):
a second processing sub-unit, configured to redirect the request to a specified script file when running in a second mode.
In another optional implementation, the second processing sub-unit includes (not shown in Fig. 6):
a second scanning module, configured to scan a second configuration file in the root directory;
a redirection module, configured to redirect the request to the specified script file on the basis of the configuration information of the second configuration file.
In another optional implementation, the apparatus may further include (not shown in Fig. 6):
a second execution unit, configured, when running in the second mode and the request is not an attack request, to send the request on to the requested target file for continued execution.
In another optional implementation, the determination unit 620 may include (not shown in Fig. 6):
an extraction sub-unit, configured to extract the parameters of the request under the security detection program based on the specified script file;
a comparison sub-unit, configured to compare the extracted parameters with the preset parameters;
a determination sub-unit, configured to determine that the request is an attack request when the comparison result shows that at least two parameters agree with the preset parameters.
In another optional implementation, the extracted parameters include one or more of: the file name of the request, the source Internet Protocol (IP) address, the submitted data, and the HTTP request headers.
In another optional implementation, the apparatus may further include (not shown in Fig. 6):
a processing unit, configured, when the request is determined to be an attack request, to perform configured processing on the attack request, the configured processing including one or more of interception, tracing the attack path, and ignoring.
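The decision logic of the determination unit and the processing unit above, written out as an added example (not code from the patent): the four parameter kinds the description names are extracted from a request, each is compared against a preset table, the request is judged an attack when at least two kinds agree, and the configured processing (intercept, trace the attack path, ignore) is applied. The patent does not say how a parameter is matched against a preset value, so the membership tests, the field names, the preset table and the sample requests are constructed assumptions.

```python
"""Attack-request decision: extract parameters, compare with a preset table,
judge an attack when at least two parameter kinds agree, then process it.
Added example; field layout, preset table and samples are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Request:
    filename: str       # file the request points at, relative to the site root
    source_ip: str      # source IP address of the request
    data: dict          # submitted data (query string or form body)
    headers: dict       # HTTP request headers, lower-cased names


@dataclass
class Preset:
    """Preset parameters the detection script compares against (assumed layout)."""
    filenames: set = field(default_factory=set)    # known backdoor file names
    source_ips: set = field(default_factory=set)   # known attacking addresses
    data_keys: set = field(default_factory=set)    # parameter names backdoors accept
    headers: dict = field(default_factory=dict)    # header name -> expected value


def extract(req: Request) -> dict:
    """Step 1: pull the four parameter kinds named by the method out of the request."""
    return {"filename": req.filename, "source_ip": req.source_ip,
            "data": req.data, "headers": req.headers}


def compare(params: dict, preset: Preset) -> list:
    """Step 2: return the names of the parameter kinds that agree with the preset table."""
    matched = []
    if params["filename"] in preset.filenames:
        matched.append("filename")
    if params["source_ip"] in preset.source_ips:
        matched.append("source_ip")
    if preset.data_keys & set(params["data"]):
        matched.append("data")
    if any(params["headers"].get(name) == value
           for name, value in preset.headers.items()):
        matched.append("headers")
    return matched


def is_attack(req: Request, preset: Preset, threshold: int = 2) -> bool:
    """Step 3: an attack request is one where at least `threshold` kinds match."""
    return len(compare(extract(req), preset)) >= threshold


def process(req: Request, preset: Preset, actions=("intercept",), trail=None) -> dict:
    """Configured processing: 'intercept' answers 403, 'track' appends the source
    and target to an attack trail, 'ignore' lets the request proceed unchanged.
    Returns a result record instead of touching a real server."""
    trail = [] if trail is None else trail
    result = {"status": 200, "intercepted": False, "trail": trail}
    if not is_attack(req, preset):
        return result
    if "track" in actions:
        trail.append((req.source_ip, req.filename))
    if "intercept" in actions:
        result["status"] = 403
        result["intercepted"] = True
    # 'ignore' adds nothing: the attack is noted but the request goes through
    return result


# Constructed preset table and sample requests (assumptions, not from the patent).
PRESET = Preset(filenames={"cache/.tmp.php"},
                source_ips={"198.51.100.9"},
                data_keys={"eval", "cmd"},
                headers={"x-backdoor": "1"})

SAMPLES = [
    # file name and submitted data both match: two kinds agree, attack
    Request("cache/.tmp.php", "203.0.113.5", {"cmd": "id"}, {"user-agent": "curl/8"}),
    # only the file name matches: one kind, not judged an attack
    Request("cache/.tmp.php", "203.0.113.5", {"page": "1"}, {"user-agent": "curl/8"}),
    # ordinary request, nothing matches
    Request("index.php", "192.0.2.10", {"page": "1"}, {"user-agent": "Mozilla/5.0"}),
]


def decide_all() -> list:
    """Decision for every sample request, in order."""
    return [is_attack(r, PRESET) for r in SAMPLES]


if __name__ == "__main__":
    trail = []
    for r in SAMPLES:
        print(r.filename, compare(extract(r), PRESET),
              process(r, PRESET, ("intercept", "track"), trail))
    print("attack trail:", trail)
```

The two-kind threshold is what keeps an incidental single match (a legitimate request to a file name that happens to be on the list) from being blocked, but it also means the second sample, which hits a listed backdoor file name without any other signal, is let through; whoever deploys this chooses the preset table with that trade-off in mind.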
For the specific way in which the functions and effects of each unit of the above apparatus are realized, refer to the implementation of the corresponding steps in the above method; the details are not repeated here.
Since the apparatus embodiments essentially correspond to the method embodiments, the relevant parts may be understood by reference to the description of the method embodiments. The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over several network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present application. Those of ordinary skill in the art can understand and implement this without creative effort.
As can be seen from the above embodiments, when the server runs in fastcgi mode the specified script file is introduced at the head of the target file requested by each received request, and when it runs in non-fastcgi mode the request is redirected to the specified script file by means of the redirection feature of a configuration file. In this way every received web request is examined automatically and is intercepted when it is determined to be an attack request, without modifying the code of the files, so that attack requests are prevented from attacking the website.
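The two hooking modes summarised above, simulated as an added example (not code from the patent): in the first (fastcgi) mode a configuration file in the requested file's own directory names the script to prepend, and in the second (non-fastcgi) mode a configuration file at the site root redirects every request to the script, which forwards clean requests to the target. In a PHP deployment the first mode corresponds to a per-directory `.user.ini` setting `auto_prepend_file`, which the CGI/FastCGI SAPI honours, and the second to an `.htaccess` rewrite rule, but the patent names no runtime; the configuration file names and keys, the in-memory site tree, the "executed" list standing in for real execution, and the stand-in detector are all assumptions.

```python
"""Two modes of placing the detection script in front of every requested file.
Added example; config file names, keys, site tree and detector are assumptions."""
import posixpath

# Assumed names of the first and second configuration files.
DIR_CONFIG = ".user.ini"     # first mode: looked up in the target file's directory
ROOT_CONFIG = ".htaccess"    # second mode: looked up at the site root

# Constructed site tree: path -> file content (no real filesystem is touched).
SITE = {
    "/index.php": "<index>",
    "/upload/.user.ini": "detect_script = /guard/detect.php\n",
    "/upload/a.php": "<a>",
    "/.htaccess": "redirect_to = /guard/detect.php\n",
    "/guard/detect.php": "<detector>",
}


def load_config(text: str) -> dict:
    """Parse 'key = value' lines; blank lines, comments and malformed lines are skipped."""
    items = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        items[key.strip()] = value.strip()
    return items


def scan_config(directory: str, name: str, site: dict):
    """Return the parsed configuration file `name` under `directory`, or None."""
    text = site.get(posixpath.join(directory, name))
    return None if text is None else load_config(text)


def first_mode(path: str, request: dict, detector, site: dict = SITE) -> dict:
    """fastcgi mode: prepend the script named by the configuration file found in
    the requested file's directory; the target's code only runs if the request passes."""
    cfg = scan_config(posixpath.dirname(path), DIR_CONFIG, site)
    if cfg is None or "detect_script" not in cfg:
        # no configuration file in this directory: the target runs unguarded
        return {"executed": [path], "intercepted": False, "guarded": False}
    script = cfg["detect_script"]
    if detector(request):
        # the prepended script ends the request before the target file runs
        return {"executed": [script], "intercepted": True, "guarded": True}
    # the same execution continues into the requested target file
    return {"executed": [script, path], "intercepted": False, "guarded": True}


def second_mode(path: str, request: dict, detector, site: dict = SITE) -> dict:
    """non-fastcgi mode: the root configuration file redirects every request to
    the script, which forwards a clean request to the originally requested file."""
    cfg = scan_config("/", ROOT_CONFIG, site)
    if cfg is None or "redirect_to" not in cfg:
        return {"executed": [path], "intercepted": False, "guarded": False}
    script = cfg["redirect_to"]
    if detector(request):
        return {"executed": [script], "intercepted": True, "guarded": True}
    return {"executed": [script, path], "intercepted": False, "guarded": True}


def demo_detector(request: dict) -> bool:
    """Stand-in for the detection script's decision (assumed): flag any request
    that submits a 'cmd' parameter."""
    return "cmd" in request.get("data", {})


if __name__ == "__main__":
    for path in ("/upload/a.php", "/index.php"):
        for req in ({"data": {"cmd": "id"}}, {"data": {}}):
            print(path, req,
                  "first:", first_mode(path, req, demo_detector),
                  "second:", second_mode(path, req, demo_detector))
```

The simulation makes one difference between the modes visible: looked up per directory, as the description has it, the first configuration file guards only directories that carry it, so `/index.php` runs unguarded while `/upload/a.php` is checked, whereas the root configuration file of the second mode covers every path. Runtimes that also search parent directories for the per-directory file (PHP's `.user.ini` handling walks up to the document root) close that gap; a deployment relying on the per-directory lookup alone has to place the file in every directory an attacker could drop a backdoor into.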
Other embodiments of the present application will readily occur to those skilled in the art after considering the specification and practising the invention disclosed herein. The present application is intended to cover any variations, uses or adaptations of the present application that follow its general principles and include common knowledge or customary technical means in the art not disclosed by the present application. The specification and embodiments are to be regarded as illustrative only, and the true scope and spirit of the present application are indicated by the following claims.
It should be understood that the present application is not limited to the precise structure described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present application is limited only by the appended claims.
Claims (24)
1. A method for determining an attack request, applied on a server, characterized in that it comprises: receiving requests for different files in a website, and redirecting the requests pointing at the different files to a script-based security detection program; analyzing the parameters of the request on the basis of the security detection program, and determining, from the analysis result, whether the request is an attack request.
2. The method according to claim 1, characterized in that redirecting the requests pointing at the different files to the script-based security detection program comprises: when running in a first mode, introducing a specified script file at the head of the target file requested by the request.
3. The method according to claim 2, characterized in that introducing the specified script file at the head of the target file requested by the request comprises: scanning a first configuration file in the directory containing the file requested by the request; loading the configuration items of the first configuration file, and obtaining the specified script file from the path designated by the configuration item; introducing the specified script file at the head of the target file requested by the request.
4. The method according to claim 2, characterized in that, after determining from the analysis result whether the request is an attack request, the method further comprises: if the request is not an attack request, when running in the first mode, continuing to execute the request in the target file requested by the request.
5. The method according to claim 1, characterized in that redirecting the requests pointing at the different files to the script-based security detection program comprises: when running in a second mode, redirecting the request to a specified script file.
6. The method according to claim 5, characterized in that redirecting the request to the specified script file comprises: scanning a second configuration file in the root directory; redirecting the request to the specified script file on the basis of the configuration information of the second configuration file.
7. The method according to claim 5, characterized in that, after determining from the analysis result whether the request is an attack request, the method further comprises: if the request is not an attack request, when running in the second mode, sending the request on to the requested target file for continued execution.
8. The method according to claim 1, characterized in that analyzing the parameters of the request on the basis of the security detection program and determining from the analysis result whether the request is an attack request comprises: extracting the parameters of the request under the security detection program based on the specified script file; comparing the extracted parameters with preset parameters; when the comparison result shows that at least two parameters agree with the preset parameters, determining that the request is an attack request.
9. The method according to claim 8, characterized in that the extracted parameters comprise one or more of: the file name of the request, the source Internet Protocol (IP) address, the submitted data, and the Hypertext Transfer Protocol (HTTP) request headers.
10. The method according to any one of claims 1-9, characterized in that, after determining from the analysis result whether the request is an attack request, the method further comprises: when the request is determined to be an attack request, performing configured processing on the attack request, the configured processing comprising one or more of interception, tracing the attack path, and ignoring.
11. A server, characterized in that it comprises:
a global request capture module, configured to capture requests for different files in a website and to redirect the requests pointing at the different files to a script-based security detection program; when running in fastcgi mode, to scan a first configuration file in the directory containing the file requested by the request, to load the configuration items of the first configuration file, to obtain the specified script file from the path designated by the configuration item, and to introduce the specified script file at the head of the target file requested by the request; and when running in non-fastcgi mode, to redirect the request to the specified script file;
an attack determination module, configured to analyze the parameters of the request on the basis of the security detection program, to compare the parameters of the request with preset parameters, and to determine from the comparison result whether the request is an attack request.
12. The server according to claim 11, characterized in that the server further comprises: an execution module, configured to perform configured processing on the attack request when the attack determination module determines that the request is an attack request, the configured processing comprising one or more of interception, tracing the attack path, and ignoring.
13. An attack request determination apparatus, applied on a server, characterized in that it comprises:
a redirection unit, configured to receive requests for different files in a website and to redirect the requests pointing at the different files to a script-based security detection program;
a determination unit, configured to analyze the parameters of the request on the basis of the security detection program and to determine, from the analysis result, whether the request is an attack request.
14. The apparatus according to claim 13, characterized in that the redirection unit comprises: a first processing sub-unit, configured to introduce a specified script file at the head of the target file requested by the request when running in a first mode.
15. The apparatus according to claim 12, characterized in that the first processing sub-unit comprises: a first scanning module, configured to scan a first configuration file in the directory containing the file requested by the request; an acquisition module, configured to load the configuration items of the first configuration file and to obtain the specified script file from the path designated by the configuration item; an introduction module, configured to introduce the specified script file at the head of the target file requested by the request.
16. The apparatus according to claim 14, characterized in that the apparatus further comprises: a first execution unit, configured, when running in the first mode and the request is not an attack request, to continue executing the request in the target file requested by the request.
17. The apparatus according to claim 13, characterized in that the redirection unit comprises: a second processing sub-unit, configured to redirect the request to a specified script file when running in a second mode.
18. The apparatus according to claim 17, characterized in that the second processing sub-unit comprises: a second scanning module, configured to scan a second configuration file in the root directory; a redirection module, configured to redirect the request to the specified script file on the basis of the configuration information of the second configuration file.
19. The apparatus according to claim 17, characterized in that the apparatus further comprises: a second execution unit, configured, when running in the second mode and the request is not an attack request, to send the request on to the requested target file for continued execution.
20. The apparatus according to claim 13, characterized in that the determination unit comprises: an extraction sub-unit, configured to extract the parameters of the request under the security detection program based on the specified script file; a comparison sub-unit, configured to compare the extracted parameters with preset parameters; a determination sub-unit, configured to determine that the request is an attack request when the comparison result shows that at least two parameters agree with the preset parameters.
21. The apparatus according to claim 20, characterized in that the extracted parameters comprise one or more of: the file name of the request, the source Internet Protocol (IP) address, the submitted data, and the Hypertext Transfer Protocol (HTTP) request headers.
22. The apparatus according to any one of claims 12-21, characterized in that the apparatus further comprises: a processing unit, configured, when the request is determined to be an attack request, to perform configured processing on the attack request, the configured processing comprising one or more of interception, tracing the attack path, and ignoring.
23. An attack request determination device, characterized in that the device is a server and comprises: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to: receive requests for different files in a website, and redirect the requests pointing at the different files to a script-based security detection program; analyze the parameters of the request on the basis of the security detection program, and determine, from the analysis result, whether the request is an attack request.
24. A computer storage medium storing program instructions, characterized in that the instructions comprise: receiving requests for different files in a website, and redirecting the requests pointing at the different files to a script-based security detection program; analyzing the parameters of the request on the basis of the security detection program, and determining, from the analysis result, whether the request is an attack request.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710005255.0A CN108268774B (en) | 2017-01-04 | 2017-01-04 | Method and device for judging attack request |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108268774A (en) | 2018-07-10 |
CN108268774B CN108268774B (en) | 2021-07-23 |
Family
ID=62770707
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710005255.0A Active CN108268774B (en) | 2017-01-04 | 2017-01-04 | Method and device for judging attack request |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108268774B (en) |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101789947A (en) * | 2010-02-21 | 2010-07-28 | 成都市华为赛门铁克科技有限公司 | Method and firewall for preventing HTTP POST flooding attacks |
CN102316087A (en) * | 2010-07-05 | 2012-01-11 | 潘塔安全***公司 | The detection method that network application is attacked |
US9443012B2 (en) * | 2012-01-31 | 2016-09-13 | Ncr Corporation | Method of determining http process information |
CN103916389A (en) * | 2014-03-19 | 2014-07-09 | 汉柏科技有限公司 | Method for preventing HttpFlood attack and firewall |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111428237A (en) * | 2020-03-06 | 2020-07-17 | 支付宝(杭州)信息技术有限公司 | Attack risk identification method, system and device and electronic equipment |
CN111428237B (en) * | 2020-03-06 | 2022-08-12 | 支付宝(杭州)信息技术有限公司 | Attack risk identification method, system and device and electronic equipment |
CN113329032A (en) * | 2021-06-23 | 2021-08-31 | 深信服科技股份有限公司 | Attack detection method, device, equipment and medium |
CN113329032B (en) * | 2021-06-23 | 2023-02-03 | 深信服科技股份有限公司 | Attack detection method, device, equipment and medium |
CN113626106A (en) * | 2021-08-19 | 2021-11-09 | 吉林亿联银行股份有限公司 | Method and system for realizing data interception |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||