CN113282932B - POC (Proof of Concept) generation method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN113282932B
Authority: CN (China)
Prior art keywords: rule, poc, content, file, data set
Legal status: Active
Application number: CN202110827842.4A
Other languages: Chinese (zh)
Other versions: CN113282932A (en)
Inventors: 汪屹文, 范渊, 吴卓群, 王欣
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Legal events: application filed by DBAPPSecurity Co Ltd; priority to CN202110827842.4A; publication of CN113282932A; application granted; publication of CN113282932B; legal status active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Abstract

The application discloses a POC generation method and device, an electronic device and a storage medium. The method comprises the following steps: when a POC generation request is received, reading a rule file and extracting the rule content from the rule file according to a feature field, where the rule file belongs to an open source IDS system; parsing keywords in the rule content according to the rule grammar of the rule file to generate a feature data set; and POC-formatting the feature data set to generate the POC. The method converts the rules of an existing rule file directly into POCs used to detect vulnerabilities, which provides another way of generating POCs, generates them automatically, effectively reduces labor cost and improves the efficiency of vulnerability coverage by security products. It avoids the defects of the related art, in which features must be analyzed and extracted manually and the POC script written by hand by security researchers, which is inefficient and prolongs the time a security product needs to cover a vulnerability.

Description

POC (Proof of Concept) generation method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security detection technologies, and in particular, to a POC generation method, apparatus, electronic device, and computer-readable storage medium.
Background
Security products such as WAFs (Web Application Firewalls), IDSs and vulnerability scanners need to detect vulnerabilities, and for this they require a vulnerability-related POC (Proof of Concept: a test for detecting whether a vulnerability exists). At present the POC of a vulnerability is usually obtained by building an environment and capturing data packets, extracting features through manual analysis and writing the POC by hand by security researchers, so the efficiency is low; when a certain number of vulnerabilities accumulate, POC writing cannot be completed quickly and in time, and the time a security product needs to cover a vulnerability is prolonged.
Disclosure of Invention
The application aims to provide a POC generation method, a POC generation device, an electronic device and a computer readable storage medium, so as to realize another way of generating POCs, generate POCs automatically, effectively reduce labor cost and improve the efficiency of vulnerability coverage by a security product. The specific scheme is as follows:
In a first aspect, the present application discloses a POC generation method, including:
when a POC generation request is received, reading a rule file and extracting the rule content from the rule file according to a feature field; wherein the rule file belongs to the files within an open source IDS system;
parsing keywords in the rule content according to the rule grammar of the rule file to generate a feature data set;
and POC-formatting the feature data set to generate the POC.
Optionally, the extracting the rule content from the rule file according to the feature field includes:
when the rule file belongs to a Snort open source system or a Suricata open source system, reading the line content of the rule file and selecting as target content the lines that begin with alert and carry classtype and sid fields, with alert, classtype and sid taken as the feature fields;
and taking the target content as the rule content.
Optionally, the parsing keywords in the rule content according to the rule grammar of the rule file to generate a feature data set includes:
determining the rule content of the target vulnerability type from the rule content according to the rule protocol field corresponding to the rule grammar of the rule file;
determining the port on which the vulnerability of the target vulnerability type is located according to the rule content of the target vulnerability type;
and extracting keywords from the rule content of the target vulnerability type by regular matching according to the port and the protocol type in the rule protocol field, to generate the feature data set.
Optionally, the extracting keywords from the rule content of the target vulnerability type by regular matching according to the port and the protocol type in the rule protocol field to generate the feature data set includes:
when the target vulnerability type is a web vulnerability, extracting the vulnerability name, request method, request path and request parameters from the rule content of the target vulnerability type by regular matching according to the port on which the web vulnerability is located and the protocol type in the rule protocol field, to obtain the feature data set.
Optionally, after generating the feature data set, the method further includes:
converting the feature data set into JSON format to generate a feature JSON file;
correspondingly, the POC-formatting the feature data set to generate the POC includes:
POC-formatting the feature JSON file to generate the POC.
Optionally, the POC-formatting the feature data set to generate the POC includes:
obtaining a pre-created POC template and filling the feature data of the feature data set into the POC template to generate the POC.
In a second aspect, the present application discloses a POC generating apparatus, comprising:
a reading module for reading a rule file when a POC generation request is received and extracting the rule content from the rule file according to a feature field; wherein the rule file belongs to the files within an open source IDS system;
a parsing module for parsing the keywords in the rule content according to the rule grammar of the rule file to generate a feature data set;
and a generating module for POC-formatting the feature data set to generate the POC.
Optionally, the reading module is configured to:
when the rule file belongs to a Snort open source system or a Suricata open source system, read the line content of the rule file and select as target content the lines that begin with alert and carry classtype and sid fields, with alert, classtype and sid taken as the feature fields;
and take the target content as the rule content.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the above POC generation method when executing the computer program.
In a fourth aspect, the present application discloses a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the POC generation method described above.
The application provides a POC generation method comprising the following steps: when a POC generation request is received, reading a rule file and extracting the rule content from the rule file according to a feature field; wherein the rule file belongs to the files within an open source IDS system; parsing keywords in the rule content according to the rule grammar of the rule file to generate a feature data set; and POC-formatting the feature data set to generate the POC.
It can be seen that the present application generates the POC by extracting the rule content from the rule file, parsing the keywords in the rule content and POC-formatting the result, which differs from the related art in which POCs are written from manually analyzed and extracted features. The rules of an existing rule file are converted directly into POCs for vulnerability detection; because the rule file belongs to an open source IDS system and is updated periodically, this provides another way of generating POCs and improves the efficiency with which POCs are formed. No manual analysis or feature extraction and no hand-written POC scripts by security researchers are needed: the POC is generated merely by reading the rule file, parsing the rule content and performing POC formatting. This avoids the defect of the related art, where hand-scripted POCs based on manually analyzed and extracted features are inefficient and prolong the time a security product needs to cover a vulnerability; the method and device can thus generate POCs automatically, effectively reduce labor cost and improve the efficiency of vulnerability coverage by the security product. The application also provides a POC generating device, an electronic device and a computer readable storage medium, which have the same beneficial effects and are not repeated here.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flowchart of a POC generation method according to an embodiment of the present application;
FIG. 2 is a block diagram of a system architecture according to an embodiment of the present application;
FIG. 3 is a schematic workflow diagram of an embodiment provided by the present application;
FIG. 4 is a schematic structural diagram of a POC generation apparatus according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
At present, when the POC of a vulnerability is obtained, limited by the availability of vulnerability information, analysis efficiency and other factors, the features are often analyzed and extracted manually and the POC is then scripted by hand by security researchers, so efficiency is low.
Based on the above technical problem, this embodiment provides a POC generating method which can generate POCs automatically, effectively reduce labor cost and improve the efficiency of vulnerability coverage by security products. Refer to FIG. 1, a flowchart of the POC generating method provided in this embodiment of the present application, which specifically includes:
S101, when a POC generation request is received, reading a rule file and extracting the rule content from the rule file according to a feature field; wherein the rule file belongs to the files within an open source IDS system.
The trigger for the POC generation request is not limited in this embodiment; it may be, for example, a user entering the storage path of the IDS rules and the suffix of the rule files (the rule file suffixes of different security vendors differ, such as rules and rule), or something else. The rule file in this embodiment is a file in an open source IDS system; this embodiment does not limit which open source IDS system is used, which may be the Snort open source system, the Suricata open source system or another open source system. An Intrusion Detection System (IDS) is a network security device that monitors network traffic in real time and raises an alert or takes proactive action when suspicious traffic is found. Snort and Suricata are open source IDS systems; many communities supported by Snort maintain their own rule sets, update them periodically and let users download them, and the rule grammar is simple, which lowers the entry barrier for users. Suricata can use the same rules as Snort, with a largely consistent rule syntax in which only a small number of fields differ, and it also has its own rule set. Snort and Suricata rules cover detection of the ten most severe vulnerability classes of OWASP (Open Web Application Security Project), and the rule files are updated weekly, including the latest outbreaks of vulnerabilities.
This embodiment reads the rule file of the open source IDS system and extracts the rule content from it according to the feature field. The specific content of the feature field is not limited by this embodiment; it depends on which open source IDS system the rule file comes from, that is, the feature fields of rule files from different open source IDS systems differ. For example, in the Snort and Suricata open source systems a rule typically begins with the alert keyword and carries a classtype to indicate the vulnerability type of the rule and a sid field to indicate the rule number. In this specific embodiment, extracting the rule content from the rule file according to the feature field may include:
when the rule file belongs to a Snort open source system or a Suricata open source system, reading the line content of the rule file and selecting as target content the lines that begin with alert and carry classtype and sid fields, with alert, classtype and sid taken as the feature fields;
and taking the target content as the rule content.
That is, in this embodiment, when the rule file belongs to a Snort open source system or a Suricata open source system, the feature fields are alert, classtype and sid; specifically, the lines that begin with alert and whose content carries the classtype and sid fields are selected as the target content, which determines the rule content.
S102, parsing the keywords in the rule content according to the rule grammar of the rule file to generate a feature data set.
It will be appreciated that different open source IDS systems have different rule grammars, so the keywords in the rule content need to be parsed according to the rule grammar corresponding to the rule file of that open source IDS system. It is further understood that the key information, i.e. the keywords, of rules differs between vulnerability types; for example, web vulnerability rules are divided into the http protocol and the tcp protocol, and for the http protocol there are the keywords http, http_uri (request path), http_request_body (request parameter) and so on. All keywords obtained by parsing form the feature data set, i.e. the feature data set comprises the keywords parsed from the rule content.
This embodiment does not limit the specific process of parsing the keywords in the rule content to generate the feature data set. In a specific embodiment, parsing the keywords in the rule content according to the rule grammar of the rule file to generate the feature data set may include:
determining the rule content of the target vulnerability type from the rule content according to the rule protocol field corresponding to the rule grammar of the rule file;
determining the port on which the vulnerability of the target vulnerability type is located according to the rule content of the target vulnerability type;
and extracting keywords from the rule content of the target vulnerability type by regular matching according to the port and the protocol type in the rule protocol field, to generate the feature data set.
It can be understood that a rule file may contain more than one rule protocol; for example, the rule file for web vulnerabilities contains the http rule protocol and the tcp (transmission control protocol) rule protocol. It is therefore necessary to determine the rule content of the vulnerability type to be detected and generated, i.e. the target vulnerability type, so that rule content of non-target vulnerability types can be skipped during parsing, which effectively improves parsing efficiency. For example, if the target vulnerability type to be parsed is a web vulnerability using the http rule protocol, an http rule protocol field such as http_uri or http_request_body usually follows the content field. The rule protocol field of a typical binary vulnerability, or of other vulnerabilities on unconventional ports, is generally tcp or udp, and no http keyword follows the content field, so that rule content can be skipped during parsing.
After the rule content of the target vulnerability type is determined, it is further parsed to determine the port on which the vulnerability of the target vulnerability type is located. It can be understood that in this embodiment the port is determined from the specific rule content and the corresponding rule syntax. Taking the rule content of a web vulnerability as an example, the rule header alert http any any -> any any means: capture traffic of the http rule protocol from any source address and source port to any destination address and destination port; the fourth any refers to any source port, and the default value of any is generally 80 or 8080 (which may be set in the configuration file), so the port on which the vulnerability occurs can be obtained from this position.
Keywords are then extracted from the rule content by regular matching according to the port and the protocol type, to generate the feature data set. For example, the protocol type, the vulnerability name (msg), http_uri, http_client_body and so on are matched with regular expressions, e.g.:
[The rule is shown as an image in the original (DEST_PATH_IMAGE001) and is not reproduced here; the options discussed below are taken from it.]
In particular, for the option msg:"ATTACK [PTsecurity] Arbitrary PHP RCE in Drupal 8 <8.5.11,8.6.10 (CVE-2019-6340)", the msg field gives the name of the vulnerability to be obtained. In the sequence content:"GET"; http_method; content:"hal_json"; http_uri; content:"link"; http_client_body; the content preceding the http_method keyword is the HTTP request method, here a GET request; the content preceding the http_uri keyword is the request path, showing that the path accessed to trigger the vulnerability contains the keyword hal_json; and the content preceding the http_client_body keyword is the request parameter, which contains the keyword link. In pcre:"/\x22options\x22\s:\s\x22O:\d+:/P", the pcre field is a regular expression, and the trailing /P modifier specifies that the match is located in the HTTP request body.
In this specific embodiment, extracting keywords from the rule content of the target vulnerability type by regular matching according to the port and the protocol type in the rule protocol field to generate the feature data set may include:
when the target vulnerability type is a web vulnerability, extracting the vulnerability name, request method, request path and request parameters from the rule content of the target vulnerability type by regular matching according to the port on which the web vulnerability is located and the protocol type in the rule protocol field, to obtain the feature data set.
That is, in this embodiment, taking the web vulnerability type as an example, according to the port on which the web vulnerability is located (by default 80 or 8080) and the protocol type, i.e. http or tcp, the vulnerability name, request method, request path and request parameters are extracted from the rule content by regular matching, because these are the important information of a web vulnerability, and together they form the feature data set.
In a specific embodiment, so that each feature datum is presented clearly and intuitively and is easy for developers to develop and maintain, after generating the feature data set the method may further include:
converting the feature data set into JSON format to generate a feature JSON file.
A JSON file is clear and intuitive to read and convenient for developers to develop and maintain; therefore, in this embodiment, the generated feature data set is converted into JSON format to obtain a JSON file.
Accordingly, POC-formatting the feature data set to generate the POC may include:
POC-formatting the feature JSON file to generate the POC.
That is, the feature data set is converted into a file in JSON (JavaScript Object Notation) format, and the feature JSON file is POC-formatted to generate the POC.
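As an added example (not code from the patent or from DBAPPSecurity), the following Python script implements steps S101 and S102 and the JSON conversion described above for a constructed sample rule file: it keeps only lines beginning with alert that carry classtype and sid, parses the rule header for protocol and destination port (assuming 80 where the port is any), assigns each content to the buffer named by the Snort modifier that follows it, and keeps only web rules whose flow contains to_server. It goes slightly beyond the text by also accepting Suricata's sticky-buffer spelling (http.method, http.uri), where the buffer keyword precedes its contents. The sample rules, field names and the default port are assumptions made for this example.

```python
import json
import re

# Constructed sample rule file in Snort/Suricata syntax, written for this example
# (not taken from any real rule set). It mixes a comment, a commented-out rule,
# a non-web tcp rule, an indented line and a line without a sid, so that the
# filtering step has something to reject.
SAMPLE_RULE_FILE = """\
# constructed sample rules
alert http any any -> any any (msg:"EXAMPLE Arbitrary File Read in Demo App"; flow:to_server,established; content:"GET"; http_method; content:"/demo/download"; http_uri; content:"../"; http_uri; classtype:web-application-attack; sid:9000001; rev:1;)
  alert tcp any any -> any 445 (msg:"EXAMPLE SMB overflow attempt"; flow:to_server,established; content:"|ff|SMB"; classtype:attempted-admin; sid:9000002; rev:1;)
# alert http any any -> any any (msg:"EXAMPLE disabled rule"; classtype:web-application-attack; sid:9000003;)
alert http any any -> any 8080 (msg:"EXAMPLE Command Injection in Demo App"; flow:to_server,established; content:"POST"; http_method; content:"/demo/api/run"; http_uri; content:"cmd="; http_client_body; pcre:"/cmd=[^&]*[;|`]/P"; classtype:web-application-attack; sid:9000004; rev:2;)
alert http any any -> any any (msg:"EXAMPLE Suricata sticky-buffer form"; flow:to_server; http.method; content:"GET"; http.uri; content:"/demo/ping"; classtype:web-application-attack; sid:9000005; rev:1;)
alert http any any -> any any (msg:"EXAMPLE no sid, rejected by the filter";)
"""

# Rule header: action protocol src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^alert\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?:->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)
# One rule option: keyword, optional ':' value. A quoted value may contain ';'.
OPTION_RE = re.compile(r'(?P<key>[\w.]+)\s*(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

# Snort-style content modifiers: the keyword follows the content it modifies.
MODIFIERS = {"http_method", "http_uri", "http_raw_uri", "http_client_body", "http_header"}
# Suricata-style sticky buffers: the keyword precedes the contents it applies to.
STICKY = {"http.method": "http_method", "http.uri": "http_uri",
          "http.request_body": "http_client_body", "http.header": "http_header"}


def extract_rule_lines(rule_file_text):
    """Step S101: keep only lines that start with 'alert' and carry classtype and sid."""
    rules = []
    for line in rule_file_text.splitlines():
        line = line.strip()  # remove blank characters on both sides
        if line.startswith("alert") and "classtype:" in line and "sid:" in line:
            rules.append(line)
    return rules


def _unquote(value):
    if value is not None and len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def parse_rule(rule_line, default_port=80):
    """Step S102: turn one rule line into a feature record. default_port stands in
    for a destination port of 'any' (assumption: 80; the text says 80 or 8080)."""
    m = HEADER_RE.match(rule_line)
    if m is None:
        raise ValueError("unparsable rule header: " + rule_line[:60])
    feats = {
        "protocol": m["proto"],
        "port": int(m["dport"]) if m["dport"].isdigit() else default_port,
        "vuln_name": None, "request_method": None, "request_path": [],
        "request_params": [], "other_content": [], "pcre": None,
        "flow": None, "classtype": None, "sid": None,
    }
    contents = []  # [buffer, value] pairs; buffer is None until assigned
    sticky = None
    for opt in OPTION_RE.finditer(m["body"]):
        key, val = opt["key"], _unquote(opt["val"])
        if key == "content":
            contents.append([sticky, val])
        elif key in MODIFIERS and contents:
            contents[-1][0] = key      # modifier applies to the preceding content
        elif key in STICKY:
            sticky = STICKY[key]       # sticky buffer applies to following contents
        elif key == "msg":
            feats["vuln_name"] = val
        elif key in ("pcre", "flow", "classtype"):
            feats[key] = val
        elif key == "sid":
            feats["sid"] = int(val)
    for buf, val in contents:
        if buf == "http_method":
            feats["request_method"] = val
        elif buf == "http_uri":
            feats["request_path"].append(val)
        elif buf == "http_client_body":
            feats["request_params"].append(val)
        else:
            feats["other_content"].append(val)
    return feats


def is_web_rule(feats):
    """Target type 'web': http protocol (or tcp with http keywords), direction to_server."""
    http_like = (feats["protocol"] == "http" or feats["request_method"] is not None
                 or feats["request_path"] or feats["request_params"])
    return bool(http_like) and "to_server" in (feats["flow"] or "")


def build_feature_set(rule_file_text):
    """S101 + S102: feature data set for all web rules in the file."""
    return [f for f in map(parse_rule, extract_rule_lines(rule_file_text)) if is_web_rule(f)]


def feature_json(rule_file_text):
    """The feature data set as a JSON document, the form kept for development and maintenance."""
    return json.dumps(build_feature_set(rule_file_text), indent=2)


if __name__ == "__main__":
    print(feature_json(SAMPLE_RULE_FILE))
```

Running the script prints three records: the tcp SMB rule is dropped because it has neither the http protocol nor any http keyword, and the commented-out and sid-less lines never pass the S101 filter. The parser deliberately keeps request_path as a list, since a rule may carry several http_uri contents that together describe the triggering path.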
S103, POC-formatting the feature data set to generate the POC.
This embodiment does not limit the specific way of POC-formatting the feature data set to generate the POC. In this particular embodiment, POC-formatting the feature data set to generate the POC may include:
obtaining a pre-created POC template and filling the feature data of the feature data set into the POC template to generate the POC.
In this embodiment, the POC is generated by obtaining a POC template created in advance and formatting the feature data of the feature data set into the POC template. Taking a Python script as an example: because http_method is POST, the POC sends its request with the requests library; the request path is the target address plus the value of http_uri; the POST parameter is page=log; the pcre regular expression is parsed, and the matched content is obtained as the key parameter, which contains a vertical bar, a semicolon and a backtick, so the vulnerability is related to command injection.
Based on the above technical scheme, this embodiment extracts the rule content from the rule file, parses the keywords in the rule content and performs POC formatting to generate the POC, which differs from the related art in which POCs are written from manually extracted features.
A specific embodiment of a POC generation system is provided below. In the related art, existing vulnerability information is generally converted into IDS rules; here, conversely, IDS rules are converted back into vulnerability information, which can then be used to address insufficient vulnerability coverage of security products. The system comprises three modules: an IDS rule extraction module, a vulnerability feature extraction module and a POC generation module. FIG. 2 is the system architecture diagram of this specific embodiment, and the functions of the modules are distributed as follows:
1. The IDS rule extraction module identifies rules in IDS rule files such as those of Snort and Suricata, removes unnecessary items such as comments, and extracts the rules and stores them in a database or under a unified path.
2. The vulnerability feature extraction module extracts important features such as the vulnerability name, request method, request path and request parameters from the extracted rules according to the Suricata and Snort rule grammars, and forms the feature data set.
3. The POC generation module formats the assembled data set and fits it into the POC generation template.
FIG. 3 is a schematic diagram of the workflow of this specific embodiment; the main workflow is as follows:
1. Start.
2. Receive the IDS rule storage path and the rule file suffix entered by the user (the rule file suffixes of security vendors differ, such as rules and rule).
3. Read the rule files according to the suffix, reading the content line by line and stripping the blank characters on both sides; when a line begins with the alert keyword and contains classtype and sid, judge it to be a rule and store it.
4. Read the rules obtained in step 3 and, according to the Suricata and Snort rule grammars, extract the keywords of the rule protocol, rule name, flow field, content fields and modified content fields; if the rule protocol is HTTP and the value of the flow field contains to_server, reassemble the rule name, content fields and modified content fields into a set. In this embodiment, for Snort and Suricata rules, the syntax of the two is similar and fairly simple. Besides the rules, a rule file contains comments and descriptions, so these interfering items must be removed. In Snort and Suricata a rule typically begins with alert and usually carries a classtype and a sid indicating the vulnerability type and rule number; the line content is read, the blank characters on both sides are removed, and it is determined whether the line begins with alert and has classtype and sid fields.
5. Apply the POC template to the feature data set obtained in step 4 and format it to generate the POC.
Take OpenRepeater 2.2 unauthorized remote code execution (CVE-2019-25024) as an example. The rule is as follows:
[The rule is shown as an image in the original (DEST_PATH_IMAGE002) and is not reproduced here.]
The vulnerability name in the template is the msg information of the rule; the request method is POST, corresponding to http_method; the vulnerability path is /functions/ajax_system.php, corresponding to the http_uri keyword; the POST request parameter is post_service, corresponding to the http_client_body keyword; and since the conventional POC method for an RCE (remote code execution) vulnerability is dnslog detection, the payload used here is a ping to a generated dnslog address.
The acquired information set is {"vulnerability name": "OpenRepeater 2.2 unauthorized remote code execution", "request method": "POST", "vulnerability path": "/functions/ajax_system.php", "request parameter": "post_service"}, and the template can be filled either by regular replacement, such as re.sub("vulnerability name", data_set["vulnerability name"], POC_template), or by a format string, POC_template.format(data_set["vulnerability name"]), to obtain the final POC.
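As an added example covering the template step S103 and the worked example above (not the patent's own code; the "Demo App" feature record and the POC template are constructed for illustration and describe no real product or CVE), the following Python shows both filling approaches the text mentions, str.format and re.sub, together with two checks a practitioner would want before trusting a generated POC: every placeholder of the template must be backed by a non-None feature, since a rule without an http_client_body content yields no request parameter, and a pcre value containing backslashes must be inserted through a function replacement, because re.sub parses backslash escapes in a plain replacement string and rejects sequences such as \d.

```python
import re
from string import Formatter

# Constructed feature record for a hypothetical "Demo App" (not a real product
# or CVE), in the shape the rule-parsing step produces for one rule.
FEATURE_SET = {
    "vuln_name": "Demo App 1.0 command injection (constructed example)",
    "request_method": "POST",
    "request_path": "/demo/api/run",
    "request_param": "cmd",
    "pcre": r"/cmd=[^&]*[;|`]\d*/P",
}

# Pre-created POC template, stored as script text. Braces that must survive into
# the generated script (the dict literal) are doubled, otherwise str.format_map()
# would read them as placeholders.
POC_TEMPLATE = '''\
#!/usr/bin/env python3
# POC for: {vuln_name}
# IDS rule pattern this POC was derived from: {pcre}
# Generated automatically; the vulnerability-specific verification step is left
# for a security researcher to refine.
import sys
import requests

def check(target):
    url = target.rstrip("/") + "{request_path}"
    data = {{"{request_param}": "poc-marker"}}
    resp = requests.request("{request_method}", url, data=data, timeout=10)
    return resp.status_code

if __name__ == "__main__":
    print(check(sys.argv[1]))
'''


def placeholders(template):
    """Names of the {placeholders} the template expects; doubled braces are literal text."""
    return {name for _, name, _, _ in Formatter().parse(template) if name}


def missing_features(template, features):
    """Placeholders the feature set cannot fill. A rule without an http_client_body
    content, for instance, leaves request_param as None and must not render as 'None'."""
    return sorted(n for n in placeholders(template) if features.get(n) is None)


def render_format(template, features):
    """Fill the template with str.format_map(), refusing to render with gaps."""
    gaps = missing_features(template, features)
    if gaps:
        raise ValueError("feature set lacks: " + ", ".join(gaps))
    return template.format_map(features)


def render_resub_safe(template, name, value):
    """Fill one placeholder with re.sub(). The replacement is a function, so a value
    containing backslashes (a pcre pattern with \\d) is inserted literally."""
    return re.sub(re.escape("{" + name + "}"), lambda _m: value, template)


def naive_resub_fails(template, name, value):
    """True if re.sub() with the value as a plain replacement string rejects it:
    re.sub interprets backslash escapes in the replacement, and '\\d' is not one."""
    try:
        re.sub(re.escape("{" + name + "}"), value, template)
        return False
    except re.error:
        return True


if __name__ == "__main__":
    print(render_format(POC_TEMPLATE, FEATURE_SET))
```

The generated script only assembles the request described by the rule and reports the HTTP status; what response would confirm the vulnerability is exactly the part the text leaves for security staff to refine, so the template marks it rather than guessing.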
Based on the above technical scheme, this embodiment provides a new way of obtaining vulnerability information, so that security products can better cover some vulnerabilities. POCs are formed automatically, which can effectively reduce labor cost; security staff can also further perfect and refine these POCs on this basis, avoiding the large amount of time otherwise spent forming the POC in the first place.
Referring to FIG. 4, FIG. 4 is a schematic structural diagram of a POC generating apparatus provided in an embodiment of the present application. The POC generating apparatus described below and the POC generating method described above correspond to each other and may be referred to in correspondence. The apparatus includes:
In some specific embodiments, the apparatus specifically includes:
a reading module 401, configured to read the rule file when a POC generation request is received and extract the rule content from the rule file according to the feature field; wherein the rule file belongs to the files within an open source IDS system;
a parsing module 402, configured to parse the keywords in the rule content according to the rule syntax of the rule file to generate a feature data set;
a generating module 403, configured to POC-format the feature data set to generate the POC.
In some specific embodiments, the reading module 401 includes:
a reading unit for reading the line content of the rule file when the rule file belongs to a Snort open source system or a Suricata open source system, selecting as target content the lines that begin with alert and carry classtype and sid fields, and taking alert, classtype and sid as the feature fields;
and a rule content unit for taking the target content as the rule content.
In some specific embodiments, the parsing module 402 includes:
the first determining unit is used for determining the rule content of the target vulnerability type from the rule content according to the rule protocol field corresponding to the rule grammar of the rule file;
the second determining unit is used for determining a port where the target vulnerability type vulnerability is located according to the rule content of the target vulnerability type;
and the extraction unit is used for extracting keywords in the rule content of the target vulnerability type by using regular matching according to the port and the protocol type in the rule protocol field, to generate the feature data set.
In some specific embodiments, the extraction unit includes:
and the extraction subunit is used for, when the target vulnerability type is a web vulnerability, extracting the vulnerability name, request mode, request path and request parameter from the rule content of the target vulnerability type by using regular matching according to the port where the web vulnerability is located and the protocol type in the rule protocol field, to obtain the feature data set.
In some specific embodiments, the apparatus further comprises:
a conversion module, used for converting the feature data set into json format to generate a feature json file;
accordingly, the generating module 403 includes:
a generating unit, used for performing POC formatting on the feature json file to generate the POC.
In some specific embodiments, the generating module 403 includes:
and the obtaining unit is used for obtaining the pre-created POC template, filling the feature data in the feature data set into the POC template and generating the POC.
Since the embodiment of the POC generation apparatus part and the embodiment of the POC generation method part correspond to each other, please refer to the description of the embodiment of the POC generation method part for the embodiment of the POC generation apparatus part, which is not repeated here.
In the following, an electronic device provided in an embodiment of the present application is introduced, and the electronic device described below and the POC generation method described above may be referred to correspondingly.
The application also discloses an electronic device, including:
a memory for storing a computer program;
a processor for implementing the steps of the above POC generation method when executing a computer program.
Since the embodiment of the electronic device portion and the embodiment of the POC generation method portion correspond to each other, please refer to the description of the embodiment of the POC generation method portion for the embodiment of the electronic device portion, and details are not repeated here.
A computer-readable storage medium provided in an embodiment of the present application is described below, and the computer-readable storage medium described below and the POC generation method described above may be referred to correspondingly.
The present application also discloses a computer readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the above POC generation method.
Since the embodiment of the computer-readable storage medium portion corresponds to the embodiment of the POC generation method portion, please refer to the description of the embodiment of the POC generation method portion for the embodiment of the computer-readable storage medium portion, which is not repeated here.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
A POC generation method, apparatus, electronic device and computer-readable storage medium provided by the present application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.

Claims (7)

1. A POC generation method, comprising:
when a POC generation request is received, reading a rule file, and extracting rule content in the rule file according to a feature field; wherein the rule file is a file within an open source IDS system;
analyzing keywords in the rule content according to the rule grammar of the rule file to generate a feature data set;
performing POC formatting on the feature data set to generate the POC; wherein:
the extracting the rule content in the rule file according to the characteristic field comprises the following steps:
when the rule file belongs to a file in a Snort open source system or a Suricata open source system, reading line content in the rule file, selecting target content which begins with alert and whose line content has a classtype field and a sid field, and taking the alert, the classtype and the sid as the feature fields;
taking the target content as the rule content;
the analyzing the keywords in the rule content according to the rule grammar of the rule file to generate the feature data set comprises the following steps:
determining the rule content of the target vulnerability type from the rule content according to the rule protocol field corresponding to the rule grammar of the rule file;
determining a port where the vulnerability of the target vulnerability type is located according to the rule content of the target vulnerability type;
and extracting keywords in the rule content of the target vulnerability type by using regular matching according to the port and the protocol type in the rule protocol field to generate the feature data set.
2. The POC generation method according to claim 1, wherein the extracting, according to the port and the protocol type in the rule protocol field, the keyword in the rule content of the target vulnerability type by using regular matching to generate the feature data set includes:
when the target vulnerability type is a web vulnerability, extracting vulnerability names, request modes, request paths and request parameters in the rule content of the target vulnerability type by using the regular matching according to the port where the web vulnerability is located and the protocol type in the rule protocol field to obtain the feature data set.
3. The POC generation method according to claim 1, further comprising, after said generating the set of feature data:
converting the characteristic data set into a json format to generate a characteristic json file;
correspondingly, the performing POC formatting on the feature data set to generate the POC comprises:
performing POC formatting on the feature json file to generate the POC.
4. The POC generation method according to claim 1, wherein said performing POC formatting on the feature data set to generate the POC comprises:
and acquiring a pre-created POC template, filling the feature data in the feature data set into the POC template, and generating the POC.
5. A POC generation apparatus, comprising:
a reading module, used for reading the rule file and extracting the rule content in the rule file according to the feature field when a POC generation request is received; wherein the rule file is a file within an open source IDS system;
the analysis module is used for analyzing the keywords in the rule content according to the rule grammar of the rule file to generate a characteristic data set;
a generating module, configured to perform POC formatting on the feature data set to generate the POC; wherein:
the reading module comprises:
when the rule file belongs to a file in a Snort open source system or a Suricata open source system, reading line content in the rule file, selecting target content which begins with alert and whose line content has a classtype field and a sid field, and taking the alert, the classtype and the sid as the feature fields;
taking the target content as the rule content;
the analyzing the keywords in the rule content according to the rule grammar of the rule file to generate the feature data set comprises the following steps:
determining the rule content of the target vulnerability type from the rule content according to the rule protocol field corresponding to the rule grammar of the rule file;
determining a port where the vulnerability of the target vulnerability type is located according to the rule content of the target vulnerability type;
and extracting keywords in the rule content of the target vulnerability type by using regular matching according to the port and the protocol type in the rule protocol field to generate the feature data set.
6. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the POC generation method as claimed in any one of claims 1 to 4 when executing the computer program.
7. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the POC generation method as set forth in any one of claims 1 to 4.
CN202110827842.4A 2021-07-22 2021-07-22 POC (Point of sale) generation method and device, electronic equipment and storage medium Active CN113282932B (en)


Publications (2)

Publication Number Publication Date
CN113282932A CN113282932A (en) 2021-08-20
CN113282932B true CN113282932B (en) 2021-10-08

Family

ID=77286931


Country Status (1)

Country Link
CN (1) CN113282932B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116170243B (en) * 2023-04-26 2023-07-25 北京安博通科技股份有限公司 POC (point-of-care) -based rule file generation method and device, electronic equipment and medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106778280A (en) * 2016-11-02 2017-05-31 北京知道未来信息技术有限公司 A kind of long-range leak PoC write methods of filled type and leak detection method
CN111694746A (en) * 2020-06-15 2020-09-22 荆门汇易佳信息科技有限公司 Flash defect fuzzy evaluation tool for compilation type language AS3
CN112202763B (en) * 2020-09-28 2022-04-22 杭州安恒信息技术股份有限公司 IDS strategy generation method, device, equipment and medium
CN112398809B (en) * 2020-09-29 2023-03-24 曙光网络科技有限公司 Protocol rule conversion method, device, computer equipment and storage medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant