Firewall equipment regular matching method and device and computer readable storage medium

Abstract

The invention discloses a firewall equipment regular matching method and device and a computer readable storage medium, belongs to the technical field of firewall equipment auditing and safety protection, and solves the problems of more protocol configurations and poor regular matching ductility when a protocol segment uses regularities in the prior art. The firewall equipment regular matching method comprises the following steps: determining a regular expression containing a protocol position modifier, and configuring the regular expression to a firewall engine; determining a protocol segmentof the regular expression, and setting a protocol segment matching flag bit of the regular expression; and after the firewall receives the network message, extracing a corresponding protocol segmentin the network message, matching the protocol segment corresponding to the network message with the protocol segment of the regular expression to obtain a matching result, and determining whether to perform corresponding action processing and log sending according to the matching result. According to the method provided by the invention, the protocol configuration when the protocol segment uses the regularization is reduced, and the ductility of the regular matching is improved.

Description

technical field [0001] The invention relates to the technical field of firewall equipment auditing and security protection, in particular to a firewall equipment regular matching method, device and computer-readable storage medium. Background technique [0002] At present, the common auditing function and security protection function software implemented in the firewall equipment of various manufacturers basically use regular matching for the bottom matching. This is because regular matching can complete the work faster than string matching, and also In terms of capturing strings, such as intercepting the domain name of the url or other content, etc., regularization can also complete the work very well. [0003] However, at present, manufacturers use regular expressions in fixed fields, that is, only when a certain protocol field is configured under a policy or rule to use regular expressions. After the rules are loaded, regular expressions can be matched during the engine m...

AI Technical Summary

Problems solved by technology

[0003] However, at present, manufacturers use regular expressions in fixed fields, that is, only when a certain protocol field is configured under a policy or rule to use regular expressions. After the rules are loaded, regular expressions can be matched during the engine matching process. This method has disadvantages. , which protocol segment you want to use regularization needs to increase the configuration of the corresponding protocol. If there are too many fields, the configuration will be too many

[0004] Since most of the existing schemes add policies or rule configurations according to the protocol field to determine whether to perform regular matching and how to perform matching, these schemes will cause a lot of configurations, the device restart configuration recovery time will be long, and the flexibility is poor. If you want to use regular To match whether there is an "abc" field in the request body of the HTTP protocol POST method and the corresponding response body, two configurations need to be added. If you need to check whether a certain string exists in more fields, you need to add more Configuration is not very convenient for users, and the scalability of regular matching is poor. According to the current implementation plan, if only the rule matching of the HTTP protocol is considered in the early stage of development, the front end and the firewall background only develop the matching process related to the HTTP protocol. If it is necessary to develop the DNS protocol, it is necessary to re-invest in human resources to develop and test the front-end and back-end

Images