CN104243228A - Method for detecting HTTP tunnel data based on conversation and HTTP protocol standard - Google Patents
Publication date: Wed Dec 24 2014
Publication number: CN104243228A (application CN201310248911.1A)
Authority: CN (China)
Prior art keywords: http, data, conversation, session, http protocol
Prior art date: 2013-06-07
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classification: Computer And Data Communications (AREA)
Abstract
The invention belongs to the technical field of computer networks and provides a method for detecting HTTP tunnel data based on sessions and the HTTP protocol standard. The system captures data packets on the HTTP port and maintains a session linked list keyed by IP address and port. When a packet arrives at the detection system, the system first examines and maintains the session list: a record is added if none exists, and the record is deleted when an RST packet or a FIN packet is seen. Second, the system examines the packet content and judges whether the session follows the standard HTTP protocol, that is, whether the client sends a command such as GET or POST and the server answers with a response such as HTTP/1.0 or HTTP/1.1. If it does, the session is marked as HTTP protocol data; if not, it is marked as HTTP tunnel data. By means of the method, HTTP tunnel data can be recognized and given differentiated service, or data that is not HTTP protocol data can be prevented from passing through the HTTP port.
Description
Technical field
The invention belongs to the technical field of computer networks and is a method for distinguishing standard HTTP data from HTTP tunnel data.
Background technology
With the development of Internet technology, controlling how intranet users access the Internet has become a focus of network management. Traditional network management distinguishes network services by port and controls external access by opening or closing particular ports. Web browsing, as the most basic Internet service, usually has to be open to users; it uses the HTTP protocol, whose default port is TCP 80. Because the HTTP port is generally open, all kinds of software have adopted HTTP tunneling techniques to connect to the outside. HTTP data and HTTP tunnel data use the same port, so tunnel data cannot be controlled simply by closing the port, or users would no longer be able to browse the web. Traditional port-based control therefore cannot cope with HTTP tunnel penetration, and unauthorized external access seriously threatens the security of the internal network.
Summary of the invention
The object of the invention is to propose a method for distinguishing standard HTTP data from HTTP tunnel data. With the invention, HTTP tunnel data can be identified and given differentiated service, or non-HTTP data can be stopped from passing through the HTTP port.
For convenience of description, the basic terms and notation used in the invention are first defined:
1. SrcIP, SrcPort, DstIP, DstPort: the source IP, source port, destination IP and destination port respectively.
2. Session: all the information exchanged during a connection between client and server.
3. Session connection table (Session Table): a data table holding multiple sessions, usually implemented as a hash table.
Principle of HTTP tunnel data detection:
Standard HTTP follows RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1) and RFC 1945 (Hypertext Transfer Protocol -- HTTP/1.0).
According to these RFCs:
1. When an HTTP client initiates a request to an HTTP server, it sends a request command such as "GET", "HEAD", "POST", "PUT", "DELETE" or "CONNECT". "GET", "HEAD" and "POST" are the most common HTTP commands; the others are used less often or are used with proxy servers. The HTTP standard specifies that the request command is located at the start of the first line of the data the client sends to the server.
For example:
GET /index.html HTTP/1.1
Host: www.example.com
Connection: keep-alive
Accept: text/html
...
2. After the HTTP server receives the client's request command, it returns a response message such as "HTTP/1.1 200 OK" or "HTTP/1.0 404 Not Found". The HTTP standard specifies that the response message is located at the start of the first line of the data the server sends to the client.
For example:
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8
Connection: keep-alive
...
HTTP tunnel data, by contrast, uses a proprietary protocol that does not follow the HTTP standard. The data the client sends to the server does not begin with a request command such as "GET", "HEAD" or "POST", and the data the server returns to the client does not begin with a status response such as "HTTP/1.1 200 OK" or "HTTP/1.0 404 Not Found".
Based on these differences, the request command at the very start of the client side of a session and the response message at the very start of the server side can be inspected to judge whether the session is an HTTP protocol session or an HTTP tunnel session.
Description of the drawings
Fig. 1 is the network deployment diagram of the system of the invention
Fig. 2 is the flow chart of session connection table maintenance in the system of the invention
Fig. 3 is the flow chart of client data inspection in the system of the invention
Fig. 4 is the flow chart of server data inspection in the system of the invention
Embodiment
The invention is described in further detail below with reference to the drawings.
Network deployment:
See Fig. 1. The system of the invention is usually deployed at the egress gateway where the local area network (LAN) connects to the Internet, and captures packets of a designated port from the network. This port is generally TCP 80; other ports can be specified or added if required.
Maintenance of the session connection table:
See Fig. 2. The system captures packets of the designated port from the network, extracts SrcIP, DstIP, SrcPort, DstPort and related information from each packet, and compares them with the existing entries of the session connection table. If no record of this session exists in the table, the new session information is added to the table. If a record does exist, the session's last activity time is updated. When a connection-ending packet (TCP RST, TCP FIN) is received, or the session times out, the session information is deleted from the table.
Session protocol detection method:
The detection criterion is whether the session data conforms to the HTTP protocol: if it does, the session is judged to be an HTTP protocol session, otherwise an HTTP tunnel session. An efficient detection approach is chosen here: the first 4 bytes of the session data are inspected to determine whether the data is HTTP. This does not mean that the invention is limited to this as its only detection method.
1. Client data detection
See Fig. 3. The system collects the session data sent by the client to the server and first performs packet reassembly operations such as ordering. It then extracts the first 4 bytes of the client data content, converts all 4 bytes to upper case, and matches them against request commands such as "GET", "HEAD" and "POST". (The "GET" command is only 3 bytes, but the HTTP standard requires that a request command be followed by a space as separator, so "GET" is matched with a trailing space character added. Likewise, the "CONNECT" command is truncated to its first 4 bytes and matched as "CONN".) If the match succeeds, the session is marked as an HTTP protocol session; otherwise it is marked as an HTTP tunnel session.
2. Server data detection
See Fig. 4. The system collects the session data sent by the server to the client and first performs packet reassembly operations such as ordering. It then extracts the first 4 bytes of the server data content, converts all 4 bytes to upper case, and matches them against response messages such as "HTTP". If the match succeeds, the session is marked as an HTTP protocol session; otherwise it is marked as an HTTP tunnel session.
In a session connection, client data and server data flow in both directions. One may therefore choose to inspect only the client data, only the server data, or both client and server data.
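The session table maintenance and the first-4-byte client/server check described above, as an added worked example that is not code from the patent. The Packet class, the 60-second timeout value and the sample traffic are constructed assumptions; the prefix set also covers the PUT and DELETE commands the description lists alongside GET, HEAD, POST and CONNECT.

```python
from dataclasses import dataclass

# Request commands named in the description: "GET "/"PUT " keep the separating space,
# "DELETE"/"CONNECT" are cut to their first 4 bytes, as the embodiment does with "CONN".
REQUEST_PREFIXES = {"GET ", "HEAD", "POST", "PUT ", "DELE", "CONN"}
SESSION_TIMEOUT = 60.0  # seconds of inactivity before a record is dropped (assumed value)

@dataclass
class Packet:  # constructed, simplified view of one captured TCP segment
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ts: float
    payload: bytes = b""
    rst: bool = False
    fin: bool = False

@dataclass
class Session:
    last_seen: float
    verdict: str = "unknown"  # becomes "http" or "tunnel" once payload is inspected

def classify(payload, to_server):
    """First 4 bytes, upper-cased: client data needs a request command, server data "HTTP"."""
    head = payload[:4].upper().decode("ascii", errors="replace")
    ok = head in REQUEST_PREFIXES if to_server else head == "HTTP"
    return "http" if ok else "tunnel"

class SessionTable:
    def __init__(self, monitored_port=80):
        self.port = monitored_port
        self.table = {}  # (endpoint, endpoint) -> Session

    def process(self, p):  # returns the session verdict, or None if the packet is ignored
        if self.port not in (p.src_port, p.dst_port):
            return None
        for k in [k for k, s in self.table.items() if p.ts - s.last_seen > SESSION_TIMEOUT]:
            del self.table[k]  # session timeout: delete the record
        a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
        key = (a, b) if a <= b else (b, a)  # same key for both directions of one connection
        if p.rst or p.fin:  # TCP RST / FIN: connection ends, delete the record
            self.table.pop(key, None)
            return None
        s = self.table.setdefault(key, Session(last_seen=p.ts))
        s.last_seen = p.ts  # existing record: update last activity time
        if p.payload and s.verdict == "unknown":
            s.verdict = classify(p.payload, to_server=(p.dst_port == self.port))
        return s.verdict

def demo():  # constructed traffic: a genuine HTTP request and raw non-HTTP bytes on port 80
    t = SessionTable()
    web = t.process(Packet("10.0.0.5", 51000, "203.0.113.10", 80, 1.0, b"GET /index.html HTTP/1.1\r\n"))
    tun = t.process(Packet("10.0.0.7", 52000, "203.0.113.20", 80, 1.5, b"\x16\x03\x01\x00\xa5"))
    return web, tun
```

Note that a tunnel which wraps its payload inside well-formed HTTP requests passes this check; it only catches raw non-HTTP traffic on the HTTP port, which is the case the patent addresses.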
The above embodiment is intended only to illustrate the invention, not to limit it. Those of ordinary skill in the art should understand that modifications, variations or equivalent substitutions of the invention that do not depart from its scope should all be encompassed by the claims of the invention.
Claims (3)
1. A method for distinguishing standard HTTP data from HTTP tunnel data, comprising at least the following steps:
(1) the system initializes a session connection table;
(2) the system captures packets of a designated port;
(3) the IP address and port information in the packets are analyzed and the session state in the session connection table is maintained;
(4) the data content of the session is analyzed to judge whether the session conforms to the HTTP protocol standard; if it does, the session is marked as HTTP data, otherwise it is marked as HTTP tunnel data.
2. The method according to claim 1, wherein step (4), judging whether the session conforms to the HTTP protocol standard, is characterized in that: it checks whether the request command sent by the client to the server conforms to the HTTP protocol standard.
3. The method according to claim 1, wherein step (4), judging whether the session conforms to the HTTP protocol standard, is characterized in that: it checks whether the response message sent by the server to the client conforms to the HTTP protocol standard.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310248911.1A CN104243228A (en) | 2013-06-07 | 2013-06-07 | Method for detecting HTTP tunnel data based on conversation and HTTP protocol standard |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104243228A true CN104243228A (en) | 2014-12-24 |
Family
ID=52230625
Cited By (2)
* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110581780A (en) * | 2019-08-27 | 2019-12-17 | 杭州安恒信息技术股份有限公司 | An automatic identification method for WEB server assets |
CN111327596A (en) * | 2020-01-19 | 2020-06-23 | 深信服科技股份有限公司 | Method and device for detecting hypertext transfer protocol tunnel and readable storage medium |
Citations (5)
* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1475930A (en) * | 2002-08-15 | 2004-02-18 | 联想(北京)有限公司 | Chain path layer location information filtering based on state detection |
US20080077788A1 (en) * | 2006-09-26 | 2008-03-27 | Microsoft Corporation | Secure Tunnel Over HTTPS Connection |
CN101834777A (en) * | 2009-03-11 | 2010-09-15 | 丛林网络公司 | HTTP acceleration based on session cache |
CN101917476A (en) * | 2010-08-11 | 2010-12-15 | 美商威睿电通公司 | Hyper text transmission protocol (HTTP) message processing method and client system thereof |
CN102123155A (en) * | 2011-03-21 | 2011-07-13 | 曾湘宁 | Web server attack filtering and comprehensive protecting method based on NDIS (Network Driver Interface Standard) drive |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
2014-12-24 | C06 | Publication | |
2014-12-24 | PB01 | Publication | |
2015-01-14 | C10 | Entry into substantive examination | |
2015-01-14 | SE01 | Entry into force of request for substantive examination | |
2018-06-12 | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20141224 |