Open-source database traffic audit: MySQL Sniffer
The database security product I respect most is traffic-based database auditing: it needs no change to the network structure, and, most critically, it does not affect the performance of the database server, so there is no need to laboriously persuade the database administrator to install monitoring software. It is well suited to detecting database dumping ("drag library" attacks) through web vulnerabilities, as well as violations in the database management process, based on the database communication protocol. In essence, traffic-based database auditing is a special kind of traffic audit, or an IDS for the database (Figure 10-11): it parses the database protocol out of the full network traffic, reconstructs the common insert, delete, update and query operations, and then audits them against pre-defined rules.
Figure 10-11 Schematic diagram of traffic-based database audit
Here is a traffic-based database audit tool open-sourced by a domestic security company (Qihoo 360): MySQL Sniffer. mysql-sniffer is a MySQL packet-capture toolkit that fetches requests in real time and formats the output. The output includes the access time, the accessing user, the source IP, the accessed database, the command duration, the number of rows returned, the executed statement, and so on.
Download and install
The GitHub address of MySQL Sniffer is:
https://github.com/Qihoo360/mysql-sniffer
The installation method is as follows.
yum install glib2-devel libpcap-devel libnet-devel
git clone https://github.com/Qihoo360/mysql-sniffer
cd mysql-sniffer
mkdir proj
cd proj
cmake ../
make
Audit MySQL Traffic
The common parameters supported by MySQL Sniffer are shown below.
Usage: ./mysql-sniffer [-d] -i eth0 -p 3306,3307,3308 -l /var/log/mysql-sniffer/ -e stderr
Since our web server and MySQL are deployed on the same machine, there is no MySQL traffic on eth0, so we need to listen on the lo interface.
./mysql-sniffer -i lo -p 3306
Log in to MySQL using the pig account.
mysql -h127.0.0.1 -upig -p
The audit information is displayed as follows.
2017-07-26 17:06:36 pig 127.0.0.1 NULL 0ms 1 select @@version_comment limit 1
Check which plugins are installed.
mysql> show plugins;
The audit information is displayed as follows, where 2ms is the time the query took and 43 is the number of rows the query returned.
2017-07-26 17:10:28 pig 127.0.0.1 NULL 2ms 43 show plugins
Query the MySQL user table for more information.
mysql> use MySQL;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from user;
The audit information is displayed as follows.
2017-07-26 17:12:32 pig 127.0.0.1 mysql 0ms 0 use MySQL
2017-07-26 17:12:32 pig 127.0.0.1 mysql 0ms 5 show databases
2017-07-26 17:12:32 pig 127.0.0.1 mysql 0ms show tables
2017-07-26 17:12:44 pig 127.0.0.1 mysql 1ms 8 select * from user
MySQL Sniffer also supports saving logs to files; as Figure 10-12 shows, the logs can be sent to the SOC system for further analysis.
Figure 10-12 MySQL Sniffer sending audit logs to the SOC system
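As an added example (not part of the original text or of the mysql-sniffer project), the following Python parses lines in the output format shown above and applies two pre-defined audit rules of the kind described at the start of this section: a returned-row threshold to catch bulk dumps, and a list of sensitive (database, table) pairs. The first four sample lines are taken from the output above; the 250000-row line, the threshold and the table list are constructed for the example.

```python
import re
from collections import namedtuple

# Sample input: the first four lines reproduce the mysql-sniffer output shown
# above; the last line is constructed to trigger the bulk-dump rule.
SAMPLE_LOG = """\
2017-07-26 17:06:36 pig 127.0.0.1 NULL 0ms 1 select @@version_comment limit 1
2017-07-26 17:10:28 pig 127.0.0.1 NULL 2ms 43 show plugins
2017-07-26 17:12:32 pig 127.0.0.1 mysql 0ms 0 use MySQL
2017-07-26 17:12:44 pig 127.0.0.1 mysql 1ms 8 select * from user
2017-07-26 17:13:01 app 10.0.0.5 shop 310ms 250000 select * from customers
"""

# Field order as described in the text: time, user, source IP, database,
# duration, rows returned, statement. The row count is absent on some lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<db>\S+) (?P<ms>\d+)ms(?: (?P<rows>\d+))? (?P<sql>.+)$"
)
Event = namedtuple("Event", "ts user ip db ms rows sql")

def parse_line(line):
    """Parse one mysql-sniffer log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rows = m.group("rows")
    return Event(m["ts"], m["user"], m["ip"], m["db"], int(m["ms"]),
                 int(rows) if rows is not None else None, m["sql"])

# Pre-defined audit rules; the threshold and table list are hypothetical values.
ROW_THRESHOLD = 10000                   # one result set this large looks like a dump
SENSITIVE_TABLES = {("mysql", "user")}  # (database, table) pairs worth flagging

def audit(ev):
    """Return the names of the rules this event violates (empty list if none)."""
    findings = []
    if ev.rows is not None and ev.rows >= ROW_THRESHOLD:
        findings.append("bulk_dump")
    m = re.search(r"\bfrom\s+`?(\w+)`?", ev.sql.lower())
    if m and (ev.db.lower(), m.group(1)) in SENSITIVE_TABLES:
        findings.append("sensitive_table")
    return findings

def audit_log(text):
    """Run every parseable line through the rules; return (time, user, ip, rule) hits."""
    hits = []
    for ev in filter(None, map(parse_line, text.splitlines())):
        hits.extend((ev.ts, ev.user, ev.ip, rule) for rule in audit(ev))
    return hits
```

Each hit is a tuple that can be forwarded to the SOC as-is; lines that do not match the format are skipped rather than raising.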
0818 Database traffic audit based on 360's open-source MySQL Sniffer