/**
	 * {@inheritDoc}
	 */
	public override Collection<Attack> findAttacks(SearchCriteria criteria) {
		if (criteria == null) {
			throw new ArgumentException("criteria must be non-null");
		}

		Collection<Attack> found = new Collection<Attack>();

		// Read each filter once. A filter that is unset acts as a wildcard below.
		User wantedUser = criteria.GetUser();
		DetectionPoint wantedPoint = criteria.GetDetectionPoint();
		HashSet<string> wantedSystems = criteria.getDetectionSystemIds();
		DateTime? notBefore = DateUtils.fromString(criteria.getEarliest());

		// A null OR empty id set means "do not restrict by detection system", so a
		// caller that intends to scope the query must pass a non-empty set.
		bool restrictBySystem = wantedSystems != null && wantedSystems.Count > 0;

		foreach (Attack candidate in attacks) {
			// All four checks are evaluated for every attack (no early exit between them).
			bool sameUser = wantedUser == null || wantedUser.Equals(candidate.GetUser());

			bool sameSystem = !restrictBySystem
					|| wantedSystems.Contains(candidate.GetDetectionSystemId());

			// Detection points are compared by id only.
			bool samePoint = wantedPoint == null
					|| wantedPoint.getId().Equals(candidate.GetDetectionPoint().getId());

			// Strict comparison: an attack stamped exactly at the earliest time is not returned.
			bool recentEnough = notBefore == null
					|| notBefore < DateUtils.fromString(candidate.GetTimestamp());

			if (sameUser && sameSystem && samePoint && recentEnough) {
				found.Add(candidate);
			}
		}

		return found;
	}
	/**
	 * This method analyzes statistical {@link Event}s that are added to the system and 
	 * detects if the configured {@link Threshold} has been crossed. If so, an {@link Attack} is 
	 * created and added to the system.
	 * 
	 * @param event the {@link Event} that was added to the {@link EventStore}
	 */
	//public override void analyze(Event Event) {
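    public void analyze(Event Event) {
        // Earlier events are looked up for the same user and detection point, across the
        // detection systems the configuration relates to the reporting one.
        SearchCriteria criteria = new SearchCriteria().
                setUser(Event.GetUser()).
                setDetectionPoint(Event.GetDetectionPoint()).
                setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(Event.GetDetectionSystemId()));

        Collection<Event> existingEvents = appSensorServer.getEventStore().findEvents(criteria);

        // NOTE(review): if findDetectionPoint can return null for a detection point that is not
        // configured, the next line fails with a NullReferenceException and the event is never
        // analyzed - confirm how unconfigured detection points are meant to be handled.
        DetectionPoint configuredDetectionPoint = appSensorServer.getConfiguration().findDetectionPoint(Event.GetDetectionPoint());

        int eventCount = countEvents(configuredDetectionPoint.getThreshold().getInterval().toMillis(), existingEvents, Event);

        // NOTE(review): a configured threshold count of 0 makes the modulo below throw
        // DivideByZeroException; validating the threshold when the configuration is loaded
        // would keep that out of the analysis path.
        int thresholdCount = configuredDetectionPoint.getThreshold().getCount();

        // A violation is raised on every exact multiple of the threshold count:
        //1. count is 5, t.count is 10 (5%10 = 5, No Violation)
        //2. count is 45, t.count is 10 (45%10 = 5, No Violation)
        //3. count is 10, t.count is 10 (10%10 = 0, Violation Observed)
        //4. count is 30, t.count is 10 (30%10 = 0, Violation Observed)
        if (eventCount % thresholdCount == 0) {
            // The username arrives with the reported event. CR and LF are replaced before it is
            // logged so that a crafted name cannot break the entry into a forged log line.
            // The leading "" keeps a null username rendering as empty text, as concatenation did.
            string loggedName = ("" + Event.GetUser().getUsername()).Replace('\r', '_').Replace('\n', '_');
            Logger.Info("Violation Observed for user <" + loggedName + "> - storing attack");

            //have determined this event triggers attack
            appSensorServer.getAttackStore().addAttack(new Attack(Event));
        }
    }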
        /**
         * {@inheritDoc}
         */
        public override Collection<Response> findResponses(SearchCriteria criteria) {
            if (criteria == null) {
                throw new ArgumentException("criteria must be non-null");
            }

            Collection<Response> found = new Collection<Response>();

            // Read each filter once. A filter that is unset acts as a wildcard below.
            User wantedUser = criteria.GetUser();
            HashSet<string> wantedSystems = criteria.getDetectionSystemIds();
            DateTime? notBefore = DateUtils.fromString(criteria.getEarliest());

            Collection<Response> stored = loadResponses();

            // A null OR empty id set means "do not restrict by detection system": such a
            // query returns responses belonging to every detection system.
            bool restrictBySystem = wantedSystems != null && wantedSystems.Count > 0;

            foreach (Response candidate in stored) {
                // All three checks are evaluated for every response (no early exit between them).
                bool sameUser = wantedUser == null || wantedUser.Equals(candidate.GetUser());

                bool sameSystem = !restrictBySystem
                        || wantedSystems.Contains(candidate.GetDetectionSystemId());

                // Strict comparison: a response stamped exactly at the earliest time is not returned.
                bool recentEnough = notBefore == null
                        || notBefore < DateUtils.fromString(candidate.GetTimestamp());

                if (sameUser && sameSystem && recentEnough) {
                    found.Add(candidate);
                }
            }

            return found;
        }
	/**
	 * {@inheritDoc}
	 */
	//public override Collection<Response> getResponses(string earliest) {
    public Collection<Response> getResponses(string earliest) {
        // The exception tag that sat in this body names NotAuthorizedException, but nothing
        // here performs an authorization check before the store is queried.

        // An unset detectionSystemId is passed on as the empty string.
        // NOTE(review): if StringUtils.toCollection("") yields an empty set, the findResponses
        // filter shown on this page treats it as "no restriction" and would return responses
        // for every detection system - confirm what toCollection returns for "".
        var ownSystemIds = StringUtils.toCollection(detectionSystemId ?? "");

        SearchCriteria criteria = new SearchCriteria().
                setDetectionSystemIds(ownSystemIds).
                setEarliest(earliest);

        return appSensorServer.getResponseStore().findResponses(criteria);
    }
        /**
         * {@inheritDoc}
         */
        //@Override
        //@GET
        //@Path("/responses")
        //@Produces(MediaType.APPLICATION_JSON)
        //public Collection<Response> getResponses(@QueryParam("earliest") String earliest) { // throws NotAuthorizedException
        public Collection<Response> getResponses(String earliest) { // throws NotAuthorizedException
            // Authorization gate runs before any store access. Its result is not inspected
            // here, so denial is presumably signalled by an exception - confirm.
            accessControlUtils.checkAuthorization(org.owasp.appsensor.accesscontrol.Action.GET_RESPONSES, requestContext);

            // Scope the query to the calling client application's own name.
            // NOTE(review): should toCollection produce an empty set (for example from an empty
            // client name), the findResponses filter shown on this page stops restricting by
            // detection system and the caller would see other clients' responses - confirm.
            var ownSystemIds = StringUtils.toCollection(getClientApplicationName());

            // earliest is caller-supplied (a query parameter in the disabled annotations) and
            // is handed on unparsed.
            SearchCriteria criteria = new SearchCriteria().
                    setDetectionSystemIds(ownSystemIds).
                    setEarliest(earliest);

            return appSensorServer.getResponseStore().findResponses(criteria);
        }
        public void testAttackCreation() {
            // appSensorServer and appSensorClient are used as already-available members;
            // the application-context lookups that used to obtain them here are disabled.

            // Swap the mocked detection points into the server configuration.
            ServerConfiguration updatedConfiguration = appSensorServer.getConfiguration();
            updatedConfiguration.setDetectionPoints(loadMockedDetectionPoints());
            appSensorServer.setConfiguration(updatedConfiguration);

            SearchCriteria criteria = new SearchCriteria().
                    setUser(bob).
                    setDetectionPoint(detectionPoint1).
                    setDetectionSystemIds(detectionSystems1);

            // Nothing has been reported yet.
            Assert.AreEqual(0, appSensorServer.getEventStore().findEvents(criteria).Count);
            Assert.AreEqual(0, appSensorServer.getAttackStore().findAttacks(criteria).Count);

            // Expected attack total after the 1st..7th event: a new attack is stored on the
            // 3rd and on the 6th event, and none in between.
            int[] expectedAttacks = { 0, 0, 1, 1, 1, 2, 2 };

            for (int sent = 1; sent <= expectedAttacks.Length; sent++) {
                appSensorClient.getEventManager().addEvent(new Event(bob, detectionPoint1, "localhostme"));

                Assert.AreEqual(sent, appSensorServer.getEventStore().findEvents(criteria).Count);
                Assert.AreEqual(expectedAttacks[sent - 1], appSensorServer.getAttackStore().findAttacks(criteria).Count);
            }
        }
	/**
	 * Find/generate {@link Response} appropriate for specified {@link Attack}.
	 * 
	 * @param attack {@link Attack} that is being analyzed
	 * @return {@link Response} to be executed for given {@link Attack}
	 */
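	protected Response findAppropriateResponse(Attack attack) {
		DetectionPoint triggeringDetectionPoint = attack.GetDetectionPoint();

		SearchCriteria criteria = new SearchCriteria().
				setUser(attack.GetUser()).
				setDetectionPoint(triggeringDetectionPoint).
				setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(attack.GetDetectionSystemId()));

		//grab any existing responses
		Collection<Response> existingResponses = appSensorServer.getResponseStore().findResponses(criteria);

		string responseAction = null;
		Interval interval = null;

		Collection<Response> possibleResponses = findPossibleResponses(triggeringDetectionPoint);

		// A missing or empty set of configured responses leaves responseAction null, so the
		// ArgumentException below reports the misconfiguration by detection point id.
		// Previously the unchecked MoveNext()/Current pair dereferenced an invalid element
		// and failed with a NullReferenceException instead.
		if (possibleResponses != null) {
			if (existingResponses == null || existingResponses.Count == 0) {
				//no responses yet, just grab first configured response from detection point
				// (foreach also disposes the enumerator, which the manual version did not)
				foreach (Response firstConfigured in possibleResponses) {
					responseAction = firstConfigured.getAction();
					interval = firstConfigured.getInterval();
					break;
				}
			} else {
				foreach (Response configuredResponse in possibleResponses) {
					responseAction = configuredResponse.getAction();
					interval = configuredResponse.getInterval();

					if (!isPreviousResponse(configuredResponse, existingResponses)) {
						//if we find that this response doesn't already exist, use it
						break;
					}

					//if we reach here, we will just use the last configured response (repeat last response)
				}
			}
		}

		if (responseAction == null) {
			throw new ArgumentException("No appropriate response was configured for this detection point: " + triggeringDetectionPoint.getId());
		}

		// The response carries the attack's user, timestamp and detection system id,
		// plus the action and interval chosen above.
		Response response = new Response();
		response.setUser(attack.GetUser());
		response.setTimestamp(attack.GetTimestamp());
		response.setAction(responseAction);
		response.setInterval(interval);
		response.setDetectionSystemId(attack.GetDetectionSystemId());

		return response;
	}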
	/**
	 * A finder for Event objects in the EventStore
	 * 
	 * @param criteria the {@link org.owasp.appsensor.criteria.SearchCriteria} object to search by
	 * @return a {@link java.util.Collection} of {@link org.owasp.appsensor.Event} objects matching the search criteria.
	 */
	// NOTE(review): no implementation of this finder is visible here. The findAttacks and
	// findResponses overrides on this page reject a null criteria with ArgumentException and
	// treat an unset criteria field as "match everything"; confirm implementations of this
	// method follow the same rules, since analyze() obtains the events it counts through it.
	public abstract Collection<Event> findEvents(SearchCriteria criteria);
	/**
	 * Find most recent {@link Attack} matching the given {@link Event} ({@link User}, {@link DetectionPoint}, detection system)
	 * and find its timestamp. 
	 * 
	 * The {@link Event} should only be counted if they've occurred after the most recent {@link Attack}.
	 * 
	 * @param event {@link Event} to use to find matching {@link Attack}s
	 * @return timestamp representing last matching {@link Attack}, or -1L if not found
	 */
	protected DateTime? findMostRecentAttackTime(Event Event) {
		// Same scope as the event: its user, its detection point, and the detection
		// systems the configuration relates to the reporting one.
		SearchCriteria criteria = new SearchCriteria().
				setUser(Event.GetUser()).
				setDetectionPoint(Event.GetDetectionPoint()).
				setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(Event.GetDetectionSystemId()));

		Collection<Attack> matchingAttacks = appSensorServer.getAttackStore().findAttacks(criteria);

		// The running maximum starts at DateUtils.epoch(), so that value (not -1L) is what
		// the caller receives when no attack matches.
		DateTime? latest = DateUtils.epoch();

		foreach (Attack attack in matchingAttacks) {
			DateTime? stamp = DateUtils.fromString(attack.GetTimestamp());

			// Strictly later timestamps replace the current maximum.
			if (stamp > latest) {
				latest = stamp;
			}
		}

		return latest;
	}	
	/**
	 * Finder for responses in the ResponseStore
	 * 
	 * @param criteria the {@link org.owasp.appsensor.criteria.SearchCriteria} object to search by
	 * @return a {@link java.util.Collection} of {@link org.owasp.appsensor.Response} objects matching the search criteria.
	 */
	// The findResponses override shown on this page throws ArgumentException for a null
	// criteria and treats a null user, a null or empty detection-system id set and a null
	// earliest time as "no restriction". Callers that mean to scope a query to one
	// detection system therefore have to pass a non-empty id set.
	public abstract Collection<Response> findResponses(SearchCriteria criteria);
	    /**
	     * Finder for attacks in the AttackStore. 
	     * 
	     * @param criteria the {@link org.owasp.appsensor.criteria.SearchCriteria} object to search by
	     * @return a {@link java.util.Collection} of {@link org.owasp.appsensor.Attack} objects matching the search criteria.
	     */
	    // The findAttacks override shown on this page throws ArgumentException for a null
	    // criteria and treats a null user, a null detection point, a null or empty
	    // detection-system id set and a null earliest time as "no restriction".
	    public abstract Collection<Attack> findAttacks(SearchCriteria criteria);