/**
         * This method analyzes statistical {@link Event}s that are added to the system and
         * detects if the configured {@link Threshold} has been crossed. If so, an {@link Attack} is
         * created and added to the system.
         *
         * @param event the {@link Event} that was added to the {@link EventStore}
         */
        //public override void analyze(Event Event) {
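        public void analyze(Event Event)
        {
            // Counts the stored events that match this event's user, detection point and related
            // detection systems, and records an Attack each time that count reaches a multiple of
            // the configured threshold count.
            SearchCriteria criteria = new SearchCriteria().
                                      setUser(Event.GetUser()).
                                      setDetectionPoint(Event.GetDetectionPoint()).
                                      setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(Event.GetDetectionSystemId()));

            Collection <Event> existingEvents = appSensorServer.getEventStore().findEvents(criteria);

            DetectionPoint configuredDetectionPoint = appSensorServer.getConfiguration().findDetectionPoint(Event.GetDetectionPoint());

            // An event whose detection point has no matching configuration must not take the
            // analysis path down with a NullReferenceException; skip it and leave a trace instead.
            if (configuredDetectionPoint == null)
            {
                Logger.Info("No configured detection point matches the event - skipping threshold analysis");
                return;
            }

            int thresholdCount = configuredDetectionPoint.getThreshold().getCount();

            // A threshold count of zero would make the modulo below throw DivideByZeroException,
            // and a negative one is meaningless; treat both as a configuration error.
            if (thresholdCount <= 0)
            {
                Logger.Info("Configured threshold count is not positive - skipping threshold analysis");
                return;
            }

            int eventCount = countEvents(configuredDetectionPoint.getThreshold().getInterval().toMillis(), existingEvents, Event);

            //4 examples for the below code
            //1. count is 5, t.count is 10 (5%10 = 5, No Violation)
            //2. count is 45, t.count is 10 (45%10 = 5, No Violation)
            //3. count is 10, t.count is 10 (10%10 = 0, Violation Observed)
            //4. count is 30, t.count is 10 (30%10 = 0, Violation Observed)

            // eventCount > 0 keeps an empty window (0 % n == 0) from being reported as a violation.
            if (eventCount > 0 && eventCount % thresholdCount == 0)
            {
                // The username originates from the reported event, so strip CR/LF before it is
                // written to the log; otherwise a crafted name could forge extra log entries.
                string username = Event.GetUser().getUsername();
                string safeUsername = username == null ? "" : username.Replace("\r", "_").Replace("\n", "_");

                Logger.Info("Violation Observed for user <" + safeUsername + "> - storing attack");
                //have determined this event triggers attack
                appSensorServer.getAttackStore().addAttack(new Attack(Event));
            }
        }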
        public void testAttackCreation()
        {
            // Feeds seven identical events for the same user and detection point through the client
            // event manager and checks, after each one, how many events and attacks the server holds.
            // The expected attack counts (a new attack on the 3rd and on the 6th event) are consistent
            // with a threshold count of 3 in loadMockedDetectionPoints() - that helper is not visible here.
            //
            // appSensorServer and appSensorClient are used as already-initialised members; earlier
            // revisions looked them up from an XmlApplicationContext / ContextRegistry inside this method.
            ServerConfiguration mockedConfiguration = appSensorServer.getConfiguration();
            mockedConfiguration.setDetectionPoints(loadMockedDetectionPoints());
            appSensorServer.setConfiguration(mockedConfiguration);

            SearchCriteria bobCriteria = new SearchCriteria()
                .setUser(bob)
                .setDetectionPoint(detectionPoint1)
                .setDetectionSystemIds(detectionSystems1);

            // Both stores must start out empty for these criteria.
            Assert.AreEqual(0, appSensorServer.getEventStore().findEvents(bobCriteria).Count);
            Assert.AreEqual(0, appSensorServer.getAttackStore().findAttacks(bobCriteria).Count);

            // expectedAttacks[i] is the attack total after event number i + 1 has been added.
            int[] expectedAttacks = { 0, 0, 1, 1, 1, 2, 2 };

            for (int i = 0; i < expectedAttacks.Length; i++)
            {
                appSensorClient.getEventManager().addEvent(new Event(bob, detectionPoint1, "localhostme"));

                Assert.AreEqual(i + 1, appSensorServer.getEventStore().findEvents(bobCriteria).Count);
                Assert.AreEqual(expectedAttacks[i], appSensorServer.getAttackStore().findAttacks(bobCriteria).Count);
            }
        }
        /**
         * {@inheritDoc}
         */
        //@Override
        //@POST
        //@Path("/events")
        public void addEvent(Event Event)   // throws NotAuthorizedException
        {
            // Authorization comes first: nothing below runs unless the caller described by
            // requestContext is allowed to perform ADD_EVENT.
            org.owasp.appsensor.accesscontrol.Action requiredAction = org.owasp.appsensor.accesscontrol.Action.ADD_EVENT;
            accessControlUtils.checkAuthorization(requiredAction, requestContext);

            // Whatever detection system id the submitted event carried is overwritten here with the
            // value of getClientApplicationName(), so the stored id does not depend on what the
            // caller put in the payload.
            // NOTE(review): presumably that name is derived from the authenticated client - confirm.
            Event.setDetectionSystemId(getClientApplicationName());

            // Persist the event only after the two steps above.
            appSensorServer.getEventStore().addEvent(Event);
        }
        // Detection system id remembered from the first event handled by addEvent(): it is assigned
        // only while still null. Being static, the value is shared by every instance of the
        // enclosing class, and the assignment in addEvent() is not synchronised.
        private static string detectionSystemId = null; //start with blank

        /**
         * {@inheritDoc}
         */
        //public override void addEvent(Event Event) {
        public void addEvent(Event Event)
        {
            // Remembers the detection system id of the first event seen, then stores the event.
            // No authorization check is made in this method, although an XML-doc tag naming
            // NotAuthorizedException used to sit here; as a comment inside the body it had no effect.
            // NOTE(review): the event's own detection system id is trusted as-is - confirm that this
            // implementation is only reachable in-process.
            bool idNotYetCaptured = (detectionSystemId == null);

            if (idNotYetCaptured)
            {
                detectionSystemId = Event.GetDetectionSystemId();
            }

            appSensorServer.getEventStore().addEvent(Event);
        }
        public void deleteTestFiles()
        {
            // Test clean-up: builds the server from the XML context files and deletes the backing
            // file of its event, attack and response stores.
            // The paths come from whatever the loaded configuration gives the stores, so this should
            // only ever be pointed at test resources.
            IApplicationContext springContext = new XmlApplicationContext("Resources/base-context.xml", "Resources/appsensor-server-config.xml");
            AppSensorServer server = (AppSensorServer)springContext.GetObject("AppSensorServer");

            // All three casts happen before anything is deleted: if a store is not file based, the
            // InvalidCastException is raised while every file is still in place.
            FileBasedEventStore fileEvents = (FileBasedEventStore)server.getEventStore();
            FileBasedAttackStore fileAttacks = (FileBasedAttackStore)server.getAttackStore();
            FileBasedResponseStore fileResponses = (FileBasedResponseStore)server.getResponseStore();

            File.Delete(fileEvents.getPath());
            File.Delete(fileAttacks.getPath());
            File.Delete(fileResponses.getPath());
        }