/**
	 * Count the number of {@link Event}s over a time {@link Interval} specified in milliseconds.
	 * 
	 * @param intervalInMillis {@link Interval} as measured in milliseconds
	 * @param existingEvents set of {@link Event}s matching triggering {@link Event} id/user pulled from {@link Event} storage
	 * @return number of {@link Event}s matching time {@link Interval}
	 */
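	protected int countEvents(long intervalInMillis, Collection<Event> existingEvents, Event triggeringEvent) {
		// Counts the stored events that are strictly newer than the most recent matching attack
		// and, when intervalInMillis is positive, strictly newer than (now - interval).
		// triggeringEvent is only used to look up that most recent attack.

		// Lower bound of the counting window: current time minus the configured interval.
		DateTime startTime = DateUtils.getCurrentTimestamp().AddMilliseconds(-(intervalInMillis));
		// Events at or before the most recent matching attack are not counted again.
		DateTime? mostRecentAttackTime = findMostRecentAttackTime(triggeringEvent);
		// An interval of zero or less means "no window": every event since the last attack counts.
		bool windowed = intervalInMillis > 0;

		int count = 0;
		foreach (Event stored in existingEvents) {
			// Parse the timestamp once and reuse it for both comparisons
			// (the earlier code parsed the same string a second time for the window check).
			DateTime? eventTimestamp = DateUtils.fromString(stored.GetTimestamp());

			// The negated '>' form is deliberate: with nullable operands a comparison against
			// null is false, so '!(a > b)' skips the event while 'a <= b' would not.
			// NOTE(review): if fromString can yield null for a malformed timestamp, such an
			// event is silently left out of the count and never moves the user towards the
			// threshold - confirm that is the intended handling for a detection engine.
			if (!(eventTimestamp > mostRecentAttackTime)) {
				continue;
			}
			if (windowed && !(eventTimestamp > startTime)) {
				continue;
			}
			count++;
		}

		return count;
	}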
	public Attack (Event Event) {
		// A new attack starts as a copy of the identifying fields of the event that
		// triggered it. Each value is read and applied in the same order as before.
		var user = Event.GetUser();
		setUser(user);

		var detectionPoint = Event.GetDetectionPoint();
		setDetectionPoint(detectionPoint);

		var timestamp = Event.GetTimestamp();
		setTimestamp(timestamp);

		var detectionSystemId = Event.GetDetectionSystemId();
		setDetectionSystemId(detectionSystemId);

		// NOTE(review): this accessor is spelled with a lower-case 'g' while the others
		// use 'Get...' - confirm it matches the Event type's actual member name.
		var resource = Event.getResource();
		setResource(resource);
	}
	/**
	 * This method analyzes statistical {@link Event}s that are added to the system and 
	 * detects if the configured {@link Threshold} has been crossed. If so, an {@link Attack} is 
	 * created and added to the system.
	 * 
	 * @param event the {@link Event} that was added to the {@link EventStore}
	 */
	//public override void analyze(Event Event) {
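    public void analyze(Event Event) {
        // Looks up the stored events for the same user, detection point and related
        // detection systems, counts those that qualify, and stores an Attack each time
        // the count reaches a multiple of the configured threshold.
        SearchCriteria criteria = new SearchCriteria().
                setUser(Event.GetUser()).
                setDetectionPoint(Event.GetDetectionPoint()).
                setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(Event.GetDetectionSystemId()));

        Collection<Event> existingEvents = appSensorServer.getEventStore().findEvents(criteria);

        DetectionPoint configuredDetectionPoint = appSensorServer.getConfiguration().findDetectionPoint(Event.GetDetectionPoint());

        int eventCount = countEvents(configuredDetectionPoint.getThreshold().getInterval().toMillis(), existingEvents, Event);

        int thresholdCount = configuredDetectionPoint.getThreshold().getCount();

        // A threshold count of 0 would make the modulo below throw; treat it as a
        // configuration error, report it, and skip the check instead of failing the caller.
        if (thresholdCount == 0) {
            Logger.Warn("Threshold count of 0 configured for detection point - skipping analysis");
            return;
        }

        // 0 % n is 0, so without this guard a count of zero (for example when no stored
        // event passes the time filters) would be recorded as an attack.
        if (eventCount == 0) {
            return;
        }

        //4 examples for the below code
        //1. count is 5, t.count is 10 (5%10 = 5, No Violation)
        //2. count is 45, t.count is 10 (45%10 = 5, No Violation)
        //3. count is 10, t.count is 10 (10%10 = 0, Violation Observed)
        //4. count is 30, t.count is 10 (30%10 = 0, Violation Observed)
        if (eventCount % thresholdCount == 0) {
            // NOTE(review): the username goes into the log line unescaped; if usernames can
            // contain line breaks, the log sink should neutralise them.
            Logger.Info("Violation Observed for user <" + Event.GetUser().getUsername() + "> - storing attack");
            //have determined this event triggers attack
            appSensorServer.getAttackStore().addAttack(new Attack(Event));
        }
    }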
        /**
         * {@inheritDoc}
         */
        public override void addEvent(Event Event) {
            // Three steps, in this order: log the event, persist it, notify the listeners.
            var detectionPointId = Event.GetDetectionPoint().getId();
            var userName = Event.GetUser().getUsername();

            // NOTE(review): both values are concatenated into the log line unescaped; if they
            // can contain line breaks, the log sink should neutralise them.
            Logger.Warn("Security event " + detectionPointId + " triggered by user: " + userName);

            writeEvent(Event);

            // Listeners are notified after the write call returns.
            // NOTE(review): if writeEvent handles its own I/O errors, listeners are still
            // notified for an event that was not persisted - confirm that is intended.
            base.notifyListeners(Event);
        }
	// Static, so shared by every instance of the enclosing type. addEvent assigns it once,
	// from the first event it sees while this is still null; no locking is visible here.
	private static string detectionSystemId = null;	//start with blank
	
	/**
	 * {@inheritDoc}
	 */
	//public override void addEvent(Event Event) {
    public void addEvent(Event Event) {
        // A NotAuthorizedException was documented at this point; no authorization check
        // is visible in this method itself.

        // Remember the detection system id of the first event seen; later events leave it alone.
        // NOTE(review): the id is taken from the event as supplied - confirm the caller has
        // already authenticated the reporting system before this value is relied upon.
        if (null == detectionSystemId) {
            detectionSystemId = Event.GetDetectionSystemId();
        }

        // Hand the event to the server's event store.
        var store = appSensorServer.getEventStore();
        store.addEvent(Event);
    }
	/**
	 * Add an {@link org.owasp.appsensor.Event} to the EventStore
	 * 
	 * @param event the {@link org.owasp.appsensor.Event} to Add to the EventStore
	 */
	// Abstract: this declaration stores nothing itself; each concrete store supplies the body.
	public abstract void addEvent(Event Event);
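        protected void writeEvent(Event Event) {
            // Appends one serialized record to the event file at getPath().
            //
            // NOTE(review): the text written comes from 'ser'; the Event argument is not
            // referenced anywhere in this method. Confirm that 'ser' holds this event.
            string json = ser.ToString();

            try {
                // Append, one record per line. The previous File.WriteAllText call replaced
                // the whole file on every event, so only the latest event survived on disk.
                // The commented-out Java this was ported from opened the file with APPEND.
                File.AppendAllText(getPath().ToString(), json + System.Environment.NewLine, System.Text.Encoding.UTF8);
            } catch(IOException e) {
                // Only IOException is handled here; the failure is logged and the event is
                // not written. Other exception types propagate to the caller.
                Logger.Error("Error occurred loading writing event file to path: " + getPath(), e);
            }
        }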
	/**
	 * Find most recent {@link Attack} matching the given {@link Event} ({@link User}, {@link DetectionPoint}, detection system)
	 * and find its timestamp. 
	 * 
	 * The {@link Event} should only be counted if they've occurred after the most recent {@link Attack}.
	 * 
	 * @param event {@link Event} to use to find matching {@link Attack}s
	 * @return timestamp representing last matching {@link Attack}, or -1L if not found
	 */
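	protected DateTime? findMostRecentAttackTime(Event Event) {
		// Returns the newest timestamp among the attacks matching the event's user, detection
		// point and related detection systems. When none is newer than the starting value,
		// the result is DateUtils.epoch() (the code does not return the -1L the header mentions).
		DateTime? newest = DateUtils.epoch();

		SearchCriteria criteria = new SearchCriteria().
				setUser(Event.GetUser()).
				setDetectionPoint(Event.GetDetectionPoint()).
				setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(Event.GetDetectionSystemId()));

		Collection<Attack> attacks = appSensorServer.getAttackStore().findAttacks(criteria);

		foreach (Attack attack in attacks) {
			// Parse each timestamp once; the earlier code parsed the same string twice.
			DateTime? attackTime = DateUtils.fromString(attack.GetTimestamp());

			// A comparison against null is false, so an attack whose timestamp does not
			// parse (if fromString can yield null) is ignored rather than becoming 'newest'.
			if (attackTime > newest) {
				newest = attackTime;
			}
		}
		return newest;
	}	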
	/**
	 * {@inheritDoc}
	 */
	//public override void onAdd(Event Event) {
    public void onAdd(Event Event) {
        // Reporting hook: writes one info-level line naming the user behind the event.
        // NOTE(review): the username goes into the log line unescaped; if usernames can
        // contain line breaks, the log sink should neutralise them.
        var userName = Event.GetUser().getUsername();
        Logger.Info("Reporter observed event by user [" + userName + "]");
    }
 /**
 * Add an {@link Event}.
 * 
 * @param event {@link Event} to Add
 */
 public void addEvent(Event Event) {
     // Empty body: an event passed to this method is not stored, logged or forwarded.
 }
        //TODO: do a rest request based on configuration 
	
	    /**
	     * {@inheritDoc}
	     */
	    //@Override
	    public void addEvent(Event Event) {
		    // Placeholder: no request is made yet, so an event passed here goes nowhere.
		    //make request
	    }
	/**
	 * Add an Event.
	 * 
	 * @param event Event to Add
	 */
    /// <exception cref="NotAuthorizedException"></exception>
	//public void addEvent (Event Event);
    void addEvent(Event Event) {
        // Empty body: the documented NotAuthorizedException is never thrown from here,
        // and the event is not stored or forwarded.
    }
 public void onAdd(Event Event) {
     // Listener hook: every added event is passed straight to analyze, with no filtering here.
     this.analyze(Event);
 }
 //public abstract void analyze(Event Event) {
 public void analyze(Event Event) {
     // Empty body (the commented-out line above declared this abstract): as written,
     // an event reaching this method is not analyzed at all.
 }
	/**
	 * Notify each {@link EventListener} of the specified {@link Event}
	 * 
	 * @param response the {@link Event} to notify each {@link EventListener} about
	 */
	public void notifyListeners(Event Event) {
		// Calls OnAdd on each registered listener, in the order 'listeners' yields them.
		// There is no try/catch here: if one listener throws, the loop stops and the
		// listeners after it do not see this event.
		foreach (EventListener subscriber in listeners)
		{
			subscriber.OnAdd(Event);
		}
	}
	/**
	 * {@inheritDoc}
	 */
	//public override void onAdd(Event Event) {
    public void onAdd(Event Event) {
        // Push the event to the web socket first, then write the log line.
        notifyWebSocket("event", Event);

        // NOTE(review): the username goes into the log line unescaped; if usernames can
        // contain line breaks, the log sink should neutralise them.
        var userName = Event.GetUser().getUsername();
        Logger.Info("Reporter observed event by user [" + userName + "]");
    }
	/**
	 * {@inheritDoc}
	 */
    // public override void addEvent(Event Event) {
    public void addEvent(Event Event) {
        // Pure delegation: the event goes to requestHandler unchanged. No validation or
        // authorization is done in this method.
        var handler = requestHandler;
        handler.addEvent(Event);
    }