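/**
 * Count the number of {@link Event}s over a time {@link Interval} specified in milliseconds.
 *
 * Only events stamped after the most recent matching {@link Attack} are considered, so an
 * event that already contributed to a stored attack is not counted a second time. When
 * intervalInMillis is zero or negative no time window is applied and every such event counts.
 *
 * @param intervalInMillis {@link Interval} as measured in milliseconds; a value <= 0 means "no window"
 * @param existingEvents set of {@link Event}s matching triggering {@link Event} id/user pulled from {@link Event} storage
 * @param triggeringEvent the {@link Event} being analyzed; used to locate the most recent matching {@link Attack}
 * @return number of {@link Event}s matching time {@link Interval}
 */
protected int countEvents(long intervalInMillis, Collection<Event> existingEvents, Event triggeringEvent) {
    int count = 0;

    // Start of the counting window: now - interval, computed once rather than per event.
    // (.NET has no MinusMillis; AddMilliseconds with a negated argument is the equivalent.)
    //DateTime startTime = DateUtils.getCurrentTimestamp().MinusMillis((int)intervalInMillis);
    DateTime startTime = DateUtils.getCurrentTimestamp().AddMilliseconds(-(intervalInMillis));

    // Count only events that occurred after the most recent attack for this user/detection point.
    DateTime? mostRecentAttackTime = findMostRecentAttackTime(triggeringEvent);

    foreach (Event existingEvent in existingEvents) {
        // Parse once; the original re-parsed the same timestamp for the interval check below.
        DateTime? eventTimestamp = DateUtils.fromString(existingEvent.GetTimestamp());
        if (eventTimestamp == null) {
            // An unparseable timestamp would make the lifted comparisons below silently false;
            // skip it explicitly so the intent is visible.
            continue;
        }

        // Ensure only events that have occurred since the last attack are considered.
        // A null mostRecentAttackTime makes this lifted comparison false, i.e. nothing counts.
        // if (eventTimestamp.isAfter(mostRecentAttackTime)) {
        if (eventTimestamp > mostRecentAttackTime) {
            if (intervalInMillis > 0) {
                // Only increment when the event occurs within the specified interval.
                if (eventTimestamp > startTime) {
                    count++;
                }
            } else {
                // No interval - all events considered.
                count++;
            }
        }
    }
    return count;
}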
/**
 * Create an {@link Attack} from the {@link Event} that triggered it, copying the event's
 * user, detection point, timestamp, detection system id and resource onto the new attack.
 *
 * @param Event the triggering {@link Event}
 */
public Attack (Event Event) {
    Event source = Event;
    this.setUser(source.GetUser());
    this.setDetectionPoint(source.GetDetectionPoint());
    this.setTimestamp(source.GetTimestamp());
    this.setDetectionSystemId(source.GetDetectionSystemId());
    this.setResource(source.getResource());
}
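/**
 * This method analyzes statistical {@link Event}s that are added to the system and
 * detects if the configured {@link Threshold} has been crossed. If so, an {@link Attack} is
 * created and added to the system.
 *
 * An attack is recorded whenever the number of matching events since the last attack is a
 * whole multiple of the threshold count, so each threshold crossing produces exactly one attack.
 *
 * @param Event the {@link Event} that was added to the {@link EventStore}
 */
//public override void analyze(Event Event) {
public void analyze(Event Event) {
    SearchCriteria criteria = new SearchCriteria().
            setUser(Event.GetUser()).
            setDetectionPoint(Event.GetDetectionPoint()).
            setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(Event.GetDetectionSystemId()));

    Collection<Event> existingEvents = appSensorServer.getEventStore().findEvents(criteria);

    DetectionPoint configuredDetectionPoint = appSensorServer.getConfiguration().findDetectionPoint(Event.GetDetectionPoint());
    if (configuredDetectionPoint == null) {
        // An event for a detection point the server is not configured for cannot be thresholded.
        // Previously this dereferenced null; log it so a sensor/configuration mismatch is visible.
        Logger.Warn("No configured detection point found for event " + Event.GetDetectionPoint().getId() + " - skipping analysis");
        return;
    }

    long intervalMillis = configuredDetectionPoint.getThreshold().getInterval().toMillis();
    int thresholdCount = configuredDetectionPoint.getThreshold().getCount();
    if (thresholdCount <= 0) {
        // A zero threshold would make the modulo below throw DivideByZeroException; a
        // non-positive threshold is a configuration error, not an attack signal.
        Logger.Warn("Invalid threshold count <" + thresholdCount + "> configured for detection point " + Event.GetDetectionPoint().getId() + " - skipping analysis");
        return;
    }

    int eventCount = countEvents(intervalMillis, existingEvents, Event);

    //4 examples for the below code
    //1. count is 5, t.count is 10 (5%10 = 5, No Violation)
    //2. count is 45, t.count is 10 (45%10 = 5, No Violation)
    //3. count is 10, t.count is 10 (10%10 = 0, Violation Observed)
    //4. count is 30, t.count is 10 (30%10 = 0, Violation Observed)
    // NOTE(review): 0 % thresholdCount is also 0. This relies on the triggering event already
    // being in the event store when the listener fires, so eventCount is at least 1 — confirm
    // this holds for every store implementation.
    if (eventCount % thresholdCount == 0) {
        // The username is logged verbatim; log consumers should treat it as data, not as a trusted message.
        Logger.Info("Violation Observed for user <" + Event.GetUser().getUsername() + "> - storing attack");

        //have determined this event triggers attack
        appSensorServer.getAttackStore().addAttack(new Attack(Event));
    }
}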
/**
 * {@inheritDoc}
 *
 * Logs the event at warning level, persists it to the file store, then notifies the
 * registered listeners via the base class.
 */
public override void addEvent(Event Event) {
    string message = "Security event " + Event.GetDetectionPoint().getId() + " triggered by user: " + Event.GetUser().getUsername();
    Logger.Warn(message);
    writeEvent(Event);
    //super.notifyListeners(Event);
    base.notifyListeners(Event);
}
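// Detection system id of the first event seen by this process; shared by all instances.
// It is never reset and the null check is not synchronized.
private static string detectionSystemId = null; //start with blank

/**
 * {@inheritDoc}
 *
 * The detection system id is captured from the first event seen and kept for the lifetime of
 * the process; later events reporting a different id do not replace it. NOTE(review): the id is
 * self-reported by the sensor, so it is only as trustworthy as the caller — confirm it is not
 * used for authorization decisions.
 */
/// <exception cref="NotAuthorizedException"></exception>
//public override void addEvent(Event Event) {
public void addEvent(Event Event) {
    if (detectionSystemId == null) {
        detectionSystemId = Event.GetDetectionSystemId();
    }
    appSensorServer.getEventStore().addEvent(Event);
}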
/**
 * Add an {@link org.owasp.appsensor.Event} to the EventStore.
 *
 * The file-backed store in this project persists the event and then calls notifyListeners;
 * other implementations may differ — confirm per store.
 *
 * @param Event the {@link org.owasp.appsensor.Event} to Add to the EventStore
 */
public abstract void addEvent(Event Event);
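/**
 * Persist an {@link Event} to the file-backed store.
 *
 * Each write is appended as its own line so earlier events are retained. The previous
 * File.WriteAllText replaced the file on every call, leaving the store with only the last
 * event and making any threshold count unreachable; the Java original used APPEND.
 *
 * @param Event the {@link Event} to write
 */
protected void writeEvent(Event Event) {
    // TODO(review): ser.ToString() does not use the Event parameter at all, so the text written
    // is the serializer's own string form rather than the event. Serialize Event here once the
    // serializer's API for this project is confirmed.
    string json = ser.ToString();
    string path = getPath().ToString();
    try {
        //Files.write(getPath(), Arrays.asList(json), StandardCharsets.UTF_8, StandardOpenOption.APPEND, StandardOpenOption.WRITE);
        File.AppendAllText(path, json + System.Environment.NewLine, System.Text.Encoding.UTF8);
    } catch (IOException e) {
        Logger.Error("Error occurred writing event file to path: " + path, e);
    } catch (System.UnauthorizedAccessException e) {
        // Permission problems on the store path are reported, not allowed to take the server down.
        Logger.Error("Error occurred writing event file to path: " + path, e);
    }
}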
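/**
 * Find most recent {@link Attack} matching the given {@link Event} ({@link User}, {@link DetectionPoint}, detection system)
 * and find its timestamp.
 *
 * The {@link Event} should only be counted if they've occurred after the most recent {@link Attack}.
 *
 * @param Event {@link Event} to use to find matching {@link Attack}s
 * @return timestamp representing last matching {@link Attack}, or the epoch (from DateUtils.epoch) if none is found
 */
protected DateTime? findMostRecentAttackTime(Event Event) {
    // Default to the epoch (the Java original returned -1L) so callers can compare directly.
    DateTime? newest = DateUtils.epoch();

    SearchCriteria criteria = new SearchCriteria().
            setUser(Event.GetUser()).
            setDetectionPoint(Event.GetDetectionPoint()).
            setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(Event.GetDetectionSystemId()));

    Collection<Attack> attacks = appSensorServer.getAttackStore().findAttacks(criteria);

    foreach (Attack attack in attacks) {
        // Parse once per attack; the original parsed the same timestamp twice.
        DateTime? attackTime = DateUtils.fromString(attack.GetTimestamp());
        // Lifted comparison: a null (unparseable) timestamp compares false and is skipped.
        // if (DateUtils.fromString(attack.GetTimestamp()).isafter(newest)) {
        if (attackTime > newest) {
            newest = attackTime;
        }
    }

    return newest;
}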
/**
 * {@inheritDoc}
 *
 * Reporting hook: records which user produced the observed {@link Event}. The username is
 * written to the log as-is.
 */
//public override void onAdd(Event Event) {
public void onAdd(Event Event) {
    string message = "Reporter observed event by user [" + Event.GetUser().getUsername() + "]";
    Logger.Info(message);
}
/**
 * Add an {@link Event}.
 *
 * This implementation is a no-op: the event is neither stored nor forwarded, so a deployment
 * wired to it performs no detection.
 *
 * @param Event {@link Event} to Add
 */
public void addEvent(Event Event) {
}
/**
 * {@inheritDoc}
 *
 * Not yet implemented: this client is meant to forward the {@link Event} to the server over
 * REST once the request can be built from configuration. Until then events handed to it are
 * dropped without logging.
 */
//TODO: do a rest request based on configuration
public void addEvent(Event Event) {
    //make request
}
/**
 * Add an Event.
 *
 * No-op in this type; concrete stores provide the real behaviour.
 *
 * @param Event Event to Add
 */
/// <exception cref="NotAuthorizedException"></exception>
//public void addEvent (Event Event);
void addEvent(Event Event) {
}
/**
 * {@inheritDoc}
 *
 * Every stored {@link Event} is handed straight to analyze, so the threshold check runs
 * synchronously inside the listener callback.
 */
public void onAdd(Event Event) {
    this.analyze(Event);
}
/**
 * Analyze an {@link Event}. This base implementation does nothing; concrete analysis
 * engines provide their own analyze(Event).
 *
 * @param Event the {@link Event} to analyze
 */
//public abstract void analyze(Event Event) {
public void analyze(Event Event) {
}
/**
 * Notify each {@link EventListener} of the specified {@link Event}.
 *
 * Listeners are called in iteration order on the caller's thread. An exception thrown by one
 * listener propagates out of this method and the listeners after it are not called, so a
 * failing reporter can keep the analysis engine from seeing the event.
 *
 * @param Event the {@link Event} to notify each {@link EventListener} about
 */
public void notifyListeners(Event Event) {
    foreach (EventListener registered in listeners) {
        registered.OnAdd(Event);
    }
}
/**
 * {@inheritDoc}
 *
 * Pushes the {@link Event} to the web socket under the "event" tag, then logs which user
 * produced it.
 */
//public override void onAdd(Event Event) {
public void onAdd(Event Event) {
    notifyWebSocket("event", Event);
    string message = "Reporter observed event by user [" + Event.GetUser().getUsername() + "]";
    Logger.Info(message);
}
/**
 * {@inheritDoc}
 *
 * Delegates storage of the {@link Event} to the configured request handler.
 */
// public override void addEvent(Event Event) {
public void addEvent(Event Event) {
    this.requestHandler.addEvent(Event);
}