/**
         * This method analyzes statistical {@link Event}s that are added to the system and
         * detects if the configured {@link Threshold} has been crossed. If so, an {@link Attack} is
         * created and added to the system.
         *
         * @param event the {@link Event} that was added to the {@link EventStore}
         */
        //public override void analyze(Event Event) {
        public void analyze(Event Event)
        {
            // Scope the lookup to the same user and detection point, across every
            // detection system the configuration relates to the reporting one.
            SearchCriteria matchingCriteria = new SearchCriteria()
                .setUser(Event.GetUser())
                .setDetectionPoint(Event.GetDetectionPoint())
                .setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(Event.GetDetectionSystemId()));

            Collection <Event> priorEvents = appSensorServer.getEventStore().findEvents(matchingCriteria);

            // The threshold comes from the server-side configuration, not from the
            // detection point carried by the incoming event.
            // NOTE(review): findDetectionPoint presumably returns null for a detection point
            // that is not configured, which would fail on the next line - confirm.
            DetectionPoint configured = appSensorServer.getConfiguration().findDetectionPoint(Event.GetDetectionPoint());

            // countEvents is not shown here; presumably it counts the events that fall
            // inside the threshold interval, including the triggering one - confirm.
            int observed = countEvents(configured.getThreshold().getInterval().toMillis(), priorEvents, Event);
            int limit    = configured.getThreshold().getCount();

            // An attack is raised on every exact multiple of the threshold count:
            //   observed  5, limit 10 ->  5 % 10 = 5 -> no violation
            //   observed 45, limit 10 -> 45 % 10 = 5 -> no violation
            //   observed 10, limit 10 -> 10 % 10 = 0 -> violation
            //   observed 30, limit 10 -> 30 % 10 = 0 -> violation
            // NOTE(review): a configured count of 0 makes the modulo throw
            // DivideByZeroException, and an observed count of 0 would register as a
            // violation (0 % n == 0). Neither case is guarded here.
            bool crossesThreshold = (observed % limit) == 0;

            if (!crossesThreshold)
            {
                return;
            }

            // NOTE(review): the username is written to the log as-is; confirm the logger
            // neutralises line breaks so an event cannot forge log entries.
            Logger.Info("Violation Observed for user <" + Event.GetUser().getUsername() + "> - storing attack");

            // This event is the one that tips the count over, so it seeds the attack.
            appSensorServer.getAttackStore().addAttack(new Attack(Event));
        }
        /// <exception cref="Exception"></exception>
        /// <summary>
        /// Installs the mocked detection points on the server and then submits seven
        /// identical events for <c>bob</c> through the client, pausing before each one
        /// and once more after the last.
        /// </summary>
        private void populateData()
        {
            AppSensorClient appSensorClient = (AppSensorClient)contextClient.GetObject("AppSensorClient");
            AppSensorServer appSensorServer = (AppSensorServer)contextServer.GetObject("AppSensorServer");

            // Pause between submissions, in milliseconds.
            // NOTE(review): presumably spaces the events out in time - confirm intent.
            int pauseMillis = 500;

            // Number of events submitted below.
            int eventsToSend = 7;

            detectionPoint1.setId("IE1");
            detectionSystems1.Add(detectionSystem1);

            // Swap the server's detection points for the mocked set.
            ServerConfiguration serverConfiguration = appSensorServer.getConfiguration();

            serverConfiguration.setDetectionPoints(loadMockedDetectionPoints());
            appSensorServer.setConfiguration(serverConfiguration);

            for (int sent = 0; sent < eventsToSend; sent++)
            {
                Thread.Sleep(pauseMillis);
                // A fresh Event instance is built for every submission.
                appSensorClient.getEventManager().addEvent(new Event(bob, detectionPoint1, "localhostme"));
            }

            // Trailing pause after the final event.
            Thread.Sleep(pauseMillis);
        }
        /**
         * Check authz before performing action.
         *
         * @param action desired action
         * @throws NotAuthorizedException thrown if user does not have role.
         */
        public void checkAuthorization(Action action, IncomingWebRequestContext context)   // presumably surfaces NotAuthorizedException from assertAuthorized - not visible here
        {
            // Resolves the calling client application and asks the configured access
            // controller whether that application may perform `action`.
            //
            // NOTE(review): this expression does not read a value out of the request.
            // context.GetType().GetProperty(name) reflects over the CLR type and returns a
            // PropertyInfo (or null when the type has no public property with that name);
            // ToString() on a PropertyInfo yields the property's signature text, not its value,
            // and the (string) cast is redundant. With a null PropertyInfo this line throws
            // NullReferenceException before any authorization decision is made. The intent is
            // presumably to fetch the client-application identifier that the request handler
            // attached to the request - confirm where RequestHandler stores it and read it
            // from there.
            string clientApplicationName = (string)context.GetType().GetProperty(RequestHandler.APPSENSOR_CLIENT_APPLICATION_IDENTIFIER_ATTR).ToString();

            // NOTE(review): behaviour for an unknown name depends on findClientApplication
            // (not shown); if it returns null, the access controller must treat a null
            // application as unauthorized - verify that it denies by default.
            ClientApplication clientApplication = appSensorServer.getConfiguration().findClientApplication(clientApplicationName);

            // The decision is delegated to the access controller. A newly constructed Context
            // is passed, so nothing else from the incoming request reaches the decision.
            appSensorServer.getAccessController().assertAuthorized(clientApplication, action, new Context());
        }
        /// <summary>
        /// Submits seven events for <c>bob</c> one at a time and, after each, checks the
        /// number of stored events and the number of stored attacks. The expected attack
        /// totals rise after the third and sixth event.
        /// </summary>
        public void testAttackCreation()
        {
            // Replace the server's detection points with the mocked set.
            // NOTE(review): the expectations below are consistent with a threshold count
            // of 3; that value would come from loadMockedDetectionPoints, not shown here.
            ServerConfiguration serverConfiguration = appSensorServer.getConfiguration();

            serverConfiguration.setDetectionPoints(loadMockedDetectionPoints());
            appSensorServer.setConfiguration(serverConfiguration);

            SearchCriteria bobCriteria = new SearchCriteria()
                .setUser(bob)
                .setDetectionPoint(detectionPoint1)
                .setDetectionSystemIds(detectionSystems1);

            // Both stores start out empty for these criteria.
            Assert.AreEqual(0, appSensorServer.getEventStore().findEvents(bobCriteria).Count);
            Assert.AreEqual(0, appSensorServer.getAttackStore().findAttacks(bobCriteria).Count);

            // Expected attack total after the 1st, 2nd, ... 7th event.
            int[] expectedAttackTotals = { 0, 0, 1, 1, 1, 2, 2 };

            for (int index = 0; index < expectedAttackTotals.Length; index++)
            {
                appSensorClient.getEventManager().addEvent(new Event(bob, detectionPoint1, "localhostme"));

                // Every submitted event must be stored, whether or not it raises an attack.
                Assert.AreEqual(index + 1, appSensorServer.getEventStore().findEvents(bobCriteria).Count);
                Assert.AreEqual(expectedAttackTotals[index], appSensorServer.getAttackStore().findAttacks(bobCriteria).Count);
            }
        }
        /// <summary>
        /// Replaces <c>HEADER_NAME</c> with the client-application identification header
        /// name from the server configuration. A null, empty or whitespace-only configured
        /// value leaves <c>HEADER_NAME</c> unchanged.
        /// </summary>
        private void updateHeaderFromConfiguration()
        {
            String headerFromConfig = appSensorServer.getConfiguration().getClientApplicationIdentificationHeaderName();

            bool nothingConfigured = headerFromConfig == null || headerFromConfig.Trim().Length == 0;

            if (nothingConfigured)
            {
                return;
            }

            // The value is stored exactly as configured; Trim() is used only for the check.
            // NOTE(review): HEADER_NAME is declared outside this block; if it is shared
            // state, confirm it is not reassigned while requests are being identified.
            HEADER_NAME = headerFromConfig;
        }
        /**
         * Find/generate {@link Response} appropriate for specified {@link Attack}.
         *
         * @param attack {@link Attack} that is being analyzed
         * @return {@link Response} to be executed for given {@link Attack}
         */
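        protected Response findAppropriateResponse(Attack attack)
        {
            // Selects the response to issue for `attack`:
            //   - no earlier responses for this user/detection point -> the first configured response;
            //   - otherwise -> the first configured response that has not been used yet,
            //     or the last configured one again when all of them have been used.
            // Returns a new Response carrying the attack's user, timestamp and detection
            // system id together with the selected action and interval.
            // Throws ArgumentException when no response action can be determined, including
            // when the detection point has no configured responses at all.
            DetectionPoint triggeringDetectionPoint = attack.GetDetectionPoint();

            SearchCriteria criteria = new SearchCriteria().
                                      setUser(attack.GetUser()).
                                      setDetectionPoint(triggeringDetectionPoint).
                                      setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(attack.GetDetectionSystemId()));

            // Responses already issued for the same user, detection point and related systems.
            Collection <Response> existingResponses = appSensorServer.getResponseStore().findResponses(criteria);

            // Responses configured for the detection point, in configured order.
            Collection <Response> possibleResponses = findPossibleResponses(triggeringDetectionPoint);

            bool noPriorResponses = existingResponses == null || existingResponses.Count == 0;

            string   responseAction = null;
            Interval interval       = null;

            // A null or empty set of configured responses leaves responseAction null, so the
            // ArgumentException below reports the misconfiguration. The previous code read
            // enumerator.Current after an unchecked MoveNext(), which ended in a
            // NullReferenceException for an empty collection, and never disposed the enumerator.
            if (possibleResponses != null)
            {
                foreach (Response configuredResponse in possibleResponses)
                {
                    responseAction = configuredResponse.getAction();
                    interval       = configuredResponse.getInterval();

                    // With no history the first configured response is used; with history,
                    // the first one that has not been issued before.
                    if (noPriorResponses || !isPreviousResponse(configuredResponse, existingResponses))
                    {
                        break;
                    }

                    // Falling out of the loop keeps the values of the last configured
                    // response, i.e. the last response is repeated.
                }
            }

            if (responseAction == null)
            {
                throw new ArgumentException("No appropriate response was configured for this detection point: " + triggeringDetectionPoint.getId());
            }

            Response response = new Response();

            response.setUser(attack.GetUser());
            // The response is stamped with the attack's timestamp, not the current time.
            response.setTimestamp(attack.GetTimestamp());
            response.setAction(responseAction);
            response.setInterval(interval);
            response.setDetectionSystemId(attack.GetDetectionSystemId());

            return response;
        }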