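/// <summary>
/// Analyzes a statistical <see cref="Event"/> that was added to the system and
/// detects whether the configured <see cref="Threshold"/> has been crossed. If so,
/// an <see cref="Attack"/> is created and added to the attack store.
/// </summary>
/// <param name="Event">the <see cref="Event"/> that was added to the event store</param>
public void analyze(Event Event) {
    // Look up earlier events for the same user and detection point, across every
    // detection system the configuration relates to the reporting one.
    SearchCriteria criteria = new SearchCriteria().
        setUser(Event.GetUser()).
        setDetectionPoint(Event.GetDetectionPoint()).
        setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(Event.GetDetectionSystemId()));

    Collection<Event> existingEvents = appSensorServer.getEventStore().findEvents(criteria);

    // NOTE(review): the result is dereferenced without a null check; confirm that
    // findDetectionPoint cannot return null for an event whose detection point is
    // not configured, otherwise such an event fails here instead of being analyzed.
    DetectionPoint configuredDetectionPoint = appSensorServer.getConfiguration().findDetectionPoint(Event.GetDetectionPoint());

    int eventCount = countEvents(configuredDetectionPoint.getThreshold().getInterval().toMillis(), existingEvents, Event);

    int thresholdCount = configuredDetectionPoint.getThreshold().getCount();

    // A threshold count of zero would make the modulo below throw
    // DivideByZeroException, which would propagate to whoever submitted the event.
    // Report the misconfiguration and skip the check instead. (A negative count
    // still divides like its absolute value, so only zero needs handling.)
    if (thresholdCount == 0) {
        Logger.Info("Threshold count is 0 for the configured detection point - skipping analysis");
        return;
    }

    // An attack is raised on every multiple of the threshold, not only the first:
    //1. count is 5,  t.count is 10 (5%10  = 5, No Violation)
    //2. count is 45, t.count is 10 (45%10 = 5, No Violation)
    //3. count is 10, t.count is 10 (10%10 = 0, Violation Observed)
    //4. count is 30, t.count is 10 (30%10 = 0, Violation Observed)
    if (eventCount % thresholdCount == 0) {
        // NOTE(review): the username is written to the log unmodified. If usernames
        // can carry CR/LF or other control characters, neutralize them before
        // logging - confirm whether Logger already does this.
        Logger.Info("Violation Observed for user <" + Event.GetUser().getUsername() + "> - storing attack");

        // This event is the one that crossed the threshold, so it becomes the attack.
        appSensorServer.getAttackStore().addAttack(new Attack(Event));
    }
}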
/// <summary>
/// Submits seven identical events for one user and detection point and checks,
/// after each one, how many events and attacks the stores report.
/// The expected attack counts (first attack on the 3rd event, second on the 6th)
/// imply that the mocked threshold fires on every third event; the mocked
/// detection points themselves are defined outside this method.
/// </summary>
public void testAttackCreation() {
    // Swap the mocked detection points into the server's current configuration.
    // appSensorServer and appSensorClient are not created here; they are supplied
    // by the surrounding fixture.
    ServerConfiguration mockedConfiguration = appSensorServer.getConfiguration();
    mockedConfiguration.setDetectionPoints(loadMockedDetectionPoints());
    appSensorServer.setConfiguration(mockedConfiguration);

    SearchCriteria criteria = new SearchCriteria().
        setUser(bob).
        setDetectionPoint(detectionPoint1).
        setDetectionSystemIds(detectionSystems1);

    // Both stores must start out empty for this criteria, otherwise the counts
    // asserted below would be off.
    Assert.AreEqual(0, appSensorServer.getEventStore().findEvents(criteria).Count);
    Assert.AreEqual(0, appSensorServer.getAttackStore().findAttacks(criteria).Count);

    // Attacks expected in the store after the 1st, 2nd, ... 7th event.
    int[] expectedAttacks = { 0, 0, 1, 1, 1, 2, 2 };

    for (int added = 1; added <= expectedAttacks.Length; added++) {
        appSensorClient.getEventManager().addEvent(new Event(bob, detectionPoint1, "localhostme"));

        Assert.AreEqual(added, appSensorServer.getEventStore().findEvents(criteria).Count);
        Assert.AreEqual(expectedAttacks[added - 1], appSensorServer.getAttackStore().findAttacks(criteria).Count);
    }
}
/// <inheritdoc/>
// The Java annotations @Override, @POST and @Path("/events") and the
// "throws NotAuthorizedException" clause were left commented out in this port.
public void addEvent(Event Event) {
    // The authorization check comes first, before the event is modified or stored.
    // Presumably it throws NotAuthorizedException on failure - confirm against
    // accessControlUtils.
    accessControlUtils.checkAuthorization(org.owasp.appsensor.accesscontrol.Action.ADD_EVENT, requestContext);

    // Any detection system id already carried by the submitted event is replaced
    // with the value of getClientApplicationName(), so the stored id does not come
    // from the event payload. NOTE(review): confirm that value is derived from the
    // authenticated request rather than from caller-controlled input.
    var callerApplication = getClientApplicationName();
    Event.setDetectionSystemId(callerApplication);

    var store = appSensorServer.getEventStore();
    store.addEvent(Event);
}
// Detection system id copied from the first event this handler sees; stays null
// until then and is never overwritten afterwards by this method. Being static, it
// is shared by every instance of the class.
private static string detectionSystemId;

/// <inheritdoc/>
/// <exception cref="NotAuthorizedException"></exception>
public void addEvent(Event Event) {
    // NOTE(review): no authorization check is visible in this method even though
    // NotAuthorizedException is documented; presumably callers are in-process and
    // trusted - confirm. The id remembered below is whatever the event itself
    // reports.
    bool idAlreadyCaptured = detectionSystemId != null;
    if (!idAlreadyCaptured) {
        detectionSystemId = Event.GetDetectionSystemId();
    }

    var store = appSensorServer.getEventStore();
    store.addEvent(Event);
}
/// <summary>
/// Deletes the backing files of the event, attack and response stores that the
/// server configuration in Resources/appsensor-server-config.xml defines.
/// </summary>
public void deleteTestFiles() {
    // A fresh context is built here rather than reusing one from the fixture.
    IApplicationContext testContext = new XmlApplicationContext("Resources/base-context.xml", "Resources/appsensor-server-config.xml");
    AppSensorServer server = (AppSensorServer)testContext.GetObject("AppSensorServer");

    // Direct casts: if a store is not file-based, this throws InvalidCastException
    // before any file has been removed.
    FileBasedEventStore events = (FileBasedEventStore)server.getEventStore();
    FileBasedAttackStore attacks = (FileBasedAttackStore)server.getAttackStore();
    FileBasedResponseStore responses = (FileBasedResponseStore)server.getResponseStore();

    // File.Delete does not throw when the file is already absent.
    // NOTE(review): the paths come straight from the loaded configuration, so this
    // removes whatever files that configuration names - make sure the test config
    // points only at test-owned files.
    var eventsPath = events.getPath();
    File.Delete(eventsPath);

    var attacksPath = attacks.getPath();
    File.Delete(attacksPath);

    var responsesPath = responses.getPath();
    File.Delete(responsesPath);
}