/**
* Locate detection point configuration from server-side config file.
*
* @param search detection point that has been added to the system
* @return DetectionPoint populated with configuration information from server-side config
*/
public DetectionPoint findDetectionPoint(DetectionPoint search)
{
DetectionPoint detectionPoint = null;
//detectionPoint = detectionPointCache.get(search.getId());
detectionPoint = detectionPointCache[search.getId()];
if (detectionPoint == null)
{
foreach (DetectionPoint configuredDetectionPoint in getDetectionPoints())
{
if (configuredDetectionPoint.getId().Equals(search.getId()))
{
detectionPoint = configuredDetectionPoint;
//cache
detectionPointCache.Add(detectionPoint.getId(), detectionPoint);
break;
}
}
}
return(detectionPoint);
}
/**
* Lookup configured {@link Response} objects for specified {@link DetectionPoint}
*
* @param triggeringDetectionPoint {@link DetectionPoint} that triggered {@link Attack}
* @return collection of {@link Response} objects for given {@link DetectionPoint}
*/
protected Collection <Response> findPossibleResponses(DetectionPoint triggeringDetectionPoint)
{
//Collection<Response> possibleResponses = new List<Response>();
Collection <Response> possibleResponses = new Collection <Response>();
foreach (DetectionPoint configuredDetectionPoint in appSensorServer.getConfiguration().getDetectionPoints())
{
if (configuredDetectionPoint.getId().Equals(triggeringDetectionPoint.getId()))
{
possibleResponses = configuredDetectionPoint.getResponses();
break;
}
}
return(possibleResponses);
}
/**
* {@inheritDoc}
*/
public override Collection <Attack> findAttacks(SearchCriteria criteria)
{
if (criteria == null)
{
//throw new IllegalArgumentException("criteria must be non-null");
throw new ArgumentException("criteria must be non-null");
}
//Collection<Attack> matches = new List<Attack>();
Collection <Attack> matches = new Collection <Attack>();
User user = criteria.GetUser();
DetectionPoint detectionPoint = criteria.GetDetectionPoint();
//Collection<string> detectionSystemIds = criteria.getDetectionSystemIds();
HashSet <string> detectionSystemIds = criteria.getDetectionSystemIds();
DateTime? earliest = DateUtils.fromString(criteria.getEarliest());
Collection <Attack> attacks = loadAttacks();
foreach (Attack attack in attacks)
{
//check user match if user specified
bool userMatch = (user != null) ? user.Equals(attack.GetUser()) : true;
//check detection system match if detection systems specified
//bool detectionSystemMatch = (detectionSystemIds != null && detectionSystemIds.size() > 0) ?
bool detectionSystemMatch = (detectionSystemIds != null && detectionSystemIds.Count > 0) ?
detectionSystemIds.Contains(attack.GetDetectionSystemId()) : true;
//check detection point match if detection point specified
bool detectionPointMatch = (detectionPoint != null) ?
detectionPoint.getId().Equals(attack.GetDetectionPoint().getId()) : true;
//bool earliestMatch = (earliest != null) ? earliest.isBefore(DateUtils.fromString(attack.GetTimestamp())) : true;
bool earliestMatch = (earliest != null) ? earliest < DateUtils.fromString(attack.GetTimestamp()) : true;
if (userMatch && detectionSystemMatch && detectionPointMatch && earliestMatch)
{
matches.Add(attack);
}
}
return(matches);
}
/**
* {@inheritDoc}
*/
public override Collection <Event> findEvents(SearchCriteria criteria)
{
if (criteria == null)
{
throw new ArgumentException("criteria must be non-null");
}
Collection <Event> matches = new Collection <Event>();
User user = criteria.GetUser();
DetectionPoint detectionPoint = criteria.GetDetectionPoint();
//Collection<string> detectionSystemIds = criteria.getDetectionSystemIds();
HashSet <string> detectionSystemIds = criteria.getDetectionSystemIds();
DateTime? earliest = DateUtils.fromString(criteria.getEarliest());
Collection <Event> events = loadEvents();
foreach (Event Event in events)
{
//check user match if user specified
bool userMatch = (user != null) ? user.Equals(Event.GetUser()) : true;
//check detection system match if detection systems specified
bool detectionSystemMatch = (detectionSystemIds != null && detectionSystemIds.Count > 0) ?
detectionSystemIds.Contains(Event.GetDetectionSystemId()) : true;
//check detection point match if detection point specified
bool detectionPointMatch = (detectionPoint != null) ?
detectionPoint.getId().Equals(Event.GetDetectionPoint().getId()) : true;
bool earliestMatch = (earliest != null) ? earliest < DateUtils.fromString(Event.GetTimestamp()) : true;
if (userMatch && detectionSystemMatch && detectionPointMatch && earliestMatch)
{
matches.Add(Event);
}
}
return(matches);
}
/**
* Find/generate {@link Response} appropriate for specified {@link Attack}.
*
* @param attack {@link Attack} that is being analyzed
* @return {@link Response} to be executed for given {@link Attack}
*/
protected Response findAppropriateResponse(Attack attack)
{
DetectionPoint triggeringDetectionPoint = attack.GetDetectionPoint();
SearchCriteria criteria = new SearchCriteria().
setUser(attack.GetUser()).
setDetectionPoint(triggeringDetectionPoint).
setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(attack.GetDetectionSystemId()));
//grab any existing responses
Collection <Response> existingResponses = appSensorServer.getResponseStore().findResponses(criteria);
string responseAction = null;
Interval interval = null;
Collection <Response> possibleResponses = findPossibleResponses(triggeringDetectionPoint);
//if (existingResponses == null || existingResponses.Size() == 0) {
if (existingResponses == null || existingResponses.Count == 0)
{
//no responses yet, just grab first configured response from detection point
// Response response = possibleResponses.iterator().next();
IEnumerator <Response> enumerator = possibleResponses.GetEnumerator();
enumerator.MoveNext();
Response response = enumerator.Current;
responseAction = response.getAction();
interval = response.getInterval();
}
else
{
foreach (Response configuredResponse in possibleResponses)
{
responseAction = configuredResponse.getAction();
interval = configuredResponse.getInterval();
if (!isPreviousResponse(configuredResponse, existingResponses))
{
//if we find that this response doesn't already exist, use it
break;
}
//if we reach here, we will just use the last configured response (repeat last response)
}
}
if (responseAction == null)
{
//throw new IllegalArgumentException("No appropriate response was configured for this detection point: " + triggeringDetectionPoint.getId());
throw new ArgumentException("No appropriate response was configured for this detection point: " + triggeringDetectionPoint.getId());
}
Response responses = new Response();
responses.setUser(attack.GetUser());
responses.setTimestamp(attack.GetTimestamp());
responses.setAction(responseAction);
responses.setInterval(interval);
responses.setDetectionSystemId(attack.GetDetectionSystemId());
return(responses);
}
/**
* Lookup configured {@link Response} objects for specified {@link DetectionPoint}
*
* @param triggeringDetectionPoint {@link DetectionPoint} that triggered {@link Attack}
* @return collection of {@link Response} objects for given {@link DetectionPoint}
*/
protected Collection<Response> findPossibleResponses(DetectionPoint triggeringDetectionPoint) {
//Collection<Response> possibleResponses = new List<Response>();
Collection<Response> possibleResponses = new Collection<Response>();
foreach (DetectionPoint configuredDetectionPoint in appSensorServer.getConfiguration().getDetectionPoints()) {
if (configuredDetectionPoint.getId().Equals(triggeringDetectionPoint.getId())) {
possibleResponses = configuredDetectionPoint.getResponses();
break;
}
}
return possibleResponses;
}