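/**
 * Analyzes statistical {@link Event}s that are added to the system and detects whether the
 * configured {@link Threshold} has been crossed. If so, an {@link Attack} is created and
 * added to the system.
 *
 * Events are looked up for the same user and detection point across all detection systems
 * the configuration relates to the event's own system, then counted within the threshold
 * interval by countEvents. An attack is recorded every time the running count hits a
 * multiple of the threshold count (see the examples below), not only the first time.
 *
 * @param Event the {@link Event} that was added to the {@link EventStore}
 */
public void analyze(Event Event) {
    SearchCriteria criteria = new SearchCriteria().
        setUser(Event.GetUser()).
        setDetectionPoint(Event.GetDetectionPoint()).
        setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(Event.GetDetectionSystemId()));

    Collection<Event> existingEvents = appSensorServer.getEventStore().findEvents(criteria);

    DetectionPoint configuredDetectionPoint = appSensorServer.getConfiguration().findDetectionPoint(Event.GetDetectionPoint());
    if (configuredDetectionPoint == null || configuredDetectionPoint.getThreshold() == null) {
        // An event for a detection point without a configured threshold cannot be evaluated;
        // skip it with a warning instead of failing with a NullReferenceException below.
        Logger.Warn("No configured threshold for detection point <" + Event.GetDetectionPoint().getId() + "> - skipping analysis");
        return;
    }

    Threshold threshold = configuredDetectionPoint.getThreshold();
    int thresholdCount = threshold.getCount();
    if (thresholdCount <= 0) {
        // A count of 0 would make the modulo below throw DivideByZeroException and a negative
        // count is meaningless; treat either as a configuration error rather than crash.
        Logger.Warn("Invalid threshold count <" + thresholdCount + "> for detection point <" + configuredDetectionPoint.getId() + "> - skipping analysis");
        return;
    }

    int eventCount = countEvents(threshold.getInterval().toMillis(), existingEvents, Event);

    //4 examples for the below code
    //1. count is 5, t.count is 10 (5%10 = 5, No Violation)
    //2. count is 45, t.count is 10 (45%10 = 5, No Violation)
    //3. count is 10, t.count is 10 (10%10 = 0, Violation Observed)
    //4. count is 30, t.count is 10 (30%10 = 0, Violation Observed)
    //
    // countEvents is expected to include the triggering event, so 0 should not occur; the
    // eventCount > 0 guard only makes sure 0 % n == 0 never records an attack backed by no events.
    if (eventCount > 0 && eventCount % thresholdCount == 0) {
        // NOTE(review): the username is echoed into the log verbatim; if usernames are
        // attacker-controlled, strip CR/LF before logging to prevent log forging.
        Logger.Info("Violation Observed for user <" + Event.GetUser().getUsername() + "> - storing attack");

        //have determined this event triggers attack
        appSensorServer.getAttackStore().addAttack(new Attack(Event));
    }
}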
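/**
 * Creates an {@link Attack} from the {@link Event} that triggered it, copying the event's
 * user, detection point, timestamp, detection system id and resource.
 *
 * @param Event the triggering {@link Event}; must not be null
 * @throws System.ArgumentNullException if Event is null (a descriptive failure instead of a
 *         NullReferenceException from the first accessor call)
 */
public Attack (Event Event) {
    if (Event == null) {
        throw new System.ArgumentNullException("Event");
    }

    setUser(Event.GetUser());
    setDetectionPoint(Event.GetDetectionPoint());
    setTimestamp(Event.GetTimestamp());
    setDetectionSystemId(Event.GetDetectionSystemId());
    setResource(Event.getResource());
}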
/**
 * {@inheritDoc}
 *
 * Logs the security event at warning level, persists it through writeEvent and finally
 * hands it to the registered listeners via the base class.
 *
 * @param Event the {@link Event} being added to this store
 */
public override void addEvent(Event Event) {
    var detectionPointId = Event.GetDetectionPoint().getId();
    var username = Event.GetUser().getUsername();

    // NOTE(review): the username is echoed into the log verbatim; if usernames are
    // attacker-controlled, strip CR/LF before logging to prevent log forging.
    Logger.Warn("Security event " + detectionPointId + " triggered by user: " + username);

    writeEvent(Event);
    base.notifyListeners(Event);
}
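/**
 * Builds an {@link Attack} out of the {@link Event} that caused it: user, detection point,
 * timestamp, detection system id and resource are all taken from the event.
 *
 * @param Event the source {@link Event}; must not be null
 * @throws System.ArgumentNullException when Event is null, so the caller sees which argument
 *         was missing instead of a bare NullReferenceException
 */
public Attack(Event Event) {
    if (Event == null) {
        throw new System.ArgumentNullException("Event");
    }

    setUser(Event.GetUser());
    setDetectionPoint(Event.GetDetectionPoint());
    setTimestamp(Event.GetTimestamp());
    setDetectionSystemId(Event.GetDetectionSystemId());
    setResource(Event.getResource());
}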
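/**
 * Value equality for {@link Event}: two events are equal when they have the same runtime type
 * and their user, detection point, timestamp, detection system id and resource are all equal.
 *
 * Field comparisons go through the static object.Equals(a, b) so that a null field on either
 * side compares safely (two nulls are equal) instead of throwing a NullReferenceException.
 *
 * NOTE(review): GetHashCode() must be overridden consistently with this method; it is not
 * visible here - confirm it exists and uses the same five fields.
 *
 * @param obj the object to compare with
 * @return true if obj is an {@link Event} equal to this one
 */
public override bool Equals(object obj) {
    if (object.ReferenceEquals(this, obj)) {
        return true;
    }
    if (obj == null || GetType() != obj.GetType()) {
        return false;
    }

    Event other = (Event)obj;
    return object.Equals(user, other.GetUser())
        && object.Equals(detectionPoint, other.GetDetectionPoint())
        && object.Equals(timestamp, other.GetTimestamp())
        && object.Equals(detectionSystemId, other.GetDetectionSystemId())
        && object.Equals(resource, other.getResource());
}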
/**
 * {@inheritDoc}
 *
 * Pushes the new {@link Event} to the web socket under the "event" topic and then logs it.
 *
 * NOTE(review): the whole event (user, detection point, resource, detection system) goes to
 * every connected web-socket client; confirm those clients are authenticated, as this is the
 * detection data an attacker would most like to see.
 *
 * @param Event the {@link Event} that was just added
 */
public void onAdd(Event Event) {
    // Push first, then log - the order the listener has always used.
    notifyWebSocket("event", Event);

    var username = Event.GetUser().getUsername();
    Logger.Info("Reporter observed event by user [" + username + "]");
}
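/**
 * Find the most recent {@link Attack} matching the given {@link Event} ({@link User},
 * {@link DetectionPoint}, related detection systems) and return its timestamp.
 *
 * {@link Event}s should only be counted if they occurred after the most recent {@link Attack}.
 *
 * @param Event {@link Event} to use to find matching {@link Attack}s
 * @return timestamp of the latest matching {@link Attack}, or DateUtils.epoch() when none
 *         matches (so that every event counts as occurring after it) - the code never
 *         returns -1, which the previous documentation claimed
 */
protected DateTime? findMostRecentAttackTime(Event Event) {
    DateTime? newest = DateUtils.epoch();

    SearchCriteria criteria = new SearchCriteria().
        setUser(Event.GetUser()).
        setDetectionPoint(Event.GetDetectionPoint()).
        setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(Event.GetDetectionSystemId()));

    Collection<Attack> attacks = appSensorServer.getAttackStore().findAttacks(criteria);

    foreach (Attack attack in attacks) {
        // Parse the timestamp once per attack; it used to be parsed twice on every match.
        DateTime? attackTime = DateUtils.fromString(attack.GetTimestamp());

        // Lifted comparison: if fromString ever yields null, the test is false and the entry is skipped.
        if (attackTime > newest) {
            newest = attackTime;
        }
    }

    return newest;
}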
/**
 * {@inheritDoc}
 *
 * Logging-only reporter: records which user the observed {@link Event} belongs to.
 *
 * @param Event the {@link Event} that was just added
 */
public void onAdd(Event Event) {
    var username = Event.GetUser().getUsername();
    Logger.Info("Reporter observed event by user [" + username + "]");
}