[Esapi-user] IntrusionException and IntrusionDetector
weiping_guo at yahoo.com
Thu Jun 23 11:36:41 EDT 2011
Thanks a lot for your explanation. I will look at the AppSensor project.
From: John Melton <jtmelton at gmail.com>
To: weiping guo <weiping_guo at yahoo.com>
Cc: esapi-user at lists.owasp.org
Sent: Thursday, June 23, 2011 11:18 AM
Subject: Re: [Esapi-user] IntrusionException and IntrusionDetector
Sorry - meant to include the link to those presentations - they can be found at https://www.owasp.org/index.php/OWASP_AppSensor_Project
On Thu, Jun 23, 2011 at 11:00 AM, John Melton <jtmelton at gmail.com> wrote:
Just a quick (hopefully helpful) additional note. When the intrusion detector decides that you have an actual "intrusion", then it can respond in various ways. I think the base intrusion detector can log additional info, and log out or disable a user. The AppSensor project has a couple more options, but it does seem to be quite a powerful concept. The AppSensor project main page has some helpful presentation decks that explain the application intrusion detection concept well.
>On Thu, Jun 23, 2011 at 10:52 AM, Jeff Williams <jeff.williams at aspectsecurity.com> wrote:
>The IntrusionDetector actually watches all SecurityExceptions (AuthenticationException, ValidationException, EncryptionException, etc…) and looks for patterns. Currently the implementation is pretty simple. You can configure a threshold into SecurityConfiguration for different types of exceptions. For example, if you exceed 5 ValidationExceptions in a 10 second window, it identifies this as an attack and throws an Intrusion Exception.
>>Michael Coates has done a lot of work building on this basic idea in the OWASP AppSensor project.
>>From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of weiping guo
>>Sent: Thursday, June 23, 2011 10:35 AM
>>To: esapi-user at lists.owasp.org
>>Subject: [Esapi-user] IntrusionException and IntrusionDetector
>>I need some help understanding intrusion detection. The Validator interface throws IntrusionException. The JavaDoc says "input that is clearly an attack will generate a descriptive IntrusionException." My question is: how is the intrusion detected? What does 'clearly' mean here? Any scenario is appreciated.
>>Suppose an intrusion is detected. I assume the ESAPI.IntrusionDetector (org.owasp.esapi.reference.DefaultIntrusionDetector, for example) defined in the config file will be notified. Can I assume the IntrusionDetector will be invoked automatically whenever IntrusionException is thrown? How does it work?
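The threshold rule described in the thread (more than 5 ValidationExceptions within a 10 second window is treated as an attack) can be sketched as a sliding-window counter. This is an added example, not code from the thread or from ESAPI's DefaultIntrusionDetector; the class, record and method names are hypothetical, and it assumes Java 16 or later.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/** Illustrative sliding-window counter; not ESAPI's DefaultIntrusionDetector. */
public class ThresholdDetectorDemo {
    /** Hypothetical quota: more than maxEvents within windowMillis counts as an attack. */
    record Threshold(int maxEvents, long windowMillis) {}

    private final Map<String, Threshold> thresholds = new HashMap<>();
    // Event timestamps keyed by "user|eventType", oldest first.
    private final Map<String, Deque<Long>> history = new HashMap<>();

    void configure(String eventType, int maxEvents, long windowMillis) {
        thresholds.put(eventType, new Threshold(maxEvents, windowMillis));
    }

    /** Counts one event; returns true when the threshold for that type is exceeded. */
    synchronized boolean addEvent(String user, String eventType, long nowMillis) {
        Threshold t = thresholds.get(eventType);
        if (t == null) return false;            // no threshold configured for this type
        Deque<Long> times =
            history.computeIfAbsent(user + "|" + eventType, k -> new ArrayDeque<>());
        times.addLast(nowMillis);
        // Drop events that have aged out of the window.
        while (nowMillis - times.peekFirst() > t.windowMillis()) times.removeFirst();
        if (times.size() > t.maxEvents()) {
            times.clear();                      // reset so one burst triggers one response
            return true;
        }
        return false;
    }

    public static void main(String[] args) {
        ThresholdDetectorDemo d = new ThresholdDetectorDemo();
        d.configure("ValidationException", 5, 10_000);
        // Constructed sample: six validation failures from one user, one per second.
        for (int i = 1; i <= 6; i++) {
            boolean attack = d.addEvent("alice", "ValidationException", i * 1000L);
            System.out.println("event " + i + " -> "
                + (attack ? "threshold exceeded: log, then log out or disable" : "counted"));
        }
        // Constructed sample: the same count spread over a minute never trips the threshold.
        for (int i = 1; i <= 6; i++) {
            System.out.println("slow event " + i + " -> "
                + d.addEvent("bob", "ValidationException", i * 12_000L));
        }
    }
}
```

Counting per user and per exception type keeps one noisy client from pushing other users over the threshold, and clearing the history after a hit means a single burst produces a single response.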