[Owasp-appsensor-project] Additional Detection Points - Suspicious User IP Address

John Melton jtmelton at gmail.com
Wed Jun 9 22:04:31 EDT 2010


+1 for this issue. As for your point about reputational issues ("could be
used to alter/tune the thresholds and actions of AppSensor rather than
having their own actions?"), I'd be curious to hear that fleshed out a bit
more.

On Wed, Jun 9, 2010 at 10:28 AM, Colin Watson <colin.watson at owasp.org> wrote:

> Suggestion to add a new detection point.  Has this already been ruled
> out?  Should it be added?  Is the description/categorization suitable?
>
> Source
> -----------------------------------
> Items 1 & 2 in
> [Owasp-appsensor-project] AppSensor- a few ideas, Fri Sep 18 10:30:31 EDT
> 2009
>
> https://lists.owasp.org/pipermail/owasp-appsensor-project/2009-September/000005.html
>
> Description
> -----------------------------------
> The user is identified as using an IP address associated with a
> blacklist (e.g. internal blacklist, list of Tor nodes e.g.
> https://torstat.xenobite.eu/ and HTTP blacklist e.g.
> http://www.projecthoneypot.org/httpbl.php and Dshield
> http://www.dshield.org and spammers e.g. Spamhaus
> http://www.spamhaus.org/ and known botnets e.g.
> http://www.shadowserver.org/wiki/).  "Suspicious" may also depend upon
> the type of user e.g. users in the "CMS manager" role should be using
> an internal network IP address, public users could be from anywhere,
> customers should only be accessing the application from a particular
> geographical region, search engine robots should be from a limited
> range of IP addresses.
>
> Suggested categorization
> -----------------------------------
> Create a new category called "Reputation" in Behavioral Based Events
> RP1 Suspicious User IP Address
>
> *** NB this new proposed category has some more detection points (to
> follow) which could be used to alter/tune the thresholds and actions
> of AppSensor rather than having their own actions? ***
>
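
A sketch of how the proposed RP1 check could be evaluated, added here as an illustration; it is not code from this thread or from AppSensor. The role names, list names, networks (RFC 5737 documentation ranges) and the threshold-halving rule are assumptions, the last being one possible reading of the "alter/tune the thresholds" idea.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data; real deployments would load these from feeds.
BLACKLISTS = {
    "internal": ["203.0.113.0/24"],
    "tor_exit": ["198.51.100.7/32"],
}
# Expected source networks per role; None means "anywhere" (public users).
ROLE_NETWORKS = {
    "cms_manager": ["10.0.0.0/8"],
    "search_robot": ["192.0.2.0/28"],
    "public": None,
}
BASE_THRESHOLD = 10  # hypothetical: events tolerated before a response fires


@dataclass
class Rp1Result:
    suspicious: bool
    reasons: list
    threshold: int  # tuned threshold for the other detection points


def _in_any(ip, cidrs):
    # Membership is False when address and network versions differ.
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def check_rp1(role, source_ip):
    """Evaluate RP1 for one request; raises ValueError on a malformed IP."""
    ip = ipaddress.ip_address(source_ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot dodge IPv4 lists.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    reasons = [f"blacklist:{name}" for name, cidrs in BLACKLISTS.items()
               if _in_any(ip, cidrs)]
    if role not in ROLE_NETWORKS:
        reasons.append("role:unknown")  # fail closed on unmapped roles
    else:
        expected = ROLE_NETWORKS[role]
        if expected is not None and not _in_any(ip, expected):
            reasons.append(f"role:{role}:unexpected-network")
    # Assumed tuning rule: halve the threshold per reason, never below 1.
    threshold = max(1, BASE_THRESHOLD >> len(reasons))
    return Rp1Result(bool(reasons), reasons, threshold)
```

The geographic-region condition from the description is left out because it needs a GeoIP data source.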

