[Owasp-appsensor-project] Change to Detection Points - SE5 Source IP Address Changes During Session

Colin Watson colin.watson at owasp.org
Tue Jun 22 11:12:54 EDT 2010


Ryan's "purpose/goal" is a good point.  I will revist my suggestions.

> Perhaps there should be a parent category for Fraud Detection?

Maybe we could cross-reference the existing and proposed detection
points against categories like "fraud detection", but what should
those categories be?  I thought about the WASC Threat Classification
of attacks and weaknesses, but that doesn't seem to be the right
level.  Any other suggestions?

Colin

On 11 June 2010 21:47, Ryan Barnett <rcbarnett at gmail.com> wrote:
> We need to make sure that it is clear as to what the purpose/goal is for each detection
> point.  There are a number of new detection items that Colin sent (this one, change in
> User-Agent string, etc...) whose real goal is to try and alert when we think that there
> may be an indication of some sort of Session Hijacking attack occurring.  Flagging changes
> to IP (network block) or User-Agent value is easy to do however it also may be prone to
> false positives and negatives.  We actually have just added this type of Session Hijacking
> detection to the latest ModSecurity CRS v2.0.7.
>
> Perhaps there should be a parent category for Fraud Detection?
>
> --
> Ryan C. Barnett
> WASC Web Hacking Incident Database Project Leader
> WASC Distributed Open Proxy Honeypot Project Leader
> OWASP ModSecurity Core Rule Set Project Leader
> Tactical Web Application Security
> http://tacticalwebappsec.blogspot.com


More information about the Owasp-appsensor-project mailing list