[Owasp-appsensor-project] Response Actions
Colin Watson
colin.watson at owasp.org
Tue Sep 21 10:16:43 EDT 2010
Ryan
Thank you.
> I wanted to recommend a new response action - proxy. In ModSecurity, users
> can selectively trigger the proxy action
> (http://www.modsecurity.org/documentation/modsecurity-apache/2.5.12/modsecurity2-apache-reference.html#N11A5A)
> which will send the request to a different
> back-end location. This is mostly used to send suspicious requests to a
> honeypot system that closely mimics production but may have a more
> sand-boxed environment for fraud detection.
>
> Not sure if this would be considered SILENT or PASSIVE. As opposed to the
> Redirect action, which sends a 302 and Location header, the proxy action is
> transparent to the user.
I read this last night, and was attracted to the idea, but thought I'd
sleep on it before replying!
A redirect action, which sends a 302 and Location header, might fall
into "ASR-G: Process Terminated".
On the alternative proxying, my categorisation of SILENT vs PASSIVE vs
ACTIVE relates to "from the user's perspective" (not the
server/application's perspective). I need to make that clearer on the
wiki. So if the user were unaware of the proxying, I would say
SILENT.
However, your suggestion raises the issue of the "application" scope.
If we said the scope excluded things like network firewalls, the file
system, the operating system, the web server, the application server
and the database i.e. just the application code, then a WAF might be
external to the application. So in an imaginary implementation, where
AppSensor wants to divert the user to a proxy, the action is
undertaken by something else (other than the application).
This might already be included in a combination of the following
response actions:
ASR-D: User Status Change (the user's session is marked as possibly malevolent)
ASR-B: Administrator Notification (an email alert is sent somewhere)
ASR-C: Other Notification (a message is sent to some network device to
proxy future requests from this user to the honeypot)
AppSensor might subsequently receive data from the honeypot in some
way (e.g. detection point RP2: Suspicious External User Behavior)
which could be used for monitoring, or (I'm dreaming here) determine
to signal the WAF to cancel the proxy and allow the user back to the
real system if it was a false alarm.
So my question is, can an application do the proxying, or is that some
other device AppSensor signals? And I suppose, is "ModSecurity" part
of the application or something else?
What do you think?
Colin
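One way to answer the "can an application do the proxying?" question in working code, added here as an illustration and not code from the AppSensor project or this thread: a WSGI middleware that diverts flagged sessions either transparently to a honeypot callable (the proposed proxy action, SILENT from the user's perspective) or with a visible 302 (the Redirect action). HoneypotDivert, the X-Session-Id header, the honeypot.example URL and the in-process honeypot callable are assumptions.

```python
# Added example, not from the AppSensor project or the original thread: a WSGI
# middleware that performs the "proxy" divert inside the application itself.
# HoneypotDivert, the X-Session-Id header and the honeypot callable are assumptions.

def honeypot_app(environ, start_response):
    # Constructed stand-in for the sand-boxed honeypot; in a real deployment this
    # callable would reverse-proxy the request to the honeypot host.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"honeypot: " + environ["PATH_INFO"].encode()]

def real_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"production: " + environ["PATH_INFO"].encode()]

class HoneypotDivert:
    """mode="proxy" is transparent to the user (SILENT from their perspective);
    mode="redirect" answers 302 + Location, which the user can observe."""

    def __init__(self, app, honeypot, mode="proxy", redirect_url="https://honeypot.example/"):
        self.app, self.honeypot = app, honeypot
        self.mode, self.redirect_url = mode, redirect_url
        self.flagged = set()       # sessions marked "possibly malevolent" (ASR-D)
        self.notifications = []    # ASR-B / ASR-C messages emitted

    def flag_session(self, session_id, reason):
        self.flagged.add(session_id)
        self.notifications.append(("ASR-B", f"session {session_id} flagged: {reason}"))

    def clear_session(self, session_id):
        # Honeypot feedback (e.g. RP2) showed a false alarm: let the user back in.
        self.flagged.discard(session_id)
        self.notifications.append(("ASR-C", f"cancel divert for session {session_id}"))

    def __call__(self, environ, start_response):
        session_id = environ.get("HTTP_X_SESSION_ID")
        if session_id not in self.flagged:
            return self.app(environ, start_response)
        if self.mode == "redirect":
            start_response("302 Found", [("Location", self.redirect_url)])
            return [b""]
        return self.honeypot(environ, start_response)  # transparent divert

def run_request(app, path, session_id):
    """Invoke a WSGI app directly and return (status, headers, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_X_SESSION_ID": session_id}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

With the honeypot as a second WSGI callable the divert never leaves the process, so whether that counts as "the application" or "something else" is purely a matter of where the honeypot callable forwards to.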