[Owasp-appsensor-project] Response Actions

Colin Watson colin.watson at owasp.org
Tue Sep 21 15:33:42 EDT 2010


Ryan

A follow-up... I was thinking about this while in my gym's sauna after
work... and realised:

1.  an application now or in the future might be able to proxy in this way

2.  a WAF could be considered as an application

3.  some applications are little more than proxies anyway

...so on further reflection I think it should be added as a separate
response action.  I think I was getting hung up on the example of a
WAF which could be considered as an external device.

Regards

Colin

On 21 September 2010 15:16, Colin Watson <colin.watson at owasp.org> wrote:
> Ryan
>
> Thank you.
>
>> I wanted to recommend a new response action - proxy.  In ModSecurity, users
>> can selectively trigger the proxy action
>> (http://www.modsecurity.org/documentation/modsecurity-apache/2.5.12/modsecurity2-apache-reference.html#N11A5A)
>> which will send the request to a different
>> back-end location.  This is mostly used to send suspicious requests to a
>> honeypot system that closely mimics production but may have a more
>> sand-boxed environment for fraud detection.
>>
>> Not sure if this would be considered SILENT or PASSIVE.  As opposed to the
>> Redirect action, which sends a 302 and Location header, the proxy action is
>> transparent to the user.
>
> I read this last night, and was attracted to the idea, but thought I'd
> sleep on it before replying!
>
> A redirect action, which sends a 302 and Location header, might fall
> into "ASR-G: Process Terminated".
>
> On the alternative proxying, my categorisation of SILENT vs PASSIVE vs
> ACTIVE relates to "from the user's perspective" (not the
> server/application's perspective).  I need to make that clearer on the
> wiki.  So if the user were unaware of the proxying, I would say
> SILENT.
>
> However, your suggestion raises the issue of the "application" scope.
> If we said the scope excluded things like network firewalls, the file
> system, the operating system, the web server, the application server
> and the database, i.e. just the application code, then a WAF might be
> external to the application.  So in an imaginary implementation, where
> AppSensor wants to divert the user to a proxy, the action is
> undertaken by something else (other than the application).
>
> This might already be included in a combination of the following
> response actions:
>
> ASR-D: User Status Change (the user's session is marked as possibly malevolent)
> ASR-B: Administrator Notification (an email alert is sent somewhere)
> ASR-C: Other Notification (a message is sent to some network device to
> proxy future requests from this user to the honeypot)
>
> AppSensor might subsequently receive data from the honeypot in some
> way (e.g. detection point RP2: Suspicious External User Behavior)
> which could be used for monitoring, or (I'm dreaming here) determine
> to signal the WAF to cancel the proxy and allow the user back to the
> real system if it was a false alarm.
>
> So my question is, can an application do the proxying, or is that some
> other device AppSensor signals?  And I suppose, is "ModSecurity" part
> of the application or something else?
>
> What do you think?
>
> Colin
>
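The two ModSecurity response actions the thread contrasts, written out as an added example (not part of this thread, the AppSensor project or the ModSecurity documentation). It assumes ModSecurity 2.x on Apache with mod_proxy loaded; the rule ids, the JSESSIONID cookie name, the detection pattern and the honeypot and redirect hosts are constructed placeholders.

```apache
# Added illustration of the response chain discussed above, expressed as
# ModSecurity 2.x rules. Host names, rule ids and the detection pattern are
# constructed placeholders; the session cookie name is assumed to be JSESSIONID.
SecRuleEngine On

# Tie the SESSION collection to the user's session cookie so that a status
# change made on one request can drive the handling of later requests.
SecAction "id:1001,phase:1,nolog,pass,setsid:%{REQUEST_COOKIES.JSESSIONID}"

# Detection point (placeholder pattern): flag the session as possibly
# malevolent (ASR-D) and write an alert to the audit log (ASR-B). From the
# user's perspective nothing changes, so this step is SILENT.
SecRule ARGS "@rx (?i)(?:union\s+select|<script)" "id:1002,phase:2,pass,log,msg:'Suspicious input, session flagged',setvar:session.suspicious=1,expirevar:session.suspicious=3600"

# Redirect action: the user receives a 302 with a Location header, so this
# is visible to them (ACTIVE from the user's perspective).
# SecRule SESSION:suspicious "@eq 1" "id:1003,phase:1,log,msg:'Flagged session redirected',redirect:http://blocked.example/"

# Proxy action: later requests from the flagged session are forwarded to
# the honeypot without any response the user could notice (SILENT). This is
# the ASR-C style signal acted on by the WAF rather than by the application.
SecRule SESSION:suspicious "@eq 1" "id:1004,phase:1,log,msg:'Flagged session diverted to honeypot',proxy:http://honeypot.internal/"
```

Only one of rules 1003 and 1004 should be active for a given session, otherwise the redirect in phase 1 fires first and the proxy rule never runs.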