[Owasp-appsensor-project] New Detection Point Candidate: New Parent Category - OutputException (OE)
colin.watson at owasp.org
Mon Oct 3 07:59:57 EDT 2011
You are going in overdrive with fantastic ideas!
I have been reluctant to move/delete any detection points in the past,
but it is certainly true the DPs you mention are a bit different. I
have used 'output/outcome/result-related' previously as a
view/classification of these types of detection points - so a
cross-cutting view instead of having their own specific category. In
the same way we have signature vs. behavior, and attack vs.
suspicious, I would just classify some as 'output' instead of making a
new category. My work on an XML format will hopefully make it easier
to re-order lists of DPs from lots of different views.
Of course as soon as I start thinking of input vs. output, it depends
on viewpoint. A SQL data set could be considered an input to the
But I like response time changes, but feel it maybe fits more
naturally in UT and/or ST?
On 30 September 2011 16:52, Ryan Barnett <ryan.barnett at owasp.org> wrote:
> We currently have InputException (IE) and this would be its counterpart and
> would include all issues related to inspecting the HTTP response.
> There are a number of current detection points that could move here -
> IE7: Detect Abnormal Content Output Structure – could actually move here to
> CIE2: Detect Abnormal Quantity of Returned Records
> There is also a new Detection Point for this category that I recommend -
> - Deviation from normal response time interval – which could detect if an
> application is under a resource DoS attack.
> So the new category could be this -
> OutputException (OE)
> OE1: Detect Abnormal Content Output Structure
> OE2: Detect Abnormal Quantity of Returned Records
> OE3: Deviation from normal response time interval
> Ryan Barnett
> Owasp-appsensor-project mailing list
> Owasp-appsensor-project at lists.owasp.org
More information about the Owasp-appsensor-project