[Owasp-appsensor-project] Detection points for IP-address and user agent

Ryan Barnett ryan.barnett at owasp.org
Tue Dec 10 18:45:53 UTC 2013


Yes, we run into similar issues with the ModSecurity CRS.  When implementing
these AppSensor Detection Points, we opted to check each one of them
individually; each would raise an alert for "suspicious" behaviour, but
only BOTH the IP netblock and the UA changing would result in a malicious client
designation (for potential Session Hijacking).

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/optional_rules/modsecurity_crs_16_session_hijacking.conf

-Ryan

From:  Erlend Oftedal <erlend at oftedal.no>
Date:  Tuesday, December 10, 2013 1:40 PM
To:  <owasp-appsensor-project at lists.owasp.org>
Subject:  [Owasp-appsensor-project] Detection points for IP-address and user agent

> Hi
> 
> I was wondering whether anyone has looked into detection points for IP-address
> and user agent.
> While running this on a test site, I experienced the IP-address changing
> benignly due to the use of clustered outgoing proxies, and user agents
> changing during downloads of PDFs. The user agent changed between IE and
> Chrome Frame, IE also sends "Contype" as user agent when a PDF is downloaded
> from the Adobe Reader plugin. Similar things happen for Safari and other
> browsers. On Windows 8, the word "touch" also sometimes appears in the user
> agent and sometimes not.
> This makes it hard to use these detection points for anything useful without
> maintaining a seemingly fragile set of rules.
> 
> Best regards
> Erlend
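The combination Ryan describes, as an added example that is not CRS or AppSensor code: each of the two signals (IP netblock change, User-Agent change) raises only a "suspicious" event on its own, and a session is designated malicious only when both change on the same request. Assumptions not in the thread: a /24 (IPv4) or /64 (IPv6) prefix stands in for "IP netblock", the baseline fingerprint is whatever the first request of the session carried, and the sample traffic is constructed (it mimics the clustered-proxy and "Contype" cases Erlend mentions, not a real capture).

```python
"""Session-hijacking detection that combines IP-netblock and User-Agent change.

Added example, not ModSecurity CRS or AppSensor code. Assumptions: /24 (IPv4)
or /64 (IPv6) is used as the "netblock", and the baseline fingerprint is the
one seen on the first request of the session.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class SessionFingerprint:
    netblock: str
    user_agent: str


def netblock_of(ip: str) -> str:
    """Collapse an address to its netblock (assumed /24 for IPv4, /64 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class SessionHijackDetector:
    """Keeps one baseline fingerprint per session id and scores later requests."""

    def __init__(self) -> None:
        self._sessions: dict[str, SessionFingerprint] = {}

    def observe(self, session_id: str, ip: str, user_agent: str) -> list[str]:
        """Return the detection events raised by this request (empty if none)."""
        baseline = self._sessions.get(session_id)
        if baseline is None:
            # First sighting of this session: record the fingerprint, no alert.
            self._sessions[session_id] = SessionFingerprint(netblock_of(ip), user_agent)
            return []

        ip_changed = baseline.netblock != netblock_of(ip)
        ua_changed = baseline.user_agent != user_agent

        events = []
        # Each signal on its own is only "suspicious" ...
        if ip_changed:
            events.append("SUSPICIOUS:ip_netblock_changed")
        if ua_changed:
            events.append("SUSPICIOUS:user_agent_changed")
        # ... and only both together mark the client as malicious.
        if ip_changed and ua_changed:
            events.append("MALICIOUS:session_hijacking")
        return events


# Constructed sample traffic for one session (not a real capture).
SAMPLE_REQUESTS = [
    ("sess-1", "203.0.113.10", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"),
    # Same /24, different egress proxy: no change at netblock level.
    ("sess-1", "203.0.113.44", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"),
    # PDF fetched through the Adobe Reader plugin: IE sends "Contype" as the UA.
    ("sess-1", "203.0.113.10", "Contype"),
    # Different netblock AND a different browser: the stolen-cookie case.
    ("sess-1", "198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64) Chrome/31.0"),
]


def run_sample() -> list[list[str]]:
    """Feed the sample through a fresh detector; returns the events per request."""
    detector = SessionHijackDetector()
    return [detector.observe(*req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, events in zip(SAMPLE_REQUESTS, run_sample()):
        print(req[1], repr(req[2][:30]), events or "ok")
```

With a fixed baseline, the one-off "Contype" download produces a single suspicious event and the session is never escalated, whereas the request that changes both netblock and browser is the only one that reaches the malicious designation. Whether the netblock prefix is wide enough to cover a given proxy cluster is site-specific and would need tuning.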

