[Owasp-appsensor-project] Detection points for IP-address and user agent
jtmelton at gmail.com
Tue Dec 10 18:51:36 UTC 2013
This is good information we should add as notes to these detection points.
Sometimes the simple rule doesn't work in practice. I will say that in some
of the apps I've worked on, a user-agent or IP changing would have alone
been a good indicator of suspicious activity. These things will obviously
vary depending upon environment.
On Tue, Dec 10, 2013 at 1:45 PM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
> Yes, we run into similar issues with the ModSecurity CRS. When
> implementing these AppSensor Detection Points – we opted to check each one
> of these individually and they would raise an alert for "suspicious"
> behaviour but only if BOTH IP netblock and UA changing would result in a
> malicious client designation (for potential Session Hijacking).
> From: Erlend Oftedal <erlend at oftedal.no>
> Date: Tuesday, December 10, 2013 1:40 PM
> To: <owasp-appsensor-project at lists.owasp.org>
> Subject: [Owasp-appsensor-project] Detection points for IP-address and
> user agent
> I was wondering whether anyone has looked into detection points for
> IP-address and user agent.
> While running this on a test site, I experienced the IP-address changing
> benignly due to the use of clustered outgoing proxies, and user agents
> changing during downloads of PDFs. The user agent changed between IE and
> Chrome Frame; IE also sends "Contype" as user agent when a PDF is
> downloaded from the Adobe Reader plugin. Similar things happen for Safari
> and other browsers. On Windows 8, the word "touch" also sometimes appears
> in the user agent and sometimes not.
> This makes it hard to use these detection points for anything useful
> without maintaining a seemingly fragile set of rules.
> Best regards
> _______________________________________________ Owasp-appsensor-project
> mailing list Owasp-appsensor-project at lists.owasp.org
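The combination rule described in the quoted reply above (a netblock change or a user-agent change alone is only "suspicious", both together mark the client malicious), applied after folding away the benign user-agent variations listed in the original question. This is an added example, not code from AppSensor, the ModSecurity CRS or anyone on the thread; the /24 netblock width, the normalisation regex and all function names are assumptions, and the sample requests are constructed.

```python
import ipaddress
import re

NETBLOCK_PREFIX = 24  # assumption: the thread does not say how wide a "netblock" is
# Assumption: benign UA variations reported in the thread, folded away before comparing.
BENIGN_UA = "contype"  # sent by IE when a PDF is fetched via the Adobe Reader plugin
VOLATILE_TOKENS = re.compile(r";?\s*\b(?:touch|chromeframe/[\d.]+)\b", re.I)

def netblock(ip):
    """Return the enclosing network so proxies in one cluster compare equal."""
    return ipaddress.ip_network(f"{ip}/{NETBLOCK_PREFIX}", strict=False)

def normalise_ua(ua):
    """Strip tokens that come and go within one legitimate browser session."""
    return re.sub(r"\s+", " ", VOLATILE_TOKENS.sub("", ua)).strip().lower()

def classify(baseline, request):
    """Compare a request with the (ip, user_agent) seen at session start.

    Returns 'ok', 'suspicious' (one attribute changed) or
    'malicious' (netblock AND user agent both changed).
    """
    base_ip, base_ua = baseline
    ip, ua = request
    ip_changed = netblock(ip) != netblock(base_ip)
    # A plugin UA carries no browser identity, so it is never counted as a change.
    ua_changed = (ua.strip().lower() != BENIGN_UA
                  and normalise_ua(ua) != normalise_ua(base_ua))
    if ip_changed and ua_changed:
        return "malicious"
    return "suspicious" if ip_changed or ua_changed else "ok"

# Constructed sample session (documentation address ranges, made-up UA strings).
BASE = ("192.0.2.10", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)")
OTHER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/25.0"
SAMPLES = [
    ("192.0.2.77", BASE[1]),      # another proxy in the same netblock
    ("192.0.2.10", "contype"),    # PDF plugin request
    ("192.0.2.10", BASE[1].replace("Trident/6.0", "Trident/6.0; Touch")),
    ("198.51.100.5", BASE[1]),    # netblock change only
    ("192.0.2.10", OTHER_UA),     # user agent change only
    ("198.51.100.5", OTHER_UA),   # both changed
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(BASE, sample):<10} {sample}")
```

Each allowance in the normaliser is also a value a hijacked session could present, which is the rule fragility the original question raises.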