[Owasp-appsensor-project] Detection points for IP-address and user agent

John Melton jtmelton at gmail.com
Tue Dec 10 18:51:36 UTC 2013


This is good information we should add as notes to these detection points.
Sometimes the simple rule doesn't work in practice. I will say that in some
of the apps I've worked on, a user-agent or IP changing would have alone
been a good indicator of suspicious activity. These things will obviously
vary depending upon environment.


On Tue, Dec 10, 2013 at 1:45 PM, Ryan Barnett <ryan.barnett at owasp.org> wrote:

> Yes, we run into similar issues with the ModSecurity CRS.  When
> implementing these AppSensor Detection Points – we opted to check each one
> of these individually and they would raise an alert for "suspicious"
> behaviour but only if BOTH IP netblock and UA changing would result in a
> malicious client designation (for potential Session Hijacking).
>
>
> https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/optional_rules/modsecurity_crs_16_session_hijacking.conf
>
> *-Ryan*
>
> From: Erlend Oftedal <erlend at oftedal.no>
> Date: Tuesday, December 10, 2013 1:40 PM
> To: <owasp-appsensor-project at lists.owasp.org>
> Subject: [Owasp-appsensor-project] Detection points for IP-address and
> user agent
>
> Hi
>
> I was wondering whether anyone has looked into detection points for
> IP-address and user agent.
> While running this on a test site, I experienced the IP-address changing
> benignly due to the use of clustered outgoing proxies, and user agents
> changing during downloads of PDFs. The user agent changed between IE and
> Chrome Frame, IE also sends "Contype" as user agent when a PDF is
> downloaded from the Adobe Reader plugin. Similar things happen for Safari
> and other browsers. On Windows 8, the word "touch" also sometimes appears
> in the user agent and sometimes not.
> This makes it hard to use these detection points for anything useful
> without maintaining a seemingly fragile set of rules.
>
> Best regards
> Erlend
> _______________________________________________
> Owasp-appsensor-project mailing list
> Owasp-appsensor-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>
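As an added example (it is not code from this thread, from the ModSecurity CRS rules Ryan links, or from AppSensor itself), here is a small Python detector that implements the policy the thread converges on: an IP netblock change or a user-agent change on its own only raises a "suspicious" event, while both together against the session's baseline are designated "malicious" (potential session hijacking). It also absorbs the benign noise Erlend reports: rotation among clustered outgoing proxies is ignored by comparing /24 (IPv4) and /64 (IPv6) netblocks instead of exact addresses, the transient "Contype" user agent sent during PDF downloads is neither compared nor learned, and the Windows 8 "Touch" token and the Chrome Frame tag are stripped before comparison. The prefix lengths, the allow-lists, the regular expressions and all class and function names are assumptions made for this example; the request sequence in `run_demo` is constructed sample input.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# User agents that appear transiently within an otherwise stable session.
# The thread names "Contype" (IE fetching a PDF through the Adobe Reader
# plugin). Constructed allow-list; extend it per environment.
TRANSIENT_UAS = {"Contype"}

# Tokens that come and go inside one browser's UA string during a session:
# the Windows 8 "Touch" token and the Chrome Frame tag. Hypothetical patterns.
VOLATILE_UA_TOKENS = [
    re.compile(r";\s*Touch(?=\s*[;)])", re.IGNORECASE),
    re.compile(r";?\s*chromeframe/[\d.]+", re.IGNORECASE),
]


def normalize_ua(ua: str) -> str:
    """Strip tokens that legitimately flip within a session so that they
    do not trigger a user-agent-change event."""
    for pattern in VOLATILE_UA_TOKENS:
        ua = pattern.sub("", ua)
    return " ".join(ua.split())


def netblock(ip: str, v4_prefix: int = 24, v6_prefix: int = 64) -> str:
    """Collapse an address to its netblock so that rotation among clustered
    outgoing proxies in the same block is not treated as an IP change.
    Prefix lengths are assumptions; tune them to the deployment."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


@dataclass
class Baseline:
    netblock: str
    ua: Optional[str]  # None until a comparable (non-transient) UA is seen


class SessionHijackDetector:
    """Per-session check: each signal alone is 'suspicious'; both signals
    together against the session baseline are 'malicious'."""

    def __init__(self) -> None:
        self._baselines = {}  # session id -> Baseline recorded at first sight

    def observe(self, session_id: str, ip: str, ua: str):
        """Return (verdict, events); verdict is 'ok', 'suspicious' or 'malicious'."""
        block = netblock(ip)
        ua_norm = None if ua in TRANSIENT_UAS else normalize_ua(ua)
        base = self._baselines.get(session_id)
        if base is None:
            # First sighting of this session: record the baseline, no events.
            self._baselines[session_id] = Baseline(block, ua_norm)
            return "ok", []
        if base.ua is None and ua_norm is not None:
            base.ua = ua_norm  # first comparable UA fills the deferred baseline
        events = []
        if block != base.netblock:
            events.append("IP_NETBLOCK_CHANGE")
        if ua_norm is not None and base.ua is not None and ua_norm != base.ua:
            events.append("USER_AGENT_CHANGE")
        if len(events) == 2:
            events.append("SESSION_HIJACKING")
            return "malicious", events
        if events:
            return "suspicious", events
        return "ok", events


def run_demo():
    """Constructed request sequence for one session; returns the verdicts."""
    det = SessionHijackDetector()
    ie_touch = "Mozilla/5.0 (Windows NT 6.2; Touch; Trident/7.0; rv:11.0) like Gecko"
    ie_plain = "Mozilla/5.0 (Windows NT 6.2; Trident/7.0; rv:11.0) like Gecko"
    other_ua = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/31.0"
    results = [
        det.observe("s1", "203.0.113.10", ie_touch),   # baseline
        det.observe("s1", "203.0.113.77", ie_plain),   # same /24, Touch dropped: ok
        det.observe("s1", "203.0.113.10", "Contype"),  # PDF fetch: ok, not learned
        det.observe("s1", "198.51.100.5", ie_touch),   # other netblock: suspicious
        det.observe("s1", "198.51.100.5", other_ua),   # both differ: malicious
    ]
    return [verdict for verdict, _ in results]


if __name__ == "__main__":
    print(run_demo())
```

The baseline is fixed at the session's first sighting rather than updated on every request, so a hijacker who first moves the session to a new netblock and only later switches tools is still compared against the original client; the cost is that a legitimate user who changes networks mid-session keeps producing "suspicious" events until the session ends, which is the trade-off John points to when he says the right setting varies by environment.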