[Owasp-appsensor-project] Dashboard

Colin Watson colin.watson at owasp.org
Sat May 16 15:58:56 UTC 2015


Timo

I don't have a suitable sample application, but I have appended below
some fake data I created for my dashboard demos in 2011. The type of
log data will be dependent upon the types of sensors, how carefully
they have been designed, the application functionality, etc. All good
things to think about and discuss.

This data example doesn't reflect how the v2 reference implementation
works. For example, every event here has both a detection point type
AND a response action type.

Coming up with some imaginary data for different scenarios would be
helpful. That could be purely descriptive, or fake delimited event
data.

Regards

Colin

===
0,D,"17:00:00","********","RE3","R01","900.14.29.103","GET when expecting POST"
10,T,"17:00:10","item1","STE3","S01","Page impressions","100","0"
10,T,"17:00:10","item2","STE3","S02","Catalogue impressions","100","0"
10,T,"17:00:10","item3","STE3","S03","Baskets created","100","0"
10,T,"17:00:10","item4","STE3","S04","Baskets deleted","100","0"
10,T,"17:00:10","item5","STE3","S05","Not Found Errors","100","0"
21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
26,D,"17:00:26","********","IE2","B02","200.91.200.85","String includes HTML"
30,D,"17:00:30","********","ACE3","R05","500.204.52.138","Invalid script entry point"
31,D,"17:00:31","A11884","-","P01","300.6.153.55","Payment rejected"
31,R,"17:00:31","A11884","ASR-A","Logging increased for user A11884"
35,D,"17:00:35","********","RE1","R01","500.204.52.138","Invalid HTTP verb"
37,D,"17:00:37","********","RE1","R01","500.204.52.138","Unsupported HTTP verb"
39,D,"17:00:39","********","RE1","R01","500.204.52.138","Unsupported HTTP verb"
40,T,"17:00:40","item1","STE3","S01","Page impressions","80","-20"
47,D,"17:00:47","********","RE3","R01","600.49.210.128","GET when expecting POST"
48,R,"17:00:48","********","ASR-A","Logging increased for IP addresses 600.49.210.*"
50,T,"17:00:50","item2","STE3","S02","Catalogue impressions","60","-40"
53,D,"17:00:53","********","RE3","R01","600.49.210.128","GET when expecting POST"
60,T,"17:01:00","item3","STE3","S03","Baskets created","105","5"
65,D,"17:01:05","C41885","RE5","R04","400.27.254.180","Additional URL parameter"
70,T,"17:01:10","item4","STE3","S04","Baskets deleted","100","0"
75,D,"17:01:15","L95301","-","P01","200.7.58.141","Payment rejected"
75,R,"17:01:15","L95301","ASR-A","Logging increased for user L95301"
80,T,"17:01:20","item5","STE3","S05","Not Found Errors","130","30"
81,D,"17:01:21","********","RE1","R01","200.162.56.183","Unsupported HTTP verb"
96,D,"17:01:36","********","ACE1","C03","700.147.37.213","URL direct object access attempt"
99,D,"17:01:39","********","ACE3","R05","500.204.52.138","Invalid script entry point"
100,T,"17:01:40","item3","STE3","S03","Baskets created","85","-30"
106,D,"17:01:46","C94471","IE2","P03","300.219.56.3","URL parameter type validation failure"
110,T,"17:01:50","item4","STE3","S04","Baskets deleted","80","-20"
112,D,"17:01:52","C94471","IE2","P03","300.219.56.3","URL parameter type validation failure"
112,D,"17:01:52","C94471","IE2","P03","300.219.56.3","URL parameter type validation failure"
120,T,"17:02:00","item5","STE3","S05","Not Found Errors","40","-60"
121,T,"17:02:01","item1","STE3","S01","Page impressions","150","175"
123,T,"17:02:03","item2","STE3","S02","Catalogue impressions","80","-25"
126,D,"17:02:06","********","ACE1","C03","500.10.86.182","URL direct object access attempt"
129,D,"17:02:09","********","ACE1","C03","500.10.86.182","URL direct object access attempt"
134,D,"17:02:14","********","ACE1","C03","500.10.86.182","URL direct object access attempt"
134,R,"17:02:14","********","ASR-G","Page request terminated"
134,R,"17:02:14","********","ASR-E","Error message displayed to user"
134,R,"17:02:14","********","ASR-J","Session terminated"
134,R,"17:02:14","********","ASR-B","C72788 locked Alert sent to AppOp Grp"
142,T,"17:02:22","item3","STE3","S03","Baskets created","45","-40"
142,D,"17:02:22","SYSTEM","STE3","S03","-","Baskets created low warning"
144,T,"17:02:24","item5","STE3","S05","Not Found Errors","60","50"
156,D,"17:02:36","********","ACE3","R05","400.45.78.208","Invalid script entry point"
160,D,"17:02:40","********","RE3","R01","700.7.214.152","GET when expecting POST"
167,T,"17:02:47","item1","STE3","S01","Page impressions","130","-15"
170,D,"17:02:50","XX7331","CIE2","D01","900.202.67.191","Product query returned more than one record"
171,R,"17:02:51","XX7331","ASR-B","Alert sent to AppOp Grp"
172,R,"17:02:52","XX7331","ASR-G","Request blocked"
173,R,"17:02:53","XX7331","ASR-E","Error message displayed to user"
174,U,"17:02:54","XX7331","Customer account XX7331 locked"
180,T,"17:03:00","item4","STE3","S04","Baskets deleted","200","240"
180,D,"17:03:00","SYSTEM","STE3","S04","-","Baskets deleted high warning"
182,T,"17:03:02","item2","STE3","S02","Catalogue impressions","105","30"
187,D,"17:03:07","********","CIE1","R02","300.121.74.148","SQL injection string detected"
187,R,"17:03:07","********","ASR-A","Logging increased for IP addresses 300.121.74.*"
192,D,"17:03:12","L95302","-","P01","200.82.158.197","Payment rejected"
192,R,"17:03:12","L95302","ASR-A","Logging increased for user L95302"
204,T,"17:03:24","item3","STE3","S03","Baskets created","65","45"
204,D,"17:03:24","SYSTEM","STE3","S03","-","Baskets created low reset"
215,T,"17:03:35","item5","STE3","S05","Not Found Errors","100","65"
226,D,"17:03:46","********","ACE3","R05","700.12.172.73","Invalid script entry point"
227,D,"17:03:47","********","ACE3","R05","700.12.172.73","Invalid script entry point"
228,D,"17:03:48","********","ACE3","R05","700.12.172.73","Invalid script entry point"
235,D,"17:03:55","********","RE3","R01","700.7.214.152","GET when expecting POST"
241,T,"17:04:01","item1","STE3","S01","Page impressions","120","-10"
242,T,"17:04:02","item4","STE3","S04","Baskets deleted","410","205"
242,D,"17:04:02","SYSTEM","STE3","S04","-","Baskets deleted high warning"
242,R,"17:04:02","-","ASR-B","Baskets deleted High Alert sent to AppOp Grp"
246,D,"17:04:06","********","CIE1","R02","500.152.183.26","SQL injection string detected"
246,R,"17:04:06","********","ASR-A","Logging increased for IP addresses 500.152.183.*"
253,D,"17:04:13","********","CIE1","R02","500.152.183.26","SQL injection string detected"
256,D,"17:04:06","********","IE1","R03","500.152.183.26","XSS string detected"
256,R,"17:04:06","********","ASR-G","Request blocked"
263,T,"17:04:23","item2","STE3","S02","Catalogue impressions","210","100"
263,D,"17:04:23","SYSTEM","STE3","S02","-","Catalogue impressions high warning"
263,R,"17:04:23","-","ASR-B","Catalogue impressions High Alert sent to AppOp Grp"
279,D,"17:04:39","********","RE3","R01","700.7.214.152","GET when expecting POST"
279,R,"17:04:39","********","ASR-A","Logging increased for IP addresses 700.7.214.*"
285,T,"17:04:45","item1","STE3","S01","Page impressions","110","-10"
290,D,"17:04:50","J49223","-","P01","400.154.140.28","Payment rejected"
290,R,"17:04:50","J49223","ASR-A","Logging increased for user J49223"
294,T,"17:04:54","item3","STE3","S03","Baskets created","75","15"
295,D,"17:04:55","G88433","HT2","C04","300.69.207.129","Honey trap product used"
295,R,"17:04:55","G88433","ASR-G","Page request terminated"
295,R,"17:04:55","G88433","ASR-E","Error message displayed to user"
295,R,"17:04:55","G88433","ASR-J","Session terminated"
295,R,"17:04:55","********","ASR-G","Request blocked"
295,R,"17:04:55","********","ASR-L","IP address 300.69.207.129 blocked"
295,R,"17:04:55","G88433","ASR-B","G88433 locked Alert sent to AppOp Grp"
296,T,"17:04:56","item5","STE3","S05","Not Found Errors","105","5"
298,T,"17:04:58","item4","STE3","S04","Baskets deleted","700","75"
302,T,"17:05:02","item2","STE3","S02","Catalogue impressions","160","-25"
302,D,"17:05:02","SYSTEM","STE3","S02","-","Catalogue impressions high reset"
302,R,"17:05:02","-","ASR-B","Catalogue impressions High Alert reset sent to AppOp Grp"
306,D,"17:05:06","********","IE1","R03","500.152.183.26","XSS string detected"
306,R,"17:05:06","********","ASR-G","Request blocked"
325,T,"17:05:25","item4","STE3","S04","Baskets deleted","900","30"
325,D,"17:05:25","SYSTEM","STE3","S04","-","Baskets deleted high high warning"
325,R,"17:05:25","-","ASR-B","Baskets deleted High High Alert sent to AppOp Grp"
325,R,"17:05:25","-","ASR-B","Baskets deleted High High Alert sent to AppMgmt Grp"
331,T,"17:05:31","item2","STE3","S02","Catalogue impressions","140","-15"
348,T,"17:05:48","item1","STE3","S01","Page impressions","150","30"
349,D,"17:05:49","S61042","ACE3","R05","900.39.182.49","Invalid script entry point"
354,T,"17:05:54","item3","STE3","S03","Baskets created","85","15"
359,D,"17:05:59","********","ACE3","R05","700.12.172.73","Invalid script entry point"
365,T,"17:06:05","item5","STE3","S05","Not Found Errors","110","5"
366,D,"17:06:06","T49102","-","P01","300.72.138.94","Payment rejected"
366,R,"17:06:06","T49102","ASR-A","Logging increased for user T49102"
370,D,"17:06:10","F01821","SE4","B04","800.67.21.203","Cookie substitution"
370,R,"17:06:10","F01821","ASR-G","Page request terminated"
370,R,"17:06:10","F01821","ASR-E","Error message displayed to user"
370,R,"17:06:10","F01821","ASR-J","Session terminated"
370,R,"17:06:10","F01821","ASR-K","Account locked (20 min)"
370,R,"17:06:10","F01821","ASR-B","F01821 locked Alert sent to AppOp Grp"
375,D,"17:06:15","G21831","IE4","P04","300.189.34.13","Hidden form field changed"
380,D,"17:06:20","********","RE1","R01","200.162.56.183","Unsupported HTTP verb"
385,T,"17:06:25","item4","STE3","S04","Baskets deleted","800","-15"
386,D,"17:06:26","R43922","ACE3","R05","600.67.182.46","Invalid script entry point"
390,T,"17:06:30","item2","STE3","S02","Catalogue impressions","130","-15"
395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
395,R,"17:06:35","C72788","ASR-D","Order value limit changed to Level 2"
395,R,"17:06:35","C72788","ASR-A","Logging increased for IP addresses 400.27.254.*"
400,T,"17:06:40","item1","STE3","S01","Page impressions","140","-10"
401,T,"17:06:41","item3","STE3","S03","Baskets created","85","15"
412,D,"17:06:52","P89868","IE2","P03","800.67.89.161","URL parameter length validation failure"
412,D,"17:06:52","P89868","IE2","P03","800.67.89.161","URL parameter type validation failure"
417,D,"17:06:57","********","CIE1","R02","600.52.32.105","SQL injection string detected"
417,R,"17:06:07","********","ASR-A","Logging increased for IP addresses 600.52.32.*"
417,R,"17:06:07","********","ASR-G","Request blocked"
420,D,"17:07:00","********","CIE1","R02","600.52.32.105","SQL injection string detected"
420,R,"17:07:00","********","ASR-G","Request blocked"
425,D,"17:07:05","********","CIE1","R02","600.52.32.105","SQL injection string detected"
425,R,"17:07:05","********","ASR-G","Request blocked"
425,D,"17:07:05","********","CIE1","R02","600.52.32.105","SQL injection string detected"
425,R,"17:07:05","********","ASR-G","Request blocked"
425,D,"17:07:05","********","CIE1","R02","600.52.32.105","SQL injection string detected"
425,R,"17:07:05","********","ASR-G","Request blocked"
425,D,"17:07:05","********","CIE1","R02","600.52.32.105","SQL injection string detected"
425,R,"17:07:05","********","ASR-G","Request blocked"
425,R,"17:07:05","********","ASR-L","IP address 600.52.32.105 blocked"
430,T,"17:07:10","item5","STE3","S05","Not Found Errors","60","-50"
436,D,"17:07:16","C72788","ACE1","C03","400.27.254.180","URL direct object access attempt"
441,D,"17:07:21","C72788","ACE1","C03","400.27.254.180","URL direct object access attempt"
448,D,"17:07:28","C72788","ACE1","C03","400.27.254.180","URL direct object access attempt"
448,R,"17:07:28","C72788","ASR-G","Page request terminated"
448,R,"17:07:28","C72788","ASR-E","Error message displayed to user"
448,R,"17:07:28","C72788","ASR-J","Session terminated"
448,R,"17:07:28","C72788","ASR-K","Account locked (20 min)"
448,R,"17:07:28","C72788","ASR-B","C72788 locked Alert sent to AppOp Grp"
452,D,"17:07:32","********","IE1","R03","900.53.196.146","XSS string detected"
452,R,"17:07:32","G85277","ASR-G","Request blocked"
458,T,"17:07:38","item5","STE3","S05","Not Found Errors","80","35"
358,D,"17:07:38","********","RE1","R01","500.138.148.72","Unsupported HTTP verb"
462,D,"17:07:42","G85277","IE1","R03","900.53.196.146","XSS string detected"
462,R,"17:07:42","G85277","ASR-G","Request blocked"
463,D,"17:07:43","G85277","IE1","R03","900.53.196.146","XSS string detected"
463,R,"17:07:43","G85277","ASR-G","Request blocked"
463,R,"17:07:43","G85277","ASR-L","Customer account G85277 blocked"
471,T,"17:07:51","item2","STE3","S02","Catalogue impressions","150","20"
472,T,"17:07:52","item1","STE3","S01","Page impressions","140","0"
480,T,"17:08:00","item3","STE3","S03","Baskets created","95","10"
486,T,"17:08:06","item4","STE3","S04","Baskets deleted","750","-5"
486,D,"17:08:06","SYSTEM","STE3","S04","-","Baskets deleted high high reset"
486,R,"17:08:06","-","ASR-B","Baskets deleted High High Alert reset sent to AppOp Grp"
486,R,"17:08:06","-","ASR-B","Baskets deleted High High Alert reset sent to AppMgmt Grp"
487,D,"17:08:07","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
487,D,"17:08:07","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
487,R,"17:08:07","C72788","ASR-G","Page request terminated"
487,R,"17:08:07","C72788","ASR-E","Error message displayed to user"
487,R,"17:08:07","C72788","ASR-J","Session terminated"
494,D,"17:08:14","********","ACE3","R05","700.12.172.73","Invalid script entry point"
500,D,"17:08:20","********","ACE3","R05","700.12.172.73","Invalid script entry point"
509,T,"17:08:29","item1","STE3","S01","Page impressions","70","-50"
510,T,"17:08:30","item1","STE3","S01","Page impressions","60","-15"
511,T,"17:08:31","item5","STE3","S05","Not Found Errors","50","-45"
512,D,"17:08:32","W05000","-","P01","400.52.32.1","Payment rejected"
512,R,"17:08:32","W05000","ASR-A","Logging increased for user W05000"
517,D,"17:08:37","W05000","-","P01","400.52.32.1","Payment rejected"
524,D,"17:08:44","W05000","-","P01","400.52.32.1","Payment rejected"
524,R,"17:08:44","W05000","ASR-B","Alert sent to AppOp Grp"
524,R,"17:08:44","W05000","ASR-G","User redirected back to basket"
525,T,"17:08:45","item2","STE3","S02","Catalogue impressions","140","-15"
531,D,"17:08:51","W05000","ACE3","R05","400.52.32.1","Invalid script entry point"
532,T,"17:08:52","item3","STE3","S03","Baskets created","100","5"
536,D,"17:08:56","W05000","ACE3","R05","400.52.32.1","Invalid script entry point"
540,T,"17:09:00","item4","STE3","S04","Baskets deleted","600","-20"
542,D,"17:09:02","W05000","ACE3","R05","400.52.32.1","Invalid script entry point"
543,D,"17:09:03","W05000","ACE3","R05","400.52.32.1","Invalid script entry point"
546,D,"17:09:06","********","IE4","P04","200.91.200.85","List value out of range"
556,T,"17:08:16","item3","STE3","S03","Baskets created","90","-10"
558,T,"17:08:18","item4","STE3","S04","Baskets deleted","190","-40"
558,D,"17:08:18","SYSTEM","STE3","S04","-","Baskets deleted low reset"
558,R,"17:08:18","-","ASR-B","Baskets deleted High Alert reset sent to AppOp Grp"
562,T,"17:08:22","item1","STE3","S01","Page impressions","85","35"
567,D,"17:08:27","********","ACE3","R05","500.7.143.192","Invalid script entry point"
581,T,"17:08:41","item5","STE3","S05","Not Found Errors","80","60"
595,T,"17:09:55","item2","STE3","S02","Catalogue impressions","110","-35"
========

On 16 May 2015 at 07:43, Timo Goosen <timo.goosen at owasp.org> wrote:
> Hi guys, I just want to start preparing a bit for the dashboard workshop at
> the project summit.
> Is there a sample app we can set up without much effort that uses AppSensor,
> and if possible has anyone set this up and collected some sample log data
> that we can use to come up with a dashboard?
>
> Regards.
> Timo
>
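
Added example (not part of the original message, and not AppSensor project code): a Python sketch that parses the delimited sample events above and produces the counts a dashboard panel could plot. The field names in `LAYOUTS` are assumptions inferred from the sample rows; the message does not document a schema.

```python
import csv
import io
from collections import Counter

# Rows copied from the post's sample data; the ACE3 row is mail-wrapped inside a quoted field.
SAMPLE = '''\
0,D,"17:00:00","********","RE3","R01","900.14.29.103","GET when expecting POST"
10,T,"17:00:10","item1","STE3","S01","Page impressions","100","0"
30,D,"17:00:30","********","ACE3","R05","500.204.52.138","Invalid
script entry point"
31,D,"17:00:31","A11884","-","P01","300.6.153.55","Payment rejected"
31,R,"17:00:31","A11884","ASR-A","Logging increased for user A11884"
35,D,"17:00:35","********","RE1","R01","500.204.52.138","Invalid HTTP verb"
174,U,"17:02:54","XX7331","Customer account XX7331 locked"
'''

# Field names are assumptions inferred from the sample rows, not a documented schema.
LAYOUTS = {
    "D": ("offset", "kind", "time", "user", "detection_point", "sensor", "ip", "detail"),
    "R": ("offset", "kind", "time", "user", "response", "detail"),
    "T": ("offset", "kind", "time", "item", "detection_point", "sensor", "metric", "value", "change"),
    "U": ("offset", "kind", "time", "user", "detail"),
}

def parse_events(text):
    """Yield one dict per record; rows with an unknown type or wrong width are skipped."""
    for row in csv.reader(io.StringIO(text)):
        names = LAYOUTS.get(row[1]) if len(row) > 1 else None
        if names is None or len(row) != len(names):
            continue
        # csv keeps a newline that falls inside a quoted field; collapse it.
        event = {n: " ".join(v.split()) for n, v in zip(names, row)}
        event["offset"] = int(event["offset"])
        yield event

def summarise(events):
    """Count detections per IP and per detection point, and responses per type."""
    by_ip, by_point, by_response = Counter(), Counter(), Counter()
    for e in events:
        if e["kind"] == "D":
            by_ip[e["ip"]] += 1
            by_point[e["detection_point"]] += 1
        elif e["kind"] == "R":
            by_response[e["response"]] += 1
    return by_ip, by_point, by_response

if __name__ == "__main__":
    for counter in summarise(parse_events(SAMPLE)):
        print(counter.most_common())
```

Because the line wrap falls inside a quoted field, `csv.reader` reads the wrapped record as a single row, so the data can be parsed straight from the archived message.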

