[Owasp-appsensor-project] Dashboard

John Melton jtmelton at gmail.com
Sun May 17 03:08:40 UTC 2015


Thanks Colin - helpful data.

Timo, I attached to this email an example of the JSON produced by the
reference implementation. There is 1 example each of [event, attack,
response] that I generated using the unit tests in the codebase. With that,
I generated a JSON schema for each as well. That should give a starting
point for data. I don't have a log of output anywhere.

As for sample apps, there are a couple of simple examples for both REST (
https://github.com/jtmelton/appsensor/tree/master/sample-apps/sample-appsensor-ws-rest-server)
and SOAP (
https://github.com/jtmelton/appsensor/tree/master/sample-apps/sample-appsensor-ws-soap-server).
This readme doc should get you set up if you want to try them out:
https://github.com/jtmelton/appsensor/blob/master/sample-apps/README.md. If
you have issues, let me know.

Thanks,
John

On Sat, May 16, 2015 at 11:58 AM, Colin Watson <colin.watson at owasp.org>
wrote:

> Timo
>
> I don't have a suitable sample application, but I have appended below
> some fake data I created for my dashboard demos in 2011. The type of
> log data will be dependent upon the types of sensors, how carefully
> they have been designed, the application functionality, etc. All good
> things to think about and discuss.
>
> This data example doesn't reflect how the v2 reference implementation
> works. For example every event here has both a detection point type
> AND a response action type.
>
> Coming up with some imaginary data for different scenarios would be
> helpful. That could be purely descriptive, or fake delimited event
> data.
>
> Regards
>
> Colin
>
> ===
> 0,D,"17:00:00","********","RE3","R01","900.14.29.103","GET when expecting POST"
> 10,T,"17:00:10","item1","STE3","S01","Page impressions","100","0"
> 10,T,"17:00:10","item2","STE3","S02","Catalogue impressions","100","0"
> 10,T,"17:00:10","item3","STE3","S03","Baskets created","100","0"
> 10,T,"17:00:10","item4","STE3","S04","Baskets deleted","100","0"
> 10,T,"17:00:10","item5","STE3","S05","Not Found Errors","100","0"
> 21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
> 21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
> 21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
> 21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
> 21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
> 21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
> 21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
> 26,D,"17:00:26","********","IE2","B02","200.91.200.85","String includes HTML"
> 30,D,"17:00:30","********","ACE3","R05","500.204.52.138","Invalid script entry point"
> 31,D,"17:00:31","A11884","-","P01","300.6.153.55","Payment rejected"
> 31,R,"17:00:31","A11884","ASR-A","Logging increased for user A11884"
> 35,D,"17:00:35","********","RE1","R01","500.204.52.138","Invalid HTTP verb"
> 37,D,"17:00:37","********","RE1","R01","500.204.52.138","Unsupported HTTP verb"
> 39,D,"17:00:39","********","RE1","R01","500.204.52.138","Unsupported HTTP verb"
> 40,T,"17:00:40","item1","STE3","S01","Page impressions","80","-20"
> 47,D,"17:00:47","********","RE3","R01","600.49.210.128","GET when expecting POST"
> 48,R,"17:00:48","********","ASR-A","Logging increased for IP addresses 600.49.210.*"
> 50,T,"17:00:50","item2","STE3","S02","Catalogue impressions","60","-40"
> 53,D,"17:00:53","********","RE3","R01","600.49.210.128","GET when expecting POST"
> 60,T,"17:01:00","item3","STE3","S03","Baskets created","105","5"
> 65,D,"17:01:05","C41885","RE5","R04","400.27.254.180","Additional URL parameter"
> 70,T,"17:01:10","item4","STE3","S04","Baskets deleted","100","0"
> 75,D,"17:01:15","L95301","-","P01","200.7.58.141","Payment rejected"
> 75,R,"17:01:15","L95301","ASR-A","Logging increased for user L95301"
> 80,T,"17:01:20","item5","STE3","S05","Not Found Errors","130","30"
> 81,D,"17:01:21","********","RE1","R01","200.162.56.183","Unsupported HTTP verb"
> 96,D,"17:01:36","********","ACE1","C03","700.147.37.213","URL direct object access attempt"
> 99,D,"17:01:39","********","ACE3","R05","500.204.52.138","Invalid script entry point"
> 100,T,"17:01:40","item3","STE3","S03","Baskets created","85","-30"
> 106,D,"17:01:46","C94471","IE2","P03","300.219.56.3","URL parameter type validation failure"
> 110,T,"17:01:50","item4","STE3","S04","Baskets deleted","80","-20"
> 112,D,"17:01:52","C94471","IE2","P03","300.219.56.3","URL parameter type validation failure"
> 112,D,"17:01:52","C94471","IE2","P03","300.219.56.3","URL parameter type validation failure"
> 120,T,"17:02:00","item5","STE3","S05","Not Found Errors","40","-60"
> 121,T,"17:02:01","item1","STE3","S01","Page impressions","150","175"
> 123,T,"17:02:03","item2","STE3","S02","Catalogue impressions","80","-25"
> 126,D,"17:02:06","********","ACE1","C03","500.10.86.182","URL direct object access attempt"
> 129,D,"17:02:09","********","ACE1","C03","500.10.86.182","URL direct object access attempt"
> 134,D,"17:02:14","********","ACE1","C03","500.10.86.182","URL direct object access attempt"
> 134,R,"17:02:14","********","ASR-G","Page request terminated"
> 134,R,"17:02:14","********","ASR-E","Error message displayed to user"
> 134,R,"17:02:14","********","ASR-J","Session terminated"
> 134,R,"17:02:14","********","ASR-B","C72788 locked Alert sent to AppOp Grp"
> 142,T,"17:02:22","item3","STE3","S03","Baskets created","45","-40"
> 142,D,"17:02:22","SYSTEM","STE3","S03","-","Baskets created low warning"
> 144,T,"17:02:24","item5","STE3","S05","Not Found Errors","60","50"
> 156,D,"17:02:36","********","ACE3","R05","400.45.78.208","Invalid script entry point"
> 160,D,"17:02:40","********","RE3","R01","700.7.214.152","GET when expecting POST"
> 167,T,"17:02:47","item1","STE3","S01","Page impressions","130","-15"
> 170,D,"17:02:50","XX7331","CIE2","D01","900.202.67.191","Product query returned more than one record"
> 171,R,"17:02:51","XX7331","ASR-B","Alert sent to AppOp Grp"
> 172,R,"17:02:52","XX7331","ASR-G","Request blocked"
> 173,R,"17:02:53","XX7331","ASR-E","Error message displayed to user"
> 174,U,"17:02:54","XX7331","Customer account XX7331 locked"
> 180,T,"17:03:00","item4","STE3","S04","Baskets deleted","200","240"
> 180,D,"17:03:00","SYSTEM","STE3","S04","-","Baskets deleted high warning"
> 182,T,"17:03:02","item2","STE3","S02","Catalogue impressions","105","30"
> 187,D,"17:03:07","********","CIE1","R02","300.121.74.148","SQL injection string detected"
> 187,R,"17:03:07","********","ASR-A","Logging increased for IP addresses 300.121.74.*"
> 192,D,"17:03:12","L95302","-","P01","200.82.158.197","Payment rejected"
> 192,R,"17:03:12","L95302","ASR-A","Logging increased for user L95302"
> 204,T,"17:03:24","item3","STE3","S03","Baskets created","65","45"
> 204,D,"17:03:24","SYSTEM","STE3","S03","-","Baskets created low reset"
> 215,T,"17:03:35","item5","STE3","S05","Not Found Errors","100","65"
> 226,D,"17:03:46","********","ACE3","R05","700.12.172.73","Invalid script entry point"
> 227,D,"17:03:47","********","ACE3","R05","700.12.172.73","Invalid script entry point"
> 228,D,"17:03:48","********","ACE3","R05","700.12.172.73","Invalid script entry point"
> 235,D,"17:03:55","********","RE3","R01","700.7.214.152","GET when expecting POST"
> 241,T,"17:04:01","item1","STE3","S01","Page impressions","120","-10"
> 242,T,"17:04:02","item4","STE3","S04","Baskets deleted","410","205"
> 242,D,"17:04:02","SYSTEM","STE3","S04","-","Baskets deleted high warning"
> 242,R,"17:04:02","-","ASR-B","Baskets deleted High Alert sent to AppOp Grp"
> 246,D,"17:04:06","********","CIE1","R02","500.152.183.26","SQL injection string detected"
> 246,R,"17:04:06","********","ASR-A","Logging increased for IP addresses 500.152.183.*"
> 253,D,"17:04:13","********","CIE1","R02","500.152.183.26","SQL injection string detected"
> 256,D,"17:04:06","********","IE1","R03","500.152.183.26","XSS string detected"
> 256,R,"17:04:06","********","ASR-G","Request blocked"
> 263,T,"17:04:23","item2","STE3","S02","Catalogue impressions","210","100"
> 263,D,"17:04:23","SYSTEM","STE3","S02","-","Catalogue impressions high warning"
> 263,R,"17:04:23","-","ASR-B","Catalogue impressions High Alert sent to AppOp Grp"
> 279,D,"17:04:39","********","RE3","R01","700.7.214.152","GET when expecting POST"
> 279,R,"17:04:39","********","ASR-A","Logging increased for IP addresses 700.7.214.*"
> 285,T,"17:04:45","item1","STE3","S01","Page impressions","110","-10"
> 290,D,"17:04:50","J49223","-","P01","400.154.140.28","Payment rejected"
> 290,R,"17:04:50","J49223","ASR-A","Logging increased for user J49223"
> 294,T,"17:04:54","item3","STE3","S03","Baskets created","75","15"
> 295,D,"17:04:55","G88433","HT2","C04","300.69.207.129","Honey trap product used"
> 295,R,"17:04:55","G88433","ASR-G","Page request terminated"
> 295,R,"17:04:55","G88433","ASR-E","Error message displayed to user"
> 295,R,"17:04:55","G88433","ASR-J","Session terminated"
> 295,R,"17:04:55","********","ASR-G","Request blocked"
> 295,R,"17:04:55","********","ASR-L","IP address 300.69.207.129 blocked"
> 295,R,"17:04:55","G88433","ASR-B","G88433 locked Alert sent to AppOp Grp"
> 296,T,"17:04:56","item5","STE3","S05","Not Found Errors","105","5"
> 298,T,"17:04:58","item4","STE3","S04","Baskets deleted","700","75"
> 302,T,"17:05:02","item2","STE3","S02","Catalogue impressions","160","-25"
> 302,D,"17:05:02","SYSTEM","STE3","S02","-","Catalogue impressions high reset"
> 302,R,"17:05:02","-","ASR-B","Catalogue impressions High Alert reset sent to AppOp Grp"
> 306,D,"17:05:06","********","IE1","R03","500.152.183.26","XSS string detected"
> 306,R,"17:05:06","********","ASR-G","Request blocked"
> 325,T,"17:05:25","item4","STE3","S04","Baskets deleted","900","30"
> 325,D,"17:05:25","SYSTEM","STE3","S04","-","Baskets deleted high high warning"
> 325,R,"17:05:25","-","ASR-B","Baskets deleted High High Alert sent to AppOp Grp"
> 325,R,"17:05:25","-","ASR-B","Baskets deleted High High Alert sent to AppMgmt Grp"
> 331,T,"17:05:31","item2","STE3","S02","Catalogue impressions","140","-15"
> 348,T,"17:05:48","item1","STE3","S01","Page impressions","150","30"
> 349,D,"17:05:49","S61042","ACE3","R05","900.39.182.49","Invalid script entry point"
> 354,T,"17:05:54","item3","STE3","S03","Baskets created","85","15"
> 359,D,"17:05:59","********","ACE3","R05","700.12.172.73","Invalid script entry point"
> 365,T,"17:06:05","item5","STE3","S05","Not Found Errors","110","5"
> 366,D,"17:06:06","T49102","-","P01","300.72.138.94","Payment rejected"
> 366,R,"17:06:06","T49102","ASR-A","Logging increased for user T49102"
> 370,D,"17:06:10","F01821","SE4","B04","800.67.21.203","Cookie substitution"
> 370,R,"17:06:10","F01821","ASR-G","Page request terminated"
> 370,R,"17:06:10","F01821","ASR-E","Error message displayed to user"
> 370,R,"17:06:10","F01821","ASR-J","Session terminated"
> 370,R,"17:06:10","F01821","ASR-K","Account locked (20 min)"
> 370,R,"17:06:10","F01821","ASR-B","F01821 locked Alert sent to AppOp Grp"
> 375,D,"17:06:15","G21831","IE4","P04","300.189.34.13","Hidden form field changed"
> 380,D,"17:06:20","********","RE1","R01","200.162.56.183","Unsupported HTTP verb"
> 385,T,"17:06:25","item4","STE3","S04","Baskets deleted","800","-15"
> 386,D,"17:06:26","R43922","ACE3","R05","600.67.182.46","Invalid script entry point"
> 390,T,"17:06:30","item2","STE3","S02","Catalogue impressions","130","-15"
> 395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
> 395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
> 395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
> 395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
> 395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
> 395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
> 395,R,"17:06:35","C72788","ASR-D","Order value limit changed to Level 2"
> 395,R,"17:06:35","C72788","ASR-A","Logging increased for IP addresses 400.27.254.*"
> 400,T,"17:06:40","item1","STE3","S01","Page impressions","140","-10"
> 401,T,"17:06:41","item3","STE3","S03","Baskets created","85","15"
> 412,D,"17:06:52","P89868","IE2","P03","800.67.89.161","URL parameter length validation failure"
> 412,D,"17:06:52","P89868","IE2","P03","800.67.89.161","URL parameter type validation failure"
> 417,D,"17:06:57","********","CIE1","R02","600.52.32.105","SQL injection string detected"
> 417,R,"17:06:07","********","ASR-A","Logging increased for IP addresses 600.52.32.*"
> 417,R,"17:06:07","********","ASR-G","Request blocked"
> 420,D,"17:07:00","********","CIE1","R02","600.52.32.105","SQL injection string detected"
> 420,R,"17:07:00","********","ASR-G","Request blocked"
> 425,D,"17:07:05","********","CIE1","R02","600.52.32.105","SQL injection string detected"
> 425,R,"17:07:05","********","ASR-G","Request blocked"
> 425,D,"17:07:05","********","CIE1","R02","600.52.32.105","SQL injection string detected"
> 425,R,"17:07:05","********","ASR-G","Request blocked"
> 425,D,"17:07:05","********","CIE1","R02","600.52.32.105","SQL injection string detected"
> 425,R,"17:07:05","********","ASR-G","Request blocked"
> 425,D,"17:07:05","********","CIE1","R02","600.52.32.105","SQL injection string detected"
> 425,R,"17:07:05","********","ASR-G","Request blocked"
> 425,R,"17:07:05","********","ASR-L","IP address 600.52.32.105 blocked"
> 430,T,"17:07:10","item5","STE3","S05","Not Found Errors","60","-50"
> 436,D,"17:07:16","C72788","ACE1","C03","400.27.254.180","URL direct object access attempt"
> 441,D,"17:07:21","C72788","ACE1","C03","400.27.254.180","URL direct object access attempt"
> 448,D,"17:07:28","C72788","ACE1","C03","400.27.254.180","URL direct object access attempt"
> 448,R,"17:07:28","C72788","ASR-G","Page request terminated"
> 448,R,"17:07:28","C72788","ASR-E","Error message displayed to user"
> 448,R,"17:07:28","C72788","ASR-J","Session terminated"
> 448,R,"17:07:28","C72788","ASR-K","Account locked (20 min)"
> 448,R,"17:07:28","C72788","ASR-B","C72788 locked Alert sent to AppOp Grp"
> 452,D,"17:07:32","********","IE1","R03","900.53.196.146","XSS string detected"
> 452,R,"17:07:32","G85277","ASR-G","Request blocked"
> 458,T,"17:07:38","item5","STE3","S05","Not Found Errors","80","35"
> 358,D,"17:07:38","********","RE1","R01","500.138.148.72","Unsupported HTTP verb"
> 462,D,"17:07:42","G85277","IE1","R03","900.53.196.146","XSS string detected"
> 462,R,"17:07:42","G85277","ASR-G","Request blocked"
> 463,D,"17:07:43","G85277","IE1","R03","900.53.196.146","XSS string detected"
> 463,R,"17:07:43","G85277","ASR-G","Request blocked"
> 463,R,"17:07:43","G85277","ASR-L","Customer account G85277 blocked"
> 471,T,"17:07:51","item2","STE3","S02","Catalogue impressions","150","20"
> 472,T,"17:07:52","item1","STE3","S01","Page impressions","140","0"
> 480,T,"17:08:00","item3","STE3","S03","Baskets created","95","10"
> 486,T,"17:08:06","item4","STE3","S04","Baskets deleted","750","-5"
> 486,D,"17:08:06","SYSTEM","STE3","S04","-","Baskets deleted high high reset"
> 486,R,"17:08:06","-","ASR-B","Baskets deleted High High Alert reset sent to AppOp Grp"
> 486,R,"17:08:06","-","ASR-B","Baskets deleted High High Alert reset sent to AppMgmt Grp"
> 487,D,"17:08:07","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
> 487,D,"17:08:07","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
> 487,R,"17:08:07","C72788","ASR-G","Page request terminated"
> 487,R,"17:08:07","C72788","ASR-E","Error message displayed to user"
> 487,R,"17:08:07","C72788","ASR-J","Session terminated"
> 494,D,"17:08:14","********","ACE3","R05","700.12.172.73","Invalid script entry point"
> 500,D,"17:08:20","********","ACE3","R05","700.12.172.73","Invalid script entry point"
> 509,T,"17:08:29","item1","STE3","S01","Page impressions","70","-50"
> 510,T,"17:08:30","item1","STE3","S01","Page impressions","60","-15"
> 511,T,"17:08:31","item5","STE3","S05","Not Found Errors","50","-45"
> 512,D,"17:08:32","W05000","-","P01","400.52.32.1","Payment rejected"
> 512,R,"17:08:32","W05000","ASR-A","Logging increased for user W05000"
> 517,D,"17:08:37","W05000","-","P01","400.52.32.1","Payment rejected"
> 524,D,"17:08:44","W05000","-","P01","400.52.32.1","Payment rejected"
> 524,R,"17:08:44","W05000","ASR-B","Alert sent to AppOp Grp"
> 524,R,"17:08:44","W05000","ASR-G","User redirected back to basket"
> 525,T,"17:08:45","item2","STE3","S02","Catalogue impressions","140","-15"
> 531,D,"17:08:51","W05000","ACE3","R05","400.52.32.1","Invalid script entry point"
> 532,T,"17:08:52","item3","STE3","S03","Baskets created","100","5"
> 536,D,"17:08:56","W05000","ACE3","R05","400.52.32.1","Invalid script entry point"
> 540,T,"17:09:00","item4","STE3","S04","Baskets deleted","600","-20"
> 542,D,"17:09:02","W05000","ACE3","R05","400.52.32.1","Invalid script entry point"
> 543,D,"17:09:03","W05000","ACE3","R05","400.52.32.1","Invalid script entry point"
> 546,D,"17:09:06","********","IE4","P04","200.91.200.85","List value out of range"
> 556,T,"17:08:16","item3","STE3","S03","Baskets created","90","-10"
> 558,T,"17:08:18","item4","STE3","S04","Baskets deleted","190","-40"
> 558,D,"17:08:18","SYSTEM","STE3","S04","-","Baskets deleted low reset"
> 558,R,"17:08:18","-","ASR-B","Baskets deleted High Alert reset sent to AppOp Grp"
> 562,T,"17:08:22","item1","STE3","S01","Page impressions","85","35"
> 567,D,"17:08:27","********","ACE3","R05","500.7.143.192","Invalid script entry point"
> 581,T,"17:08:41","item5","STE3","S05","Not Found Errors","80","60"
> 595,T,"17:09:55","item2","STE3","S02","Catalogue impressions","110","-35"
> ========
>
> On 16 May 2015 at 07:43, Timo Goosen <timo.goosen at owasp.org> wrote:
> > Hi guys, I just want to start preparing a bit for the dashboard workshop at
> > the project summit.
> > Is there a sample app we can set up without much effort that uses appsensor,
> > and if possible has anyone set this up and collected some sample log data
> > that we can use to come up with a dashboard?
> >
> > Regards.
> > Timo
> >
> > _______________________________________________
> > Owasp-appsensor-project mailing list
> > Owasp-appsensor-project at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
> >
-------------- next part --------------
Very simple json data/schema pairs for [event,attack,response] in appsensor. Schemas generated using http://jsonschema.net/

EVENT JSON
---------------

{
  "user": {
    "username": "bob"
  },
  "detectionPoint": {
    "category": "Input Validation",
    "label": "IE1",
    "responses": []
  },
  "timestamp": "2015-05-17T02:40:28.891Z",
  "detectionSystem": {
    "detectionSystemId": "localhostme"
  },
  "metadata": []
}

EVENT SCHEMA
---------------

{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "id": "/",
  "type": "object",
  "properties": {
    "user": {
      "id": "user",
      "type": "object",
      "properties": {
        "username": {
          "id": "username",
          "type": "string"
        }
      },
      "required": [
        "username"
      ]
    },
    "detectionPoint": {
      "id": "detectionPoint",
      "type": "object",
      "properties": {
        "category": {
          "id": "category",
          "type": "string"
        },
        "label": {
          "id": "label",
          "type": "string"
        },
        "responses": {
          "id": "responses",
          "type": "array",
          "items": []
        }
      }
    },
    "timestamp": {
      "id": "timestamp",
      "type": "string"
    },
    "detectionSystem": {
      "id": "detectionSystem",
      "type": "object",
      "properties": {
        "detectionSystemId": {
          "id": "detectionSystemId",
          "type": "string"
        }
      }
    },
    "metadata": {
      "id": "metadata",
      "type": "array",
      "items": []
    }
  },
  "required": [
    "user",
    "detectionPoint",
    "timestamp",
    "detectionSystem"
  ]
}

ATTACK JSON
---------------

{
  "user": {
    "username": "bob"
  },
  "detectionPoint": {
    "category": "Input Validation",
    "label": "IE1",
    "threshold": {
      "count": 3,
      "interval": {
        "duration": 5,
        "unit": "minutes"
      }
    },
    "responses": [
      {
        "action": "log",
        "metadata": []
      },
      {
        "action": "logout",
        "metadata": []
      },
      {
        "action": "disableUser",
        "metadata": []
      },
      {
        "action": "disableComponentForSpecificUser",
        "interval": {
          "duration": 31,
          "unit": "minutes"
        },
        "metadata": []
      },
      {
        "action": "disableComponentForAllUsers",
        "interval": {
          "duration": 11,
          "unit": "minutes"
        },
        "metadata": []
      }
    ]
  },
  "timestamp": "2015-05-17T02:55:47.993Z",
  "detectionSystem": {
    "detectionSystemId": "my-sample-client"
  },
  "metadata": []
}

ATTACK SCHEMA
---------------

{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "id": "/",
  "type": "object",
  "properties": {
    "user": {
      "id": "user",
      "type": "object",
      "properties": {
        "username": {
          "id": "username",
          "type": "string"
        }
      },
      "required": [
        "username"
      ]
    },
    "detectionPoint": {
      "id": "detectionPoint",
      "type": "object",
      "properties": {
        "category": {
          "id": "category",
          "type": "string"
        },
        "label": {
          "id": "label",
          "type": "string"
        },
        "threshold": {
          "id": "threshold",
          "type": "object",
          "properties": {
            "count": {
              "id": "count",
              "type": "integer"
            },
            "interval": {
              "id": "interval",
              "type": "object",
              "properties": {
                "duration": {
                  "id": "duration",
                  "type": "integer"
                },
                "unit": {
                  "id": "unit",
                  "type": "string"
                }
              }
            }
          }
        },
        "responses": {
          "id": "responses",
          "type": "array",
          "items": [
            {
              "id": "0",
              "type": "object",
              "properties": {
                "action": {
                  "id": "action",
                  "type": "string"
                },
                "metadata": {
                  "id": "metadata",
                  "type": "array",
                  "items": []
                }
              }
            },
            {
              "id": "1",
              "type": "object",
              "properties": {
                "action": {
                  "id": "action",
                  "type": "string"
                },
                "metadata": {
                  "id": "metadata",
                  "type": "array",
                  "items": []
                }
              }
            },
            {
              "id": "2",
              "type": "object",
              "properties": {
                "action": {
                  "id": "action",
                  "type": "string"
                },
                "metadata": {
                  "id": "metadata",
                  "type": "array",
                  "items": []
                }
              }
            },
            {
              "id": "3",
              "type": "object",
              "properties": {
                "action": {
                  "id": "action",
                  "type": "string"
                },
                "interval": {
                  "id": "interval",
                  "type": "object",
                  "properties": {
                    "duration": {
                      "id": "duration",
                      "type": "integer"
                    },
                    "unit": {
                      "id": "unit",
                      "type": "string"
                    }
                  }
                },
                "metadata": {
                  "id": "metadata",
                  "type": "array",
                  "items": []
                }
              }
            },
            {
              "id": "4",
              "type": "object",
              "properties": {
                "action": {
                  "id": "action",
                  "type": "string"
                },
                "interval": {
                  "id": "interval",
                  "type": "object",
                  "properties": {
                    "duration": {
                      "id": "duration",
                      "type": "integer"
                    },
                    "unit": {
                      "id": "unit",
                      "type": "string"
                    }
                  }
                },
                "metadata": {
                  "id": "metadata",
                  "type": "array",
                  "items": []
                }
              }
            }
          ]
        }
      }
    },
    "timestamp": {
      "id": "timestamp",
      "type": "string"
    },
    "detectionSystem": {
      "id": "detectionSystem",
      "type": "object",
      "properties": {
        "detectionSystemId": {
          "id": "detectionSystemId",
          "type": "string"
        }
      }
    },
    "metadata": {
      "id": "metadata",
      "type": "array",
      "items": []
    }
  },
  "required": [
    "user",
    "detectionPoint",
    "timestamp",
    "detectionSystem"
  ]
}

RESPONSE JSON
---------------

{
  "user": {
    "username": "bob"
  },
  "timestamp": "2015-05-17T02:55:47.993Z",
  "action": "log",
  "detectionSystem": {
    "detectionSystemId": "my-sample-client"
  },
  "metadata": []
}

RESPONSE SCHEMA
---------------

{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "id": "/",
  "type": "object",
  "properties": {
    "user": {
      "id": "user",
      "type": "object",
      "properties": {
        "username": {
          "id": "username",
          "type": "string"
        }
      },
      "required": [
        "username"
      ]
    },
    "timestamp": {
      "id": "timestamp",
      "type": "string"
    },
    "action": {
      "id": "action",
      "type": "string"
    },
    "detectionSystem": {
      "id": "detectionSystem",
      "type": "object",
      "properties": {
        "detectionSystemId": {
          "id": "detectionSystemId",
          "type": "string"
        }
      }
    },
    "metadata": {
      "id": "metadata",
      "type": "array",
      "items": []
    }
  },
  "required": [
    "user",
    "timestamp",
    "action",
    "detectionSystem"
  ]
}
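
An added example, not part of the original message or of the AppSensor code base: a consumer for events shaped like the EVENT JSON above that applies the threshold shown in the ATTACK JSON (3 events in 5 minutes) to decide when a dashboard should show an attack. It assumes the threshold is counted per username and detection point label in a sliding window that resets once it fires; the function names, the sample events and the unit names other than "minutes" are constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Keys listed under "required" in the EVENT SCHEMA above.
REQUIRED_EVENT_KEYS = ("user", "detectionPoint", "timestamp", "detectionSystem")
# Only "minutes" appears in the attachment; the other unit names are assumed.
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600}
# Threshold copied from the ATTACK JSON's detectionPoint.
THRESHOLD = {"count": 3, "interval": {"duration": 5, "unit": "minutes"}}


def parse_event(raw):
    """Return (username, label, timestamp) for one event, or raise ValueError."""
    event = json.loads(raw)  # malformed JSON raises a ValueError subclass
    if not isinstance(event, dict):
        raise ValueError("event is not a JSON object")
    missing = [key for key in REQUIRED_EVENT_KEYS if key not in event]
    if missing:
        raise ValueError("missing required keys: " + ", ".join(missing))
    user, point, stamp = event["user"], event["detectionPoint"], event["timestamp"]
    if not isinstance(user, dict) or not isinstance(user.get("username"), str):
        raise ValueError("user.username must be a string")
    # The schema does not require "label", but grouping below depends on it.
    if not isinstance(point, dict) or not isinstance(point.get("label"), str):
        raise ValueError("detectionPoint.label must be a string")
    if not isinstance(stamp, str):
        raise ValueError("timestamp must be a string")
    # Timestamp layout as in the samples: 2015-05-17T02:40:28.891Z
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")
    return user["username"], point["label"], when


def detect_attacks(raw_events, threshold=THRESHOLD):
    """Return (attacks, rejected): threshold crossings and parse errors."""
    interval = threshold["interval"]
    window = timedelta(seconds=interval["duration"] * UNIT_SECONDS[interval["unit"]])
    parsed, rejected = [], []
    for raw in raw_events:
        try:
            parsed.append(parse_event(raw))
        except ValueError as exc:
            rejected.append(str(exc))  # keep bad input visible, do not drop it
    recent = defaultdict(deque)  # (username, label) -> timestamps in the window
    attacks = []
    for username, label, when in sorted(parsed, key=lambda item: item[2]):
        seen = recent[(username, label)]
        seen.append(when)
        while when - seen[0] > window:  # expire events older than the interval
            seen.popleft()
        if len(seen) >= threshold["count"]:
            stamp = when.isoformat(timespec="milliseconds") + "Z"
            attacks.append({"username": username, "label": label, "timestamp": stamp})
            seen.clear()  # assumption: counting restarts after an attack
    return attacks, rejected


def make_event(username, label, stamp):
    """Build a constructed event in the shape of the EVENT JSON above."""
    return json.dumps({
        "user": {"username": username},
        "detectionPoint": {"category": "Input Validation", "label": label, "responses": []},
        "timestamp": stamp,
        "detectionSystem": {"detectionSystemId": "localhostme"},
        "metadata": [],
    })


# Constructed sample input: bob crosses the threshold, alice's events are too
# spread out, and the last record lacks two required keys.
SAMPLE_EVENTS = [
    make_event("bob", "IE1", "2015-05-17T02:40:28.891Z"),
    make_event("alice", "IE1", "2015-05-17T02:40:00.000Z"),
    make_event("bob", "IE1", "2015-05-17T02:41:00.000Z"),
    make_event("alice", "IE1", "2015-05-17T02:42:00.000Z"),
    make_event("bob", "IE1", "2015-05-17T02:44:59.000Z"),
    make_event("alice", "IE1", "2015-05-17T02:46:00.000Z"),
    '{"detectionPoint": {"label": "IE1"}, "timestamp": "2015-05-17T02:47:00.000Z"}',
]

if __name__ == "__main__":
    found, bad = detect_attacks(SAMPLE_EVENTS)
    print(json.dumps({"attacks": found, "rejected": bad}, indent=2))
```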

