[Owasp-appsensor-project] Dashboard

Colin Watson colin.watson at owasp.org
Wed May 20 07:10:54 UTC 2015


The dashboard workshop is happening in room E103 at AppSec EU 2015,
today at 13:30 hrs central european time (UTC+2). We are trying Google
Hangouts on Air for remote participation:

   https://plus.google.com/events/c1r1qajo8f9g5gdt6359c88sai4

Regards

Colin




On 17 May 2015 at 09:40, Jim Manico <jim.manico at owasp.org> wrote:
> +1 publishing a JSON schema
>
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On May 17, 2015, at 5:08 AM, John Melton <jtmelton at gmail.com> wrote:
>
> Thanks Colin - helpful data.
>
> Timo, I attached to this email an example of the JSON produced by the
> reference implementation. There is 1 example each of [event, attack,
> response] that I generated using the unit tests in the codebase. With that,
> I generated a JSON schema for each as well. That should give a starting
> point for data. I don't have a log of output anywhere.
>
> As for sample apps, there are a couple of simple examples for both REST
> (https://github.com/jtmelton/appsensor/tree/master/sample-apps/sample-appsensor-ws-rest-server)
> and SOAP
> (https://github.com/jtmelton/appsensor/tree/master/sample-apps/sample-appsensor-ws-soap-server).
> This readme doc should get you set up if you want to try them out:
> https://github.com/jtmelton/appsensor/blob/master/sample-apps/README.md. If
> you have issues, let me know.
>
> Thanks,
> John
>
> On Sat, May 16, 2015 at 11:58 AM, Colin Watson <colin.watson at owasp.org>
> wrote:
>>
>> Timo
>>
>> I don't have a suitable sample application, but I have appended below
>> some fake data I created for my dashboard demos in 2011. The type of
>> log data will be dependent upon the types of sensors, how carefully
>> they have been designed, the application functionality, etc. All good
>> things to think about and discuss.
>>
>> This data example doesn't reflect how the v2 reference implementation
>> works. For example every event here has both a detection point type
>> AND a response action type.
>>
>> Coming up with some imaginary data for different scenarios would be
>> helpful. That could be purely descriptive, or fake delimited event
>> data.
>>
>> Regards
>>
>> Colin
>>
>> ===
>> 0,D,"17:00:00","********","RE3","R01","900.14.29.103","GET when expecting POST"
>> 10,T,"17:00:10","item1","STE3","S01","Page impressions","100","0"
>> 10,T,"17:00:10","item2","STE3","S02","Catalogue impressions","100","0"
>> 10,T,"17:00:10","item3","STE3","S03","Baskets created","100","0"
>> 10,T,"17:00:10","item4","STE3","S04","Baskets deleted","100","0"
>> 10,T,"17:00:10","item5","STE3","S05","Not Found Errors","100","0"
>> 21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
>> 21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
>> 21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
>> 21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
>> 21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
>> 21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
>> 21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
>> 26,D,"17:00:26","********","IE2","B02","200.91.200.85","String includes HTML"
>> 30,D,"17:00:30","********","ACE3","R05","500.204.52.138","Invalid script entry point"
>> 31,D,"17:00:31","A11884","-","P01","300.6.153.55","Payment rejected"
>> 31,R,"17:00:31","A11884","ASR-A","Logging increased for user A11884"
>> 35,D,"17:00:35","********","RE1","R01","500.204.52.138","Invalid HTTP verb"
>> 37,D,"17:00:37","********","RE1","R01","500.204.52.138","Unsupported HTTP verb"
>> 39,D,"17:00:39","********","RE1","R01","500.204.52.138","Unsupported HTTP verb"
>> 40,T,"17:00:40","item1","STE3","S01","Page impressions","80","-20"
>> 47,D,"17:00:47","********","RE3","R01","600.49.210.128","GET when expecting POST"
>> 48,R,"17:00:48","********","ASR-A","Logging increased for IP addresses 600.49.210.*"
>> 50,T,"17:00:50","item2","STE3","S02","Catalogue impressions","60","-40"
>> 53,D,"17:00:53","********","RE3","R01","600.49.210.128","GET when expecting POST"
>> 60,T,"17:01:00","item3","STE3","S03","Baskets created","105","5"
>> 65,D,"17:01:05","C41885","RE5","R04","400.27.254.180","Additional URL parameter"
>> 70,T,"17:01:10","item4","STE3","S04","Baskets deleted","100","0"
>> 75,D,"17:01:15","L95301","-","P01","200.7.58.141","Payment rejected"
>> 75,R,"17:01:15","L95301","ASR-A","Logging increased for user L95301"
>> 80,T,"17:01:20","item5","STE3","S05","Not Found Errors","130","30"
>> 81,D,"17:01:21","********","RE1","R01","200.162.56.183","Unsupported HTTP verb"
>> 96,D,"17:01:36","********","ACE1","C03","700.147.37.213","URL direct object access attempt"
>> 99,D,"17:01:39","********","ACE3","R05","500.204.52.138","Invalid script entry point"
>> 100,T,"17:01:40","item3","STE3","S03","Baskets created","85","-30"
>> 106,D,"17:01:46","C94471","IE2","P03","300.219.56.3","URL parameter type validation failure"
>> 110,T,"17:01:50","item4","STE3","S04","Baskets deleted","80","-20"
>> 112,D,"17:01:52","C94471","IE2","P03","300.219.56.3","URL parameter type validation failure"
>> 112,D,"17:01:52","C94471","IE2","P03","300.219.56.3","URL parameter type validation failure"
>> 120,T,"17:02:00","item5","STE3","S05","Not Found Errors","40","-60"
>> 121,T,"17:02:01","item1","STE3","S01","Page impressions","150","175"
>> 123,T,"17:02:03","item2","STE3","S02","Catalogue impressions","80","-25"
>> 126,D,"17:02:06","********","ACE1","C03","500.10.86.182","URL direct object access attempt"
>> 129,D,"17:02:09","********","ACE1","C03","500.10.86.182","URL direct object access attempt"
>> 134,D,"17:02:14","********","ACE1","C03","500.10.86.182","URL direct object access attempt"
>> 134,R,"17:02:14","********","ASR-G","Page request terminated"
>> 134,R,"17:02:14","********","ASR-E","Error message displayed to user"
>> 134,R,"17:02:14","********","ASR-J","Session terminated"
>> 134,R,"17:02:14","********","ASR-B","C72788 locked Alert sent to AppOp Grp"
>> 142,T,"17:02:22","item3","STE3","S03","Baskets created","45","-40"
>> 142,D,"17:02:22","SYSTEM","STE3","S03","-","Baskets created low warning"
>> 144,T,"17:02:24","item5","STE3","S05","Not Found Errors","60","50"
>> 156,D,"17:02:36","********","ACE3","R05","400.45.78.208","Invalid script entry point"
>> 160,D,"17:02:40","********","RE3","R01","700.7.214.152","GET when expecting POST"
>> 167,T,"17:02:47","item1","STE3","S01","Page impressions","130","-15"
>> 170,D,"17:02:50","XX7331","CIE2","D01","900.202.67.191","Product query returned more than one record"
>> 171,R,"17:02:51","XX7331","ASR-B","Alert sent to AppOp Grp"
>> 172,R,"17:02:52","XX7331","ASR-G","Request blocked"
>> 173,R,"17:02:53","XX7331","ASR-E","Error message displayed to user"
>> 174,U,"17:02:54","XX7331","Customer account XX7331 locked"
>> 180,T,"17:03:00","item4","STE3","S04","Baskets deleted","200","240"
>> 180,D,"17:03:00","SYSTEM","STE3","S04","-","Baskets deleted high warning"
>> 182,T,"17:03:02","item2","STE3","S02","Catalogue impressions","105","30"
>> 187,D,"17:03:07","********","CIE1","R02","300.121.74.148","SQL injection string detected"
>> 187,R,"17:03:07","********","ASR-A","Logging increased for IP addresses 300.121.74.*"
>> 192,D,"17:03:12","L95302","-","P01","200.82.158.197","Payment rejected"
>> 192,R,"17:03:12","L95302","ASR-A","Logging increased for user L95302"
>> 204,T,"17:03:24","item3","STE3","S03","Baskets created","65","45"
>> 204,D,"17:03:24","SYSTEM","STE3","S03","-","Baskets created low reset"
>> 215,T,"17:03:35","item5","STE3","S05","Not Found Errors","100","65"
>> 226,D,"17:03:46","********","ACE3","R05","700.12.172.73","Invalid script entry point"
>> 227,D,"17:03:47","********","ACE3","R05","700.12.172.73","Invalid script entry point"
>> 228,D,"17:03:48","********","ACE3","R05","700.12.172.73","Invalid script entry point"
>> 235,D,"17:03:55","********","RE3","R01","700.7.214.152","GET when expecting POST"
>> 241,T,"17:04:01","item1","STE3","S01","Page impressions","120","-10"
>> 242,T,"17:04:02","item4","STE3","S04","Baskets deleted","410","205"
>> 242,D,"17:04:02","SYSTEM","STE3","S04","-","Baskets deleted high warning"
>> 242,R,"17:04:02","-","ASR-B","Baskets deleted High Alert sent to AppOp Grp"
>> 246,D,"17:04:06","********","CIE1","R02","500.152.183.26","SQL injection string detected"
>> 246,R,"17:04:06","********","ASR-A","Logging increased for IP addresses 500.152.183.*"
>> 253,D,"17:04:13","********","CIE1","R02","500.152.183.26","SQL injection string detected"
>> 256,D,"17:04:06","********","IE1","R03","500.152.183.26","XSS string detected"
>> 256,R,"17:04:06","********","ASR-G","Request blocked"
>> 263,T,"17:04:23","item2","STE3","S02","Catalogue impressions","210","100"
>> 263,D,"17:04:23","SYSTEM","STE3","S02","-","Catalogue impressions high warning"
>> 263,R,"17:04:23","-","ASR-B","Catalogue impressions High Alert sent to AppOp Grp"
>> 279,D,"17:04:39","********","RE3","R01","700.7.214.152","GET when expecting POST"
>> 279,R,"17:04:39","********","ASR-A","Logging increased for IP addresses 700.7.214.*"
>> 285,T,"17:04:45","item1","STE3","S01","Page impressions","110","-10"
>> 290,D,"17:04:50","J49223","-","P01","400.154.140.28","Payment rejected"
>> 290,R,"17:04:50","J49223","ASR-A","Logging increased for user J49223"
>> 294,T,"17:04:54","item3","STE3","S03","Baskets created","75","15"
>> 295,D,"17:04:55","G88433","HT2","C04","300.69.207.129","Honey trap product used"
>> 295,R,"17:04:55","G88433","ASR-G","Page request terminated"
>> 295,R,"17:04:55","G88433","ASR-E","Error message displayed to user"
>> 295,R,"17:04:55","G88433","ASR-J","Session terminated"
>> 295,R,"17:04:55","********","ASR-G","Request blocked"
>> 295,R,"17:04:55","********","ASR-L","IP address 300.69.207.129 blocked"
>> 295,R,"17:04:55","G88433","ASR-B","G88433 locked Alert sent to AppOp Grp"
>> 296,T,"17:04:56","item5","STE3","S05","Not Found Errors","105","5"
>> 298,T,"17:04:58","item4","STE3","S04","Baskets deleted","700","75"
>> 302,T,"17:05:02","item2","STE3","S02","Catalogue impressions","160","-25"
>> 302,D,"17:05:02","SYSTEM","STE3","S02","-","Catalogue impressions high reset"
>> 302,R,"17:05:02","-","ASR-B","Catalogue impressions High Alert reset sent to AppOp Grp"
>> 306,D,"17:05:06","********","IE1","R03","500.152.183.26","XSS string detected"
>> 306,R,"17:05:06","********","ASR-G","Request blocked"
>> 325,T,"17:05:25","item4","STE3","S04","Baskets deleted","900","30"
>> 325,D,"17:05:25","SYSTEM","STE3","S04","-","Baskets deleted high high warning"
>> 325,R,"17:05:25","-","ASR-B","Baskets deleted High High Alert sent to AppOp Grp"
>> 325,R,"17:05:25","-","ASR-B","Baskets deleted High High Alert sent to AppMgmt Grp"
>> 331,T,"17:05:31","item2","STE3","S02","Catalogue impressions","140","-15"
>> 348,T,"17:05:48","item1","STE3","S01","Page impressions","150","30"
>> 349,D,"17:05:49","S61042","ACE3","R05","900.39.182.49","Invalid script entry point"
>> 354,T,"17:05:54","item3","STE3","S03","Baskets created","85","15"
>> 359,D,"17:05:59","********","ACE3","R05","700.12.172.73","Invalid script entry point"
>> 365,T,"17:06:05","item5","STE3","S05","Not Found Errors","110","5"
>> 366,D,"17:06:06","T49102","-","P01","300.72.138.94","Payment rejected"
>> 366,R,"17:06:06","T49102","ASR-A","Logging increased for user T49102"
>> 370,D,"17:06:10","F01821","SE4","B04","800.67.21.203","Cookie substitution"
>> 370,R,"17:06:10","F01821","ASR-G","Page request terminated"
>> 370,R,"17:06:10","F01821","ASR-E","Error message displayed to user"
>> 370,R,"17:06:10","F01821","ASR-J","Session terminated"
>> 370,R,"17:06:10","F01821","ASR-K","Account locked (20 min)"
>> 370,R,"17:06:10","F01821","ASR-B","F01821 locked Alert sent to AppOp Grp"
>> 375,D,"17:06:15","G21831","IE4","P04","300.189.34.13","Hidden form field changed"
>> 380,D,"17:06:20","********","RE1","R01","200.162.56.183","Unsupported HTTP verb"
>> 385,T,"17:06:25","item4","STE3","S04","Baskets deleted","800","-15"
>> 386,D,"17:06:26","R43922","ACE3","R05","600.67.182.46","Invalid script entry point"
>> 390,T,"17:06:30","item2","STE3","S02","Catalogue impressions","130","-15"
>> 395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
>> 395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
>> 395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
>> 395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
>> 395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
>> 395,D,"17:06:35","C72788","RE6","R04","400.27.254.180","Missing form parameter"
>> 395,R,"17:06:35","C72788","ASR-D","Order value limit changed to Level 2"
>> 395,R,"17:06:35","C72788","ASR-A","Logging increased for IP addresses 400.27.254.*"
>> 400,T,"17:06:40","item1","STE3","S01","Page impressions","140","-10"
>> 401,T,"17:06:41","item3","STE3","S03","Baskets created","85","15"
>> 412,D,"17:06:52","P89868","IE2","P03","800.67.89.161","URL parameter length validation failure"
>> 412,D,"17:06:52","P89868","IE2","P03","800.67.89.161","URL parameter type validation failure"
>> 417,D,"17:06:57","********","CIE1","R02","600.52.32.105","SQL injection string detected"
>> 417,R,"17:06:07","********","ASR-A","Logging increased for IP addresses 600.52.32.*"
>> 417,R,"17:06:07","********","ASR-G","Request blocked"
>> 420,D,"17:07:00","********","CIE1","R02","600.52.32.105","SQL injection string detected"
>> 420,R,"17:07:00","********","ASR-G","Request blocked"
>> 425,D,"17:07:05","********","CIE1","R02","600.52.32.105","SQL injection string detected"
>> 425,R,"17:07:05","********","ASR-G","Request blocked"
>> 425,D,"17:07:05","********","CIE1","R02","600.52.32.105","SQL injection string detected"
>> 425,R,"17:07:05","********","ASR-G","Request blocked"
>> 425,D,"17:07:05","********","CIE1","R02","600.52.32.105","SQL injection string detected"
>> 425,R,"17:07:05","********","ASR-G","Request blocked"
>> 425,D,"17:07:05","********","CIE1","R02","600.52.32.105","SQL injection string detected"
>> 425,R,"17:07:05","********","ASR-G","Request blocked"
>> 425,R,"17:07:05","********","ASR-L","IP address 600.52.32.105 blocked"
>> 430,T,"17:07:10","item5","STE3","S05","Not Found Errors","60","-50"
>> 436,D,"17:07:16","C72788","ACE1","C03","400.27.254.180","URL direct object access attempt"
>> 441,D,"17:07:21","C72788","ACE1","C03","400.27.254.180","URL direct object access attempt"
>> 448,D,"17:07:28","C72788","ACE1","C03","400.27.254.180","URL direct object access attempt"
>> 448,R,"17:07:28","C72788","ASR-G","Page request terminated"
>> 448,R,"17:07:28","C72788","ASR-E","Error message displayed to user"
>> 448,R,"17:07:28","C72788","ASR-J","Session terminated"
>> 448,R,"17:07:28","C72788","ASR-K","Account locked (20 min)"
>> 448,R,"17:07:28","C72788","ASR-B","C72788 locked Alert sent to AppOp Grp"
>> 452,D,"17:07:32","********","IE1","R03","900.53.196.146","XSS string detected"
>> 452,R,"17:07:32","G85277","ASR-G","Request blocked"
>> 458,T,"17:07:38","item5","STE3","S05","Not Found Errors","80","35"
>> 358,D,"17:07:38","********","RE1","R01","500.138.148.72","Unsupported HTTP verb"
>> 462,D,"17:07:42","G85277","IE1","R03","900.53.196.146","XSS string detected"
>> 462,R,"17:07:42","G85277","ASR-G","Request blocked"
>> 463,D,"17:07:43","G85277","IE1","R03","900.53.196.146","XSS string detected"
>> 463,R,"17:07:43","G85277","ASR-G","Request blocked"
>> 463,R,"17:07:43","G85277","ASR-L","Customer account G85277 blocked"
>> 471,T,"17:07:51","item2","STE3","S02","Catalogue impressions","150","20"
>> 472,T,"17:07:52","item1","STE3","S01","Page impressions","140","0"
>> 480,T,"17:08:00","item3","STE3","S03","Baskets created","95","10"
>> 486,T,"17:08:06","item4","STE3","S04","Baskets deleted","750","-5"
>> 486,D,"17:08:06","SYSTEM","STE3","S04","-","Baskets deleted high high reset"
>> 486,R,"17:08:06","-","ASR-B","Baskets deleted High High Alert reset sent to AppOp Grp"
>> 486,R,"17:08:06","-","ASR-B","Baskets deleted High High Alert reset sent to AppMgmt Grp"
>> 487,D,"17:08:07","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
>> 487,D,"17:08:07","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
>> 487,R,"17:08:07","C72788","ASR-G","Page request terminated"
>> 487,R,"17:08:07","C72788","ASR-E","Error message displayed to user"
>> 487,R,"17:08:07","C72788","ASR-J","Session terminated"
>> 494,D,"17:08:14","********","ACE3","R05","700.12.172.73","Invalid script entry point"
>> 500,D,"17:08:20","********","ACE3","R05","700.12.172.73","Invalid script entry point"
>> 509,T,"17:08:29","item1","STE3","S01","Page impressions","70","-50"
>> 510,T,"17:08:30","item1","STE3","S01","Page impressions","60","-15"
>> 511,T,"17:08:31","item5","STE3","S05","Not Found Errors","50","-45"
>> 512,D,"17:08:32","W05000","-","P01","400.52.32.1","Payment rejected"
>> 512,R,"17:08:32","W05000","ASR-A","Logging increased for user W05000"
>> 517,D,"17:08:37","W05000","-","P01","400.52.32.1","Payment rejected"
>> 524,D,"17:08:44","W05000","-","P01","400.52.32.1","Payment rejected"
>> 524,R,"17:08:44","W05000","ASR-B","Alert sent to AppOp Grp"
>> 524,R,"17:08:44","W05000","ASR-G","User redirected back to basket"
>> 525,T,"17:08:45","item2","STE3","S02","Catalogue impressions","140","-15"
>> 531,D,"17:08:51","W05000","ACE3","R05","400.52.32.1","Invalid script entry point"
>> 532,T,"17:08:52","item3","STE3","S03","Baskets created","100","5"
>> 536,D,"17:08:56","W05000","ACE3","R05","400.52.32.1","Invalid script entry point"
>> 540,T,"17:09:00","item4","STE3","S04","Baskets deleted","600","-20"
>> 542,D,"17:09:02","W05000","ACE3","R05","400.52.32.1","Invalid script entry point"
>> 543,D,"17:09:03","W05000","ACE3","R05","400.52.32.1","Invalid script entry point"
>> 546,D,"17:09:06","********","IE4","P04","200.91.200.85","List value out of range"
>> 556,T,"17:08:16","item3","STE3","S03","Baskets created","90","-10"
>> 558,T,"17:08:18","item4","STE3","S04","Baskets deleted","190","-40"
>> 558,D,"17:08:18","SYSTEM","STE3","S04","-","Baskets deleted low reset"
>> 558,R,"17:08:18","-","ASR-B","Baskets deleted High Alert reset sent to AppOp Grp"
>> 562,T,"17:08:22","item1","STE3","S01","Page impressions","85","35"
>> 567,D,"17:08:27","********","ACE3","R05","500.7.143.192","Invalid script entry point"
>> 581,T,"17:08:41","item5","STE3","S05","Not Found Errors","80","60"
>> 595,T,"17:09:55","item2","STE3","S02","Catalogue impressions","110","-35"
>> ========
>>
>> On 16 May 2015 at 07:43, Timo Goosen <timo.goosen at owasp.org> wrote:
>> > Hi guys, I just want to start preparing a bit for the dashboard workshop
>> > at the project summit.
>> > Is there a sample app we can set up without much effort that uses
>> > appsensor and, if possible, has anyone set this up and collected some
>> > sample log data that we can use to come up with a dashboard?
>> >
>> > Regards.
>> > Timo
>> >
>> > _______________________________________________
>> > Owasp-appsensor-project mailing list
>> > Owasp-appsensor-project at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>> >
>
>
> <appsensor_json_examples.txt>
>
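The delimited demo data quoted above is the kind of input a dashboard prototype has to consume before it can draw anything. The following Python script is an added example for this thread, not code from the original messages or from the AppSensor project: it parses that format, counts detection events per source address and detection point, reports the latest value of each trend metric, and applies an AppSensor-style threshold (N events from one source on one detection point inside a time window) so the reader can see where a simple policy lines up with the responses already present in the data. The per-kind field layouts (D, T, R, U), the column names, and the threshold and window values are assumptions inferred from the sample; the message does not document them. The embedded input is a constructed subset of the quoted lines plus two deliberately malformed records.

```python
"""Parse the delimited AppSensor demo data and run a threshold rule over it.

Added example for the dashboard discussion; not code from the AppSensor
project. Column meanings are inferred from the sample and are assumptions.
"""
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample input: a subset of the fake event data quoted in the
# thread (wrapped lines rejoined), plus two deliberately malformed records
# at the end to exercise the rejection path. Not output from a real app.
SAMPLE = """\
0,D,"17:00:00","********","RE3","R01","900.14.29.103","GET when expecting POST"
10,T,"17:00:10","item1","STE3","S01","Page impressions","100","0"
21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
21,D,"17:00:21","C72788","RE5","R04","400.27.254.180","Additional URL parameter"
31,D,"17:00:31","A11884","-","P01","300.6.153.55","Payment rejected"
31,R,"17:00:31","A11884","ASR-A","Logging increased for user A11884"
40,T,"17:00:40","item1","STE3","S01","Page impressions","80","-20"
126,D,"17:02:06","********","ACE1","C03","500.10.86.182","URL direct object access attempt"
129,D,"17:02:09","********","ACE1","C03","500.10.86.182","URL direct object access attempt"
134,D,"17:02:14","********","ACE1","C03","500.10.86.182","URL direct object access attempt"
134,R,"17:02:14","********","ASR-J","Session terminated"
174,U,"17:02:54","XX7331","Customer account XX7331 locked"
998,D,"17:09:58","********"
999,X,"17:09:59","unknown record kind"
"""

# Field layout per record kind. ASSUMPTION inferred from the sample rows:
# D = detection event, T = trend sample, R = response, U = user-account event.
LAYOUTS = {
    "D": ("seq", "kind", "time", "user", "detection_point", "code", "source", "description"),
    "T": ("seq", "kind", "time", "item", "detection_point", "code", "metric", "value", "delta"),
    "R": ("seq", "kind", "time", "user", "response", "description"),
    "U": ("seq", "kind", "time", "user", "description"),
}


def parse_records(text):
    """Parse the delimited format into dicts keyed by the inferred field names.

    Rows with an unknown kind or a field count that does not match the layout
    are returned separately instead of being dropped, so a dashboard can show
    how much of its input it could not interpret.
    """
    records, rejected = [], []
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        layout = LAYOUTS.get(row[1]) if len(row) > 1 else None
        if layout is None or len(row) != len(layout):
            rejected.append(row)
            continue
        rec = dict(zip(layout, row))
        rec["seq"] = int(rec["seq"])
        records.append(rec)
    return records, rejected


def detection_counts(records):
    """Detection events per (source, detection point): which addresses or
    users are noisiest on which sensor, the first panel a dashboard needs."""
    return Counter((r["source"], r["detection_point"])
                   for r in records if r["kind"] == "D")


def threshold_hits(records, threshold=3, window=timedelta(seconds=60)):
    """AppSensor-style threshold rule: for each (source, detection point),
    report the seq at which `threshold` events fell inside `window`.

    Records are assumed to be in time order, as in the sample. Times carry no
    date, so they are all taken to be on the same day. After a hit the bucket
    is cleared so the rule re-arms rather than firing on every later event.
    """
    seen = defaultdict(list)
    hits = []
    for r in records:
        if r["kind"] != "D":
            continue
        key = (r["source"], r["detection_point"])
        t = datetime.strptime(r["time"], "%H:%M:%S")
        seen[key] = [x for x in seen[key] if t - x <= window] + [t]
        if len(seen[key]) >= threshold:
            hits.append((r["seq"], key))
            seen[key] = []
    return hits


def latest_trends(records):
    """Most recent value per trend metric (T records), for a trend panel."""
    latest = {}
    for r in records:
        if r["kind"] == "T":
            latest[r["metric"]] = int(r["value"])
    return latest


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE)
    print(len(recs), "records parsed,", len(bad), "rejected")
    for key, n in detection_counts(recs).most_common(3):
        print(n, key)
    print("threshold hits:", threshold_hits(recs))
    print("trends:", latest_trends(recs))
```

Run as-is, it reports that the three ACE1 events from 500.10.86.182 between 17:02:06 and 17:02:14 cross a threshold of three within sixty seconds at seq 134, which is the point where the quoted data shows the ASR-G/E/J/B responses firing, while the two RE5 events from 400.27.254.180 stay below it. Swapping the window or threshold per detection point is the knob a real policy would expose; the point for a dashboard is that both the raw counts and the rule outcomes come from the same parsed records.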

