[Esapi-user] IntrusionException and IntrusionDetector

John Melton jtmelton at gmail.com
Thu Jun 23 11:00:09 EDT 2011


Just a quick (hopefully helpful) additional note. When the intrusion
detector decides that you have an actual "intrusion", then it can respond in
various ways. I think the base intrusion detector can log additional info,
and logout or disable a user.  The appsensor project has a couple more
options, but it does seem to be quite a powerful concept.  The appsensor
project main page has some helpful presentation decks that explain the
application intrusion detection concept well.
Thanks,
John

On Thu, Jun 23, 2011 at 10:52 AM, Jeff Williams <
jeff.williams at aspectsecurity.com> wrote:

> The IntrusionDetector actually watches all SecurityExceptions
> (AuthenticationException, ValidationException, EncryptionException, etc…)
> and looks for patterns.  Currently the implementation is pretty simple.  You
> can configure a threshold into SecurityConfiguration for different types of
> exceptions.  For example, if you exceed 5 ValidationExceptions in a 10
> second window, it identifies this as an attack and throws an Intrusion
> Exception.
>
> Michael Coates has done a lot of work building on this basic idea in the
> OWASP AppSensor project.
>
> --Jeff
>
> From: esapi-user-bounces at lists.owasp.org [mailto:
> esapi-user-bounces at lists.owasp.org] On Behalf Of weiping guo
> Sent: Thursday, June 23, 2011 10:35 AM
> To: esapi-user at lists.owasp.org
> Subject: [Esapi-user] IntrusionException and IntrusionDetector
>
> Hi,
>
> I need some help on understanding Intrusion detection. The Validator
> interface throws IntrusionException. The JavaDoc says "input that is clearly
> an attack will generate a descriptive IntrusionException." My question is
> how the intrusion is detected? What does 'clearly' mean here? Any scenario
> is appreciated.
>
> Suppose an intrusion is detected. I assume the ESAPI.IntrusionDetector
> (org.owasp.esapi.reference.DefaultIntrusionDetector, for example) defined in
> the config file will be notified. Can I assume the IntrusionDetector will be
> invoked automatically whenever IntrusionException is thrown? How does it work?
>
> Thank you.
>
> Jim
>
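
The threshold behaviour described in the thread (exceeding 5 ValidationExceptions in a 10 second window, answered with actions such as log, logout or disable) can be modelled as a per-user sliding-window counter. This is an added example, not part of the original messages and not ESAPI's own code; every class, record and method name is hypothetical and the timestamps are constructed.

```java
import java.util.*;

// Added illustration: a stand-alone sliding-window counter, not ESAPI source code.
// All class, record and method names here are hypothetical.
public class ThresholdDetectorDemo {

    /** More than `count` events inside `intervalSeconds` triggers the listed actions. */
    record Threshold(int count, long intervalSeconds, List<String> actions) {}

    static class Detector {
        private final Map<String, Threshold> thresholds = new HashMap<>();
        private final Map<String, Deque<Long>> events = new HashMap<>();

        void configure(String eventType, Threshold t) { thresholds.put(eventType, t); }

        /** Records one event; returns the actions to take, or an empty list. */
        List<String> addEvent(String user, String eventType, long nowMillis) {
            Threshold t = thresholds.get(eventType);
            if (t == null) return List.of();           // no threshold for this type
            Deque<Long> times =
                events.computeIfAbsent(user + "|" + eventType, k -> new ArrayDeque<>());
            times.addLast(nowMillis);
            // Evict timestamps that have fallen out of the window.
            long cutoff = nowMillis - t.intervalSeconds() * 1000;
            while (!times.isEmpty() && times.peekFirst() <= cutoff) times.removeFirst();
            if (times.size() <= t.count()) return List.of();
            times.clear();                             // start a fresh window after firing
            return t.actions();
        }
    }

    public static void main(String[] args) {
        Detector d = new Detector();
        // The figures from the thread: exceeding 5 ValidationExceptions in 10 seconds.
        d.configure("ValidationException", new Threshold(5, 10, List.of("log", "logout")));

        // Constructed sample: alice fails validation every second, bob every 4 seconds.
        for (int s = 0; s < 8; s++) {
            report("alice", s, d.addEvent("alice", "ValidationException", s * 1000L));
            if (s % 4 == 0) report("bob", s, d.addEvent("bob", "ValidationException", s * 1000L));
        }
    }

    static void report(String user, int second, List<String> actions) {
        if (!actions.isEmpty())
            System.out.println("t=" + second + "s " + user + " exceeded threshold -> " + actions);
    }
}
```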