[Esapi-user] IntrusionException and IntrusionDetector

John Melton jtmelton at gmail.com
Thu Jun 23 11:18:44 EDT 2011


Sorry - meant to include the link to those presentations - they can be found
at https://www.owasp.org/index.php/OWASP_AppSensor_Project

On Thu, Jun 23, 2011 at 11:00 AM, John Melton <jtmelton at gmail.com> wrote:

> Just a quick (hopefully helpful) additional note. When the intrusion
> detector decides that you have an actual "intrusion", then it can respond in
> various ways. I think the base intrusion detector can log additional info,
> and logout or disable a user.  The appsensor project has a couple more
> options, but it does seem to be quite a powerful concept.  The appsensor
> project main page has some helpful presentation decks that explain the
> application intrusion detection concept well.
> Thanks,
> John
>
> On Thu, Jun 23, 2011 at 10:52 AM, Jeff Williams <
> jeff.williams at aspectsecurity.com> wrote:
>
>> The IntrusionDetector actually watches all SecurityExceptions
>> (AuthenticationException, ValidationException, EncryptionException, etc…)
>> and looks for patterns.  Currently the implementation is pretty simple.  You
>> can configure a threshold into SecurityConfiguration for different types of
>> exceptions.  For example, if you exceed 5 ValidationExceptions in a 10
>> second window, it identifies this as an attack and throws an Intrusion
>> Exception.
>>
>> Michael Coates has done a lot of work building on this basic idea in the
>> OWASP AppSensor project.
>>
>> --Jeff
>>
>> *From:* esapi-user-bounces at lists.owasp.org [mailto:
>> esapi-user-bounces at lists.owasp.org] *On Behalf Of *weiping guo
>> *Sent:* Thursday, June 23, 2011 10:35 AM
>> *To:* esapi-user at lists.owasp.org
>> *Subject:* [Esapi-user] IntrusionException and IntrusionDetector
>>
>> Hi,
>>
>> I need some help on understanding Intrusion detection. The Validator
>> interface throws IntrusionException. The JavaDoc says "input that is clearly
>> an attack will generate a descriptive IntrusionException." My question is:
>> how is the intrusion detected? What does 'clearly' mean here? Any scenario
>> is appreciated.
>>
>> Suppose an intrusion is detected. I assume the ESAPI.IntrusionDetector
>> (org.owasp.esapi.reference.DefaultIntrusionDetector, for example) defined in
>> the config file will be notified. Can I assume the IntrusionDetector will be
>> invoked automatically whenever IntrusionException is thrown? How does it work?
>>
>> Thank you.
>>
>> Jim
>>
>> _______________________________________________
>> Esapi-user mailing list
>> Esapi-user at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-user
>>
>>
>