[Esapi-user] IntrusionException and IntrusionDetector

weiping guo weiping_guo at yahoo.com
Thu Jun 23 11:36:41 EDT 2011


John, Jeff,
 
Thanks a lot for your explanation. I will look at the AppSensor project.
Jim

From: John Melton <jtmelton at gmail.com>
To: weiping guo <weiping_guo at yahoo.com>
Cc: esapi-user at lists.owasp.org
Sent: Thursday, June 23, 2011 11:18 AM
Subject: Re: [Esapi-user] IntrusionException and IntrusionDetector



Sorry - meant to include the link to those presentations - they can be found at https://www.owasp.org/index.php/OWASP_AppSensor_Project


On Thu, Jun 23, 2011 at 11:00 AM, John Melton <jtmelton at gmail.com> wrote:

>Just a quick (hopefully helpful) additional note. When the intrusion detector decides that you have an actual "intrusion", then it can respond in various ways. I think the base intrusion detector can log additional info, and logout or disable a user. The AppSensor project has a couple more options, but it does seem to be quite a powerful concept. The AppSensor project main page has some helpful presentation decks that explain the application intrusion detection concept well.
>Thanks,
>John
>
>
>On Thu, Jun 23, 2011 at 10:52 AM, Jeff Williams <jeff.williams at aspectsecurity.com> wrote:
>
>>The IntrusionDetector actually watches all SecurityExceptions (AuthenticationException, ValidationException, EncryptionException, etc…) and looks for patterns. Currently the implementation is pretty simple. You can configure a threshold into SecurityConfiguration for different types of exceptions. For example, if you exceed 5 ValidationExceptions in a 10 second window, it identifies this as an attack and throws an Intrusion Exception.
>> 
>>Michael Coates has done a lot of work building on this basic idea in the OWASP AppSensor project. 
>> 
>>--Jeff 
>> 
>> 
>>From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of weiping guo
>>Sent: Thursday, June 23, 2011 10:35 AM
>>To: esapi-user at lists.owasp.org
>>Subject: [Esapi-user] IntrusionException and IntrusionDetector 
>> 
>>Hi, 
>> 
>>I need some help on understanding Intrusion detection. The Validator interface throws IntrusionException. The JavaDoc says "input that is clearly an attack will generate a descriptive IntrusionException." My question is how the intrusion is detected? What does 'clearly' mean here? Any scenario is appreciated.
>>
>>Suppose an intrusion is detected. I assume the ESAPI.IntrusionDetector (org.owasp.esapi.reference.DefaultIntrusionDetector, for example) defined in the config file will be notified. Can I assume the IntrusionDetector will be invoked automatically whenever IntrusionException is thrown? How does it work?
>> 
>>Thank you.
>>  
>>Jim 
>> 
>
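The threshold rule described in the quoted reply above (more than 5 ValidationExceptions inside a 10 second window counts as an attack), sketched as an added example. This is not ESAPI's code and was not posted in the thread; the class name `ThresholdSketch`, the `record` method and the per-user keying are assumptions made for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

// Added illustration; class and method names are hypothetical, not ESAPI's API.
public class ThresholdSketch {
    private final int maxEvents;      // e.g. 5
    private final long windowMillis;  // e.g. 10_000 (10 seconds)
    // Timestamps of recent events, keyed by "user|exceptionType".
    private final Map<String, Deque<Long>> recent = new HashMap<>();

    public ThresholdSketch(int maxEvents, long windowMillis) {
        this.maxEvents = maxEvents;
        this.windowMillis = windowMillis;
    }

    /** Records one event; returns true when the count inside the window exceeds the threshold. */
    public synchronized boolean record(String user, String exceptionType, long nowMillis) {
        Deque<Long> times = recent.computeIfAbsent(user + "|" + exceptionType, k -> new ArrayDeque<>());
        times.addLast(nowMillis);
        // Drop events that have aged out of the sliding window.
        while (!times.isEmpty() && nowMillis - times.peekFirst() >= windowMillis) {
            times.removeFirst();
        }
        if (times.size() > maxEvents) {
            times.clear(); // start counting afresh once the pattern has been reported
            return true;
        }
        return false;
    }

    public static void main(String[] args) {
        ThresholdSketch detector = new ThresholdSketch(5, 10_000);
        // Constructed sample: six validation failures from one user, one second apart.
        for (int i = 0; i < 6; i++) {
            boolean attack = detector.record("alice", "ValidationException", i * 1000L);
            System.out.println("event " + (i + 1) + " at " + i + "s -> intrusion=" + attack);
        }
        // Constructed sample: six failures spaced 12 seconds apart stay under the threshold.
        boolean slow = false;
        for (int i = 0; i < 6; i++) {
            slow |= detector.record("bob", "ValidationException", i * 12_000L);
        }
        System.out.println("slow sequence flagged=" + slow);
    }
}
```

A caller would react to a `true` result with whatever response is configured, such as the extra logging, logout or account disabling mentioned in the thread.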