[Owasp-appsensor-project] Additional Detection Points - Suspicious User IP Address

Colin Watson colin.watson at owasp.org
Wed Jun 9 10:28:34 EDT 2010

Suggestion to add a new detection point.  Has this already been ruled
out?  Should it be added?  Is the description/categorization suitable?

Items 1 & 2 in
[Owasp-appsensor-project] AppSensor- a few ideas, Fri Sep 18 10:30:31 EDT 2009

The user is identified as using an IP address associated with a
blacklist (e.g. internal blacklist, list of Tor nodes e.g.
https://torstat.xenobite.eu/ and HTTP blacklist e.g.
http://www.projecthoneypot.org/httpbl.php and Dshield
http://www.dshield.org and spammers e.g. Spamhaus
http://www.spamhaus.org/ and known botnets e.g.
http://www.shadowserver.org/wiki/).  "Suspicious" may also depend upon
the type of user e.g. users in the "CMS manager" role should be using
an internal network IP address, public users could be from anywhere,
customers should only be accessing the application from a particular
geographical region, search engine robots  should be from a limited
range of IP addresses.

Suggested categorization
Create a new category called "Reputation" in Behavioral Based Events
RP1 Suspicious User IP Address

*** NB this new proposed category has some more detection points (to
follow) which could be used to alter/tune the thresholds and actions
of AppSensor rather than having their own actions? ***

More information about the Owasp-appsensor-project mailing list