[Owasp-appsensor-project] Additional Detection Points - Suspicious External User Behavior

Colin Watson colin.watson at owasp.org
Thu Jun 10 04:53:17 EDT 2010

John and Kevin

I like "navel gazing" as a description!  I was thinking these were
external sensory feeds rather than the application itself doing the
sensing, and that would be rather different to the existing detection
points as you say.  But we do configure applications to run in each
environment, and therefore I wondered if there might be useful data
elsewhere that would help the application determine its response (e.g.
affect the thresholds).

I tried to make this detection point's description as broad as
possible, but that may not have helped.    It might be that some of
the existing sensors are more efficient if the data is collected
elsewhere (e.g. HTTP protocol analysis), or in some cases the data may
not be available directly to the application (e.g. missing static
content requests, but which the web server knows about).

But my first use-case would be to get data from a WAF.  For example,
ModSecurity can add an HTTP header with its transaction anomaly score
(X-WAF-Score).  This type of data is available from other WAFs too.
The response can then be determined by the application based on trends
and its other sensor data rather than the relatively crude WAF
response options.

The idea of more self-checks is interesting though.  I have previously
added code to ensure that dev/test/live applications settings couldn't
conflict with whether the site was on the public domain vs an internal
IP.  Code integrity... that would be interesting.

I wonder if we need an Appendix with experimental sensor ideas?  These
are good suggestions, and it would be a pity to lose the information.


On 10 June 2010 05:45, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> While it is possible for an application to do its own sort of self-detection /
> navel gazing (e.g., monitor its memory usage, # of threads, # of socket
> connections, etc.) or monitor its own integrity (e.g., a static initializer
> in a signed jar verifies the signature [not too hard to do] to see if the
> jar has been tampered with since being signed), I agree with John that
> typically these things are done by *external* monitoring rather than by
> the application themselves.
> I suppose the benefit of doing it in some reusable code components (e.g., a jar,
> a web service, etc.) is that is doesn't require any external set up. For
> instance, if ESAPI for Java were to deliver a signed jar, how many developers
> would actually take the time to verify the jar using 'jarsigner -verify' as
> simple as this is. My bet...not too many. So in some cases, it might be useful
> to have the "application" (or one of its components) do this sort of built-in
> detection. (Disclaimer: I was planning something like this for a future version
> of ESAPI.)
> Just my $.02,
> -kevin
> John Melton wrote:
>> Not sure I'm on board with this one ... someone else can correct me if I'm
>> wrong, but this actually doesn't fit in the "application" doing detection.
>> By definition, something outside the app is doing the detection and is
>> feeding that info to the app.  I think these are worthwhile sensors that can
>> produce data that an application could use to make decisions, but as for it
>> being considered app detection, I don't generally see these as falling into
>> that category.  I may be convinced otherwise however :>.
>> On Wed, Jun 9, 2010 at 10:29 AM, Colin Watson <colin.watson at owasp.org>wrote:
>>> Suggestion to add a new detection point.  Has this already been ruled
>>> out?  Should it be added?  Is the description/categorization suitable?
>>> Source
>>> -----------------------------------
>>> [Owasp-appsensor-project] AppSensor Feedback/Ideas, Sat Nov 21 13:32:39 EST
>>> 2009
>>> https://lists.owasp.org/pipermail/owasp-appsensor-project
>>> On Wed, Jun 9, 2010 at 10:29 AM, Colin Watson <colin.watson at owasp.org>wrote:
>>> Suggestion to add a new detection point.  Has this already been ruled
>>> out?  Should it be added?  Is the description/categorization suitable?
>>> /2009-November/000008.html<https://lists.owasp.org/pipermail/owasp-appsensor-project/2009-November/000008.html>
>>> Description
>>> -----------------------------------
>>> External (to the application) devices and systems (e.g. host and
>>> network IDS, file integrity monitoring, disk usage monitoring,
>>> anti-malware service, IPS, network firewall, web application firewall,
>>> web server logging, XML gateway, database firewall, SIEM) have
>>> detected anomalous behavior by the user (e.g. session or IP address).
>>> Suggested categorization
>>> -----------------------------------
>>> In the suggested new category "Reputation" (see RP1 Suspicious User IP
>>> Address)
>>> RP2 Suspicious External User Behavior
> --
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

More information about the Owasp-appsensor-project mailing list