[Owasp-appsensor-project] Detection points for IP-address and user agent
ryan.barnett at owasp.org
Tue Dec 10 18:45:53 UTC 2013
Yes, we run into similar issues with the ModSecurity CRS. When implementing
these AppSensor Detection Points we opted to check each one of these
individually and they would raise an alert for "suspicious" behaviour but
only if BOTH IP netblock and UA changing would result in a malicious client
designation (for potential Session Hijacking).
From: Erlend Oftedal <erlend at oftedal.no>
Date: Tuesday, December 10, 2013 1:40 PM
To: <owasp-appsensor-project at lists.owasp.org>
Subject: [Owasp-appsensor-project] Detection points for IP-address and user
> I was wondering whether anyone has looked into detection points for IP-address
> and user agent.
> While running this on a test site, I experienced the IP-address changing
> benignly due to the use of clustered outgoing proxies, and user agents
> changing during downloads of PDFs. The user agent changed between IE and
> Chrome Frame, IE also sends "Contype" as user agent when a PDF is downloaded
> from the Adobe Reader plugin. Similar things happen for Safari and other
> browsers. On Windows 8, the word "touch" also sometimes appears in the user
> agent and sometimes not.
> This makes it hard to use these detection points for anything useful without
> maintaining a seemingly fragile set of rules.
> Best regards
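An added example, not part of the original thread and not ModSecurity CRS or AppSensor code: a sketch of the correlation described in the reply, where each detection point alone yields only "suspicious" and the two together yield "malicious". The `SessionMonitor` class, the /24 and /48 netblock widths, and comparing every request against the first-seen values are assumptions.

```python
import ipaddress

# Assumed netblock granularity; the thread does not say how wide a "netblock" is.
V4_PREFIX, V6_PREFIX = 24, 48


def netblock(ip):
    """Collapse an address to its enclosing network so proxy-pool hops inside it compare equal."""
    addr = ipaddress.ip_address(ip)
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


class SessionMonitor:
    """Hypothetical helper: pins netblock and User-Agent at first sight of a session."""

    def __init__(self):
        self._baseline = {}  # session id -> (netblock, user agent)

    def observe(self, session_id, ip, user_agent):
        block = netblock(ip)
        base_block, base_ua = self._baseline.setdefault(session_id, (block, user_agent))
        events = []
        if block != base_block:
            events.append("ip_netblock_changed")
        if user_agent != base_ua:
            events.append("user_agent_changed")
        # Each detection point alone is only "suspicious"; both together
        # mark the client "malicious" (possible session hijacking).
        verdict = ("ok", "suspicious", "malicious")[len(events)]
        return verdict, events


# Constructed requests for one session (documentation-range addresses, made-up UAs).
SAMPLE = [
    ("s1", "203.0.113.10", "ExampleBrowser/1.0"),
    ("s1", "203.0.113.77", "ExampleBrowser/1.0"),   # other proxy, same /24
    ("s1", "203.0.113.10", "contype"),              # PDF plugin UA
    ("s1", "198.51.100.5", "ExampleBrowser/1.0"),   # new netblock only
    ("s1", "198.51.100.5", "OtherBrowser/2.0"),     # both changed
]

if __name__ == "__main__":
    monitor = SessionMonitor()
    for sid, ip, ua in SAMPLE:
        print(ip, ua, *monitor.observe(sid, ip, ua))
```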