AppSensor ResponseActions

From OWASP
Revision as of 08:48, 20 September 2010 by Clerkendweller (Talk | contribs)


About This Document

These response actions are part of the OWASP AppSensor project which advocates bringing intelligent intrusion detection inside the application. These responses can be used to counter a malicious user that has been detected probing for vulnerabilities or weaknesses within your application.

THIS PAGE IS STILL IN PROGRESS

Overview

The following table lists possible AppSensor Responses (ASRs). The application response actions are categorized here by:

  • Silent: User(s) unaware of any application change
  • Passive: Process altered, but user(s) may still continue through to completion
  • Active: Functionality reduced or disabled

A text version of the table, with examples and alternative classifications, is described in AppSensor - Response Actions (64 KB PDF).

[Image: AppSensor response actions table]


Detailed Listing

Classifications are:

  • Purposes: Logging, Notifying, Disrupting and Blocking
  • Target: One, Some or All users
  • Response duration: Instantaneous (e.g. just for the request), Period (e.g. time period or session duration), Permanent
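As an added illustration of the classification scheme above (this is example code written for this page, not the AppSensor project's own code), the following Python models each response with its purposes, target and duration, tags it Silent, Passive or Active, and escalates a detected user from a silent logging change to an active account lockout as detections accumulate. The escalation thresholds, the concrete durations, and the names ResponseAction, ResponseEngine and ESCALATION are assumptions made for the illustration.

```python
"""AppSensor-style response selector (added example, not AppSensor project code).

Models the classification scheme on this page (purposes, target, response
duration, and the Silent / Passive / Active categories) and escalates a
detected user from silent logging to an active lockout as detection events
accumulate. The escalation thresholds, the durations and the class and
function names are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Category(Enum):
    SILENT = "Silent"    # user(s) unaware of any application change
    PASSIVE = "Passive"  # process altered, but the user can still complete it
    ACTIVE = "Active"    # functionality reduced or disabled


class Target(Enum):
    ONE = "One user"
    SOME = "Some users"
    ALL = "All users"


@dataclass(frozen=True)
class ResponseAction:
    """One AppSensor Response (ASR) with the classifications used on this page."""
    asr_id: str
    title: str
    purposes: Tuple[str, ...]      # Logging, Notifying, Disrupting, Blocking
    target: Target
    duration_s: Optional[float]    # None = instantaneous (this request only);
                                   # a permanent response would use float("inf")
    category: Category


# Classifications follow the page's detailed listing; the concrete durations
# are constructed values, since the page only says "for a period".
ASR_A = ResponseAction("ASR-A", "Logging Change", ("Logging",), Target.ONE, 600.0, Category.SILENT)
ASR_B = ResponseAction("ASR-B", "Administrator Notification", ("Logging", "Notifying"), Target.ONE, None, Category.SILENT)
ASR_F = ResponseAction("ASR-F", "Timing Change", ("Logging", "Disrupting"), Target.ONE, 600.0, Category.PASSIVE)
ASR_K = ResponseAction("ASR-K", "Account Lockout", ("Logging", "Disrupting", "Blocking"), Target.ONE, 1800.0, Category.ACTIVE)

# Escalation policy (assumed): once a user's detection count reaches a
# threshold the matching response is applied; the highest threshold met wins.
ESCALATION: List[Tuple[int, ResponseAction]] = [(1, ASR_A), (3, ASR_B), (5, ASR_F), (10, ASR_K)]


@dataclass
class ResponseEngine:
    detections: Dict[str, int] = field(default_factory=dict)               # user -> count
    in_effect: Dict[Tuple[str, str], float] = field(default_factory=dict)  # (user, ASR id) -> expiry

    def record_detection(self, user: str, now: float) -> Optional[ResponseAction]:
        """Count one detection for `user` and return the response selected."""
        self.detections[user] = self.detections.get(user, 0) + 1
        chosen = None
        for threshold, action in ESCALATION:
            if self.detections[user] >= threshold:
                chosen = action
        if chosen is not None and chosen.duration_s is not None:
            # Period responses are remembered until they expire; instantaneous
            # ones (duration None) only affect the current request.
            self.in_effect[(user, chosen.asr_id)] = now + chosen.duration_s
        return chosen

    def is_in_effect(self, user: str, asr_id: str, now: float) -> bool:
        """True while a period response is still active for this user."""
        expiry = self.in_effect.get((user, asr_id))
        return expiry is not None and now < expiry

    def active_responses(self, user: str, now: float) -> List[str]:
        """ASR ids currently in effect for `user`, sorted for stable output."""
        return sorted(a for (u, a), exp in self.in_effect.items() if u == user and now < exp)
```

Because every response here targets one user, a second user starts again at the silent end of the scale; a response classified "All users" would instead be keyed without the user name. The expiry check is what makes the "for a period" duration meaningful: a lockout that is never re-evaluated is a permanent response in all but name.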


Silent

ASR-A: Logging Change

  id: ASR-A
  title: Logging Change
  classifications: Logging | One, some or all users | Instantaneous (request) or for a period
  category: Silent
  description: The granularity of logging is changed (typically more logging).
  consideration:
  examples:
    Example 1: Capture sanitised request headers and response bodies
    Example 2: Full stack trace of error messages logged
    Example 3: Record DNS data on user's IP address
    Example 4: Security logging level changed to include 'informational' messages
  code: -
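The following Python is an added example of ASR-A for this page (not AppSensor project code): it raises the security logging level for one detected user for a fixed period (Example 4) and, while raised, captures that user's request headers with credential-bearing values removed (the "sanitised" headers of Example 1). The header list, the period and the names LoggingChange and sanitise_headers are assumptions.

```python
"""ASR-A Logging Change (added example, not AppSensor project code).

Raises security log granularity for a single user for a fixed period and,
while raised, captures request headers with credentials redacted. The
redaction list, the default period and all names are assumptions.
"""
import logging
import time
from typing import Dict, Optional

# Headers whose values must never reach the log (assumed list).
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization", "x-api-key"})


def sanitise_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with credential-bearing values replaced."""
    return {name: ("[REDACTED]" if name.lower() in SENSITIVE_HEADERS else value)
            for name, value in headers.items()}


class LoggingChange:
    """Silent response, one user, for a period; other users are unaffected."""

    def __init__(self, period_s: float = 600.0):
        self.period_s = period_s
        self._raised_until: Dict[str, float] = {}   # user -> expiry timestamp
        self.log = logging.getLogger("appsensor.security")

    def apply(self, user: str, now: Optional[float] = None) -> None:
        """Raise the logging level for `user` until now + period."""
        now = time.time() if now is None else now
        self._raised_until[user] = now + self.period_s

    def level_for(self, user: str, now: Optional[float] = None) -> int:
        """Effective security log level for this user right now."""
        now = time.time() if now is None else now
        until = self._raised_until.get(user)
        if until is not None and now < until:
            return logging.INFO      # include 'informational' messages
        return logging.WARNING       # normal security logging level

    def log_request(self, user: str, headers: Dict[str, str],
                    now: Optional[float] = None) -> Optional[dict]:
        """Log a sanitised capture of the request if the user's level allows it.

        Returns the captured record, or None when nothing was captured.
        """
        if self.level_for(user, now) > logging.INFO:
            return None
        record = {"user": user, "headers": sanitise_headers(headers)}
        self.log.info("request capture %s", record)
        return record
```

Sanitising before logging is what keeps a detection response from becoming a new problem: the raised verbosity is applied per user and expires on its own, and session cookies and bearer tokens are redacted so the security log does not itself become a credential store.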

ASR-B: Administrator Notification

  id: ASR-B
  title: Administrator Notification
  classifications: Logging and notifying | One, some or all users | Instantaneous
  category: Silent
  description: A notification message is sent to the application administrator(s).
  consideration:
  examples:
    Example 1: Email alert sent to everyone in the administration team
    Example 2: SMS alert sent to the on-call administrator
    Example 3: Visual indicator displayed on an application monitoring dashboard
    Example 4: Audible alarm in the control room
  code: -

ASR-C: Other Notification

  id: ASR-C
  title: Other Notification
  classifications: Logging and notifying | One user | Instantaneous
  category: Silent
  description:
  consideration:
  examples:
    Example 1:
    Example 2:
    Example 3:
    Example 4:
  code: -

ASR-D: User Status Change

  id: ASR-D
  title: User Status Change
  classifications: Logging | One user | For a period
  category: Passive
  description:
  consideration:
  examples:
    Example 1:
    Example 2:
    Example 3:
    Example 4:
  code: -

ASR-E: User Notification

  id: ASR-E
  title: User Notification
  classifications: Logging, notifying and disrupting | One user | Instantaneous
  category: Passive
  description:
  consideration:
  examples:
    Example 1:
    Example 2:
    Example 3:
    Example 4:
  code: -

ASR-F: Timing Change

  id: ASR-F
  title: Timing Change
  classifications: Logging and disrupting | One, some or all users | Instantaneous (request) or for a period
  category: Passive
  description:
  consideration:
  examples:
    Example 1:
    Example 2:
    Example 3:
    Example 4:
  code: -

ASR-G: Process Terminated

  id: ASR-G
  title: Process Terminated
  classifications: Logging, notifying (sometimes) and disrupting | One user | Instantaneous
  category: Active
  description:
  consideration:
  examples:
    Example 1:
    Example 2:
    Example 3:
    Example 4:
  code: -

ASR-H: Function Amended

  id: ASR-H
  title: Function Amended
  classifications: Logging, notifying (sometimes), disrupting and blocking | One, some or all users | For a period or permanent
  category: Active
  description:
  consideration:
  examples:
    Example 1:
    Example 2:
    Example 3:
    Example 4:
  code: -


ASR-I: Function Disabled

  id: ASR-I
  title: Function Disabled
  classifications: Logging, notifying (sometimes), disrupting and blocking | One, some or all users | For a period or permanent
  category: Active
  description:
  consideration:
  examples:
    Example 1:
    Example 2:
    Example 3:
    Example 4:
  code: -

ASR-J: Account Logout

  id: ASR-J
  title: Account Logout
  classifications: Logging, notifying (sometimes), disrupting and blocking | One user | Instantaneous
  category: Active
  description:
  consideration:
  examples:
    Example 1:
    Example 2:
    Example 3:
    Example 4:
  code: -

ASR-K: Account Lockout

  id: ASR-K
  title: Account Lockout
  classifications: Logging, notifying (sometimes), disrupting and blocking | One user | For a period or permanent
  category: Active
  description:
  consideration:
  examples:
    Example 1:
    Example 2:
    Example 3:
    Example 4:
  code: -

ASR-L: Application Disabled

  id: ASR-L
  title: Application Disabled
  classifications: Logging, notifying (sometimes), disrupting and blocking | All users | Permanent
  category: Active
  description:
  consideration:
  examples:
    Example 1:
    Example 2:
    Example 3:
    Example 4:
  code: -

ASR-M: Collect Data from User

  id: ASR-M
  title: Collect Data from User
  classifications: Logging | One user | For a period
  category: Intrusive
  description:
  consideration:
  examples:
    Example 1:
    Example 2:
    Example 3:
    Example 4:
  code: -

Passive

Active