For creating client specific detection points

analysis-engines/appsensor-analysis-reference/src/main/java/org/owasp/appsensor/analysis/ReferenceEventAnalysisEngine.java

@@ -1,7 +1,7 @@
 package org.owasp.appsensor.analysis;
 
 import java.util.Collection;
-
+import java.util.ArrayList;
 import javax.inject.Inject;
 import javax.inject.Named;
 
@@ -52,57 +52,76 @@ public class ReferenceEventAnalysisEngine extends EventAnalysisEngine {
 	@Override
 	public void analyze(Event event) {
 
-		SearchCriteria criteria = new SearchCriteria().
-				setUser(event.getUser()).
-				setDetectionPoint(event.getDetectionPoint()).
-				setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(event.getDetectionSystem()));
-
-		// find all events matching this event for this user 
-		Collection<Event> existingEvents = appSensorServer.getEventStore().findEvents(criteria);
-
-		Collection<DetectionPoint> configuredDetectionPoints = appSensorServer.getConfiguration().findDetectionPoints(event.getDetectionPoint());
-
-		if (configuredDetectionPoints.size() > 0) {
-
-			for(DetectionPoint configuredDetectionPoint : configuredDetectionPoints) {
-
-				// filter and count events that match this detection point (filtering by threshold) 
-				// and that are after the most recent attack (filter by timestamp)
-				int eventCount = countEvents(existingEvents, event, configuredDetectionPoint);
-
-				// if the event count is 0, reset to 1 -> we know at least 1 event has occurred (the one we're considering)
-				// this can occur sometimes when testing with dates out of the given range or due to clock drift
-				if (eventCount == 0) {
-					eventCount = 1;
-				}
-
-				// examples for the below code
-				// 1. count is 5, t.count is 10 (5%10 = 5, No Violation)
-				// 2. count is 45, t.count is 10 (45%10 = 5, No Violation) 
-				// 3. count is 10, t.count is 10 (10%10 = 0, Violation Observed)
-				// 4. count is 30, t.count is 10 (30%10 = 0, Violation Observed)
 
-				int thresholdCount = configuredDetectionPoint.getThreshold().getCount();
+		Collection<DetectionPoint> configuredDetectionPoints = null;
 
-				if (eventCount % thresholdCount == 0) {
-					logger.info("Violation Observed for user <" + event.getUser().getUsername() + "> - storing attack");
+		//check if the client has custom detection points
+		if(appSensorServer.getConfiguration().findCustomDectectionClientName(event.getDetectionSystem().getDetectionSystemId())){
+			configuredDetectionPoints = appSensorServer.getConfiguration().findDetectionPoints(event.getDetectionPoint(),event.getDetectionSystem().getDetectionSystemId());
+			if (configuredDetectionPoints.size() > 0) {
+				addDetectedEvents(configuredDetectionPoints,event);
+			}else{
+				logger.error("Could not find detection point configured for this type: " + event.getDetectionPoint().getLabel());
+			}
+		}else{
+			configuredDetectionPoints = appSensorServer.getConfiguration().findDetectionPoints(event.getDetectionPoint());
+			System.out.println("here in false");
+			if(configuredDetectionPoints.size() > 0){
+				addDetectedEvents(configuredDetectionPoints,event);
+			}else{
+				logger.error("Could not find detection point configured for this type: " + event.getDetectionPoint().getLabel());
+			}
+		}
+	}
+
+	private void addDetectedEvents(Collection<DetectionPoint> detectionPoints,Event event){
+
+	SearchCriteria criteria = new SearchCriteria().
+					setUser(event.getUser()).
+					setDetectionPoint(event.getDetectionPoint()).
+					setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(event.getDetectionSystem()));
+
+				// find all events matching this event for this user 
+				Collection<Event> existingEvents = appSensorServer.getEventStore().findEvents(criteria);
+
+		ArrayList<DetectionPoint> points = (ArrayList)detectionPoints;
+		for(DetectionPoint configuredDetectionPoint : points) {
+
+					// filter and count events that match this detection point (filtering by threshold) 
+					// and that are after the most recent attack (filter by timestamp)
+					int eventCount = countEvents(existingEvents, event, configuredDetectionPoint);
 
-					//have determined this event triggers attack
-					//ensure appropriate detection point is being used (associated responses, etc.)
-					Attack attack = new Attack(
-							event.getUser(),
-							configuredDetectionPoint,
-							event.getTimestamp(),
-							event.getDetectionSystem(),
-							event.getResource()
-							);
+					// if the event count is 0, reset to 1 -> we know at least 1 event has occurred (the one we're considering)
+					// this can occur sometimes when testing with dates out of the given range or due to clock drift
+					if (eventCount == 0) {
+						eventCount = 1;
+					}
 
-					appSensorServer.getAttackStore().addAttack(attack);
+					// examples for the below code
+					// 1. count is 5, t.count is 10 (5%10 = 5, No Violation)
+					// 2. count is 45, t.count is 10 (45%10 = 5, No Violation) 
+					// 3. count is 10, t.count is 10 (10%10 = 0, Violation Observed)
+					// 4. count is 30, t.count is 10 (30%10 = 0, Violation Observed)
+
+					int thresholdCount = configuredDetectionPoint.getThreshold().getCount();
+
+					if (eventCount % thresholdCount == 0) {
+						logger.info("Violation Observed for user <" + event.getUser().getUsername() + "> - storing attack");
+
+						//have determined this event triggers attack
+						//ensure appropriate detection point is being used (associated responses, etc.)
+						Attack attack = new Attack(
+								event.getUser(),
+								configuredDetectionPoint,
+								event.getTimestamp(),
+								event.getDetectionSystem(),
+								event.getResource()
+								);
+
+						appSensorServer.getAttackStore().addAttack(attack);
+					}
 				}
-			}
-		} else {
-			logger.error("Could not find detection point configured for this type: " + event.getDetectionPoint().getLabel());
-		}
+
 	}
 
 	/**

appsensor-core/src/main/java/org/owasp/appsensor/core/configuration/server/ServerConfiguration.java

@@ -1,12 +1,14 @@
 package org.owasp.appsensor.core.configuration.server;
 
 import java.io.File;
+import java.util.List;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
+import java.util.Map.Entry;
 
 import javax.persistence.Transient;
 
@@ -48,8 +50,21 @@ public abstract class ServerConfiguration {
 
 	private String geolocationDatabasePath;
 
+	//Change for adding new custom client specific detection points
+	private HashMap<String,List<DetectionPoint>> customDetectionPoints = new HashMap<String, List<DetectionPoint>>();
+
 	private static transient Map<String, ClientApplication> clientApplicationCache = Collections.synchronizedMap(new HashMap<String, ClientApplication>());
 
+
+	public HashMap<String,List<DetectionPoint>> getCustomDetectionPoints() {
+		return customDetectionPoints;
+	}
+
+	public ServerConfiguration setCustomDetectionPoints(HashMap<String,List<DetectionPoint>> customPoints) {
+		this.customDetectionPoints = customPoints;
+		return this;
+	}
+
 	public File getConfigurationFile() {
 		return configurationFile;
 	}
@@ -179,7 +194,7 @@ public Collection<String> getRelatedDetectionSystems(DetectionSystem detectionSy
 	 * @return DetectionPoint populated with configuration information from server-side config
 	 */
 	public Collection<DetectionPoint> findDetectionPoints(DetectionPoint search) {
-		Collection<DetectionPoint> matches = new ArrayList<>();
+		Collection<DetectionPoint> matches = new ArrayList<DetectionPoint>();
 
 		for (DetectionPoint configuredDetectionPoint : getDetectionPoints()) {
 			if (configuredDetectionPoint.typeMatches(search)) {
@@ -190,6 +205,47 @@ public Collection<DetectionPoint> findDetectionPoints(DetectionPoint search) {
 		return matches;
 	}
 
+	/**
+	 * Locate matching client name in custom configuration from server-side config file. 
+	 * 
+	 * @param clientApplicationName the client name for which the detection point exists
+	 */
+	public Boolean findCustomDectectionClientName(String clientName){
+	if(getCustomDetectionPoints().size() != 0){
+			return getCustomDetectionPoints().containsKey(clientName);
+		}
+		return false;
+
+	}
+
+	/**
+	 * Locate matching detection points configuration from server-side config file. 
+	 * 
+	 * @param search detection point that has been added to the system
+	 * @param clientApplicationName the client name for which the detection point exists
+	 * @return DetectionPoint populated with configuration information from server-side config
+	 */
+
+	public Collection<DetectionPoint> findDetectionPoints(DetectionPoint search, String clientApplicationName) {
+			Collection<DetectionPoint> matches = new ArrayList<DetectionPoint>();
+
+			for (Entry customDetectionPoint : getCustomDetectionPoints().entrySet()) {
+			String clientName = customDetectionPoint.getKey().toString();			
+			if(clientApplicationName.equals(clientName)){
+			   List<DetectionPoint> customList = (List<DetectionPoint>)customDetectionPoint.getValue();
+			   for(DetectionPoint customPoint: customList)
+			   {
+					if (customPoint.typeMatches(search)) {
+						matches.add(customPoint);
+					}
+				}
+			}
+
+
+		}
+		return matches;
+	}
+
 	public ClientApplication findClientApplication(String clientApplicationName) {
 		ClientApplication clientApplication = null;
 

appsensor-core/src/main/resources/appsensor_server_config_2.0.xsd

@@ -47,11 +47,38 @@
 		</xsd:sequence>
 	</xsd:complexType>
 
+
+
+
+
+
+
 	<xsd:complexType name="detection-points">
 		<xsd:sequence>
+		<xsd:element name="clients" type="asconfig:clients" minOccurs="0" maxOccurs="1" />
 			<xsd:element name="detection-point" type="asconfig:detection-point" minOccurs="0" maxOccurs="unbounded" />
 		</xsd:sequence>
 	</xsd:complexType>
+
+	<xsd:complexType name="clients">
+		<xsd:sequence>
+		<xsd:element name="client" type="asconfig:client" minOccurs="1" maxOccurs="unbounded" />
+		</xsd:sequence>
+	</xsd:complexType>
+
+	<xsd:complexType name="client">
+		<xsd:sequence>
+		<xsd:element name="client-name" type="xsd:string" minOccurs="1" maxOccurs="unbounded" />
+			<xsd:element name="custom-detection-point" type="asconfig:custom-detection-point" minOccurs="1" maxOccurs="unbounded" />
+		</xsd:sequence>
+	</xsd:complexType>
+
+	<xsd:complexType name="custom-detection-point">
+		<xsd:sequence>
+		<xsd:element name="detection-point" type="asconfig:detection-point" minOccurs="1" maxOccurs="unbounded" />
+		</xsd:sequence>
+	</xsd:complexType>
+
 
 	<xsd:complexType name="interval">
 		<xsd:simpleContent>

configuration-modes/appsensor-configuration-stax/src/main/java/org/owasp/appsensor/configuration/stax/server/StaxServerConfigurationReader.java

@@ -11,6 +11,7 @@
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.List;
 
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLResolver;
@@ -173,6 +174,8 @@ private ServerConfiguration readServerConfiguration(XMLStreamReader xmlReader) t
 						configuration.getCorrelationSets().addAll(readCorrelationSets(xmlReader));
 					} else if("config:detection-point".equals(name)) {
 						configuration.getDetectionPoints().add(readDetectionPoint(xmlReader));
+					} else if("config:clients".equals(name)) {
+						configuration.getCustomDetectionPoints().putAll(readCustomDetectionPoints(xmlReader));
 					} else {
 						/** unexpected start element **/
 					}
@@ -316,6 +319,51 @@ private DetectionPoint readDetectionPoint(XMLStreamReader xmlReader) throws XMLS
 		return detectionPoint;
 	}
 
+	private HashMap<String,List<DetectionPoint>> readCustomDetectionPoints(XMLStreamReader xmlReader) throws XMLStreamException {
+		DetectionPoint detectionPoint = new DetectionPoint();
+		HashMap<String,List<DetectionPoint>> customPoints = new HashMap<String,List<DetectionPoint>>();
+		String clientName = "";
+		boolean finished = false;
+
+		while(!finished && xmlReader.hasNext()) {
+			int event = xmlReader.next();
+			String name = XmlUtils.getElementQualifiedName(xmlReader, namespaces);
+			List<DetectionPoint> customList = new ArrayList<DetectionPoint>();
+
+
+			switch(event) {
+				case XMLStreamConstants.START_ELEMENT:
+				if("config:client-name".equals(name)) {
+						clientName = xmlReader.getElementText().trim();
+					}else if("config:detection-point".equals(name)) {
+						customList.add(readDetectionPoint(xmlReader));
+
+					}else {
+						/** unexpected start element **/
+					}
+					break;
+				case XMLStreamConstants.END_ELEMENT:
+					if("config:clients".equals(name)) {
+						finished = true;
+					}else if("config:client".equals(name)) {	
+						customPoints.put(clientName,customList);
+						customList = new ArrayList<DetectionPoint>();
+					}else {
+
+						/** unexpected end element **/
+					}
+					break;
+				default:
+					/** unused xml element - nothing to do **/
+					break;
+			}
+
+			//clientName = "";
+		}
+
+		return customPoints;
+	}
+
 	private Threshold readThreshold(XMLStreamReader xmlReader) throws XMLStreamException {
 		Threshold threshold = new Threshold();
 		boolean finished = false;

configuration-modes/appsensor-configuration-stax/src/test/java/org/owasp/appsensor/configuration/stax/server/StaxServerConfigurationReaderTest.java

@@ -22,6 +22,9 @@ public void testConfigLoad() throws Exception {
 		assertEquals(3, configuration.getCorrelationSets().size());
 		assertEquals("server1", configuration.getCorrelationSets().iterator().next().getClientApplications().iterator().next());
 
+		assertEquals(1, configuration.getCustomDetectionPoints().size());
+		//assertEquals("server1", configuration.getCorrelationSets().iterator().next().getClientApplications().iterator().next());
+
 		assertEquals(5, configuration.getDetectionPoints().size());
 		assertEquals("IE1", configuration.getDetectionPoints().iterator().next().getLabel());
 		assertEquals(4, configuration.getDetectionPoints().iterator().next().getThreshold().getInterval().getDuration());