Hi Sachith,

On Thu, Feb 18, 2016 at 12:17 PM, Sachith Withana <[email protected]> wrote:

> Hi all,
>
> I'm working on Request source IP change alerting for APIM analytics - If
> the source IP is different from the usual IP range of an access token
> bearer, we should send an alert out. This possibly means that the access
> token is in the hands of someone else.
>
> There will be a couple of triggers that would generate the alerts for
> unusual request IP changes (where the IP would lie outside the user's
> 'usual' IP range)
>
> 1. Time difference between the last access time and the current access
>    time
>    This means if a certain IP has not been used for an x amount of time
>    (x is configurable) and gets a request from that IP, an alert would
>    be generated (much like Gmail requesting you to log in when you
>    access it from a different continent)
>
> 2. The request count for the IP is low
>    (ex: a couple of accesses for a whole month) and gets a request from
>    that IP
>    an alert would be generated (again the count is configurable)
>

Both of the above criteria are more like abnormal request patterns. Not unusual IP changes AFAIU. Isn't it? Shall we have some rules such as IP changes between different regions within a short time period?

Thanks
Tishan

> This would be implemented maintaining an event table for each consumerID
> with IPs accessed along with the count for that specific consumerID,IP pair
> and the last accessed time for that pair and comparing the incoming
> requests against it.
>
> WDYT?
>
> Thanks,
> Sachith
> --
> Sachith Withana
> Software Engineer; WSO2 Inc.; http://wso2.com
> E-mail: sachith AT wso2.com
> M: +94715518127
> Linked-In: <http://goog_416592669>
> https://lk.linkedin.com/in/sachithwithana
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
Tishan Dahanayakage
Software Engineer
WSO2, Inc.
Mobile: +94 716481328
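The event table and the two triggers proposed in the thread, as an added Python example that is not code from the thread or from WSO2. The class and reason names, the default thresholds, and the rule that a consumer stays silent until one IP has reached the count threshold are assumptions; the region-based rule suggested in the reply is not covered because it needs geo-IP data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class PairStats:
    count: int
    last_seen: datetime

class SourceIpMonitor:
    """Event table keyed by (consumerID, IP) holding count and last access time."""

    def __init__(self, max_idle=timedelta(days=30), min_count=3):
        self.max_idle = max_idle    # trigger 1: the configurable "x amount of time"
        self.min_count = min_count  # trigger 2: the configurable request count
        self.table = {}             # (consumer_id, ip) -> PairStats
        self.baselined = set()      # consumers with at least one "usual" IP (assumption)

    def observe(self, consumer_id, ip, ts):
        """Check one request against the table, then record it. Returns alert reasons."""
        stats = self.table.get((consumer_id, ip))
        reasons = []
        # Assumption: stay silent until the consumer has one IP at min_count,
        # otherwise every new token would alert on its first requests.
        if consumer_id in self.baselined:
            if stats is not None and ts - stats.last_seen > self.max_idle:
                reasons.append("idle_ip")
            if (stats.count if stats else 0) < self.min_count:
                reasons.append("low_request_count")  # a never-seen IP counts as 0
        if stats is None:
            stats = self.table[(consumer_id, ip)] = PairStats(0, ts)
        stats.count += 1
        stats.last_seen = ts
        if stats.count >= self.min_count:
            self.baselined.add(consumer_id)
        return reasons

def run_demo():
    """Replay constructed requests (documentation-range IPs) for one consumer."""
    t0 = datetime(2016, 2, 1, 9, 0)
    events = [  # (hours after t0, source IP) -- constructed sample data
        (0, "203.0.113.10"), (1, "203.0.113.10"), (2, "203.0.113.10"),
        (3, "203.0.113.10"),          # usual IP, recently used
        (4, "198.51.100.7"),          # never seen for this consumer
        (5, "198.51.100.7"),          # seen once, still below min_count
        (24 * 40, "203.0.113.10"),    # usual IP, but idle for about 40 days
    ]
    monitor = SourceIpMonitor()
    return [monitor.observe("consumer-1", ip, t0 + timedelta(hours=h)) for h, ip in events]

if __name__ == "__main__":
    for reasons in run_demo():
        print(reasons or "ok")
```

Because both triggers are evaluated per (consumerID, IP) pair, the usual IP itself raises `idle_ip` after a long gap, which is the behaviour the reply in the thread questions.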
