Hi Sachith,

I think what we can do is something like below; I'd say we keep it simple for the first version.

- We do not send any alerts for the very first IP, but if there's any change of the IP, we would send an alert.
- We would keep the whitelisted IP list in a DB table and all the new IPs will get added there.

Things to be decided:
- We might need a batch job to track the IPs which are not used for Y days and remove them from the whitelisted IP list.

Wdyt?

On Thu, Feb 18, 2016 at 2:08 PM, Tishan Dahanayakage <[email protected]> wrote:

> On Thu, Feb 18, 2016 at 1:11 PM, Sachith Withana <[email protected]> wrote:
>
>> Hi Tishan,
>>
>> Couple of questions,
>> 1. How would you "define" the regions?
>>
> OK. Then let's say different countries.
>
>> 2. Wouldn't a user use an app across regions? (basically requests coming
>> from different regions)
>>
> User will use across regions/countries. But not within, per se, 1 hour.
> Also at the end of the day this is an alert. Not a command to block the
> user.
>
> What I wanted to convey is, when we state "Unusual Request IP Detection"
> the rules should be about unusual IP patterns, not unusual access counts or
> time.
>
> Thanks
> Tishan
>
>> Thanks,
>> Sachith
>>
>> On Thu, Feb 18, 2016 at 12:55 PM, Tishan Dahanayakage <[email protected]> wrote:
>>
>>> Hi Sachith,
>>>
>>> On Thu, Feb 18, 2016 at 12:17 PM, Sachith Withana <[email protected]> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I'm working on Request source IP change alerting for APIM analytics -
>>>> if the source IP is different from the usual IP range of an access token
>>>> bearer, we should send an alert out. This possibly means that the access
>>>> token is in the hands of someone else.
>>>>
>>>> There will be a couple of triggers that would generate the alerts for
>>>> unusual request IP changes (where the IP would lie outside the user's
>>>> 'usual' IP range):
>>>>
>>>> 1. Time difference between the last access time and the current
>>>> access time. This means if a certain IP has not been used for x amount
>>>> of time (x is configurable) and gets a request from that IP, an alert
>>>> would be generated (much like Gmail requesting you to login when you
>>>> access it from a different continent).
>>>>
>>>> 2. The request count for the IP is low (ex: a couple of accesses for a
>>>> whole month) and gets a request from that IP, an alert would be
>>>> generated (again the count is configurable).
>>>>
>>> Both of the above criteria are more like abnormal request patterns. Not
>>> unusual IP changes AFAIU. Isn't it? Shall we have some rules such as IP
>>> changes between different regions within a short time period?
>>>
>>> Thanks
>>> Tishan
>>>
>>>> This would be implemented maintaining an event table for each
>>>> consumerID with IPs accessed along with the count for that specific
>>>> consumerID,IP pair and the last accessed time for that pair and comparing
>>>> the incoming requests against it.
>>>>
>>>> WDYT?
>>>>
>>>> Thanks,
>>>> Sachith
>>>> --
>>>> Sachith Withana
>>>> Software Engineer; WSO2 Inc.; http://wso2.com
>>>> E-mail: sachith AT wso2.com
>>>> M: +94715518127
>>>> Linked-In: https://lk.linkedin.com/in/sachithwithana
>>>>
>>>> _______________________________________________
>>>> Architecture mailing list
>>>> [email protected]
>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>> --
>>> Tishan Dahanayakage
>>> Software Engineer
>>> WSO2, Inc.
>>> Mobile: +94 716481328
>

--
Thanks & regards,
Nirmal

Team Lead - WSO2 Machine Learner
Associate Technical Lead - Data Technologies Team, WSO2 Inc.
Mobile: +94715779733
Blog: http://nirmalfdo.blogspot.com/
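As an added illustration of the design discussed in this thread (example code written for this page, not code from WSO2 APIM analytics or from any of the participants), the sketch below keeps Sachith's per-consumerID event table of (IP, count, last accessed time), raises his two configurable triggers (idle IP, low request count), applies Nirmal's rules (no alert for the very first IP, alert on any new IP, new IPs added to the whitelist) and includes the proposed "Y days" batch clean-up. The thresholds and the in-memory dict standing in for the DB table are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class IpRecord:
    count: int            # requests seen from this (consumerID, IP) pair
    last_seen: datetime   # last accessed time for the pair


@dataclass
class SourceIpAlertTracker:
    """In-memory stand-in for the per-consumerID event table / whitelist DB table.
    All three thresholds are assumed values, not settings from the thread."""
    idle_limit: timedelta = timedelta(days=30)  # trigger 1: IP unused for "x"
    low_count: int = 3                          # trigger 2: IP seen fewer than this many times
    expiry: timedelta = timedelta(days=90)      # batch job: drop IPs unused for "Y days"
    table: dict = field(default_factory=dict)   # consumerID -> {ip: IpRecord}

    def on_request(self, consumer_id: str, ip: str, now: datetime) -> list:
        """Returns the alert reasons for this request ([] = no alert) and updates the table."""
        ips = self.table.setdefault(consumer_id, {})
        reasons = []
        rec = ips.get(ip)
        if rec is None:
            # The very first IP of a consumer is whitelisted silently; any later,
            # unseen IP raises an alert and is then added to the whitelist.
            if ips:
                reasons.append("new_ip")
            ips[ip] = IpRecord(count=1, last_seen=now)
            return reasons
        if now - rec.last_seen > self.idle_limit:
            reasons.append("idle_ip")       # known IP, but not used for longer than x
        if rec.count < self.low_count:
            reasons.append("low_count_ip")  # known IP with only a handful of accesses
        rec.count += 1
        rec.last_seen = now
        return reasons

    def expire_idle(self, now: datetime) -> list:
        """Batch job: remove whitelisted IPs not used for `expiry`; returns the removed pairs."""
        removed = []
        for consumer_id, ips in self.table.items():
            stale = [ip for ip, r in ips.items() if now - r.last_seen > self.expiry]
            for ip in stale:
                del ips[ip]
                removed.append((consumer_id, ip))
        return removed
```

Because the tracker only alerts and never blocks, a noisy `low_count` setting costs false positives rather than lost traffic, which matches Tishan's point that this is an alert, not a command to block the user.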
