Merge pull request jtmelton#76 from dscrobonia/bug-earliest-attack

Fixed bug to find proper earliest time for collecting events
ibrito · Apr 25, 2017 · 8ada927 · 8ada927
2 parents 888d9e2 + a6762ae
commit 8ada927
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/...alysis-rules/src/main/java/org/owasp/appsensor/analysis/AggregateEventAnalysisEngine.java b/...alysis-rules/src/main/java/org/owasp/appsensor/analysis/AggregateEventAnalysisEngine.java
@@ -274,9 +274,13 @@ public void generateAttack(Event triggerEvent, Rule rule) {
 	protected ArrayList<Event> getApplicableEvents(Event triggerEvent, Rule rule) {
 		ArrayList<Event> events = new ArrayList<Event>();
 
+		DateTime ruleStartTime = DateUtils.fromString(triggerEvent.getTimestamp()).minus(rule.getWindow().toMillis());
+		DateTime lastAttackTime = findMostRecentAttackTime(triggerEvent, rule);
+		DateTime earliest = ruleStartTime.isAfter(lastAttackTime) ? ruleStartTime : lastAttackTime;
+
 		SearchCriteria criteria = new SearchCriteria().
 				setUser(triggerEvent.getUser()).
-				setEarliest(findMostRecentAttackTime(triggerEvent, rule).plus(1).toString()).
+				setEarliest(earliest.plus(1).toString()).
 				setRule(rule).
 				setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(triggerEvent.getDetectionSystem()));
 

diff --git a/.../java/org/owasp/appsensor/local/analysis/AggregateEventAnalysisEngineIntegrationTest.java b/.../java/org/owasp/appsensor/local/analysis/AggregateEventAnalysisEngineIntegrationTest.java
@@ -510,6 +510,40 @@ public void test7_DP1andDP4orDP1andDP3thenDP1() throws Exception {
 		assertEquals(2, appSensorServer.getAttackStore().findAttacks(ruleCriteria).size());
 	}
 
+	// test the earliest attack bug
+		@Test
+		public void test8_DP1() throws Exception {
+			DateTime time = DateUtils.epoch().plusHours(100);
+			SearchCriteria ruleCriteria = new SearchCriteria().
+				setUser(bob).
+				setRule(rules.get(0)).
+				setDetectionSystemIds(detectionSystems1);
+
+			setRule(appSensorServer, rules.get(0));
+
+			addEvent(detectionPoint1, time);
+			addEvent(detectionPoint1, time.plusMinutes(1));
+			addEvent(detectionPoint1, time.plusMinutes(2));
+
+			assertEquals(1, appSensorServer.getAttackStore().findAttacks(ruleCriteria).size());
+
+			addEvent(detectionPoint1, time.plusMinutes(3));
+			addEvent(detectionPoint1, time.plusMinutes(4));
+
+			assertEquals(1, appSensorServer.getAttackStore().findAttacks(ruleCriteria).size());
+
+			time = time.plusHours(1);
+
+			addEvent(detectionPoint1, time);
+
+			assertEquals(1, appSensorServer.getAttackStore().findAttacks(ruleCriteria).size());
+
+			addEvent(detectionPoint1, time.plusMinutes(1));
+			addEvent(detectionPoint1, time.plusMinutes(2));
+
+			assertEquals(2, appSensorServer.getAttackStore().findAttacks(ruleCriteria).size());
+		}
+
 	// this method doesn't actually wait, it just adds events with a predetermined time
 	// does not check anything
 	private void addEvent(DetectionPoint detectionPoint, DateTime time) {