Real-time Detected attacks for inline ASE
API Security Enforcer supports real-time attack detection and blocking for:
- API Pattern Enforcement – validates traffic to ensure it is consistent with the API definition
- API Deception – blocks hackers probing a Decoy API
Enable ASE detected attacks
Enable real-time ASE detected attacks by running the following command on the ASE command line:
/opt/pingidentity/ase/bin/cli.sh -u admin -p admin enable_ase_detected_attack
ASE Detected Attack is now enabled
Disable ASE detected attacks
Disable real-time ASE detected attacks by running the following command on the ASE command line:
/opt/pingidentity/ase/bin/cli.sh -u admin -p admin disable_ase_detected_attack
ASE Detected Attack is now disabled
When you disable ASE detected attacks, the attacks are deleted from the blacklist.
In real time, ASE blocks hackers that violate pattern enforcement or probe decoy APIs. Hacker information is reported to ABS, which generates ASE detected attack reports (type ID 101). Use the following ABS REST API to view the report:
Real-time ASE detected attack based on OAuth2 token activity
{
  "company": "ping identity",
  "attack_type": "Invalid API Activity",
  "name": "api_attack_type",
  "description": "Clients using invalid method/protocol/content-type",
  "earlier_date": "Thu Jan 25 18:00:00:000 2018",
  "later_date": "Fri Dec 28 18:00:00:000 2018",
  "api_name": "atm_app_oauth",
  "ips": [],
  "cookies": [],
  "access_tokens": [
    {
      "access_token": "token_protocol",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:04:770 2018",
          "attack_code": "protocol"
        },
        {
          "access_time": "Fri Jan 26 21:16:17:851 2018",
          "attack_code": "protocol"
        }
      ]
    },
    {
      "access_token": "token_method",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:04:819 2018",
          "attack_code": "method"
        },
        {
          "access_time": "Fri Jan 26 21:16:17:903 2018",
          "attack_code": "method"
        }
      ]
    },
    {
      "access_token": "token_contenttype",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:04:819 2018",
          "attack_code": "content_type"
        },
        {
          "access_time": "Fri Jan 26 21:16:17:903 2018",
          "attack_code": "content_type"
        }
      ]
    }
  ]
}
Real-time ASE detected attack based on pattern enforcement violation
{
  "company": "ping identity",
  "attack_type": "Invalid API Activity",
  "cookie": "JSESSIONID",
  "name": "api_attack_type",
  "description": "Clients using invalid method/protocol/content-type",
  "earlier_date": "Thu Jan 25 18:00:00:000 2018",
  "later_date": "Fri Dec 28 18:00:00:000 2018",
  "api_name": "atm_app_public",
  "ips": [],
  "cookies": [
    {
      "cookie": "session_contenttype1",
      "details": [
        {
          "access_time": "Fri Jan 26 21:17:10:662 2018",
          "attack_code": "content_type"
        }
      ]
    },
    {
      "cookie": "session_method",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:06:656 2018",
          "attack_code": "method"
        },
        {
          "access_time": "Fri Jan 26 21:17:10:662 2018",
          "attack_code": "method"
        }
      ]
    },
    {
      "cookie": "session_contenttype",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:06:656 2018",
          "attack_code": "content_type"
        },
        {
          "access_time": "Fri Jan 26 21:17:10:662 2018",
          "attack_code": "content_type"
        }
      ]
    },
    {
      "cookie": "session_protocol",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:04:873 2018",
          "attack_code": "protocol"
        },
        {
          "access_time": "Fri Jan 26 21:16:47:314 2018",
          "attack_code": "protocol"
        }
      ]
    },
    {
      "cookie": "session_method1",
      "details": [
        {
          "access_time": "Fri Jan 26 21:17:10:662 2018",
          "attack_code": "method"
        }
      ]
    },
    {
      "cookie": "session_protocol1",
      "details": [
        {
          "access_time": "Fri Jan 26 21:16:47:314 2018",
          "attack_code": "protocol"
        }
      ]
    }
  ],
  "access_tokens": []
}
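For triage, the type 101 reports above can be flattened into one row per blocked identifier. The following is an added example, not code from the ASE or ABS products; the function name summarize_report, the constructed sample, and the "ip" field name for entries in the "ips" list are assumptions.

```python
import json
from collections import Counter
from datetime import datetime

# Timestamp layout used in the report samples: "Fri Jan 26 20:58:04:770 2018"
TS_FORMAT = "%a %b %d %H:%M:%S:%f %Y"

# Report list -> identifier field inside each entry. The "ip" field name is an
# assumption: both samples on the page show an empty "ips" list.
ID_FIELDS = {"access_tokens": "access_token", "cookies": "cookie", "ips": "ip"}


def summarize_report(report):
    """One row per blocked client: identifier, per-code counts, first/last seen."""
    rows = []
    for list_key, id_field in ID_FIELDS.items():
        for entry in report.get(list_key, []):
            details = entry.get("details", [])
            if not details:
                continue  # identifier listed without any recorded violation
            times = [datetime.strptime(d["access_time"], TS_FORMAT) for d in details]
            rows.append({
                "api_name": report.get("api_name"),
                "id_type": id_field,
                "id_value": entry.get(id_field),
                "codes": dict(Counter(d["attack_code"] for d in details)),
                "first_seen": min(times),
                "last_seen": max(times),
            })
    # Most recently active identifiers first
    return sorted(rows, key=lambda r: r["last_seen"], reverse=True)


# Constructed sample, trimmed to the shape of the cookie-based report above.
SAMPLE = json.loads("""
{"api_name": "atm_app_public", "ips": [], "access_tokens": [],
 "cookies": [
  {"cookie": "session_method", "details": [
    {"access_time": "Fri Jan 26 20:58:06:656 2018", "attack_code": "method"},
    {"access_time": "Fri Jan 26 21:17:10:662 2018", "attack_code": "method"}]},
  {"cookie": "session_protocol1", "details": [
    {"access_time": "Fri Jan 26 21:16:47:314 2018", "attack_code": "protocol"}]}]}
""")

if __name__ == "__main__":
    for row in summarize_report(SAMPLE):
        print(row["api_name"], row["id_type"], row["id_value"], row["codes"],
              row["first_seen"].isoformat(), row["last_seen"].isoformat())
```

The same function handles the OAuth2 token report, because it walks the access_tokens, cookies and ips lists in turn.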