TECHTALK DEMONSTRATION OF ENSNARE GEM

Ensnare - Ruby on Rails gem to detect break-in attempts in your application




About

Rails engine that allows you to configure and deploy a basic malicious behavior detection and response system. It uses a combination of traps to attract malicious users, and a configurable suite of Trap Responses to confuse, delay, or stop an attacker.


How does it work?

1. Identify whether the request is malicious according to the traps configured (parameter, cookies, etc.). If the request triggers a trap, the violation is logged.

2. Determine the threshold using a combination of IP, session_id and user_id.

3. Responses are chosen only once the user enters a threshold group (based on the violation weights configured).

4. Honey traps are inserted in the response.

5. Depending on which response is selected from the Threshold Group, that response is rendered for the attacker.


Traps supported

Cookies

Parameters

Routing Error

Regular expressions

Custom


Sample trap configuration

[
  { :type => :parameter,
    :options => {
      :parameter_names => { :coupon_code => "84763949", :exp_csrf_token => config.randomizer },
      :predefined_parameters => [:uid, :admin, :debug, :random],
      :violation_weight => 2
    }
  },
  { :type => :routing_error,
    :options => {
      :bad_paths => ["/admin", "/debug", "/robots", "/destroy"],
      :violation_weight => 10
    }
  }
]
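To make the trap semantics concrete, here is an added example (not Ensnare's own code) that evaluates one request against the two traps configured above. It assumes the wiki's model of a parameter trap: a honey parameter from parameter_names fires when it arrives with a value other than the one that was embedded in the form, and any predefined bait parameter fires simply by being present. The config.randomizer value is replaced by a constructed constant, and the request is represented as a path plus a params hash rather than a real Rack request.

```ruby
# Added example, not part of the Ensnare gem: evaluate a request against the
# sample parameter and routing_error traps and collect weighted violations.

# Same shape as the slide's configuration; config.randomizer is replaced by a
# constructed token because there is no Rails config object here (assumption).
TRAPS = [
  { type: :parameter,
    options: {
      parameter_names: { coupon_code: "84763949", exp_csrf_token: "c0ffee-constructed" },
      predefined_parameters: [:uid, :admin, :debug, :random],
      violation_weight: 2
    } },
  { type: :routing_error,
    options: {
      bad_paths: ["/admin", "/debug", "/robots", "/destroy"],
      violation_weight: 10
    } }
].freeze

# path   - request path string, e.g. "/checkout"
# params - request parameters as a string-keyed hash (as Rails hands them over)
# Returns an array of violation hashes: { trap:, detail:, weight: }.
def evaluate_traps(path, params, traps = TRAPS)
  violations = []
  traps.each do |trap|
    opts = trap[:options]
    weight = opts[:violation_weight]
    case trap[:type]
    when :parameter
      # Assumed semantics: a honey parameter only counts when its value was tampered with.
      opts[:parameter_names].each do |name, expected|
        value = params[name.to_s]
        next if value.nil? || value == expected
        violations << { trap: :parameter, detail: "tampered #{name}", weight: weight }
      end
      # Assumed semantics: predefined bait names should never be sent at all.
      opts[:predefined_parameters].each do |name|
        next unless params.key?(name.to_s)
        violations << { trap: :parameter, detail: "bait parameter #{name}", weight: weight }
      end
    when :routing_error
      # Requests for paths that the application never links to.
      if opts[:bad_paths].include?(path)
        violations << { trap: :routing_error, detail: "bad path #{path}", weight: weight }
      end
    end
  end
  violations
end

# The weighted score that feeds the threshold groups on the next slide.
def violation_score(violations)
  violations.sum { |v| v[:weight] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request: untouched coupon, but a bait parameter appended.
  found = evaluate_traps("/checkout", { "coupon_code" => "84763949", "admin" => "1" })
  found.each { |v| puts "violation: #{v[:detail]} (weight #{v[:weight]})" }
  puts "score: #{violation_score(found)}"
end
```

The string-keyed params hash mirrors what a Rails controller sees, so the same function can be called from a before_action with request.path and params.to_unsafe_h; that wiring is left out of the example.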


Threshold group configuration

Any number of threshold groups can be configured, but they have to be ordered by trap_count.

For example:

config.thresholds << {
  :timer => 60, :trap_count => 10,
  :traps => [
    { :trap => "flash_error", :weight => 45, :max_delay => 5, :content => "Stop messing with me! - From threshold2" },
    { :trap => "redirect", :weight => 20, :url => '/404' },
    { :trap => "throttle", :weight => 5, :min_delay => 10, :max_delay => 20 },
    { :trap => "none", :weight => 30 }
  ]
}
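The "How does it work?" steps and this threshold configuration together describe one algorithm: accumulate violation weight per actor (IP, session_id, user_id), find the highest threshold group the actor has reached within its timer window, and draw one of the group's responses by weight. The following added example (not the gem's code) implements that algorithm. It assumes trap_count is compared against the summed violation weight inside the group's timer window, adds a constructed lower threshold group in front of the slide's group so that ordering matters, and takes an optional pre-computed roll so the weighted draw can be checked deterministically.

```ruby
# Added example, not part of the Ensnare gem: threshold-group tracking and
# weighted response selection for the configuration shown on this slide.

THRESHOLDS = [
  # Constructed lower group so the ordering by trap_count is exercised.
  { timer: 60, trap_count: 5,
    traps: [ { trap: "throttle", weight: 50, min_delay: 2, max_delay: 5 },
             { trap: "none", weight: 50 } ] },
  # The group from the slide.
  { timer: 60, trap_count: 10,
    traps: [ { trap: "flash_error", weight: 45, max_delay: 5, content: "Stop messing with me! - From threshold2" },
             { trap: "redirect", weight: 20, url: '/404' },
             { trap: "throttle", weight: 5, min_delay: 10, max_delay: 20 },
             { trap: "none", weight: 30 } ] }
].freeze

class ThresholdTracker
  def initialize(thresholds = THRESHOLDS)
    # Groups must be ordered by trap_count; sort defensively so that
    # the highest reached group is always the last match.
    @thresholds = thresholds.sort_by { |t| t[:trap_count] }
    @max_timer = @thresholds.map { |t| t[:timer] }.max
    @events = Hash.new { |h, k| h[k] = [] } # actor key -> [[timestamp, weight], ...]
  end

  # The actor is identified by the combination of IP, session and user (step 2).
  def actor_key(ip, session_id, user_id)
    [ip, session_id, user_id].map(&:to_s).join("|")
  end

  # Record a logged violation (step 1) at time `now` (seconds, e.g. Time.now.to_i).
  def record(key, weight, now)
    @events[key] << [now, weight]
    # Drop events older than the longest timer; they can never count again.
    @events[key].reject! { |ts, _| now - ts > @max_timer }
    nil
  end

  # Summed violation weight for the actor within the last `seconds`.
  def weight_within(key, now, seconds)
    @events[key].sum { |ts, w| now - ts <= seconds ? w : 0 }
  end

  # Highest threshold group whose trap_count the actor has reached inside its
  # own timer window, or nil when the actor is still below every group (step 3).
  def group_for(key, now)
    @thresholds.select { |t| weight_within(key, now, t[:timer]) >= t[:trap_count] }.last
  end

  # Weighted random draw of one response from the group (step 5).
  # `roll` may be supplied (0...total weight) for deterministic tests.
  def pick_response(group, roll = nil)
    total = group[:traps].sum { |t| t[:weight] }
    roll ||= rand(total)
    group[:traps].each do |t|
      return t if roll < t[:weight]
      roll -= t[:weight]
    end
    group[:traps].last
  end
end

if __FILE__ == $PROGRAM_NAME
  tracker = ThresholdTracker.new
  key = tracker.actor_key("203.0.113.7", "sess-constructed", nil) # constructed actor
  [2, 2, 2, 10].each_with_index { |w, i| tracker.record(key, w, 1000 + i * 10) }
  group = tracker.group_for(key, 1031)
  puts "reached group trap_count=#{group[:trap_count]}, response=#{tracker.pick_response(group)[:trap]}"
end
```

Because responses are only drawn once a group is reached, an actor who trips a single low-weight parameter trap sees nothing unusual, while repeated probing inside the timer window escalates to the group with the harsher responses.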


Response types available

None

Message (display flash error message)

Redirect

redirect_loop (redirect to Ensnare_root path in a loop)

Throttle (delay the request with specified time span)

Captcha (render a captcha to the user)

not_found (raise routing exception)

server_error (render 500 error page)

random_content (render random text string)

Block (render a view from the plugin with a message)


Reference

https://github.com/ahoernecke/ensnare/wiki
