8raystech
TECHTALK
DEMONSTRATION OF ENSNARE GEM
About
Rails engine that allows you to configure and deploy basic malicious behavior detection and send responses.
It uses a combination of traps to attract malicious users, and a configurable suite of trap responses to confuse, delay, or stop an attacker.
How does it work?
1. Identify whether the request is malicious according to the configured traps (parameter, cookies, etc.). If the request triggers a trap, the violation is logged.
2. Determine the threshold using a combination of IP, session_id and user_id.
3. Responses are chosen only if the user enters a threshold group (based on the configured weight).
4. Honey traps are inserted in the response.
5. Depending on which response is selected in the threshold group, that response is rendered for the attacker.
Traps supported
Cookies
Parameters
Routing error
Regular expressions
Custom
Sample trap configuration
[
  { :type => :parameter,
    :options => {
      :parameter_names => { :coupon_code => "84763949", :exp_csrf_token => config.randomizer },
      :predefined_parameters => [:uid, :admin, :debug, :random],
      :violation_weight => 2
    }
  },
  { :type => :routing_error,
    :options => {
      :bad_paths => ["/admin", "/debug", "/robots", "/destroy"],
      :violation_weight => 10
    }
  }
]
Threshold group configuration
Any number of threshold groups can be configured, but they have to be ordered by trap_count.
For example:
config.thresholds << {
  :timer => 60, :trap_count => 10,
  :traps => [
    { :trap => "flash_error", :weight => 45, :max_delay => 5, :content => "Stop messing with me! - From threshold2" },
    { :trap => "redirect", :weight => 20, :url => '/404' },
    { :trap => "throttle", :weight => 5, :min_delay => 10, :max_delay => 20 },
    { :trap => "none", :weight => 30 }
  ]
}
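To make the five steps above concrete, here is an added, simplified model of the flow (illustration written for this page, not the Ensnare gem's own code). It assumes that a client's accumulated violation weight is what is compared against a group's trap_count, that a planted parameter counts as a violation when its value is altered, and uses the trap and threshold settings from the two configurations above.

```ruby
# Added illustration of the Ensnare flow; not the gem's own code.
# Assumption: a client's accumulated violation weight is compared with trap_count.
TRAPS = [
  { type: :parameter,
    options: { parameter_names: { "coupon_code" => "84763949" },
               predefined_parameters: %w[uid admin debug random],
               violation_weight: 2 } },
  { type: :routing_error,
    options: { bad_paths: ["/admin", "/debug", "/robots", "/destroy"],
               violation_weight: 10 } }
]
THRESHOLDS = [
  { trap_count: 10, traps: [{ trap: "flash_error", weight: 45 }, { trap: "redirect", weight: 20, url: "/404" },
                            { trap: "throttle", weight: 5 }, { trap: "none", weight: 30 }] }
]
VIOLATIONS = Hash.new(0) # keyed by the ip/session/user combination (step 2)

# Step 1: sum the violation_weight of every trap the request triggers.
def violation_weight(path, params)
  TRAPS.sum do |trap|
    o = trap[:options]
    hit = case trap[:type]
          when :parameter # planted value altered, or a bait parameter name supplied at all
            o[:parameter_names].any? { |k, v| params.key?(k) && params[k] != v } ||
              o[:predefined_parameters].any? { |k| params.key?(k) }
          when :routing_error
            o[:bad_paths].include?(path)
          end
    hit ? o[:violation_weight] : 0
  end
end

# Step 2: record the violation against the client and return its running total.
def record_violation(ip, session_id, user_id, weight)
  VIOLATIONS[[ip, session_id, user_id]] += weight
end

# Step 3: the highest group (groups are ordered by trap_count) the client has reached, or nil.
def threshold_group(total)
  THRESHOLDS.select { |g| total >= g[:trap_count] }.last
end

# Step 5: weighted choice among the group's responses; `roll` is injectable for testing.
def select_response(group, roll = rand(group[:traps].sum { |t| t[:weight] }))
  group[:traps].each { |t| return t if (roll -= t[:weight]) < 0 }
end
```

A request to /admin alone reaches the trap_count of 10 in one hit, whereas coupon tampering needs five hits from the same client before any response other than normal rendering is selected.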
Response types available
None
Message (display flash error message)
Redirect
redirect_loop (redirect to Ensnare_root path in a loop)
Throttle (delay the request with specified time span)
Captcha (render a captcha to the user)
not_found (raise routing exception)
server_error (render 500 error page)
random_content (render random text string)
Block (render a view from the plugin with a message)