Ensnare is a Ruby on Rails (~> 3.2.14) engine that enables an application to detect malicious activity by users or bots.
Traps are configured through a config file. Whenever an intruder enters the system and tries to manipulate it through its cookies, session_id or POST parameters, Ensnare identifies the activity and logs it in the system.
Based on the frequency and type of the activity, the responses configured in the threshold groups are rendered to the intruder. A response can redirect the user to a path, slow down the response time (throttling), display a flash message or a captcha, etc.
This gem can reduce malicious traffic and also reduce the unnecessary generation of false exception mails. On the flip side, each request is slowed down a little (a few milliseconds) while it is checked for malicious activity.
2. About
Ensnare is a Rails engine that allows you to:
  Configure traps
  Deploy basic malicious behavior detection
  Send responses
It uses a combination of traps to attract malicious users, and a configurable suite of Trap Responses to confuse, delay, or stop an attacker.
3. How does it work?
1. Identify whether the request is malicious according to the configured traps (parameter, cookies, etc.). If the request triggers a trap, the violation is logged.
2. Determine the threshold using a combination of IP, session_id and user_id.
3. Responses are chosen only if the user enters a threshold group (the choice is based on the configured weight).
4. Honey traps are inserted in the response.
5. Depending on which response is selected in the Threshold Group, that response is rendered for the attacker.
6. Threshold group configuration
Any number of threshold groups can be configured, but they have to be ordered by trap_count.
For example:
config.thresholds << {
  :timer => 60, :trap_count => 10,
  :traps => [
    {:trap => "flash_error", :weight => 45, :max_delay => 5,
     :content => "Stop messing with me! - From threshold2"},
    {:trap => "redirect", :weight => 20, :url => '/404'},
    {:trap => "throttle", :weight => 5, :min_delay => 10, :max_delay => 20},
    {:trap => "none", :weight => 30},
  ]
}
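The following is an added illustration, not Ensnare's own code, of how the pipeline in "How does it work?" and a threshold-group configuration like the one above fit together: a request is checked against configured traps, each violation is logged under the (IP, session_id, user_id) key, the highest threshold group whose trap_count is reached within its timer window is selected, and one of its traps is chosen by weight. The trap names (TRAP_PARAMS, TRAP_COOKIES), the ViolationLog class, the helper names and the first, lower threshold group are all assumptions made for the example; the second group is the slide's configuration.

```ruby
require 'time'

# Threshold groups, ordered by trap_count as the slide requires. The first
# group is constructed for this example; the second is the one from the slide.
THRESHOLDS = [
  { timer: 60, trap_count: 3,
    traps: [ { trap: "none", weight: 70 },
             { trap: "flash_error", weight: 30, content: "Stop messing with me!" } ] },
  { timer: 60, trap_count: 10,
    traps: [ { trap: "flash_error", weight: 45, max_delay: 5,
               content: "Stop messing with me! - From threshold2" },
             { trap: "redirect", weight: 20, url: '/404' },
             { trap: "throttle", weight: 5, min_delay: 10, max_delay: 20 },
             { trap: "none", weight: 30 } ] }
]

# Honeypot parameter and cookie names (assumed for the example). A legitimate
# client is never given these, so their presence in a request is a violation.
TRAP_PARAMS  = %w[admin_token debug]
TRAP_COOKIES = %w[is_admin]

# Return the list of traps a request triggers (empty for a clean request).
def triggered_traps(params:, cookies:)
  hits = TRAP_PARAMS.select { |p| params.key?(p) }.map { |p| "param:#{p}" }
  hits + TRAP_COOKIES.select { |c| cookies.key?(c) }.map { |c| "cookie:#{c}" }
end

# In-memory violation log keyed by the (ip, session_id, user_id) combination.
class ViolationLog
  def initialize
    @entries = Hash.new { |h, k| h[k] = [] }
  end

  # Record one trap violation at time +at+ for the given identity key.
  def record(key, trap_name, at: Time.now)
    @entries[key] << { trap: trap_name, at: at }
  end

  # Number of violations for +key+ within the last +window+ seconds before +now+.
  def count(key, window, now: Time.now)
    @entries[key].count { |e| now - e[:at] <= window }
  end
end

# Identity key built from the request; nil parts are kept so the key is
# stable for anonymous requests too.
def identity_key(ip:, session_id: nil, user_id: nil)
  [ip, session_id, user_id]
end

# The highest threshold group whose trap_count is met within its timer, or nil
# when the visitor has not entered any group (groups are ordered ascending).
def threshold_group(log, key, thresholds = THRESHOLDS, now: Time.now)
  thresholds.reverse.find { |g| log.count(key, g[:timer], now: now) >= g[:trap_count] }
end

# Weighted choice of a trap: +roll+ is an integer in [0, total weight).
def pick_response(group, roll)
  cumulative = 0
  group[:traps].each do |t|
    cumulative += t[:weight]
    return t if roll < cumulative
  end
  group[:traps].last
end

def weighted_roll(group, rng = Random.new)
  rng.rand(group[:traps].sum { |t| t[:weight] })
end

if __FILE__ == $0
  # Constructed sample traffic: one client hits a honeypot parameter 12 times.
  log = ViolationLog.new
  key = identity_key(ip: "203.0.113.5", session_id: "abc")
  t0 = Time.at(1_700_000_000)
  12.times do |i|
    traps = triggered_traps(params: { "admin_token" => "x" }, cookies: {})
    traps.each { |name| log.record(key, name, at: t0 + i) }
  end
  group = threshold_group(log, key, now: t0 + 12)
  puts "group trap_count=#{group[:trap_count]} -> #{pick_response(group, weighted_roll(group))[:trap]}"
end
```

Because the groups are scanned from the highest trap_count down, a visitor who has accumulated enough violations for the stricter group always gets that group's responses; once the timer window passes without further violations, the count decays and the visitor drops back out of every group.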
7. Response types available
None
Message (display a flash error message)
Redirect
redirect_loop (redirect to the Ensnare_root path in a loop)
Throttle (delay the request by the specified time span)
Captcha (render a captcha to the user)
not_found (raise a routing exception)
server_error (render the 500 error page)
random_content (render a random text string)
Block (render a view from the plugin with a message)