Ensnare is a Ruby on Rails (~> 3.2.14) engine. It enables the application to detect users' or bots' malicious activity. It is possible to configure traps through a config file. Whenever a intruder enters the system and tries to manipulate the system by either capturing the cookies, session_id or POST parameters, Ensnare identifies the activity and logs it in the system. Based upon the frequency and type of the activity, the responses configured in the threshold groups will be rendered to the intruder. Responses can be redirecting the user to a path, slowing down the response time (throttling), display a flash message or a captcha etc. This gem can reduce malicious traffic and also reduce unnecessary generation of false exception mails. On the flip side, each request will be slowed down a little (few milliseconds) as it is checked for malicious activity.

1. TECHTALK
DEMONSTRATION OF
ENSNARE GEM

2. About
Rails engine that allows

Configure

Deploy a basic malicious behavior
detection

Send responses

uses a combination of traps to attract
malicious users, and a configurable suite
of Trap Responses to confuse, delay, or
stop an attacker

3. How does it work?
1. Identify if request is malicious depending on the
traps configured(parameter, cookies etc.). Violation
is logged, if the request triggers a trap.
2. Determine threshold using combination of IP,
session_id and user_id
3. Reponses are chosen only if the user enters the
threshold group (it based on the weight configured)
4. Honey traps are inserted in the response
5. Depending on which response is selected in the
Threshold Group, the response is rendered for the
attacker

4. Traps supported

Cookies

Parameters

Routing Error

Regular expressions

custom

5. Sample trap configuration
[ { :type=>:parameter,
:options=>{ :parameter_names=> {:coupon_code =>
"84763949", :exp_csrf_token => config.randomizer},
:predefined_parameters=>[:uid, :admin, :debug, :random],
:violation_weight=>2
}
},
{ :type=>:routing_error,
:options=>{ :bad_paths=>["/admin", "/debug", "/robots", "/destroy"],
:violation_weight=>10
}
} ]

6. Threshold group configuration

Any number of threshold groups can be
configured but has to be ordered by trap_count
For example:
config.thresholds << {
:timer=> 60, :trap_count=>10,
:traps=>[ {:trap=>"flash_error",:weight=>45,:max_delay=>5,
:content=>"Stop messing with me! - From threshold2"},
{:trap=>"redirect",:weight=>20, :url => '/404'},
{:trap=>"throttle",:weight=>5, :min_delay=>10,
:max_delay=>20},
{:trap=>"none", :weight=>30},
]
}

7. Response types available

None

Message (display flash error message)

Redirect

redirect_loop (redirect to Ensnare_root path in a loop)

Throttle (delay the request with specified time span)

Captcha (render captcha, to the user)

not_found (raise routing exception)

server_error (render 500 error page)

random_content (render random text string)

Block (render a view from the plugin with a message)

9. Reference
https://github.com/ahoernecke/ensnare/wiki

10. Reference
https://github.com/ahoernecke/ensnare/wiki