Introduction
Ensnare is a gem plugin for Ruby on Rails developed to allow the rapid configuration and deployment of a basic malicious behaviour detection and response scheme.
It was created by Andy Hoernecke and Scott Behrens and uses a combination of honey traps to entice malicious users, and a configurable suite of responses to confuse, elude, delay, or stop an attacker. The documentation states Ensnare was partially inspired by Ryan Barnett's blog posts about honey traps [118, 119].
This production implementation does not form part of the core development efforts within the OWASP AppSensor Project.
Description
Ensnare uses honey-trap style detection points, referred to as "traps", which can be benign cookies, parameters, bad paths, or even regular expressions matching known attack signatures such as those produced by a scanner. When a trap is triggered, the event (a "violation") is logged against the requesting user, who is identified by username, session or IP address. When a predefined threshold of violations is reached for that user, the predetermined response is applied to the HTTP response.
Custom traps can also be created in the application, and Ensnare allows violations to be logged from anywhere in the application.
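The scheme described above, as an added example that is not Ensnare's own code or API: traps that match a decoy cookie, a decoy parameter, a decoy path or an attack-signature regex, a violation log keyed by username, session or IP address, and a response that escalates once per-identity thresholds are reached. The trap IDs reuse the AppSensor honey-trap labels (HT1 to HT3); the field names, thresholds, response names and request layout are hypothetical.

```ruby
# Added example, not Ensnare's code. Models the honey-trap detection and
# threshold-based response scheme: each trap hit is a "violation" recorded
# against an identity (username, then session, then IP); the response
# escalates with the per-identity violation count. Trap IDs reuse the
# AppSensor labels HT1..HT3; all other names and values are hypothetical.

# kind: :cookie    decoy cookie, triggers when its value has been altered (HT1)
#       :path      decoy resource requested (HT2)
#       :param     decoy parameter submitted (HT3)
#       :signature regex over parameter values and the path (scanner signature)
Trap = Struct.new(:id, :kind, :target, :expected) do
  def triggered?(req)
    case kind
    when :cookie
      req[:cookies].key?(target) && req[:cookies][target] != expected
    when :param
      req[:params].key?(target)
    when :path
      req[:path] == target
    when :signature
      req[:params].values.any? { |v| v.to_s.match?(target) } || req[:path].match?(target)
    else
      false
    end
  end
end

class HoneyTrapDetector
  attr_reader :violations

  # responses: { violation_threshold => response_symbol }
  def initialize(traps, responses)
    @traps = traps
    @responses = responses.sort_by { |threshold, _| threshold }
    @violations = Hash.new { |h, k| h[k] = [] }
  end

  # Identity precedence as in the text: username, then session, then IP.
  def identity_for(req)
    req[:user] || req[:session] || req[:ip]
  end

  # Callable from anywhere in the application for custom violations,
  # e.g. an authorization failure detected in a controller.
  def record(identity, trap_id)
    @violations[identity] << trap_id
    response_for(identity)
  end

  # Run every trap over one request and return the response to apply.
  def inspect_request(req)
    identity = identity_for(req)
    @traps.select { |t| t.triggered?(req) }.each { |t| @violations[identity] << t.id }
    response_for(identity)
  end

  # The highest threshold reached wins; below the first threshold, nothing.
  def response_for(identity)
    count = @violations[identity].size
    reached = @responses.take_while { |threshold, _| count >= threshold }.last
    reached ? reached.last : :none
  end
end

TRAPS = [
  Trap.new('HT1', :cookie, 'tier', 'basic'),                   # decoy cookie; editing it => HT1
  Trap.new('HT2', :path, '/backup/site.sql'),                   # decoy resource => HT2
  Trap.new('HT3', :param, 'is_admin'),                          # decoy hidden form field => HT3
  Trap.new('SIG', :signature, /(?:union\s+select|<script\b)/i)  # scanner-style signature
].freeze

RESPONSES = { 1 => :log_only, 2 => :timing_change, 4 => :terminate_session }.freeze

# Constructed sample traffic from one IP: a clean request, then four that
# each trip a different trap. Returns the response chosen for each request.
def demo
  detector = HoneyTrapDetector.new(TRAPS, RESPONSES)
  requests = [
    { ip: '10.0.0.5', path: '/',                cookies: { 'tier' => 'basic' }, params: {} },
    { ip: '10.0.0.5', path: '/',                cookies: { 'tier' => 'gold' },  params: {} },
    { ip: '10.0.0.5', path: '/backup/site.sql', cookies: {}, params: {} },
    { ip: '10.0.0.5', path: '/search',          cookies: {}, params: { 'q' => "' UNION SELECT 1 --" } },
    { ip: '10.0.0.5', path: '/profile',         cookies: {}, params: { 'is_admin' => '1' } }
  ]
  requests.map { |req| detector.inspect_request(req) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The clean request yields :none; the altered cookie is the first violation (:log_only), the decoy download the second (:timing_change), and by the fourth hit the session is terminated. Note that the threshold is counted per identity, so an attacker who rotates sessions or IPs while unauthenticated resets the count; keying on a stable identity wherever one exists is what makes the escalation meaningful.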
AppSensor scope
The following detection points are available as standard:
List of Detection Point Categories Implemented in Ensnare

Category   | Detection Point                     | Description
           | ID  | Title                         |
-----------+-----+-------------------------------+------------
Honey Trap | HT1 | Alteration to Honey Trap Data |
           | HT2 | Honey Trap Resource Requested |
           | HT3 | Honey Trap Data Used          |
However, custom detection points can be created; for example, the project's documentation mentions logging violations of the application's authorization controls.
The following response action categories are defined:
List of Response Categories Implemented in Ensnare

Category                                                  | Response
Type    | Description                                      | ID    | Title
--------+--------------------------------------------------+-------+-------------------
None    | No response                                      | ASR-P | No Response
Passive | Changes to user experience but nothing denied    | ASR-E | User Notification
        |                                                  | ASR-F | Timing Change
Active  | Application functionality reduced for user(s)    | ASR-G | Process Terminated
        |                                                  | ASR-H | Function Amended
        |                                                  | ASR-I | Function Disabled
Source code
Ensnare’s source code is located at:
https://github.com/ahoernecke/ensnare
Implementation
Documentation for Ensnare can be found at:
https://github.com/ahoernecke/ensnare/wiki
Considerations
This implementation is currently under development and is subject to change.
Related implementations
None.
Chapter 24 : Invocation of AppSensor Code Using Jni4Net
Introduction
Dinis Cruz has used the OWASP O2 Platform [120] C# REPL scripting environment to invoke Java AppSensor and ESAPI methods from an existing .NET application using Jni4Net [121]. Like the application described in Chapter 22 : Light Touch Retrofit, it is another example of retrofitting AppSensor to an existing project; unlike that example, however, it does utilize the AppSensor Project's library code.
This demonstration implementation does not form part of the core development efforts within the OWASP AppSensor Project. The O2 Platform has its own mailing list [122].
Description
The Java code from the core development effort is consumed within a .NET application, which thereby exposes all the same capabilities.
Schematic Arrangement of Example AppSensor Code Invocation Using Jni4Net
AppSensor scope
The detection points and response actions are identical to those described for AppSensor Core above.
Source code
The source code for the pilot demonstration can be found at:
http://github.com/DinisCruz/TeamMentor_3_3_AppSensor
This is proof of concept code and is neither optimized nor production-ready.
Implementation
The method of implementation is described at:
http://blog.diniscruz.com/2013/06/another-step-in-use-of-esapi-and.html
A video of Dinis Cruz's presentation of the concept is available at:
http://www.youtube.com/watch?v=dzj3llZ9G6I
Considerations
This is purely demonstration code that illustrates an alternative method of implementation.
Related implementations
There is a .Net port of the Java AppSensor Core implementation - see Chapter 21 : Fully Integrated (AppSensor Core).