AppSensor Guide Application-Specific Real-Time Attack Detection & Response Version 48 (Draft)




Chapter 23 : Ensnare for Ruby

Introduction


Ensnare is a gem plugin for Ruby on Rails developed to allow the rapid configuration and deployment of a basic malicious behavior detection and response scheme.

It was created by Andy Hoernecke and Scott Behrens. It uses a combination of honey traps to entice malicious users, together with a configurable suite of responses to confuse, mislead, delay or stop an attacker. The documentation states that Ensnare was partially inspired by Ryan Barnett's blog posts about honey traps [118, 119].

This production implementation does not form part of the core development efforts within the OWASP AppSensor Project.

Description


Ensnare uses honey trap detection points, referred to as “traps”. A trap can be a benign-looking cookie, a parameter the application never reads, a path that does not exist, or a regular expression matching a known attack signature (for example a request pattern produced by a scanner). When a trap is triggered, the event (a “violation”) is logged. When a predefined threshold of violations is reached for a user, identified by username, session or IP address, the configured response is applied to the HTTP response.

Custom traps can also be defined in the application, and Ensnare allows violations to be logged from anywhere in the application code.
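To make the mechanism concrete, the following is an added example in plain Ruby; it is not Ensnare's own code or API. It models the scheme described above: a cookie trap, a parameter trap, a bad-path trap and a few signature regexes, a per-identity violation log, and a threshold-driven response selector whose symbols map onto the AppSensor response types listed later in this chapter. Trap names, thresholds, the request-hash shape and the sample requests are all assumptions constructed for illustration.

```ruby
# Added example (not Ensnare's code): honey traps -> violations -> thresholded response.
class HoneyTrapDetector
  Violation = Struct.new(:trap, :identity, :path)

  # Assumed trap definitions. A real deployment would choose names that look
  # plausible for the application rather than these obvious ones.
  HONEY_COOKIE       = 'admin'                       # issued to every client
  HONEY_COOKIE_VALUE = 'false'                       # with this fixed value
  HONEY_PARAMS       = %w[debug is_admin].freeze     # never read by the app
  BAD_PATHS          = %w[/wp-login.php /phpmyadmin /.git/config].freeze
  SIGNATURES = [
    /<script\b/i,                  # reflected-XSS probe
    /\bunion\b.*\bselect\b/i,      # SQL injection probe
    /\.\.\//                       # path traversal probe
  ].freeze

  # Response tiers: [violation threshold, response]. Lowest first; the highest
  # tier whose threshold is reached wins. Assumed values for illustration.
  RESPONSES = [
    [1, :none],       # ASR-P: no response
    [2, :delay],      # ASR-F: timing change
    [3, :notify],     # ASR-E: user notification
    [5, :terminate]   # ASR-G: process terminated (e.g. session logout)
  ].freeze

  def initialize
    @violations = Hash.new { |h, k| h[k] = [] }
  end

  # Identity precedence: authenticated user, then session, then client IP.
  def identity_for(request)
    request[:user] || request[:session_id] || request[:ip]
  end

  # Returns the traps triggered by one request (a plain Hash in this example).
  def triggered_traps(request)
    traps   = []
    cookies = request[:cookies] || {}
    params  = request[:params]  || {}
    path    = request[:path].to_s

    # HT1: alteration to honey trap data.
    if cookies.key?(HONEY_COOKIE) && cookies[HONEY_COOKIE] != HONEY_COOKIE_VALUE
      traps << :honey_cookie_altered
    end
    # HT3: honey trap data used. The app never reads these parameters, so
    # their presence means the client supplied them deliberately.
    traps << :honey_param_used if (params.keys & HONEY_PARAMS).any?
    # HT2: honey trap resource requested.
    traps << :bad_path if BAD_PATHS.include?(path)
    # Known attack signatures, checked against the path and every parameter value.
    probe_text = ([path] + params.values.map(&:to_s)).join("\n")
    traps << :attack_signature if SIGNATURES.any? { |re| re.match?(probe_text) }
    traps
  end

  # Logs any violations and returns the response to apply to this request.
  def process(request)
    id = identity_for(request)
    triggered_traps(request).each do |trap|
      @violations[id] << Violation.new(trap, id, request[:path])
    end
    response_for(id)
  end

  def violation_count(identity)
    @violations[identity].size
  end

  def response_for(identity)
    count = violation_count(identity)
    tier = RESPONSES.select { |threshold, _| count >= threshold }.last
    tier ? tier[1] : :none
  end
end

# Constructed sample traffic from one client IP (not real requests).
def demo_requests
  [
    { ip: '203.0.113.7', path: '/',             cookies: { 'admin' => 'false' }, params: {} },
    { ip: '203.0.113.7', path: '/',             cookies: { 'admin' => 'true' },  params: {} },
    { ip: '203.0.113.7', path: '/wp-login.php', cookies: {},                     params: {} },
    { ip: '203.0.113.7', path: '/search',       cookies: {}, params: { 'q' => "' UNION SELECT 1--" } },
    { ip: '203.0.113.7', path: '/search',       cookies: {},
      params: { 'debug' => '1', 'q' => '<script>alert(1)</script>' } }
  ]
end

# Runs the sample traffic through one detector and returns the response per request.
def run_demo
  detector = HoneyTrapDetector.new
  demo_requests.map { |request| detector.process(request) }
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

The first request carries the honey cookie unchanged and triggers nothing; the tampered cookie, the scanner path and the injection probe then accumulate violations against the IP, and the last request trips two traps at once, pushing the client past the termination threshold. In a Rails deployment the same logic would sit in a before_action and the :delay and :terminate responses would become a sleep and a session reset respectively.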


AppSensor scope


The following detection points are available as standard:

List of Detection Point Categories Implemented in Ensnare

Category      ID     Title                            Description
Honey Trap    HT1    Alteration to Honey Trap Data
              HT2    Honey Trap Resource Requested
              HT3    Honey Trap Data Used
Custom detection points can also be created; for example, the project's documentation mentions logging violations of the application's authorization controls.

The following response action categories are defined:

List of Response Categories Implemented in Ensnare

Category                                                    Response
Type      Description                                       ID       Title
None      No response                                       ASR-P    No Response
Passive   Changes to user experience but nothing denied     ASR-E    User Notification
                                                            ASR-F    Timing Change
Active    Application functionality reduced for user(s)     ASR-G    Process Terminated
                                                            ASR-H    Function Amended
                                                            ASR-I    Function Disabled

Source code


Ensnare’s source code is located at:

https://github.com/ahoernecke/ensnare


Implementation


Documentation for Ensnare can be found at:

https://github.com/ahoernecke/ensnare/wiki


Considerations


This implementation is currently under development and is subject to change.

Related implementations


None.

Chapter 24 : Invocation of AppSensor Code Using Jni4Net

Introduction


Dinis Cruz has used the OWASP O2 Platform [120] C# REPL scripting environment to invoke Java AppSensor and ESAPI methods from an existing .NET application using Jni4Net [121]. Like the application described in Chapter 22 : Light Touch Retrofit, it is another example of retrofitting AppSensor to an existing project. Unlike that example, however, it does use the AppSensor Project's own library code.

This demonstration implementation does not form part of the core development efforts within the OWASP AppSensor Project. The O2 Platform has its own mailing list [122].


Description


The Java AppSensor Core library is consumed from within a .NET application, which thereby exposes the same detection and response capabilities as the Java implementation.

Figure: Schematic Arrangement of Example AppSensor Code Invocation Using Jni4Net


AppSensor scope


The detection points and response actions are identical to those described for AppSensor Core above.

Source code


The source code for the pilot demonstration can be found at:

https://github.com/DinisCruz/TeamMentor_3_3_AppSensor

This is proof of concept code and is neither optimized nor production-ready.

Implementation


The method of implementation is described at:

http://blog.diniscruz.com/2013/06/another-step-in-use-of-esapi-and.html

A video of Dinis Cruz's presentation of the concept is available at:

http://www.youtube.com/watch?v=dzj3llZ9G6I


Considerations


This is purely demonstration code that illustrates an alternative method of implementation.

Related implementations


There is a .Net port of the Java AppSensor Core implementation - see Chapter 21 : Fully Integrated (AppSensor Core).


