Skip to content

Home

Jump to bottom
Cedric HEBERT edited this page Jun 28, 2024 · 8 revisions

User Guides

This wiki is work in progress, parts may still be under construction

Main Configuration guide

This section covers the content of the 'config' JSON file. Unless a specific configuration file is found for the target application, the proxy will use the content of the config-default.json file located at /cloudactivedefense/configmanager/. See the Developer Guide for more details.

This 'config' file is used to provide metadata to the proxy, namely used in alert messages. It is easier to introduce the content of this file prior to explaining how decoys are configured, but feel free to ignore this section if you're just learning about how decoys work, it will always be time to come back to this section later.

  • Session: How to retrieve the protected application's session token
  • Username: How to retrieve the username of the currently connected user
  • Server: What is the server name of the protected application
  • Respond: Which default response behavior to adopt when an attack is detected. Superseded by decoy's respond parameters.
  • BlocklistReload: How often to reload the current blocklist

Decoy Configuration guide

Cloud active defense is about blending deceptive decoys into web applications, and about detecting decoy interaction. Decoys are defined in the 'cad' (Cloud Active Defense) JSON file read and applied every few minutes. Unless a specific configuration file is found for the target application, the proxy will use the content of the cad-default.json file located at /cloudactivedefense/configmanager/. See the Developer Guide for more details.

This 'cad' file is the core of the solution, as it is used to configure the shape and behavior of decoys.

Decoys are powerful but can also break the UI if used without care. The following sections detail how to properly create them.

  • General structure: The main flow of decoys: inject, detect, alert.
  • Decoy management
    • Decoy: What makes a decoy
    • Inject: How injection (url, headers, cookies, body) of decoys works
    • Detect: How detection works
    • Alert: When should an alert be sent
    • Respond: How should the application behave against attackers
  • Alert management: Management and configuration of sent alerts
  • Dos and don'ts: What makes a good decoy, what makes a bad decoy, what can break
  • Summary: All configuration options at a glance
  • Examples: A methodology to design your own decoys, exemplified.
    • Catalog: Collection of decoys and detection rules to get you inspired

Developer Guide

Cloud active defense is primarily a WASM plugin for Envoy. All the source code is provided so that you can rebuild the plugin by yourself and create enhancements. The following sections will cover the main logic of the code and what it can and cannot do.

  • General structure: The main activity flow: request headers, request body, response headers, response body
  • Build: How to (re)build the WASM plugin from source
  • Fluentbit: How to fetch and forward alerts
  • Limitations: Limitations of WASM and of Envoy
Clone this wiki locally