Google Summer of Code 2016 Work Product Submission

Evgeniya edited this page Aug 22, 2016 · 4 revisions


SNARE is a web application honeypot sensor that attracts all sorts of maliciousness from the Internet. The web page is generated by cloning a real web application and injecting known vulnerabilities. SNARE connects to TANNER, a remote data analysis and classification service, which evaluates HTTP requests and composes the response that SNARE then serves.


RFI Emulation

The RFI (remote file inclusion) emulator extracts the remote file link from the requested path and downloads the file. All downloaded files are stored in the /opt/tanner/scripts directory; the filename is derived with the MD5 hash function. After downloading, the script body is sent to the PHP Sandbox, which runs on the TANNER host. The PHP Sandbox executes the script and returns the result as JSON containing the file hashsum and the stdout of the execution.

LFI Emulation

LFI (local file inclusion) emulation lets us create a static virtual file system (the virtualdocs folder) containing system files (for example passwd, shadow, etc.) that are commonly of interest to an adversary. To create the virtualdocs structure, TANNER uses a definition in vdocs.json, where the structure and content of the files are described. On each LFI request, the LFI emulator lists the files available in the virtualdocs folder. If the requested file is present, TANNER returns its content to SNARE.
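The following is an added example of the LFI lookup described above; it is not TANNER's code. It assumes a simplified vdocs.json layout (a mapping from absolute path to file content, constructed here) and shows the part the paragraph leaves implicit: an LFI request usually arrives as a traversal path such as ../../../../etc/passwd, possibly with a null-byte terminator, so the requested path has to be normalised to the virtual file it targets before the lookup.

```python
import json
import posixpath

# Constructed vdocs-style definition (assumption: the real vdocs.json layout
# is not reproduced here; this is an illustrative path -> content mapping).
VDOCS_JSON = json.dumps({
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n",
    "/etc/shadow": "root:*:17000:0:99999:7:::\n",
    "/proc/self/environ": "PATH=/usr/bin\nUSER=www-data\n",
})


class VirtualDocs:
    """Static virtual file system built from a vdocs-style JSON definition."""

    def __init__(self, definition):
        self.files = json.loads(definition)

    @staticmethod
    def normalize(requested):
        """Reduce an LFI-style path to the absolute virtual file it targets.

        Handles '../' traversal, duplicated slashes, a null-byte terminator
        (%00 already URL-decoded) and a missing leading slash.
        """
        path = requested.split("\x00", 1)[0]   # keep the part before a null byte
        path = "/" + path.lstrip("/")           # treat every request as rooted
        return posixpath.normpath(path)         # collapses /../ above the root

    def available(self):
        """The files the emulator has on offer (the 'available files' step)."""
        return sorted(self.files)

    def lookup(self, requested):
        """Return the virtual file content, or None if the file is not defined."""
        return self.files.get(self.normalize(requested))


def emulate_lfi(requested_path, vdocs=None):
    """Answer an LFI request the way the page describes: content if present, else None."""
    vdocs = vdocs or VirtualDocs(VDOCS_JSON)
    return vdocs.lookup(requested_path)


if __name__ == "__main__":
    for probe in ("../../../../etc/passwd", "/etc/passwd\x00.php", "/etc/hosts"):
        print(repr(probe), "->", emulate_lfi(probe))
```

Because the definition is consulted only after normalisation, a request for ../../../etc/passwd and one for /etc/passwd resolve to the same virtual file, and anything outside the definition simply yields None, so the emulator never touches the real file system.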

XSS Emulation

XSS (Cross-site scripting) data can come from HTTP POST and GET requests.

  • If the XSS injected data comes from a POST request, we get the data from the request body.
  • If the XSS injected data comes from a GET request, we extract the data from the request parameters.

After that, we choose the page into which the script will be injected. For this, we take the session paths and pick the last path whose type is ‘text/html’. The script is injected into SNARE’s response body.
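An added example (not TANNER's own code) of the three XSS steps above: pull the injected data out of a GET query string or a POST body, select the last session path with type text/html, and place the data into the response body. The session path list is constructed here and assumes a content type is recorded per path; the "looks like markup" check is a crude stand-in for TANNER's real detection.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed session paths, as a tracker would record them (assumption: the
# content type of each served path is kept alongside the path).
SESSION_PATHS = [
    {"path": "/index.html", "content_type": "text/html"},
    {"path": "/style.css", "content_type": "text/css"},
    {"path": "/search?q=test", "content_type": "text/html"},
    {"path": "/logo.png", "content_type": "image/png"},
]


def extract_xss_data(method, path, body=""):
    """Return the injected data from a GET query or a POST body, else None."""
    params = parse_qs(body) if method == "POST" else parse_qs(urlsplit(path).query)
    for values in params.values():
        for value in values:
            if "<" in value and ">" in value:   # assumption: crude markup marker
                return value
    return None


def choose_injection_page(paths):
    """Pick the last path of type text/html from the session paths."""
    for entry in reversed(paths):
        if entry["content_type"] == "text/html":
            return entry["path"]
    return None


def inject_into_body(html, data):
    """Insert the data just before </body>, or append it if there is no body tag."""
    marker = "</body>"
    if marker in html:
        return html.replace(marker, data + marker, 1)
    return html + data


def emulate_xss(method, path, body, session_paths, page_html):
    """Return (page, modified_html) or None when the request carries no XSS data."""
    data = extract_xss_data(method, path, body)
    if data is None:
        return None
    return choose_injection_page(session_paths), inject_into_body(page_html, data)


if __name__ == "__main__":
    print(emulate_xss("POST", "/comment", "text=<b>hi</b>", SESSION_PATHS,
                      "<html><body><p>page</p></body></html>"))
```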

Sessions and session tracking

This module creates sessions from the information coming from SNARE and tracks session paths. Information from SNARE is validated before it is used.

Every session contains:

  • Peer ip and port
  • Peer user agent
  • UUID of the SNARE sensor
  • Requested paths: path, timestamp and SNARE response status
  • Session UUID
  • Start timestamp
  • Current Timestamp
  • Count of requests

The uniqueness of a session is determined by its IP and user agent. Every session has an expiration time; by default it is 75s. After expiration, the session is removed from the active sessions and analyzed.

Session evaluating

Session information is evaluated after the session becomes inactive. The session evaluation mechanism analyzes the session information and can suggest possible owners. The result of the analysis contains:

  • Session attributes
    • UUID
    • Peer ip and port
    • User agent
    • Sensor_uuid
  • Start time
  • End time - last session timestamp
  • Requests per second
  • Approximate time between requests
  • Accepted paths - number of accepted paths
  • Errors - counts of errors in SNARE responses
  • Hidden links - count of accepted dorks
  • Attack types - list of attack types
  • Paths - list of all paths
  • Possible owners - list of possible owners. May be user, attacker, tool and crawler
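The two sections above (session tracking and session evaluation) share one data structure, so the following added example covers both; it is illustrative code, not TANNER's. It assumes a constructed message layout from SNARE (peer, headers, uuid, path, status, plus an optional attack_type that the page does not list among the session fields), keys active sessions by (ip, user agent), expires them after the 75s default, and computes the evaluation fields from the stored paths. The owner heuristics in guess_owners are assumptions for the four owner classes the page names.

```python
import time
import uuid

SESSION_TTL = 75  # seconds; the default expiration stated on the page
REQUIRED = ("peer", "headers", "uuid", "path", "status")


def validate(data):
    """Reject SNARE messages lacking the fields a session needs (assumed layout)."""
    missing = [k for k in REQUIRED if k not in data]
    if missing:
        raise ValueError("invalid SNARE data, missing: %s" % missing)
    if "ip" not in data["peer"] or "user-agent" not in data["headers"]:
        raise ValueError("invalid SNARE data: peer ip or user agent absent")
    return data


class Session:
    def __init__(self, ip, port, user_agent, sensor_uuid, now):
        self.uuid = str(uuid.uuid4())
        self.ip, self.port, self.user_agent = ip, port, user_agent
        self.sensor_uuid = sensor_uuid
        self.start = self.current = now
        self.paths = []  # each: path, timestamp, response_status, attack_type

    def add_request(self, path, status, attack_type, now):
        self.paths.append({"path": path, "timestamp": now,
                           "response_status": status, "attack_type": attack_type})
        self.current = now

    @property
    def count(self):
        return len(self.paths)


class SessionTracker:
    """Active sessions keyed by (peer ip, user agent); expired ones get evaluated."""

    def __init__(self, ttl=SESSION_TTL, dorks=frozenset()):
        self.ttl, self.dorks = ttl, dorks
        self.active, self.analyzed = {}, []

    def record(self, data, now=None):
        now = time.time() if now is None else now
        self.expire(now)
        data = validate(data)
        key = (data["peer"]["ip"], data["headers"]["user-agent"])
        sess = self.active.get(key)
        if sess is None:
            sess = Session(key[0], data["peer"].get("port"), key[1], data["uuid"], now)
            self.active[key] = sess
        sess.add_request(data["path"], data["status"],
                         data.get("attack_type", "unknown"), now)
        return sess

    def expire(self, now):
        """Move sessions idle for longer than the TTL to the analyzed list."""
        for key, sess in list(self.active.items()):
            if now - sess.current > self.ttl:
                self.analyzed.append(evaluate(self.active.pop(key), self.dorks))
        return self.analyzed


def evaluate(sess, dorks=frozenset()):
    """Build the analysis result listed on the page from a finished session."""
    n = sess.count
    duration = sess.current - sess.start
    stamps = [p["timestamp"] for p in sess.paths]
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    accepted = [p for p in sess.paths if p["response_status"] == 200]
    result = {
        "attributes": {"uuid": sess.uuid, "peer": {"ip": sess.ip, "port": sess.port},
                       "user_agent": sess.user_agent, "sensor_uuid": sess.sensor_uuid},
        "start_time": sess.start,
        "end_time": sess.current,                       # last session timestamp
        "requests_per_second": n / duration if duration > 0 else float(n),
        "approx_time_between_requests": sum(gaps) / len(gaps) if gaps else 0.0,
        "accepted_paths": len(accepted),
        "errors": n - len(accepted),                    # non-200 SNARE responses
        "hidden_links": sum(1 for p in accepted if p["path"] in dorks),
        "attack_types": sorted({p["attack_type"] for p in sess.paths} - {"unknown"}),
        "paths": [p["path"] for p in sess.paths],
    }
    result["possible_owners"] = guess_owners(result)
    return result


def guess_owners(result):
    """Assumed heuristics for the owner classes user, attacker, tool and crawler."""
    ua = result["attributes"]["user_agent"].lower()
    owners = []
    if any(word in ua for word in ("bot", "crawl", "spider")):
        owners.append("crawler")
    if result["attack_types"]:
        owners.append("tool" if result["requests_per_second"] > 2 else "attacker")
    return owners or ["user"]
```

Calling record() first expires idle sessions and then validates the incoming message, so a malformed message from a sensor can never create a session; expire() is also what turns a finished session into an analysis result, which is where the possible-owner suggestion comes from.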

Dork Management

This module manages manually added dorks and extracts user dorks from requested paths. Extracting dorks from the requested paths makes SNARE more attractive to an attacker by adding previously unknown vulnerable paths, and permanently expands the dork database. When SNARE requests dorks, TANNER returns a random number of manually added and extracted dorks.

SQL Injection emulation

Implementing the SQLi emulator was the trickiest part of my work. There are a lot of improvements that can be made in the future, but the basic work is done.

SQLi emulation process:

  • Setup main db
  • Detect sqli with libinjection
  • Create attacker’s db
  • Map the sqli requests to the db table
  • Execute query on attacker’s db
  • Return the result
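The six steps above, carried through as an added example that is not TANNER's code. It uses sqlite3 in memory with constructed sample rows; the detection step is a crude pattern stand-in for libinjection (an assumption, not equivalent to it); and the "attacker's db" is a private copy made with sqlite3's backup API, so whatever the mapped query does happens to the copy and the main database stays untouched.

```python
import re
import sqlite3


def setup_main_db():
    """Step 1: the honeypot's reference database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-1');
        INSERT INTO users VALUES (2, 'guest', 'constructed-hash-2');
    """)
    return conn


# Assumption: a crude stand-in for the libinjection check named on the page.
SQLI_HINT = re.compile(r"(?i)(\bor\b\s+\S+\s*=\s*\S+|union\s+select|--|;|'\s*or\s*')")


def looks_like_sqli(value):
    """Step 2: decide whether a parameter value should go to the emulator."""
    return bool(SQLI_HINT.search(value))


def create_attacker_db(main):
    """Step 3: give each attacker a private copy so the main db is never modified."""
    copy = sqlite3.connect(":memory:")
    main.backup(copy)
    return copy


def map_param_to_query(param, value, table="users"):
    """Step 4: map the request parameter onto the query a vulnerable app would run."""
    return "SELECT id, username FROM %s WHERE %s = '%s'" % (table, param, value)


def emulate_sqli(main, param, value):
    """Steps 5 and 6: run the mapped query on the attacker's copy, return the result."""
    if not looks_like_sqli(value):
        return {"sqli": False, "query": None, "result": None, "error": None}
    db = create_attacker_db(main)
    query = map_param_to_query(param, value)
    try:
        rows = db.execute(query).fetchall()
        return {"sqli": True, "query": query, "result": rows, "error": None}
    except sqlite3.Error as exc:
        # Syntax errors are part of the result too: the response mimics a real app.
        return {"sqli": True, "query": query, "result": None, "error": str(exc)}
    finally:
        db.close()


if __name__ == "__main__":
    main = setup_main_db()
    print(emulate_sqli(main, "username", "admin"))
    print(emulate_sqli(main, "id", "1' OR '1'='1"))
```

The copy-per-attacker step is what makes the emulation safe to run repeatedly: a query that alters or drops a table only affects the throwaway connection, and the next request starts again from the pristine main database.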

Basic API

The basic API allows getting information about the SNARE sensors that communicate with TANNER, and getting session info from a certain SNARE sensor.



A logging system was added in place of print messages.


Cloning process

The cloning process was improved. Previously only the main page was cloned correctly; now the site is cloned recursively. During cloning all links are replaced, which allows navigating across the cloned site.

Webmaster tools

SNARE supports Google and Bing webmaster tools.


The auto-update system allows SNARE to be updated without stopping it. The user can configure the update timeout; the possible timeout units are: D - days, H - hours, M - minutes. SNARE uses gitpython to check for updates. If updates are available, gitpython downloads them and SNARE restarts.

