GeneralDecoyStructure - SAP/cloud-active-defense GitHub Wiki

General decoy structure

Decoys are made of five different parts: decoy, inject, detect, alert and respond.

  • When the proxy receives a request, it tries to detect the decoy. If the decoy is detected, it triggers the related alert and response.
  • When the proxy receives a response, it checks if it needs to inject the decoy. Prior to that it also tries to detect the decoy.

Injection and detection are both optional. A decoy without detection is just an element that is added to the page. Such a decoy can be used to mislead an attacker, for example by returning a fake server version. A decoy without injection is what we call a 'detection rule'. It can be used to detect malicious behavior performed directly on the application itself, such as trying to log in as 'admin/admin'. Responding is also optional; a response is applied to subsequent requests.

The typical usage flow is as follows:

  1. a user sends a request
  2. upon response, a decoy is injected
  3. on a follow-up request, tampering with the decoy is detected; an alert is raised, along with any configured response(s).
  4. on further request(s), if a request matches an applied response, that response is triggered before further processing.

The main decoy structure is the following one. Notice how 'alert' and 'respond' are embedded into 'detect'.

    {
      "decoy": {
      },
      "inject": {
      },
      "detect": {
        "alert": {
        },
        "respond": {
        }
      }
    }

In the controlpanel you can import a decoy file to add one or many decoys. You can have as many decoys as you'd like in a single import file. Just put them after one another inside the array:

[!NOTE] Don't forget to deploy them in the list

    [
      {
        "decoy": {
        },
        ...
      },
      {
        "decoy": {
        },
        ...
      },
      {
        "decoy": {
        },
        ...
      }
    ]
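As an added example (not code from the SAP/cloud-active-defense project), a small Python checker for the top-level layout of an import file as described above: it flags entries that lack 'decoy', that put 'alert' or 'respond' outside 'detect', or that use unknown top-level keys, and it names each entry's kind (detection rule, inject-only decoy, or both). The keys inside each part are not checked, since this page does not describe them; the sample import file is constructed here.

```python
import json

TOP_LEVEL = {"decoy", "inject", "detect"}


def lint_decoy(entry, index):
    """Return problems found in one decoy object (empty list = OK)."""
    if not isinstance(entry, dict):
        return [f"#{index}: entry is not a JSON object"]
    problems = []
    if not isinstance(entry.get("decoy"), dict):
        problems.append(f"#{index}: missing required 'decoy' object")
    for key, value in entry.items():
        if key in ("alert", "respond"):
            # alert/respond only have meaning nested inside detect
            problems.append(f"#{index}: '{key}' must be nested under 'detect'")
        elif key not in TOP_LEVEL:
            problems.append(f"#{index}: unknown top-level key '{key}'")
        elif not isinstance(value, dict):
            problems.append(f"#{index}: '{key}' must be an object")
    return problems


def classify(entry):
    """Name the decoy kind the way the page defines it."""
    has_inject = isinstance(entry.get("inject"), dict)
    has_detect = isinstance(entry.get("detect"), dict)
    if has_inject and has_detect:
        return "decoy with detection"
    if has_inject:
        return "misleading decoy (inject only)"
    return "detection rule (detect only)" if has_detect else "inert"


def lint_import_file(text):
    """Parse an import file and return (problems, kind of each entry)."""
    data = json.loads(text)
    if not isinstance(data, list):
        return ["import file must be a JSON array of decoys"], []
    problems, kinds = [], []
    for i, entry in enumerate(data):
        problems += lint_decoy(entry, i)
        kinds.append(classify(entry) if isinstance(entry, dict) else "invalid")
    return problems, kinds


# Constructed sample: a detection rule, an inject-only decoy, and a
# wrongly structured entry that places 'alert' at the top level.
SAMPLE = json.dumps([
    {"decoy": {}, "detect": {"alert": {}, "respond": {}}},
    {"decoy": {}, "inject": {}},
    {"decoy": {}, "detect": {}, "alert": {}},
])
```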
