Rails gem or code to flag malicious user behavior in real-time?

Question

Is there an existing gem or code that will flag malicious user behavior in real-time? i.e. not something where I manually comb the log files for 404s or suspicious accesses (e.g. sql injection attempts, js inserted into text fields, etc.?)

For instance, today I noticed requests like this in the log.

ActionController::RoutingError (No route matches "///scripts/setup.php" with {:method=>:get}):

I'd love to know real-time via alerts or emails if someone is scanning the site for vulnerabilities - i.e. to differentiate innocuous 404s from malicious 404s, to flag sql injection or js injections, etc.

Are there existing gems or code to do this or must I roll my own?

Thanks for thoughts.

Answer 1

If there was such a system and your site was even moderately populate you would get a lot of real time updates.

The reality is that you're likely going to get people trying to put js in their profiles, submitting weird stuff to your site out of both curiosity and malice. You could scan your log files for this stuff regularly to make sure your actions and views are protected against such attacks, but that really isn't manageable in the long run.

The problem is, how do you know if your input is malicious? Depending on your site the input you just mentioned could be perfectly valid.

If you're worried about sql injection you should document and thoroughly test your find_by_sql statements.

If you're worried about un-escaped user input you could consider moving to erubis and enabling escaping by default.

A more pressing problem for most sites is misuse of the functionality you provide, for example sending too many messages, posting too many questions, voting too often, scraping your content etc... for this you can configure your webserver to stop a user making too many requests (you can set this up with nginx really easily) and impose rate limiting in your application code.