OpenCanary Documentation

Similar documents
PIM SOFTWARE TR50. Configuring the Syslog Feature TECHNICAL REFERENCE page 1

Alert Notification of Critical Results (ANCR) Public Domain Deployment Instructions

RSA Authentication Manager

Implementation of escan Live Events with SYSLOG (CACTI)

NAS 272 Using Your NAS as a Syslog Server

enetworks TM Using the Syslog Feature C.1 Configuring the Syslog Feature

Network Management & Monitoring

MultiSite Manager. User Guide

Training module 2 Installing VMware View

Laboration 3 - Administration

USER GUIDE WEB HOSTING SERVICE

Vantage Report. Quick Start Guide

Manage a Firewall Using your Plesk Control Panel Contents

Syslog Monitoring Feature Pack

Installation Instructions

Lets Get Started In this tutorial, I will be migrating a Drupal CMS using FTP. The steps should be relatively similar for any other website.

CYAN SECURE WEB HOWTO. NTLM Authentication

IIS, FTP Server and Windows

Pandora FMS 3.0 Quick User's Guide: Network Monitoring. Pandora FMS 3.0 Quick User's Guide

Presented by Henry Ng

Kaseya 2. Quick Start Guide. for Network Monitor 4.1

Enterprise Manager. Version 6.2. Installation Guide

Dragonframe License Manager User Guide Version 1.2.2

Installing an open source version of MateCat

How To Configure Syslog over VPN

Application Note: FTP Server Setup on computers running Windows-7 For use with 2500P-ACP1

Syslog & xinetd. Stephen Pilon

VoipSwitch Security Audit

SERVER HARDENING. Presented by: Daniel Waymel and Corrin Thompson at TexSAW 2014 at the University of Texas at Dallas

HowTo. Planning table online

Novar Database Mail Setup Guidelines

MySQL Quick Start Guide

Monitoring Clearswift Gateways with SCOM

Server Manager Help 10/6/2014 1

Parallels Plesk Panel

MySQL quick start guide

Integrate ExtraHop with Splunk

Application Monitoring using SNMPc 7.0

Chapter 9 Monitoring System Performance

Red Condor Syslog Server Configurations

phpservermon Documentation

WhatsUp Gold v11 Features Overview

An Introduction To The Web File Manager

How to setup FTP and Secure FTP for XD Series

Alert Logic Log Manager

Collax Active Directory

E- SPIN's IPSwitch WhatsUp Gold Network Management System System Administration Advanced Training (5 Day)

FTP Server Configuration

Configuring Microsoft Dynamics AX 2012 Alerts and Notifications Using an SMTP Relay Server with Office 365

Device Integration: Checkpoint Firewall-1

Quick Scan Features Setup Guide. Scan to Setup. See also: System Administration Guide: Contains details about setup.

Tutorial Details Product Demonstrated: X-301 Estimated Completion Time: 15 minutes

Kaseya 2. User Guide. for Network Monitor 4.1

Manual Password Depot Server 8

Creating a DUO MFA Service in AWS

JusticeConnect AVL for Windows SETUP GUIDE

Version 1.7. Inbound Integration (POP3 and IMAP) Installation, Configuration and User Guide. Last updated October 2011

orrelog SNMP Trap Monitor Software Users Manual

Device Log Export ENGLISH

SysPatrol - Server Security Monitor

Using Debug Commands

WinTask x64 Scheduler for Windows 7 64 bit, Windows 8/ bit and Windows 2008 R2 64 bit. Scheduler Quick Start Guide

Premium Server Client Software

System Admin Module User Guide. Schmooze Com Inc.

App Central: Developer's Guide. For APKG 2.0

Linux Development Environment Description Based on VirtualBox Structure

Chapter 8 Monitoring and Logging

Quick Setup Guide. FaxGwise Version 6.0. SKyPRO AG, Gewerbestrasse 7, 6330 Cham Switzerland, SKyPRO USA,

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

1 Thunderbird v3 and IMAP/SMTP Configuration

Linux Squid Proxy Server

Lab Configure Syslog on AP

Spectrum Technology Platform. Version 9.0. Spectrum Spatial Administration Guide

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

How to set up the HotSpot module with SmartConnect. Panda GateDefender 5.0

Network Monitoring & Management Log Management

Immotec Systems, Inc. SQL Server 2005 Installation Document

Using Debug Commands

A Prevention & Notification System By Using Firewall. Log Data. Pilan Lin

Troubleshooting problems with the PDMWorks Enterprise database server

Getting Started With Halo for Windows For CloudPassage Halo

Quick Connect. Overview. Client Instructions. LabTech

Getting Started With Halo for Windows

MicroStrategy Intelligence Server Configuration Table of contents

Using WebLOAD to Monitor Your Production Environment

Lab 5.5 Configuring Logging

Copyright 2013 Trend Micro Incorporated. All rights reserved.

Setting Up Specify to use a Shared Workstation as a Database Server

IceWarp to IceWarp Server Migration

tibbr Now, the Information Finds You.

Ciphermail for BlackBerry Quick Start Guide

NetCrunch 6. AdRem. Network Monitoring Server. Document. Monitor. Manage

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd.

Integrating cloud services with Polaris. Presented by: Wes Osborn

AlienVault Unified Security Management (USM) 4.x-5.x. Deploying HIDS Agents to Linux Hosts

Transcription:

OpenCanary Documentation Release 0.1 Thinkst Applied Research May 09, 2016

Contents 1 Getting Started 3 2 Services 7 3 Alerting 9 4 Indices and tables 11 i

ii

OpenCanary Documentation, Release 0.1 Welcome to the OpenCanary guide. OpenCanary is a daemon that runs canary services, which trigger alerts when (ab)used. The alerts can be sent to a variety of sources, including syslog, emails and a companion daemon opencanary-correlator. The Correlator coalesces multiple related events (eg. individual brute-force login attempts) into a single alert sent via email or SMS. Contents 1

OpenCanary Documentation, Release 0.1 2 Contents

CHAPTER 1 Getting Started The first section will get you quickly up and running with canary services sending alerts. 1.1 OpenCanary 1.1.1 Getting Started To get started create a virtual environment to play in: $ virtualenv env $. env/bin/activate Inside the virtualenv, install OpenCanary following the instructions in the README. OpenCanary ships with a default config, which we ll copy and edit to get started. The config is a single JSON dictionary. $ opencanaryd --copyconfig $ $EDITOR ~/.opencanary.conf In the config file we ll change device.node_id which must be unique for each instance of opencanaryd, and we ll configure logger to log alerts to a file. "device.node_id": "Your-very-own-unique-name", [...] "logger": "class" : "PyLogger", "kwargs" : "handlers": "file": "class": "logging.filehandler", "filename": "/var/tmp/opencanary.log" [...] With that in place, we can run the daemon, and test that it logs a failed FTP login attempt to the log file. 3

OpenCanary Documentation, Release 0.1 $ opencanaryd --start [...] $ ftp localhost [...] $ cat /var/tmp/opencanary.log [...] "dst_host": "127.0.0.1", "dst_port": 21, "local_time": "2015-07-20 13:38:21.281259", "logdata": "PA 1.1.2 Troubleshooting The tool JQ can be used to check that the config file is well-formed JSON. $ jq. ~/.opencanary.conf Run opencanaryd in the foreground to see more error messages. $ sudo env/bin/twistd -noy env/bin/opencanary.tac 1.2 Correlator 1.2.1 Getting Started To get started create a virtual environment to play in: $ virtualenv env $. env/bin/activate Inside the virtualenv, install OpenCanary Correlator following the instructions in the README. The correlator runs with a default config, which we ll copy and edit to get started. $ opencanary-correlator Warning: no config file specified. Using the template config: /[...]/opencanary_correlator.conf $ cp /[...]/opencanary_correlator.conf opencanary-correlator.conf In the config file, fill the twilio or mandrill details (or both), and the notification addresses for both. "console.sms_notification_enable": true, "console.sms_notification_numbers": ["+336522334455"], "console.email_notification_enable": true, "console.email_notification_address": ["notifications@opencanary.org"], "twilio.auth_token": "fae9206628714fb2ce00f72e94f2258f", "twilio.from_number": ""+1201253234"", "twilio.sid": "BD742385c0810b431fe2ddb9fc327c85ad", "console.mandrill_key": "9HCjwugWjibxww7kPFej", "scans.network_portscan_horizon": 1000, With that in place, ensure that redis is running and then run the correlator daemon. $ pgrep redis-server echo 'Redis is not running!' $ opencanary-correlator --config=./opencanary-correlator.conf 4 Chapter 1. Getting Started

OpenCanary Documentation, Release 0.1 To configure OpenCanary daemons to send their events to correlator, edit the logger field in its config and restart the daemon to reload the config. "logger": "class" : "PyLogger", "kwargs" : "handlers": "json-tcp": "class": "opencanary.logger.socketjsonhandler", "host": "127.0.0.1", # change to correlator IP "port": 1514 1.2.2 Troubleshooting You can test that the Correlator alerts are working be sending an event direclty to it (without using OpenCanary). echo '"dst_host": "9.9.9.9", "dst_port": 21, "local_time": "2015-07-20 13:38:21.281259", "logdata": The tool JQ can be used to check that the config file is well-formed JSON. $ jq../opencanary-correlator.conf 1.2. Correlator 5

OpenCanary Documentation, Release 0.1 6 Chapter 1. Getting Started

CHAPTER 2 Services Try these out in the OpenCanary configs for more typical server personalities. 2.1 Linux Web Server Inside ~/.opencanary.conf: "ftp.banner": "FTP server ready", "ftp.enabled": true, "ftp.port":21, "http.banner": "Apache/2.2.22 (Ubuntu)", "http.enabled": true, "http.port": 80, "http.skin": "naslogin", "http.skin.list": [ "desc": "Plain HTML Login", "name": "basiclogin", "desc": "Synology NAS Login", "name": "naslogin" ], "ssh.enabled": true, "ssh.port": 8022, "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4", [..] # logging configuration 2.2 Windows Server The Samba and RDP modules require an extra installation steps. It s a good idea to consult the README before trying this out. Inside ~/.opencanary.conf: 7

OpenCanary Documentation, Release 0.1 "smb.auditfile": "/var/log/samba-audit.log", "smb.configfile": "/etc/samba/smb.conf", "smb.domain": "corp.thinkst.com", "smb.enabled": true, "smb.filelist": [ "name": "2016-Tender-Summary.pdf", "type": "PDF", "name": "passwords.docx", "type": "DOCX" ], "smb.mode": "workgroup", "smb.netbiosname": "FILESERVER", "smb.serverstring": "Windows 2003 File Server", "smb.sharecomment": "Office documents", "smb.sharename": "Documents", "smb.sharepath": "/changeme", "smb.workgroup": "OFFICE", "rdp.enabled": true, "rdp.port", 3389, [..] # logging configuration 2.3 MySQL Server Inside ~/.opencanary.conf: "mysql.banner": "5.5.43-0ubuntu0.14.04.1", "mysql.enabled": true, "mysql.port": 3306, "ssh.enabled": true, "ssh.port": 22, "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4", [..] # logging configuration 2.4 MSSQL Server Inside ~/.opencanary.conf: "mssql.enabled": true, "mssql.port": 1433, "mssql.version": "2012", "rdp.enabled": true, "rdp.port", 3389, [..] # logging configuration 8 Chapter 2. Services

CHAPTER 3 Alerting Getting Started walks through two different ways to configure alerting: logging directly to a file, and sending alerts to the Correlator for email and SMS alerts. Other possibilities are below: 3.1 Email Alerts To have an OpenCanary daemon directly send email alerts edit the logger section of the ~/.opencanary.conf. The file format is JSON. In the configurations below, set these configuration variables: mailhost - The SMTP mailhost and port. fromaddr - The from address. Usually does not have to exist. toaddres - An array of addresses that will receive the alert. Keep it short. subject - The email s subject. credentials - Optional parameter, if the SMTP server requires authentication. More information can be found on the PyLogger page. 3.1.1 Send to a GMail address [..] # Services configuration "logger": "class" : "PyLogger", "kwargs" : "handlers": "SMTP": "class": "logging.handlers.smtphandler", "mailhost": ["smtp.gmail.com", 25], "fromaddr": "noreply@yourdomain.com", "toaddrs" : ["youraddress@gmail.com"], "subject" : "OpenCanary Alert" 9

OpenCanary Documentation, Release 0.1 3.1.2 Send with SMTP authentication [..] # Services configuration "logger": "class" : "PyLogger", "kwargs" : "handlers": "SMTP": "class": "logging.handlers.smtphandler", "mailhost": ["authenticated.mail.server", 25], "fromaddr": "canary@yourdomain.com", "toaddrs" : ["youraddress@yourdomain.com"], "subject" : "OpenCanary Alert", "credentials" : ["myusername", "password1"] 3.2 HPFeeds OpenCanary can be used directly (without the Correlator) with daemons supporting the hpfeeds protocol. To enable hpfeeds add the following to the logging section of settings.json: "hpfeeds": "class": "opencanary.logger.hpfeedshandler", "host": "127.0.0.1", "port": 10000, "ident": "test", "secret":"12345", "channels":["test.events"] 10 Chapter 3. Alerting

CHAPTER 4 Indices and tables genindex modindex search 11