OpenCanary and tokens
Mats Karlsson
2019-02-27
OpenCanary
OpenCanary is a daemon that runs canary services, which trigger alerts when used. The alerts can be sent to a variety of destinations, including syslog, email and a companion daemon, opencanary-correlator.
OpenCanary supports faking:
ssh        Secure Shell server which alerts on login attempts
ftp        File Transfer Protocol server which alerts on login attempts
git        Git protocol which alerts on repo cloning
http       HTTP web server that alerts on login attempts
httpproxy  HTTP web proxy that alerts when there is an attempt to proxy to another page
mssql      MS SQL server that alerts on login attempts
mysql      MySQL server that alerts on login attempts
telnet     Telnet server that alerts on login attempts
snmp       SNMP server which alerts on OID requests
sip        SIP server which alerts on SIP requests
vnc        VNC server which alerts on login attempts
redis      Redis server which alerts on actions
tftp       TFTP server which alerts on requests
ntp        NTP server which alerts on NTP requests
tcpbanner  TCP banner service which alerts on connection and subsequent data received events
System design (diagram: two Canary nodes and a Canary Correlator)
Easy to install
https://github.com/thinkst/opencanary
apt install python-dev python-pip python-virtualenv
virtualenv env/
. env/bin/activate          # source the virtualenv; running the script directly does nothing for the current shell
pip install opencanary
pip install opencanary-correlator
opencanaryd --copyconfig    # writes a default config to ~/.opencanary.conf
$EDITOR ~/.opencanary.conf  # enable the services you want faked
opencanaryd --start
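Once the daemon is running, each alert is one JSON object per line, whether it goes to the log file, syslog or the correlator. The script below is an added example, not code from the deck or from the OpenCanary project: it parses such lines into a per-source summary. The sample lines are constructed here, and the logtype codes are my assumption about OpenCanary's logger constants, to be checked against the installed version.

```python
# Summarise OpenCanary JSON alert lines per source host.
# Added example, not from the deck or the OpenCanary project. The logtype
# codes are my assumption about OpenCanary's logger constants; verify them.
import json
from collections import defaultdict

LOGTYPE_SERVICE = {  # assumed logtype -> faked service/event
    2000: "ftp login attempt",
    3001: "http login attempt",
    4000: "ssh new connection",
    4002: "ssh login attempt",
    6001: "telnet login attempt",
    8001: "mysql login attempt",
}

# Constructed sample lines in the shape opencanaryd writes to its log file.
SAMPLE_LOG = """\
{"dst_host": "10.0.0.5", "dst_port": 22, "local_time": "2019-02-27 10:00:01.000000", "logdata": {"SESSION": "1"}, "logtype": 4000, "node_id": "canary-1", "src_host": "10.0.0.99", "src_port": 51000}
{"dst_host": "10.0.0.5", "dst_port": 22, "local_time": "2019-02-27 10:00:02.000000", "logdata": {"USERNAME": "root", "PASSWORD": "toor"}, "logtype": 4002, "node_id": "canary-1", "src_host": "10.0.0.99", "src_port": 51000}
{"dst_host": "10.0.0.5", "dst_port": 21, "local_time": "2019-02-27 10:00:05.000000", "logdata": {"USERNAME": "anonymous", "PASSWORD": "x"}, "logtype": 2000, "node_id": "canary-1", "src_host": "10.0.0.77", "src_port": 40212}
not a json line: daemon chatter that a parser must tolerate
{"dst_host": "10.0.0.5", "dst_port": 23, "local_time": "2019-02-27 10:00:09.000000", "logdata": {"USERNAME": "admin", "PASSWORD": "admin"}, "logtype": 6001, "node_id": "canary-1", "src_host": "10.0.0.99", "src_port": 51233}
"""

def parse_alerts(text):
    """Yield (src_host, service, username) for each well-formed alert line."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue  # boot/status chatter and blank lines are not alerts
        if not isinstance(event, dict) or "logtype" not in event:
            continue
        service = LOGTYPE_SERVICE.get(event["logtype"], f"logtype {event['logtype']}")
        username = (event.get("logdata") or {}).get("USERNAME")
        yield event.get("src_host", "?"), service, username

def summarise(text):
    """Return {src_host: {service: count}} so a noisy source stands out."""
    counts = defaultdict(lambda: defaultdict(int))
    for src, service, _ in parse_alerts(text):
        counts[src][service] += 1
    return {src: dict(c) for src, c in counts.items()}

if __name__ == "__main__":
    for src, c in sorted(summarise(SAMPLE_LOG).items()):
        print(src, c)
```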
Canary Tokens
You'll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page's image tag, and monitoring incoming GET requests.
Imagine doing that, but for file reads, database queries, process executions, patterns in log files, Bitcoin transactions or even LinkedIn profile views. Canarytokens does all this and more.
Implant traps in your production systems rather than setting up separate honeypots.
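A minimal version of the web-bug mechanism described above, as an added example that is not code from the deck or from canarytokens.org: it mints an unguessable token, hands back the image tag to plant, and turns any GET of that URL into an alert record. The URL layout, the in-memory token store and the alert fields are my own assumptions.

```python
# Minimal canary-token "web bug": an unguessable image URL whose GET is an alert.
# Added example, not from the deck or canarytokens.org; the URL layout,
# token store and alert record shape are my own assumptions.
import secrets
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# 1x1 transparent GIF, the classic web-bug response body.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
             b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

TOKENS = {}  # token id -> memo saying where the token was planted
ALERTS = []  # one record per GET of a known token

def create_token(memo, base_url="http://canary.example"):
    """Mint a token, remember its memo, return (id, <img> tag to plant)."""
    token = secrets.token_urlsafe(16)
    TOKENS[token] = memo
    return token, f'<img src="{base_url}/t/{token}.gif" width="1" height="1">'

def record_hit(path, src_host, user_agent):
    """Return an alert record if path names a known token, else None."""
    parts = path.split("?", 1)[0].split("/")
    if len(parts) != 3 or parts[1] != "t" or not parts[2].endswith(".gif"):
        return None
    memo = TOKENS.get(parts[2][:-4])
    if memo is None:
        return None  # unknown id: a probe or stale link, not a token hit
    alert = {"memo": memo, "src_host": src_host, "user_agent": user_agent,
             "time": datetime.now(timezone.utc).isoformat()}
    ALERTS.append(alert)
    return alert

class TokenHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        alert = record_hit(self.path, self.client_address[0],
                           self.headers.get("User-Agent", ""))
        if alert:
            print("ALERT:", alert)  # real deployments: syslog, email, correlator
        self.send_response(200)  # always serve the pixel; the viewer learns nothing
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

if __name__ == "__main__":
    print(create_token("planted in finance/Q1-report.docx")[1])
    HTTPServer(("127.0.0.1", 8080), TokenHandler).serve_forever()
```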
Canary Tokens - generate
https://canarytokens.org/generate
Mats Karlsson
Linux, Infrastructure and Nerd.
And a passionate maker with Arduino
and electronics.
https://www.linkedin.com/in/matsk/
mats.o.karlsson@gmail.com