This document discusses Canary and OpenCanary honeypot tools. Canary is a commercial tool that mimics operating systems and services to detect interactions from attackers. It has a graphical user interface and integrates with services like Slack. OpenCanary is an open source alternative that is less feature-rich but free to use. It requires configuring via text files rather than a GUI. The document also explores using Vagrant to automatically deploy OpenCanary virtual machines.

1. Canary & OpenCanary

2. What’s a Canary
https://canary.tools
● “Any Interaction” Honeypot
● Mimic “interesting” OS and services
● Any interaction results in an alert

3. What’s a Canary
https://canary.tools/#how-it-works

4. What’s a Canary

5. What’s a Canary
For-Pay ones are super feature rich
● Multiple services, multiple HTTP skins
● Magically reports back to thinkst for you (over DNS I believe)
● Configure with their GUI and magically upload to the device
● Slack webhook
● Basic API to retrieve alerts
○ Ended up writing some python to pull these alerts and post into our SIEM because there was
no splunk integration

6. What’s a Canary
GUI Set-up

7. What’s a Canary
Pricing
https://canary.tools/#pricing
Canary pricing allows you to start immediately, with tiny upfront costs. For under
$10k, you get 5 Canaries, a dedicated console, and 5 licences for alerts, support
and maintenance.

8. OpenCanary
https://github.com/thinkst/opencanary
Thinkst doesn’t currently have VM/OVA but I was told it was in the works
OpenCanary in the meantime
● Not nearly as feature rich
● No slick gui to config (have to use a conf file)
● No recent updates by Thinkst
● But works ok…
● And it’s free

9. OpenCanary
Decided to use vagrant to spin these things up

10. OpenCanary
Decided to use vagrant to spin these things up

11. OpenCanary

12. OpenCanary

13. OpenCanary

14. OpenCanary
Logging

15. OpenCanary
Logging

16. OpenCanary
Not Vaporware!
https://github.com/carnal0wnage/vagrant_opencanary