hackern0v1c3 / CanaryPi

Startup project to create a simple to deploy honey pot style detection tool for alerting on common network attacks

Typo (sorta) on alert from port scan on 465 #17

Open 7MinSec opened 4 years ago

7MinSec commented 4 years ago

Hey buddy :-)

I'm gearing up for another Netwrix presentation and will be showing off CanaryPi again. I fired it up today and did a port scan from a machine on my network and noticed the email I get from the connection on 465 seems to have a typo:

[screenshot of the alert email]

The other alerts follow a format that looks more like:

Attack detected from ip x.x.x.x mac y
Portscan connection request sent to x.x.x.x:25

hackern0v1c3 commented 4 years ago

I am pretty sure this is a duplicate of issue #3 . But I'll see if I can go get it cleaned up real quick.

hackern0v1c3 commented 4 years ago

Taking a look back at this I am remembering why it works this way. When a new attack is detected it generates a notification that looks like this

Attack detected from ip x.x.x.x mac y
Portscan connection request sent to x.x.x.x:25

Then a log file is created that stores the attack type, source ip, and source mac address. That file is used to track the attack until it is no longer detected. Then when the attack is considered over you get the recovery notification and the log file is deleted.

To prevent confusion I had added a mechanism that runs when canary_pi starts up. It checks for any existing attack log files and if it finds any it sends a notification. I think the original idea behind this feature was that if attacks were detected, but your email settings weren't working, then when you fixed your email settings and restarted the program you would get your attack notifications.

These startup notifications use the log file names to generate the alerts. The log file has the attack type, source ip, and source mac address info but not the descriptive message that the other alert type has, so it looks a little different.

So I can think of two ways to make this better. I could prepend a line to the message that lets you know this is a startup alert so it would look something like this

CanaryPi is starting up and detected existing attack log files.
portscan265 attack detected from ip x mac y
See CanaryPi logs for more detail.

That would be a really quick simple fix.

Or when I create the initial log file I could write the descriptive message to the first line of the log file. This would be a little more work but would make all of the alerts consistent.

Maybe I do both. So the alerts are consistent but you know if it was sent due to a startup.
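A sketch of the "do both" approach described above, added here as an illustration and not CanaryPi's own code: the log file name scheme, the directory layout and the fallback for files without a stored message are assumptions.

```python
import os
import tempfile

# Added illustration, not CanaryPi's own code. Assumed layout: one attack log
# file per active attack, named "<type>_<ip>_<mac>.log", whose first lines
# hold the same descriptive message the live alert used.

BANNER = "CanaryPi is starting up and detected existing attack log files."
FOOTER = "See CanaryPi logs for more detail."

def log_path(log_dir, attack_type, ip, mac):
    return os.path.join(log_dir, f"{attack_type}_{ip}_{mac.replace(':', '-')}.log")

def record_attack(log_dir, attack_type, ip, mac, dst_ip, dst_port):
    """Create the tracking file (if new) and return the live alert text."""
    message = (f"Attack detected from ip {ip} mac {mac}\n"
               f"{attack_type.capitalize()} connection request sent to {dst_ip}:{dst_port}")
    path = log_path(log_dir, attack_type, ip, mac)
    if not os.path.exists(path):
        with open(path, "w") as f:
            f.write(message + "\n")   # descriptive message stored for later replay
    return message

def startup_alerts(log_dir):
    """Rebuild one alert per leftover log file, flagged as a startup alert."""
    alerts = []
    for name in sorted(os.listdir(log_dir)):
        if not name.endswith(".log"):
            continue
        with open(os.path.join(log_dir, name)) as f:
            body = f.read().rstrip("\n")
        if not body:
            # Older file with no stored message: fall back to the file name.
            attack_type, ip, mac = name[:-4].split("_", 2)
            body = f"{attack_type} attack detected from ip {ip} mac {mac.replace('-', ':')}"
        alerts.append(f"{BANNER}\n{body}\n{FOOTER}")
    return alerts

def demo():
    """Constructed scenario: one new-style log and one empty legacy log."""
    log_dir = tempfile.mkdtemp()
    live = record_attack(log_dir, "portscan", "10.0.0.5", "aa:bb:cc:dd:ee:ff", "10.0.0.1", 465)
    open(os.path.join(log_dir, "portscan_10.0.0.9_11-22-33-44-55-66.log"), "w").close()
    return live, startup_alerts(log_dir)

if __name__ == "__main__":
    live, alerts = demo()
    print(live, *alerts, sep="\n---\n")
```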

7MinSec commented 4 years ago

Awesome man. Not to make more work for you, but I'd vote for both if you're willing.