thinkst / opencanary

Modular and decentralised honeypot
http://opencanary.org
BSD 3-Clause "New" or "Revised" License

IP Ignorelisting not working #136

Closed CubeF4rm closed 3 years ago

CubeF4rm commented 3 years ago

I'm trying to whitelist our vulnerability and asset scanning servers as they're triggering port scan alerts on the canary.

I've tried adding the IPs into the ignorelist setting in opencanary.conf, but it's not working.

What's the correct syntax for adding IPs to ignore?

cecio commented 3 years ago

Hello.

The syntax should be the following:

"ip.ignorelist": [ "192.168.1.1/32", "192.168.2.1/28" ]

IP format is:

    Range is expected to be in CIDR notation format. If no MASK is
    given /32 is used. It return True if the IP is in the range.

Let me know if this fixes the issue.

CubeF4rm commented 3 years ago

I'm afraid not. I set it to: "ip.ignorelist": [ "172.25.1.137/32" ],

Here is an example event generated: {"dst_host": "172.25.0.117", "dst_port": "139", "local_time": "2021-04-28 10:17:59.448620", "local_time_adjusted": "2021-04-28 11:17:59.448687", "logdata": {"ID": "941", "IN": "ens160", "LEN": "44", "MAC": "00:50:56:90:57:9d:00:50:56:90:e4:25:08:00", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "RES": "0x00", "SYN": "", "TOS": "0x00", "TTL": "39", "URGP": "0", "WINDOW": "1024"}, "logtype": 5001, "node_id": "opencanary-1", "src_host": "172.25.1.137", "src_port": "40290", "utc_time": "2021-04-28 10:17:59.448674"}

cecio commented 3 years ago

OK. I'll have a deeper look into this. I'll let you know.

cecio commented 3 years ago

OK, got it: for portscan (and a few other services, mainly where there is an external log check) the verification is done outside the __init__ module. It could be an easy fix, but I'd like to discuss it with @jayjb to define the best approach for this. Thanks.

cecio commented 3 years ago

@jayjb Given this, might it make sense to move the check from the __init__ to the log method in logger.py? What do you think about it? If you agree I can work on it.

jayjb commented 3 years ago

@cecio, yes, I see the issue. There is a discrepancy between logging through the CanaryService to our logger, and actually just logging straight to the logger from the module.

I like the idea of moving it to that very end point in logger.py. Thanks for picking this up! Let me know if there's anything I can assist with.
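The logger-level check the two comments above agree on, as an added example (not opencanary's own code): it parses ip.ignorelist the way the thread describes (a bare address means /32) and drops any event whose src_host falls in an ignored range, so a portscan event like the one in the report is filtered regardless of which module produced it. The function names, the second event and the config values are constructed for this example.

```python
import ipaddress

# Constructed config mirroring the report: the scanner host with an explicit /32,
# plus a range written with host bits set, as in the syntax example above.
CONFIG = {"ip.ignorelist": ["172.25.1.137/32", "192.168.2.1/28"]}

# Constructed sample events: the first is the portscan event quoted in the report,
# the second is a made-up event from a host that is not on the ignorelist.
SAMPLE_EVENTS = [
    {"dst_host": "172.25.0.117", "dst_port": "139", "logtype": 5001,
     "node_id": "opencanary-1", "src_host": "172.25.1.137", "src_port": "40290"},
    {"dst_host": "172.25.0.117", "dst_port": "22", "logtype": 4000,
     "node_id": "opencanary-1", "src_host": "10.0.0.5", "src_port": "51000"},
]


def parse_ignorelist(ranges):
    """Turn ip.ignorelist entries into network objects.
    An entry without a mask is treated as a single host (/32 for IPv4, /128 for IPv6).
    strict=False accepts entries like 192.168.2.1/28 by masking off the host bits."""
    nets = []
    for entry in ranges:
        if "/" in entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
        else:
            nets.append(ipaddress.ip_network(ipaddress.ip_address(entry)))
    return nets


def is_ignored(src_host, nets):
    """True if src_host lies inside any ignored range.
    A missing or unparsable source address is never ignored: the event still gets logged."""
    try:
        addr = ipaddress.ip_address(src_host)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def filter_events(events, ignorelist):
    """Apply the ignorelist at the logging endpoint, i.e. to every event regardless
    of whether the producing module went through CanaryService or logged directly."""
    nets = parse_ignorelist(ignorelist)
    return [ev for ev in events if not is_ignored(ev.get("src_host", ""), nets)]


if __name__ == "__main__":
    for ev in filter_events(SAMPLE_EVENTS, CONFIG["ip.ignorelist"]):
        print("logged:", ev["src_host"], "->", ev["dst_port"])
```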

jayjb commented 3 years ago

Hi @cubefarm,

Thanks for reporting the issue. It's a good find. We should have a fix ready soon for you!

jayjb commented 3 years ago

Hi @CubeF4rm,

This should be fixed.