thinkst / opencanary

Modular and decentralised honeypot
http://opencanary.org
BSD 3-Clause "New" or "Revised" License

Contact MAC address #182

Status: Closed (gaevoc closed 2 years ago)

gaevoc commented 2 years ago

Hi OpenCanary team, first of all, thank you for your great work; I appreciate it.

My question is about the MAC address of incoming connections: is there any way to include it in the logged record? This would be very useful in the intrusion investigation phase.

Thank you

HybridAU commented 2 years ago

Hey @gaevoc

That's an interesting idea, but unfortunately I can't think of a practical way to implement it. Unlike the client IP address, the client MAC address changes with each hop across the network, so if an OpenCanary is plugged into a switch or router, all the traffic will have the MAC address of that switch rather than the actual client MAC address.

There are some ways to link an IP address to a MAC address, such as ARP or looking at DHCP logs, so there might be a way to do it, but it's not going to be easy or reliable.
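A sketch of the ARP approach mentioned above, as an added example that is not part of this thread or of OpenCanary's code: it enriches a logged event with a MAC address from the honeypot host's ARP cache, and records why no MAC is given when the source is off-subnet or unresolved. Assumptions: a Linux host (the `/proc/net/arp` layout), events available as JSON with a `src_host` field, and the hypothetical helper names `parse_arp` and `enrich`; the sample table and events are constructed.

```python
import ipaddress
import json

# Constructed sample in the Linux /proc/net/arp layout (not data from the issue).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        eth0
192.168.1.57     0x1         0x2         AA:BB:CC:00:00:39     *        eth0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

def parse_arp(text):
    """Return {ip: mac} for resolved entries only (ATF_COM flag 0x2 set)."""
    table = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 6 and int(fields[2], 16) & 0x2:
            table[fields[0]] = fields[3].lower()
    return table

def enrich(event_json, arp, local_net):
    """Add src_mac to one JSON event, but only when the MAC can mean something."""
    event = json.loads(event_json)
    try:
        src = ipaddress.ip_address(event.get("src_host") or "")
    except ValueError:
        event.update(src_mac=None, src_mac_note="no usable src_host")
        return event
    if src not in ipaddress.ip_network(local_net):
        # Routed traffic: the frame carried the last hop's MAC, so logging it
        # would only ever identify the gateway, never the client.
        event.update(src_mac=None, src_mac_note="off-subnet, MAC is last hop")
    elif str(src) in arp:
        # Same segment: best effort only, since the address can be spoofed.
        event.update(src_mac=arp[str(src)], src_mac_note="from ARP cache")
    else:
        # Entry missing or incomplete: the cache ages out, so look up promptly.
        event.update(src_mac=None, src_mac_note="no resolved ARP entry")
    return event

if __name__ == "__main__":
    arp = parse_arp(SAMPLE_ARP)
    for src in ("192.168.1.57", "203.0.113.8", "192.168.1.99"):
        line = json.dumps({"src_host": src, "dst_port": 22})  # constructed event
        print(json.dumps(enrich(line, arp, "192.168.1.0/24")))
```

On a live host the table text would come from reading `/proc/net/arp` at the time the event is logged.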

gaevoc commented 2 years ago

Hi @HybridAU, thank you for your kind answer, I understand your point. Looks like there is nothing easy that can be done to retrieve this information, I will do without :)