thinkst / opencanary

Modular and decentralised honeypot
http://opencanary.org
BSD 3-Clause "New" or "Revised" License

PyLogger #203

Closed Neleus closed 1 year ago

Neleus commented 2 years ago

How to exclude some logs from alerting? I'm using opencanary.logger.SocketJSONHandler in my OpenCanary conf. In my email I've received the following alerts:

{"dst_host": "192.168.1.121", "dst_port": "445", "local_time": "2022-07-19 11:09:28.443132", "local_time_adjusted": "2022-07-19 11:09:28.443529", "logdata": {"DF": "", "ID": "49799", "IN": "eth0", "LEN": "60", "MAC": "XX:XX:XX:XX:XX:XX", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "RES": "0x00", "SYN": "", "TOS": "0x00", "TTL": "64", "URGP": "0", "WINDOW": "65535"}, "logtype": 5001, "node_id": "opencanary-node1", "src_host": "192.168.1.11", "src_port": "38610", "utc_time": "2022-07-19 11:09:28.443409"}

But I want to receive something like this:

{"dst_host": "192.168.1.121", "dst_port": "445", "local_time": "2022-07-19 11:09:28", "node_id": "opencanary-node1", "src_host": "192.168.1.11", "}

How can I manage these alert logs? Where can the log templates be edited? Thanks for the help.
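One way to get the reduced alert shape asked for above without touching OpenCanary's modules is to filter on the receiving side. The following is an added example, not OpenCanary's own code: it assumes that SocketJSONHandler delivers one JSON object per line over a TCP connection (an assumption about the handler, not confirmed by this thread), and it uses the field names and the logtype value 5001 from the alert pasted in the question. It keeps only a whitelist of keys, trims the microseconds from local_time, and can drop whole logtypes that should never alert.

```python
import json
import socketserver

# Constructed sample: the alert pasted in the issue above, as one JSON line
# (MAC address anonymised exactly as in the original post).
SAMPLE_LINE = (
    '{"dst_host": "192.168.1.121", "dst_port": "445", '
    '"local_time": "2022-07-19 11:09:28.443132", '
    '"local_time_adjusted": "2022-07-19 11:09:28.443529", '
    '"logdata": {"DF": "", "ID": "49799", "IN": "eth0", "LEN": "60", '
    '"MAC": "XX:XX:XX:XX:XX:XX", "OUT": "", "PREC": "0x00", "PROTO": "TCP", '
    '"RES": "0x00", "SYN": "", "TOS": "0x00", "TTL": "64", "URGP": "0", '
    '"WINDOW": "65535"}, "logtype": 5001, "node_id": "opencanary-node1", '
    '"src_host": "192.168.1.11", "src_port": "38610", '
    '"utc_time": "2022-07-19 11:09:28.443409"}'
)

# The fields the reporter wanted to keep, taken from their desired output.
KEEP_FIELDS = ("dst_host", "dst_port", "local_time", "node_id", "src_host")


def trim_alert(raw_line, keep=KEEP_FIELDS, drop_logtypes=frozenset()):
    """Parse one JSON log line; return the reduced event, or None to suppress it."""
    try:
        event = json.loads(raw_line)
    except json.JSONDecodeError:
        return None  # malformed line: never forward it as an alert
    if not isinstance(event, dict):
        return None
    if event.get("logtype") in drop_logtypes:
        return None  # whole categories (e.g. port-scan noise) can be muted here
    reduced = {k: event[k] for k in keep if k in event}
    if isinstance(reduced.get("local_time"), str):
        # "2022-07-19 11:09:28.443132" -> "2022-07-19 11:09:28"
        reduced["local_time"] = reduced["local_time"].split(".")[0]
    return reduced


def filter_stream(lines, **kwargs):
    """Yield compact JSON strings for every line that survives trim_alert()."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        reduced = trim_alert(line, **kwargs)
        if reduced is not None:
            yield json.dumps(reduced, sort_keys=True)


class AlertHandler(socketserver.StreamRequestHandler):
    """Receives newline-delimited JSON (assumed SocketJSONHandler format)
    and prints the reduced alerts; replace print() with your mailer."""

    def handle(self):
        for line in self.rfile:
            for alert in filter_stream([line.decode("utf-8", "replace")],
                                       drop_logtypes=self.server.drop_logtypes):
                print(alert)


def serve(host="127.0.0.1", port=1514, drop_logtypes=frozenset()):
    # Hypothetical listener address; point SocketJSONHandler at it.
    with socketserver.ThreadingTCPServer((host, port), AlertHandler) as srv:
        srv.drop_logtypes = drop_logtypes
        srv.serve_forever()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then listen for real ones.
    for alert in filter_stream([SAMPLE_LINE]):
        print(alert)
    serve()
```

Dropping a logtype (for example `drop_logtypes={5001}` to mute the port-scan category in this sample) silences those events in email only; the full record still reaches whatever other handlers the OpenCanary config sends logs to, so nothing is lost for later investigation.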

Neleus commented 2 years ago

As I understand it, all templates are located in the modules directory (opencanary/modules/portscan.py, for example). But how do I manage the alert notifications as I described above? I need your help to resolve this.

jayjb commented 2 years ago

Hi @Survial,

We usually recommend Opencanary Correlator to help with alerting since Opencanary can produce a lot of logs. You can read about it over here. It is part of our roadmap to build in better alert handling and clean up the logs a bit, but we haven't got there yet.

Neleus commented 2 years ago

@jayjb Opencanary Correlator uses the old Python version 2.7, but on Python 3+ it doesn't work (it's a big problem).
It would be perfect to update it to Python 3. Thanks.

manincharge commented 2 years ago

Survial, you can run both simultaneously. A bit of a hassle, but doable.

jayjb commented 2 years ago

Hi @Survial,

Yes, that's a good point; updating it to work with Python 3 would be useful. I'm nervous that the time spent on that would be better spent on building some better alert handling within the Opencanary project.