thinkst / opencanary

Modular and decentralised honeypot
http://opencanary.org
BSD 3-Clause "New" or "Revised" License

Expanding `message` into JSON #225

Closed tjaartvdwalt closed 1 year ago

tjaartvdwalt commented 1 year ago

I have a Webhook configuration similar to an example from the documentation:

"Webhook": {
    "class": "opencanary.logger.WebhookHandler",
    "url": "https://my_upload_url",
    "method": "POST",
    "headers": {
        "Authorization": "Bearer MY_TOKEN",
        "Content-Type": "application/json"
    },
    "data": {"collector": "canary", "content": "%(message)s"},
    "status_code": 200
}

I would like the request to have `message` be a JSON sub-document, but with the current syntax it is a string. I have been fiddling around, but I am unable to make it work.

Is it possible to do?

joewesch commented 1 year ago

Not with the current implementation, no. The WebhookHandler is a sub-class of logging.Handler which returns a Formatter record - which is text.

When you send in application/json it formats the data dictionary to a string. If what you want in the end is %(message)s to just be a part of the dictionary, you can format data to be a string and remove the header - essentially doing a json.dumps yourself.

I just put in a PR (#237) that will be required for this, but something like this should work afterward:

"Webhook": {
    "class": "opencanary.logger.WebhookHandler",
    "url": "https://my_upload_url",
    "method": "POST",
    "headers": {
        "Authorization": "Bearer MY_TOKEN"
    },
    "data": "{\"collector\": \"canary\", \"content\": %(message)s}",
    "status_code": 200
}

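Added example (not opencanary's code, nor joewesch's): a simplified model of how a `logging.Handler` fills `%(message)s` for the two `data` forms in the comment above, with a dict-valued `data` leaving the event as a quoted string and a string-valued `data` embedding it as a nested object. `render_webhook_body`, `_record`, `embedded_content` and the sample event are assumptions for illustration.

```python
import json
import logging
from typing import Any, Dict, Union


def _record(message: str) -> logging.LogRecord:
    """Build a LogRecord and set `message` the way logging.Formatter.format does,
    so that %(message)s placeholders can be filled from record.__dict__."""
    rec = logging.LogRecord("opencanary", logging.INFO, __file__, 0, message, None, None)
    rec.message = rec.getMessage()
    return rec


def render_webhook_body(data: Union[Dict[str, Any], str], record: logging.LogRecord) -> str:
    """Assumed model of the handler's behaviour (not the project's code):
    dict-valued data: each string value is %-formatted, then the dict is JSON-encoded,
      so the substituted event survives only as an escaped JSON *string*;
    string-valued data: the whole template is %-formatted, so a JSON event is
      spliced in verbatim and becomes a JSON *sub-document*."""
    fields = record.__dict__
    if isinstance(data, dict):
        body = {k: (v % fields if isinstance(v, str) else v) for k, v in data.items()}
        return json.dumps(body)
    rendered = data % fields
    json.loads(rendered)  # caveat: the embedded message must itself be valid JSON
    return rendered


# Constructed sample event, shaped like the log output quoted later in the thread
EVENT = {"logtype": 14001, "node_id": "canary-01", "logdata": {"USERNAME": None}}
MESSAGE = json.dumps(EVENT)

# The two configurations discussed above
DICT_DATA = {"collector": "canary", "content": "%(message)s"}
STRING_DATA = '{"collector": "canary", "content": %(message)s}'


def embedded_content(data: Union[Dict[str, Any], str]) -> Any:
    """Render the body for `data`, parse it, and return what landed under 'content'."""
    return json.loads(render_webhook_body(data, _record(MESSAGE)))["content"]


if __name__ == "__main__":
    print(render_webhook_body(DICT_DATA, _record(MESSAGE)))    # content is a quoted string
    print(render_webhook_body(STRING_DATA, _record(MESSAGE)))  # content is a nested object
```

The string form hands the receiver a nested object only because the message is already valid JSON; a non-JSON message would produce an invalid body, which is what the `json.loads` check in the string branch catches.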
joewesch commented 1 year ago

@tjaartvdwalt The changes that I described have been merged in now. If you are running the latest version from the repo you can try it out and see if it will work for you. If you are running the release version, you will need to wait for a new release before you can try out the changes.

hkelley commented 1 year ago

I can't speak for other systems, but at least for Splunk HEC, this config comes through as JSON (opencanary 0.9.0):

"Webhook": {
    "class": "opencanary.logger.WebhookHandler",
    "url": "https://http-inputs.xxx.splunkcloud.com/services/collector",
    "headers": {
        "Authorization": "Splunk xxxx",
        "Content-Type": "application/json"
    },
    "method": "POST",
    "data": {"host": "enter_node_id", "source": "opencanaryd", "event": "%(message)s"}
}

Tangentially related to the original issue, is there any way to substitute the node_id value within data?

joewesch commented 1 year ago

@hkelley what are you trying to substitute it with? You may be able to use the Environment Variables substitution.

hkelley commented 1 year ago

I'm trying to use $HOSTNAME (in both node_id and in the webhook data). The variable isn't being substituted in either:

Config:

{
    "device.node_id": "$HOSTNAME",
....
    "Webhook": {
        "class": "opencanary.logger.WebhookHandler",
...
        "method": "POST",
        "data": {"host": "$HOSTNAME", "source": "opencanaryd", "event": "%(message)s"}
    }
}

Result:

dst_port: 3389
   local_time: 2023-06-20 16:50:24.708368
   local_time_adjusted: 2023-06-20 16:50:24.708403
   logdata: { 
     USERNAME: null
   }
   logtype: 14001
   node_id: $HOSTNAME
   src_port: 14523
   utc_time: 2023-06-20 16:50:24.708398
}
host = [$HOSTNAME]

joewesch commented 1 year ago

I'm not able to reproduce this. I am using the docker version and I updated my device.node_id to "$HOSTNAME" as well and this was the output I got when I started the docker container:

... 
"logdata": {"msg": {"logdata": "Canary running!!!"}},
"logtype": 1001,
"node_id": "a274757b8576",
"src_host": "",
...

Which matches the docker hostname:

# echo $HOSTNAME
a274757b8576

Neleus commented 1 year ago

@tjaartvdwalt just use the Slack handler as I do. Its default type is JSON.

jayjb commented 1 year ago

Hi @hkelley,

Thanks for writing in. Reading this conversation, I am trying to reproduce your issue. Please can you let me know:

  1. How you are running opencanary
  2. What OS you are running it on
  3. What the webhook config looks like

tjaartvdwalt commented 1 year ago

@joewesch sorry for taking so long to reply. Your example works perfectly in 0.9!

As far as I am concerned, the original issue is resolved, but I will keep it open as there are still some secondary issues.

jayjb commented 1 year ago

Hi @tjaartvdwalt,

Please would you mind opening another issue to report a different issue? I'm glad the original issue is resolved.

jayjb commented 1 year ago

I'm closing this issue because the original reporter has had the issue resolved. Please feel free to reopen or create a new issue if there is something new to tackle!