thinkst / opencanary

Modular and decentralised honeypot
http://opencanary.org
BSD 3-Clause "New" or "Revised" License
2.28k stars, 357 forks

Change in rsyslog log entry - No alerts for SMB service in opencanary console #226

Closed greycel closed 1 year ago

greycel commented 1 year ago

I've deployed the opencanary service docker image on Rocky Linux v8, configured SAMBA and the RSyslog service as per the documentation, and was able to get the logs into "/var/log/samba-audit.log", but couldn't see the alerts in the opencanary debug console.

Upon further analysis and troubleshooting, I observed that the log entries generated by "RSYSLOG v8.2102.0-10.el8" in "/var/log/samba-audit.log" were slightly different from what I've seen in other SMB-related issues.

Sample log entries:

Dec 17 16:09:28 rocky smbd_audit[37113]: user1|192.168.15.105|192.168.15.111|sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:09:28|SRV01|pread_send|ok|/samba/share/testing.txt
Dec 17 16:09:28 rocky smbd_audit[37113]: user1|192.168.15.105|192.168.15.111|sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:09:28|SRV01|pread_recv|ok|/samba/share/testing.txt
Dec 17 16:10:27 rocky smbd_audit[37790]: user1|192.168.15.105|192.168.15.111|sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:10:27|SRV01|pread_send|ok|/samba/share/testing.txt
Dec 17 16:10:27 rocky smbd_audit[37790]: user1|192.168.15.105|192.168.15.111|sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:10:27|SRV01|pread_recv|ok|/samba/share/testing.txt

Log entries have some random ID appended to "smbd_audit". In this case, "smbd_audit[37113]:" makes the regular expression in the "samba.py" module file fail.

As a workaround, I've made the below changes to the "samba.py" module file:

Changed From: audit_re = re.compile(r'^.*smbd_audit:.*$')
Changed to: audit_re = re.compile(r'^.*smbd_audit\[\d{2,}\]:.*$')

Changed From: data = line.split('smbd_audit:',1)[-1].strip().split('|')
Changed to: data = line.split(']:',1)[-1].strip().split('|')

There could be a better approach, but this worked for me.
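As an added example (not opencanary's samba.py and not greycel's workaround), here is a parser that accepts both the bare `smbd_audit:` tag and rsyslog's `smbd_audit[PID]:` tag with any PID length, keeps the PID, and splits the pipe-delimited payload into named columns. The column names are an assumption inferred from the 13-field sample lines above, and the sample input is constructed from those lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Accept both "smbd_audit:" and rsyslog's "smbd_audit[<pid>]:" program tag.
# \d+ rather than \d{2,} so a single-digit PID (e.g. inside a container) still matches.
AUDIT_RE = re.compile(r"smbd_audit(?:\[(?P<pid>\d+)\])?:\s*(?P<payload>.*)$")

# Column names are an assumption inferred from the 13-field sample lines in the
# issue; they are not taken from Samba's documentation or from opencanary.
FIELDS = ("user", "client_ip", "server_ip", "client_name", "share", "session",
          "protocol", "client_os", "timestamp", "server", "operation", "result",
          "path")


@dataclass
class AuditEvent:
    pid: Optional[int]
    fields: dict


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for an smbd_audit line, or None if it is not one."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    parts = m.group("payload").strip().split("|")
    if len(parts) != len(FIELDS):
        return None  # unexpected layout: drop rather than mis-assign columns
    pid = int(m.group("pid")) if m.group("pid") else None
    return AuditEvent(pid=pid, fields=dict(zip(FIELDS, parts)))


def parse_audit_log(lines):
    """Parse many lines, skipping anything that is not an smbd_audit entry."""
    return [ev for ev in map(parse_audit_line, lines) if ev is not None]


# Constructed sample input: lines 1-2 use the issue's rsyslog format (one with a
# short PID), line 3 is the older tag without a PID, line 4 is unrelated syslog.
SAMPLE_LINES = [
    "Dec 17 16:09:28 rocky smbd_audit[37113]: user1|192.168.15.105|192.168.15.111|"
    "sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:09:28|SRV01|pread_send|ok|/samba/share/testing.txt",
    "Dec 17 16:09:28 rocky smbd_audit[7]: user1|192.168.15.105|192.168.15.111|"
    "sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:09:28|SRV01|pread_recv|ok|/samba/share/testing.txt",
    "Dec 17 16:09:28 rocky smbd_audit: user1|192.168.15.105|192.168.15.111|"
    "sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:09:28|SRV01|connect|ok|itshare",
    "Dec 17 16:09:30 rocky sshd[412]: Accepted publickey for user1 from 192.168.15.105",
]

if __name__ == "__main__":
    for ev in parse_audit_log(SAMPLE_LINES):
        print(ev.pid, ev.fields["operation"], ev.fields["path"])
```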

jayjb commented 1 year ago

Hi @greycel,

Thanks for writing in. That workaround looks like a good way to go. We have actually noticed that the log reading code is quite fragile because it breaks if the logging changes for newer Samba versions (it's something we need to figure out going forward).

If you want to create a PR, we would be happy to look through it and try to figure out a better way of handling these kinds of issues.

jayjb commented 1 year ago

Hi @greycel,

I have made some improvements to the samba log line handling. Thanks for reporting this (and for supplying helpful information). I'm closing this issue since it has been resolved.