Bypass honeypot detection

[ruppde]

Is your feature request related to a problem? Please describe. The tool honeydet is able to detect opencanary: https://github.com/referefref/honeydet/blob/main/signatures.yaml

Describe the solution you'd like Change opencanary to bypass that detection.

Describe alternatives you've considered I see 2 options:

1. Fix the underlying problem like e.g. handling of special characters
2. Write a specific bypass for the detection rule. Would be quicker but is avoided with a slight change in the signatures.yaml mentioned above => cat & mouse game.

Additional context https://github.com/referefref/honeydet

[jayjb]

Hi @ruppde,

Thanks for reporting. We have looked into this and found the following:

• old redis responds as we did. so it’s not a honeypot marker, it’s an old-redis marker in a sense.
• redis has switched the message 4 times in the last few years

  "unknown command '%.128s', with args beginning with: %s"
  "unknown command '%s', with args beginning with: %s"
  "unknown command `%s`, with args beginning with: %s"
  "unknown command '%s'"

What we will do however, is we can build a detection around whether someone is trying to run honeydet against our OpenCanary software.