thinkst / opencanary

Modular and decentralised honeypot
http://opencanary.org
BSD 3-Clause "New" or "Revised" License

[BUG] HTTP/S logs won't show up in logfile #362

Closed admlko closed 1 month ago

admlko commented 1 month ago

Describe the bug HTTP/S logs won't show up in the logfile but do show up in the Docker container stdout. The webhook alert won't get triggered. Telnet seems to work just fine and triggers the webhook alert.

To Reproduce Steps to reproduce the behavior:

  1. Start a container with the thinkst/opencanary:latest image
  2. Make sure it's using the config from the /root/ directory (bind mounted)
  3. Open a console (exec bash) in the container
  4. Try to connect to the HTTP or HTTPS service using curl: curl -vv http://localhost
  5. Log lines appear in the Docker container stdout but not in the log file /var/tmp/opencanary.log, and the webhook alert doesn't get triggered.
  6. Try to connect to the Telnet service using curl: curl -vv telnet://localhost:23
  7. Log lines appear in the Docker container stdout and in the log file /var/tmp/opencanary.log, and the webhook alert triggers.

Expected behavior Log lines appearing in /var/tmp/opencanary.log and webhook triggering.

Additional context Configuration file contents:

{
    "device.node_id": "opencanary-1",
    "ip.ignorelist": [  ],
    "git.enabled": false,
    "git.port" : 9418,
    "ftp.enabled": true,
    "ftp.port": 21,
    "ftp.banner": "FTP server ready",
    "http.banner": "Apache/2.2.22 (Ubuntu)",
    "http.enabled": true,
    "http.port": 80,
    "http.skin": "nasLogin",
    "http.skin.list": [
        {
            "desc": "Plain HTML Login",
            "name": "basicLogin"
        },
        {
            "desc": "Synology NAS Login",
            "name": "nasLogin"
        }
    ],
    "https.enabled": true,
    "https.port": 443,
    "https.skin": "nasLogin",
    "https.certificate": "/etc/ssl/opencanary/opencanary.pem",
    "https.key": "/etc/ssl/opencanary/opencanary.key",
    "httpproxy.enabled" : false,
    "httpproxy.port": 8080,
    "httpproxy.skin": "squid",
    "httproxy.skin.list": [
        {
            "desc": "Squid",
            "name": "squid"
        },
        {
            "desc": "Microsoft ISA Server Web Proxy",
            "name": "ms-isa"
        }
    ],
    "llmnr.enabled": false,
    "llmnr.query_interval": 60,
    "llmnr.query_splay": 5,
    "llmnr.hostname": "DC03",
    "llmnr.port": 5355,
    "logger": {
        "class": "PyLogger",
        "kwargs": {
            "formatters": {
                "plain": {
                    "format": "%(message)s"
                },
                "syslog_rfc": {
                    "format": "opencanaryd[%(process)-5s:%(thread)d]: %(name)s %(levelname)-5s %(message)s"
                }
            },
            "handlers": {
                "console": {
                    "class": "logging.StreamHandler",
                    "stream": "ext://sys.stdout"
                },
                "file": {
                    "class": "logging.FileHandler",
                    "filename": "/var/tmp/opencanary.log"
                },
                "Webhook": {
                    "class": "opencanary.logger.WebhookHandler",
                    "url": "https://api.pushover.net/1/messages.json",
                    "method": "POST",
                    "data": {
                        "message": "%(message)s"
                    },
                    "params": {
                        "token": "REDACTED",
                        "user": "REDACTED"
                    },
                    "headers": {
                        "Content-Type": "application/json"
                    },
                    "status_code": 200,
                    "ignore": ["\"dst_port\": -1"]
                }
            }
        }
    },
    "portscan.enabled": false,
    "portscan.ignore_localhost": false,
    "portscan.logfile":"/var/log/kern.log",
    "portscan.synrate": 5,
    "portscan.nmaposrate": 5,
    "portscan.lorate": 3,
    "portscan.ignore_ports": [ ],
    "smb.auditfile": "/var/log/samba-audit.log",
    "smb.enabled": false,
    "mysql.enabled": false,
    "mysql.port": 3306,
    "mysql.banner": "5.5.43-0ubuntu0.14.04.1",
    "ssh.enabled": true,
    "ssh.port": 22,
    "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
    "redis.enabled": false,
    "redis.port": 6379,
    "rdp.enabled": false,
    "rdp.port": 3389,
    "sip.enabled": false,
    "sip.port": 5060,
    "snmp.enabled": false,
    "snmp.port": 161,
    "ntp.enabled": false,
    "ntp.port": 123,
    "tftp.enabled": false,
    "tftp.port": 69,
    "tcpbanner.maxnum":10,
    "tcpbanner.enabled": false,
    "tcpbanner_1.enabled": false,
    "tcpbanner_1.port": 8001,
    "tcpbanner_1.datareceivedbanner": "",
    "tcpbanner_1.initbanner": "",
    "tcpbanner_1.alertstring.enabled": false,
    "tcpbanner_1.alertstring": "",
    "tcpbanner_1.keep_alive.enabled": false,
    "tcpbanner_1.keep_alive_secret": "",
    "tcpbanner_1.keep_alive_probes": 11,
    "tcpbanner_1.keep_alive_interval":300,
    "tcpbanner_1.keep_alive_idle": 300,
    "telnet.enabled": true,
    "telnet.port": 23,
    "telnet.banner": "",
    "telnet.honeycreds": [
        {
            "username": "admin",
            "password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA"
        },
        {
            "username": "admin",
            "password": "admin1"
        }
    ],
    "mssql.enabled": false,
    "mssql.version": "2012",
    "mssql.port":1433,
    "vnc.enabled": false,
    "vnc.port":5000
}
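A reproduction harness for the steps in the report, added here as an example (it is not from the issue or from the opencanary project). It assumes it runs inside the container where curl is available, that the log file is the one named in the config's logging.FileHandler (/var/tmp/opencanary.log, overridable with LOGFILE), and that one second is enough for a record to reach the file; the HOST variable and the function names are this example's own.

```shell
#!/bin/sh
# Constructed reproduction harness; not part of the issue or of opencanary.
# Defaults below are assumptions: the log path comes from the posted config,
# the host is the container itself.
LOGFILE="${LOGFILE:-/var/tmp/opencanary.log}"
HOST="${HOST:-localhost}"

# Number of lines currently in a file; 0 if it does not exist yet.
line_count() {
    if [ -f "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# Run a command, wait for the handler to flush, and print how many lines the
# log file gained. The probed command's exit status is ignored: a 404 or a
# closed connection is still a probe worth measuring.
# Usage: new_log_lines <logfile> <settle_seconds> <command...>
new_log_lines() {
    log=$1; settle=$2; shift 2
    before=$(line_count "$log")
    "$@" < /dev/null > /dev/null 2>&1 || true
    sleep "$settle"
    after=$(line_count "$log")
    echo $((after - before))
}

# The three probes from the report: root path, explicit index.html, telnet.
# Prints one line per probe so the three can be compared side by side.
run_probes() {
    for target in "http://$HOST/" "http://$HOST/index.html" "telnet://$HOST:23"; do
        n=$(new_log_lines "$LOGFILE" 1 curl -s --max-time 5 "$target")
        printf '%-32s %s new log line(s)\n' "$target" "$n"
    done
}

# Only run the probes when asked to, so the functions can be sourced on their own.
if [ "${1:-}" = "run" ]; then
    run_probes
fi
```

Run it with `sh repro.sh run` inside the container: a probe that reports 0 new lines for http://localhost/ but 1 or more for /index.html reproduces the report. Counting lines rather than grepping for a message keeps the check independent of the log format, and stdin is redirected from /dev/null so the telnet probe cannot sit waiting on the terminal.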

thinkst-daniel commented 1 month ago

Hi @admlko,

Thanks for writing in. Does this still happen if you explicitly curl index.html, via curl http://localhost/index.html?

admlko commented 1 month ago

Hi @thinkst-daniel,

Thank you for chiming in! :)

Does this still happen if you explicitly curl index.html, via curl http://localhost/index.html?

Your hunch was correct, calling URL with /index.html path shows up in the log file and triggers an alert.

thinkst-daniel commented 1 month ago

Oh great! Glad to hear it's working.

admlko commented 1 month ago

But shouldn't calling the root of web server trigger the alert anyway? I mean, the server responds?

thinkst-daniel commented 1 month ago

That's a good question @admlko. So in this case it is a deliberate design choice. The reason why it only triggers on /index.html is because we only want alerts to fire if someone crosses certain boundaries. The idea is that legitimate users may accidentally connect to the web server, but only once they enter details and try to login does it become malicious.

If you still want alerts to trigger from requests hitting root however, then you can make the following tweak to the http module code:

diff --git a/opencanary/modules/http.py b/opencanary/modules/http.py
index 1917ba6..0d1b469 100644
--- a/opencanary/modules/http.py
+++ b/opencanary/modules/http.py
@@ -175,7 +175,7 @@ class CanaryHTTP(CanaryService):
         root = StaticNoDirListing(self.staticdir)
         root.createErrorPages(self)
         root.putChild(b"", RedirectCustomHeaders(b"/index.html", factory=self))
-        root.putChild(b"index.html", page)
+        root.putChild(b"", page)
         wrapped = EncodingResourceWrapper(root, [GzipEncoderFactory()])
         site = Site(wrapped)
         return internet.TCPServer(self.port, site, interface=self.listen_addr)
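Review bot: replacing the index.html registration instead of adding to it leaves the tree in a worse state than the hunk intends. The `root.putChild(b"", RedirectCustomHeaders(b"/index.html", factory=self))` on the preceding unchanged line is immediately overwritten by the new `root.putChild(b"", page)`, so the redirect and its custom headers become dead code, and `index.html` itself is no longer registered, so a request for /index.html (the very target the redirect still names) now falls through to the StaticNoDirListing root rather than the login page. Keep the removed line and add the new one beside it, i.e. `root.putChild(b"", page)` followed by `root.putChild(b"index.html", page)`, and drop the now-unreachable RedirectCustomHeaders line, so both paths serve the same page and alert the same way.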