Description:
We put a ton of love into ensuring your Canaries are indistinguishable on your network from the devices they emulate. Some attackers, though, may still try to fingerprint hosts to check whether they are honeypots, so that they can avoid triggering alerts. Canaries from update 3.x.7 onwards feature the "Honeypot Scanner Detected" alert, which fires on known honeypot fingerprinting.
This feature lets Canaries detect and flag when they are scanned with a known honeypot scanning tool, so you know that honeypot fingerprinting, which is unusual activity, is taking place on your network. The feature is enabled by default and requires no extra configuration.
Active honeypot fingerprinting tools try to trick a host into revealing that it is a honeypot by interacting with its services in ways where responses differ between implementations (for example, by sending invalid SSH version strings or invalid Redis commands) and comparing the replies with what real services and known honeypots return. When such an interaction is unique to a particular fingerprinting tool, it is highly suspicious, and that is what the Canary alerts on. Merely malformed input is not enough on its own, since ordinary clients and curious users produce that too.
Currently, this feature detects the honeydet tool (its SSH, MongoDB and Redis fingerprints), with more tools to come in future.
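The following Python sketch is an added illustration of the shape of this kind of detection; it is not Canary's own code, which this page does not publish. It keeps a table of probe signatures that only a known scanner is known to send, matches each inbound client payload against the table for its protocol, and raises an alert with the fields described below only when a scanner-specific probe is seen, leaving a merely malformed command alone. The tool name "honeydet" and the "opencanary-redis" fingerprint ID come from the alert described on this page; the probe byte patterns, the "example-ssh-banner" ID, the Source field, and the hosts, ports and traffic are constructed for the example and are not honeydet's real probes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Fingerprint:
    tool: str                      # scanner that sends this probe
    fingerprint_id: str            # which of its techniques the probe belongs to
    protocol: str                  # service the probe targets
    pattern: "re.Pattern[bytes]"   # bytes only this scanner is known to send


@dataclass(frozen=True)
class HoneypotScannerAlert:
    tool: str
    fingerprint_id: str
    protocol: str
    port: int
    source: str


def redis_command(*args: bytes) -> bytes:
    """Encode a command as a RESP array, the way a Redis client sends it."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        out += b"$%d\r\n%s\r\n" % (len(arg), arg)
    return out


# Constructed signature table. The probe contents are invented for this
# example; they are not honeydet's real probes.
SIGNATURES: Tuple[Fingerprint, ...] = (
    # Hypothetical: a banner with a version no real client uses. A compliant
    # client sends "SSH-2.0-<software>", so this string is scanner-specific.
    Fingerprint("honeydet", "example-ssh-banner", "SSH",
                re.compile(rb"^SSH-9\.9-honeydet")),
    # Hypothetical: a command only the scanner sends, to compare the server's
    # error text with what real Redis returns.
    Fingerprint("honeydet", "opencanary-redis", "Redis",
                re.compile(re.escape(redis_command(b"HONEYDET", b"PING")))),
)


def match_fingerprint(protocol: str, payload: bytes) -> Optional[Fingerprint]:
    """Return the signature the payload matches for this protocol, if any."""
    for fp in SIGNATURES:
        if fp.protocol == protocol and fp.pattern.search(payload):
            return fp
    return None


def inspect_probe(protocol: str, port: int, source: str,
                  payload: bytes) -> Optional[HoneypotScannerAlert]:
    """Turn one inbound client payload into an alert if it is scanner-specific.

    Input that is merely malformed (a typo'd command, an odd banner) does not
    qualify: only a sequence tied to a known tool produces an alert.
    """
    fp = match_fingerprint(protocol, payload)
    if fp is None:
        return None
    return HoneypotScannerAlert(fp.tool, fp.fingerprint_id, fp.protocol, port, source)


def format_alert(alert: HoneypotScannerAlert) -> str:
    """Render the alert with the fields the console shows (Source is added here)."""
    return ("Honeypot Scanner Detected\n"
            f"Tool: {alert.tool}\n"
            f"Fingerprint ID: {alert.fingerprint_id}\n"
            f"Protocol: {alert.protocol}\n"
            f"Port: {alert.port}\n"
            f"Source: {alert.source}\n")


# Constructed traffic: (protocol, port, source, first client payload).
SAMPLE_PROBES = [
    ("SSH", 22, "10.0.0.5", b"SSH-2.0-OpenSSH_9.6\r\n"),              # ordinary client
    ("SSH", 22, "10.0.0.9", b"SSH-9.9-honeydet-probe\r\n"),           # scanner banner
    ("Redis", 6379, "10.0.0.5", redis_command(b"GET", b"foo")),        # normal command
    ("Redis", 6379, "10.0.0.5", redis_command(b"GETT", b"foo")),       # invalid, but not scanner-specific
    ("Redis", 6379, "10.0.0.9", redis_command(b"HONEYDET", b"PING")),  # scanner probe
]


def run_detection(probes=SAMPLE_PROBES) -> List[HoneypotScannerAlert]:
    """Run every sample payload through the detector and collect the alerts."""
    alerts = []
    for protocol, port, source, payload in probes:
        alert = inspect_probe(protocol, port, source, payload)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_detection():
        print(format_alert(alert))
```

Run as a script, only the two scanner-specific payloads produce alerts; the mistyped `GETT` command and the normal OpenSSH banner pass through silently, which is the trade-off the page describes: alert on sequences unique to a tool rather than on every invalid request.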
Note: Honeypot Scanner detection is not available on Docker Canaries because of their limited runtime environment.
Example Alert:
An example "Honeypot Scanner Detected" alert is shown below, with the following fields:
Tool: The name of the tool being run against your Canary.
Fingerprint ID: Identifies the scanner's fingerprinting technique. In the example below, the tool "honeydet" is running the "opencanary-redis" fingerprinting technique to check if the host is an OpenCanary instance by probing its Redis port.
Protocol: The protocol that was probed on your Canary.
Port: The port your Canary was probed on.