Description:
Custom TCP Services are a way for you to create and deploy your own custom services to your Canaries, without having to write any code.
Creating your custom service is quick and can be easily done by following the below steps.
Step 1:
Log in to your Console.
Step 2:
Click on the Canary you want to configure a Custom TCP Service on.
Note: we have selected the ZACTFS01 Canary.
Step 3:
Click on the gear icon (Configure Canary) to configure this Canary.
Step 4:
Scroll down to the Custom TCP Service and ensure it is enabled.
Step 5:
You can change the way your service behaves by altering fields for the service:
- Port : lets you specify which port the service will listen on.
- Prevent Connection : presents the port when scanned, but will terminate the connection after the tcp handshake.
- Banner on Client Connect : lets you specify a string that is immediately sent to the client when they connect to your service.
- Banner on Receiving Data : lets you specify a string that is sent in response to any client request.
- Alert only if client sends lets you specify a trigger string. An incident is only created if the client’s request includes the supplied string.
- Long lived connection : is described in its own section below.
- Run this service on all unused ports : is described in its own section below.
Note:
You can add up a total of 10 Custom TCP services.
Simply click the + Add service to add an additional Custom TCP Service Module.
Long lived connections
The long lived connections feature lets you specify a secret string that prevents alerts from triggering when entered. In this case, a long lived connection will be maintained between the client and the bird, letting you breadcrumb your network with a trail back to the bird.
When inputting the secret string, the output on the client will be the same as for other input, but you'll notice that no alert comes up on your console. From this point, the client will no longer trigger any alerts, and the bird will periodically trickle small data packets through to the client to keep the connection open.
Run this service on all unused ports
Canaries can run a Custom TCP service on all unused ports. Almost all networks can expect that hosts and devices on them will probe other hosts on the network making many connections to common ports. However, on networks where any unexpected TCP connection raises an alarm, running a Custom TCP service on all unused ports, will let you get alerted if even just one stray connection hits the Canary.