A personality is a preset of ports, services, and IP stack for various vendors that you might find on a network. Each Canary can take on the personality of real systems that you have deployed on your network (and maybe some that you don’t).
These help your Canary present themselves to match the real deal when they show up in network scans. Canaries are configured to emulate their personalities at a network level. This means no licenses (e.g., Microsoft License) or OS images are required.
Canaries are configured to emulate their personalities at a network level. This means no licenses (e.g. Microsoft License) or OS images are required.
If there is a device not in the list that you'd like to see included, feel free to reach out to us here to let us know!
Personalities
Below is a list of the various personalities your Canaries support.
Windows
- IIS 10
- IIS 7
- Microsoft AD Domain Controller 2012
- Microsoft AD Domain Controller 2016
- Microsoft AD Domain Controller 2019
- MS Sharepoint 2010
- Windows 11 Desktop Fileshare
- Windows 10 Desktop Fileshare
- Windows 7 Desktop Fileshare
- Windows 8 Desktop Fileshare
- Windows Server 2000 Office Fileshare
- Windows Server 2003 Office Fileshare
- Windows Server 2008 Office Fileshare
- Windows Server 2012 Office Fileshare
- Windows Server 2016 Office Fileshare
- Windows Server 2019 Office Fileshare
- Windows XP Desktop Fileshare
Linux
- CentOS 7 Server
- Linux Database
- Linux Proxy
- Oracle Enterprise Linux 6
- Oracle Enterprise Linux 7
- Oracle Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Standard Linux Server
Apple
- Mac OS X Fileshare
Networking
- Check Point Mobile VPN
- Cisco Router
- Cisco SSL VPN
- Cisco VoIP Phone 7975G
- Citrix Gateway
- Dell Switch
- F5 BIG-IP Edge Gateway
- FortiGate
- Integrated Dell Remote Access Controller
- Juniper SRX 550
- Palo Alto Firewall
- Pulse VPN
- SonicWALL NSA 220 Firewall Appliance
Vendors
- Canon ImageRUNNER 2525
- Confluence 9
- CUPS Service
- GitLab Server
- HP iLO Server
- IBM z/OS Mainframe
- JBoss Login
- Jenkins Login
- Jira
- Joomla Server
- Kibana Server
- Outlook Web Access
- SAP NetWeaver Windows Server
- Solarwinds
- Sophos User Portal
- Sophos Web Console
- Splunk Linux Server
- Splunk Windows Server
- Synology DiskStation 5 NAS
- Synology DiskStation 6.2 NAS
- Synology DiskStation 7.1 NAS
- VMware ESXi 7 Server
- VMware ESXi Server
- VMware vCenter 7 Server
SCADA
- Hirschmann RS20 Industrial Switch
- Rockwell Automation PLC
- Siemens Simatic 300 PLC
Services
Below is a full list of available services that any Canary can emulate:
- Portscan Detection
- HTTP/S Web Server
- SSH Server
- File Transfer (FTP)
- MySQL
- Web Proxy
- Microsoft SQL Server
- Windows File Share
- Telnet
- TN3270
- File Transfer (TFTP)
- VNC
- Time Server
- VOIP (SIP)
- GIT Repository
- Redis
- Modbus
- MongoDB Database
- Remote Desktop Protocol
- Windows Remote Management
- LDAP
Custom TCP services
Our Custom TCP Service allows you to create any number of services on your Canary that we don't support out of the box. For example, you could add TCP/25 to your Canary to have it emulate the SMTP service. Any activity detected on this port will generate an alert. Click here for our guide on setting up Custom TCP Services.
Emulation
Personality emulation goes beyond just an operating system fingerprint and some port listeners. We do a bunch of tweaking under the hood to make sure your Canaries also talk on the right protocol for each of their services.
If your Canary has been set up as a SCADA device, it will talk on the proper Modbus protocol too!
The scan below shows a port and OS scan performed on a Canary, which has been configured as a Cisco router.
We spoof the MAC address (so it looks legit) and the actual OS identifies as a version of IOS running on Cisco kit.
To get this result, we take things like TTL response times, TCP sequencing, OS fingerprint, and more into account, so all that an attacker sees is a Cisco device, and you get an alert when any of its services are touched.