
Webhook handler not working for alertmanager #393

Closed
sbl-matter opened this issue Dec 18, 2024 · 2 comments

Comments

@sbl-matter

Describe the bug
Hi, I'm trying to configure the opencanary webhook handler to send an alert to alertmanager through a POST to the /api/v2/alerts endpoint.

I've installed opencanary on a VM with this ansible role: https://github.com/thinkst/ansible-role-opencanary

Opencanary is throwing errors and ends up crashing at startup, I think because of the JSON structure of the data for the POST request.

Here's the log message:

{"dst_host": "", "dst_port": -1, "local_time": "2024-12-18 08:26:13.691166", "local_time_adjusted": "2024-12-18 08:26:13.691433", "logdata": {"msg": {"logdata": "Added service from class CanaryGit in opencanary.modules.git to fake"}}, "logtype": 1001, "node_id": "opencanary-vm-honey", "src_host": "", "src_port": -1, "utc_time": "2024-12-18 08:26:13.691200"}
{"dst_host": "", "dst_port": -1, "local_time": "2024-12-18 08:26:13.824122", "local_time_adjusted": "2024-12-18 08:26:13.824157", "logdata": {"msg": {"logdata": "Failed to add service from class CanaryGit in opencanary.modules.git. Traceback (most recent call last):\n  File \"/opt/opencanary/bin/opencanary.tac\", line 135, in start_mod\n    logMsg({\"logdata\": msg})\n  File \"/opt/opencanary/bin/opencanary.tac\", line 154, in logMsg\n    logger.log(data, retry=False)\n  File \"/opt/opencanary/lib/python3.11/site-packages/opencanary/logger.py\", line 188, in log\n    self.logger.warn(json.dumps(logdata, sort_keys=True))\n  File \"/usr/lib/python3.11/logging/__init__.py\", line 1506, in warn\n    self.warning(msg, *args, **kwargs)\n  File \"/usr/lib/python3.11/logging/__init__.py\", line 1501, in warning\n    self._log(WARNING, msg, args, **kwargs)\n  File \"/usr/lib/python3.11/logging/__init__.py\", line 1634, in _log\n    self.handle(record)\n  File \"/usr/lib/python3.11/logging/__init__.py\", line 1644, in handle\n    self.callHandlers(record)\n  File \"/usr/lib/python3.11/logging/__init__.py\", line 1706, in callHandlers\n    hdlr.handle(record)\n  File \"/usr/lib/python3.11/logging/__init__.py\", line 978, in handle\n    self.emit(record)\n  File \"/opt/opencanary/lib/python3.11/site-packages/opencanary/logger.py\", line 353, in emit\n    if any(e in message for e in self.ignore):\n       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/opt/opencanary/lib/python3.11/site-packages/opencanary/logger.py\", line 353, in <genexpr>\n    if any(e in message for e in self.ignore):\n           ^^^^^^^^^^^^\nTypeError: 'in <string>' requires string as left operand, not list\n"}}, "logtype": 1001, "node_id": "opencanary-vm-honey", "src_host": "", "src_port": -1, "utc_time": "2024-12-18 08:26:13.824152"}

Here's the config file generated by the ansible template:

{
    "device.node_id": "opencanary-vm-honey",
    "ip.ignorelist": [  ],
    "logtype.ignorelist": [ [] ],
    "git.enabled": true,
    "git.port" : 9418,
    "ftp.enabled": false,
    "ftp.port": 21,
    "ftp.banner": "FTP Server Ready",
    "http.banner": "Apache/2.2.22 (Ubuntu)",
    "http.enabled": true,
    "http.port": 80,
    "http.skin": "basicLogin",
    "http.skin.list": [
        {
            "desc": "Plain HTML Login",
            "name": "basicLogin"
        },
        {
            "desc": "Synology NAS Login",
            "name": "nasLogin"
        }    ],
    "https.enabled": false,
    "https.port": 443,
    "https.skin": "basicLogin",
    "https.certificate": "",
    "https.key": "",
    "httpproxy.enabled" : false,
    "httpproxy.port": 8080,
    "httpproxy.skin": "ms-isa",
    "httproxy.skin.list": [
        {
            "desc": "Squid",
            "name": "squid"
        },
        {
            "desc": "Microsoft ISA Server Web Proxy",
            "name": "ms-isa"
        }
    ],
    "llmnr.enabled": false,
    "llmnr.query_interval": 60,
    "llmnr.query_splay": 5,
    "llmnr.hostname": "vm-honey",
    "llmnr.port": 5355,
    "logger": {
        "class": "PyLogger",
        "kwargs": {
            "formatters": {
                "plain": {
                    "format": "%(message)s"
                },
                "syslog_rfc": {
                    "format": "opencanaryd[%(process)-5s:%(thread)d]: %(name)s %(levelname)-5s %(message)s"
                }
            },
            "handlers": {
                "console": {
                    "class": "logging.StreamHandler",
                    "stream": "ext://sys.stdout"
                },
                "file": {
                    "class": "logging.FileHandler",
                    "filename": "/var/log/opencanary.log"
                },
                "webhook": {
                    "class": "opencanary.logger.WebhookHandler",
                    "url": "http://*****:9093/api/v2/alerts",
                    "method": "POST",
                    "data": [{"status":"firing","labels":{"alertname":"opencanary","severity":"critical"},"annotations":{"summary":"Honey pot Alert from Opencanary","description":"%(message)s"}}],
                    "status_code": 200,
                    "ignore": [[]]
                }            }
        }
    },
    "portscan.enabled": true,
    "portscan.ignore_localhost": false,
    "portscan.logfile":"/var/log/kern.log",
    "portscan.synrate": 5,
    "portscan.nmaposrate": 5,
    "portscan.lorate": 3,
    "portscan.ignore_ports": [ [] ],
    "smb.auditfile": "/var/log/samba-audit.log",
    "smb.enabled": false,
    "mysql.enabled": true,
    "mysql.port": 3306,
    "mysql.banner": "5.5.43-0ubuntu0.14.04.1",
    "ssh.enabled": true,
    "ssh.port": 22,
    "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
    "redis.enabled": true,
    "redis.port": 6379,
    "rdp.enabled": true,
    "rdp.port": 3389,
    "sip.enabled": false,
    "sip.port": 5060,
    "snmp.enabled": false,
    "snmp.port": 161,
    "ntp.enabled": false,
    "ntp.port": 123,
    "tftp.enabled": false,
    "tftp.port": 69,
    "tcpbanner.maxnum":10,
    "tcpbanner.enabled": false,
    "tcpbanner_1.enabled": false,
    "tcpbanner_1.port": 8001,
    "tcpbanner_1.datareceivedbanner": "",
    "tcpbanner_1.initbanner": "",
    "tcpbanner_1.alertstring.enabled": false,
    "tcpbanner_1.alertstring": "",
    "tcpbanner_1.keep_alive.enabled": false,
    "tcpbanner_1.keep_alive_secret": "",
    "tcpbanner_1.keep_alive_probes": 11,
    "tcpbanner_1.keep_alive_interval":300,
    "tcpbanner_1.keep_alive_idle": 300,
    "telnet.enabled": false,
    "telnet.port": 23,
    "telnet.banner": "",
    "telnet.honeycreds": [
        {
            "username": "admin",
            "password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA"
        },
        {
            "username": "admin",
            "password": "admin1"
        }
    ],
    "mssql.enabled": false,
    "mssql.version": "2012",
    "mssql.port": 1433,
    "vnc.enabled": false,
    "vnc.port": 5000
}

Things I've noticed:

  • The error pops up on any opencanary module: if I disable one, it just crashes the same way on the next module.
  • If I change the data of the POST request so that it's not in an array:
    "data": {"status":"firing","labels":{"alertname":"opencanary","severity":"critical"},"annotations":{"summary":"Honey pot Alert from Opencanary","description":"%(message)s"}}
    then opencanary is not crashing anymore, but alertmanager receives nothing as the data structure is not what is expected.
  • I tried modifying the ansible template to force-add a header content-type: application/json but I get the same behavior.

Alertmanager json format : https://prometheus.io/docs/alerting/latest/clients/#sending-alerts
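As an added illustration (not opencanary's own code and not part of the original issue), the Python below reproduces the substring test shown in the traceback on the `"ignore": [[]]` value the template emitted, lints a WebhookHandler block for that shape problem, and builds the array-shaped body that Alertmanager's /api/v2/alerts expects from the `data` template. The alertmanager host in the URL is a placeholder, and `render` is this example's own substitution, not a claim about how the handler fills in `%(message)s`.

```python
# Constructed excerpt of the "webhook" handler block from the issue's config;
# the alertmanager host is a placeholder, not the reporter's.
HANDLER_CFG = {
    "class": "opencanary.logger.WebhookHandler",
    "url": "http://alertmanager.example:9093/api/v2/alerts",
    "method": "POST",
    "data": [{"status": "firing",
              "labels": {"alertname": "opencanary", "severity": "critical"},
              "annotations": {"summary": "Honey pot Alert from Opencanary",
                              "description": "%(message)s"}}],
    "status_code": 200,
    "ignore": [[]],
}

def ignore_check_error(message, ignore):
    """Run the substring test from the traceback (logger.py line 353) and
    return the TypeError text it raises, or None when it passes."""
    try:
        any(e in message for e in ignore)
    except TypeError as exc:
        return str(exc)
    return None

def lint_webhook_handler(cfg):
    """List shape problems in a WebhookHandler block: every "ignore" entry is
    substring-matched against the message, so [[]] raises on every record."""
    problems = []
    for i, entry in enumerate(cfg.get("ignore", [])):
        if not isinstance(entry, str):
            problems.append(f"ignore[{i}] is {type(entry).__name__}, expected str")
    return problems

def render(template, message):
    """Substitute %(message)s into every string of the data template
    (this example's own substitution, for illustration only)."""
    if isinstance(template, str):
        return template.replace("%(message)s", message)
    if isinstance(template, list):
        return [render(t, message) for t in template]
    if isinstance(template, dict):
        return {k: render(v, message) for k, v in template.items()}
    return template

def alertmanager_body(cfg, message):
    """Body for POST /api/v2/alerts: Alertmanager wants a JSON array of alert
    objects, so a single-object template is wrapped before json.dumps()."""
    body = render(cfg["data"], message)
    return body if isinstance(body, list) else [body]
```

Running `lint_webhook_handler` against the config above flags `ignore[0]`; an empty `"ignore": []` (or a list of strings) is the shape the substring test can handle.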

@sbl-matter sbl-matter added the bug label Dec 18, 2024

github-actions bot commented Jan 1, 2025

This issue is stale because it has been open for 14 days with no activity.

@github-actions github-actions bot added the stale label Jan 1, 2025

This issue was closed because it has been inactive for 14 days since being marked as stale.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jan 15, 2025