Correlator

Getting Started

To get started, create a virtual environment to work in:

$ virtualenv env
$ . env/bin/activate

Inside the virtualenv, install OpenCanary Correlator following the instructions in its README.

The correlator runs with a default config, which we’ll copy and edit to get started.

$ opencanary-correlator
Warning: no config file specified. Using the template config:
/[...]/opencanary_correlator.conf
$ cp /[...]/opencanary_correlator.conf opencanary-correlator.conf

In the config file, fill in the details for the channels you want to use: Twilio for SMS, Mandrill for email, a webhook URL for Slack (any combination), plus the numbers, addresses or webhook that each channel should notify. The values below are placeholders. The file holds live API credentials, so keep it readable only by the user that runs the correlator (chmod 600) and out of version control.

{
  "console.sms_notification_enable": true,
  "console.sms_notification_numbers": ["+336522334455"],
  "console.email_notification_enable": true,
  "console.email_notification_address": ["notifications@opencanary.org"],
  "console.slack_notification_enable": true,
  "console.slack_notification_webhook": ["https://hooks.slack.com/services/example/webhookdata"],
  "twilio.auth_token": "fae9206628714fb2ce00f72e94f2258f",
  "twilio.from_number": "+1201253234",
  "twilio.sid": "BD742385c0810b431fe2ddb9fc327c85ad",
  "console.mandrill_key": "9HCjwugWjibxww7kPFej",
  "scans.network_portscan_horizon": 1000
}
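A misconfigured channel is easy to miss until the first real alert goes nowhere. The script below is an added example (not part of the OpenCanary Correlator project) that parses the config file, checks that every enabled channel has its credentials and destinations filled in, that the Slack webhook is https, that the portscan horizon is a positive integer, and that the file is not readable by other users. It assumes only the key names from the template above; the channel table, the rules and SAMPLE_CONFIG are constructed for the example.

```python
"""Lint an opencanary-correlator.conf before starting the daemon.

Added example, not part of the OpenCanary Correlator project. It assumes only
the key names that appear in the template config; the channel table, the check
rules and SAMPLE_CONFIG are constructed for this example.
"""
import json
import os
import stat
import sys

# Per channel: the key that enables it, the key holding its destinations, and
# the credential keys that must be filled in once the channel is enabled.
CHANNELS = {
    "sms": {
        "enable": "console.sms_notification_enable",
        "targets": "console.sms_notification_numbers",
        "credentials": ("twilio.sid", "twilio.auth_token", "twilio.from_number"),
    },
    "email": {
        "enable": "console.email_notification_enable",
        "targets": "console.email_notification_address",
        "credentials": ("console.mandrill_key",),
    },
    "slack": {
        "enable": "console.slack_notification_enable",
        "targets": "console.slack_notification_webhook",
        "credentials": (),
    },
}


def _filled(value):
    """True for a non-empty string (the only shape credentials and targets may have)."""
    return isinstance(value, str) and value.strip() != ""


def check_config(cfg):
    """Return a list of problems in a parsed config dict; an empty list means OK."""
    problems = []
    enabled = 0
    for name, spec in CHANNELS.items():
        if cfg.get(spec["enable"]) is not True:
            continue  # disabled channels are not checked
        enabled += 1
        targets = cfg.get(spec["targets"])
        if not isinstance(targets, list) or not targets or not all(_filled(t) for t in targets):
            problems.append(f"{name}: {spec['targets']} must be a non-empty list of strings")
        for key in spec["credentials"]:
            if not _filled(cfg.get(key)):
                problems.append(f"{name}: {key} is missing or empty")
    if enabled == 0:
        problems.append("no notification channel is enabled; alerts would go nowhere")
    if cfg.get("console.slack_notification_enable") is True:
        for url in cfg.get("console.slack_notification_webhook") or []:
            if isinstance(url, str) and not url.startswith("https://"):
                problems.append(f"slack: webhook {url!r} is not an https URL")
    horizon = cfg.get("scans.network_portscan_horizon")
    # bool is a subclass of int in Python, so reject it explicitly
    if isinstance(horizon, bool) or not isinstance(horizon, int) or horizon <= 0:
        problems.append("scans.network_portscan_horizon must be a positive integer")
    return problems


def check_file(path):
    """Parse the file and also flag permissions that expose the API secrets it holds."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} has mode {mode:04o}; it holds credentials, use chmod 600")
    with open(path, encoding="utf-8") as fh:
        try:
            cfg = json.load(fh)
        except json.JSONDecodeError as exc:
            return problems + [f"{path} is not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return problems + [f"{path}: top level must be a JSON object"]
    return problems + check_config(cfg)


# Constructed sample mirroring the template above (placeholder credentials).
SAMPLE_CONFIG = {
    "console.sms_notification_enable": True,
    "console.sms_notification_numbers": ["+336522334455"],
    "console.email_notification_enable": True,
    "console.email_notification_address": ["notifications@opencanary.org"],
    "console.slack_notification_enable": True,
    "console.slack_notification_webhook": ["https://hooks.slack.com/services/example/webhookdata"],
    "twilio.auth_token": "fae9206628714fb2ce00f72e94f2258f",
    "twilio.from_number": "+1201253234",
    "twilio.sid": "BD742385c0810b431fe2ddb9fc327c85ad",
    "console.mandrill_key": "9HCjwugWjibxww7kPFej",
    "scans.network_portscan_horizon": 1000,
}

if __name__ == "__main__":
    # usage: python check_correlator_conf.py [path-to-opencanary-correlator.conf]
    found = check_file(sys.argv[1] if len(sys.argv) > 1 else "./opencanary-correlator.conf")
    for problem in found:
        print("problem:", problem)
    sys.exit(1 if found else 0)
```

Run it against the copied config before starting the daemon; a non-zero exit means at least one enabled channel would fail to deliver or the file leaks credentials to other local users.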

With that in place, ensure that Redis is running and then run the correlator daemon.

$ pgrep redis-server || echo 'Redis is not running!'
$ opencanary-correlator --config=./opencanary-correlator.conf

To configure an OpenCanary daemon to send its events to the correlator, edit the logger field in its config, set host to the correlator's IP address (the config is strict JSON, so do not leave a comment on that line), and restart the daemon to reload the config. Events travel as plaintext, unauthenticated JSON over TCP port 1514, so restrict that port with a firewall to the honeypot hosts; anyone else who can reach it can inject fabricated alerts (which is exactly what the test under Troubleshooting does) or drown real ones in noise.

"logger": {
  "class": "PyLogger",
  "kwargs": {
    "handlers": {
      "json-tcp": {
        "class": "opencanary.logger.SocketJSONHandler",
        "host": "127.0.0.1",
        "port": 1514
      }
    }
  }
}

Troubleshooting

You can test that the Correlator alerts are working by sending an event directly to it (without using OpenCanary). The event below is an FTP login attempt (logtype 2000) from a fake node and should produce the SMS, email or Slack notifications you enabled. Some netcat builds keep the connection open after stdin closes; if the command hangs after printing the connection line, the event is already on the wire and you can Ctrl-C it.

echo '{"dst_host": "9.9.9.9", "dst_port": 21, "local_time": "2015-07-20 13:38:21.281259", "logdata": {"PASSWORD": "default", "USERNAME": "admin"}, "logtype": 2000, "node_id": "AlertTest", "src_host": "8.8.8.8", "src_port": 49635}' | nc -v localhost 1514
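The same test, and the framing it relies on, in a form you can script against several correlators or run as a health check. This is an added example, not code from OpenCanary or the Correlator; it assumes the wire format the nc test above implies (one JSON object per line, newline-terminated, on TCP port 1514) and reuses logtype 2000 from that test. The event values are constructed, and the local stand-in listener exists only so the framing can be verified offline without a running correlator.

```python
"""Send a synthetic OpenCanary event to the correlator and verify the framing.

Added example, not part of OpenCanary or the Correlator. It assumes the wire
format the nc test implies: one JSON object per line, newline-terminated, on the
correlator's TCP port 1514. The event values and the local listener are constructed.
"""
import json
import socket
import sys
import threading
from datetime import datetime

LOG_FTP_LOGIN_ATTEMPT = 2000  # logtype used by the nc test above


def build_event(node_id, src_host, src_port, dst_host, dst_port,
                username, password, logtype=LOG_FTP_LOGIN_ATTEMPT, when=None):
    """Build an event dict with the same fields as the nc test."""
    when = when or datetime.now()
    return {
        "dst_host": dst_host,
        "dst_port": dst_port,
        "local_time": when.strftime("%Y-%m-%d %H:%M:%S.%f"),
        "logdata": {"PASSWORD": password, "USERNAME": username},
        "logtype": logtype,
        "node_id": node_id,
        "src_host": src_host,
        "src_port": src_port,
    }


def encode_event(event):
    """Frame one event as a newline-terminated JSON line. json.dumps escapes any
    newline inside string values, so the only raw '\n' in the output is the delimiter."""
    return (json.dumps(event) + "\n").encode("utf-8")


def parse_events(data):
    """Decode a byte stream of newline-delimited JSON the way the receiving side must.
    Returns (events, leftover); leftover is a trailing partial line to buffer."""
    lines = data.split(b"\n")
    complete, rest = lines[:-1], lines[-1]
    return [json.loads(line) for line in complete if line.strip()], rest


def send_events(host, port, events, timeout=5.0):
    """Open one TCP connection and send all events over it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for event in events:
            sock.sendall(encode_event(event))


def roundtrip_local(events):
    """Start a throwaway listener on 127.0.0.1 standing in for the correlator, send
    the events to it, and return what it decoded. A partial final line is dropped,
    as a line-oriented receiver would do on EOF."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    server.listen(1)
    port = server.getsockname()[1]
    received = []

    def serve():
        conn, _ = server.accept()
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
                found, buf = parse_events(buf)
                received.extend(found)

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    send_events("127.0.0.1", port, events)
    worker.join(timeout=5.0)
    server.close()
    return received


if __name__ == "__main__":
    # usage: python send_test_event.py <correlator-host> [port]
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 1514
    send_events(host, port, [build_event("AlertTest", "8.8.8.8", 49635,
                                         "9.9.9.9", 21, "admin", "default")])
    print(f"sent test event to {host}:{port}; check for the SMS/email/Slack alert")
```

Because the sender needs nothing but network reachability, this is also a reminder of why port 1514 must be firewalled: the correlator cannot tell this script from a real honeypot.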

jq can be used to check that the config file is well-formed JSON; on a parse error it reports the line and column instead of echoing the document.

$ jq . ./opencanary-correlator.conf