Canary is a continually evolving product, and new features, fixes and improvements get rolled out frequently. Catch up with our updates here.
Users of Gmail and Google Inbox's web mail UI will now see an action button on their Canary alert mails called "Jump to incident". Click on it to take you directly to the incident details in your console.
Added rollback functionality to birds which will allow them to revert to previous working settings if you accidentally push a broken network configuration to them.
Updated the update channel, allowing for future patches to be pulled via HTTP or DNS both remotely and locally.
Improvements to the communication channel, catering for networks that don't play nicely with longer DNS query lengths. Our new DNS doctor will prescribe the optimum DNS query length.
Canary v2.1 ships with a brand new MacOS X personality. This personality includes exactly what you would expect: a Mac OS X IP Stack fingerprint, a file share, an Apple MAC address and other preselected services to make it look legit.
Canary v2 ships with awesome new hardware. It's faster, it's more reliable and it's so pretty you'll almost not want to send it to your datacenter.
Canarytokens allow you to create mini tripwires in 3rd party sites or applications (In fact you can use them all over the place!). This version brings you your own, customisable token server. Get alerts when your sites are cloned, documents are viewed or directories are browsed!
We have a bunch of new “fake” services with something for everyone: ICS fans get Modbus. Developers get GIT repositories and lovers of NoSQL get a safe implementation of our favorite key/value store (Redis!).
This release brings through a bunch of new personalities. WindowsXP and Rockwell. It’s all in there, and all deployable with just a few clicks!
Web Servers now have lots of options. JBoss, VMWare, Sharepoint and a host of friends.
If you feel like it, now you can even upload your own document root (or trivially wrap your service in SSL)!
The Windows file share service is now much nicer to use, with an improved Explorer-like interface that supports nested files and directories.
Canary cloaking allows your Canary to be completely invisible to port-scanners and asset inventory systems.
We've added new OS Personalities to Canary. Deploy convincing and interactive Cisco routers, Dell switches, Windows or Linux servers (with a host of different services), in the standard 4-minute setup time you've come to expect.
Choosing an OS Personality will now automatically prepare your Canary with an appropriate MAC address.
This makes the fakery more complete and has a local segment NMAP looking more believable than ever!
Canarys aren't supposed to generate lots of notifications, but what happens if there's a sudden flood of them? (Or if you only check your alerts after a horrible week?) Figuring out exactly what happened from a list of events can be sub-optimal. To help with this, your console now has a handy graph-view.
Clicking on the graph-view icon maps out the activity visually.
Graph view is fully interactive, allowing an easy way to mass-delete events (but also just makes it trivial to spot what's going on).
Alert pruning allows mass deletion of alerts that have accumulated on your console over time. If alerts go above a certain threshold (and have been present for a while on your console) the “Alert Pruning” option will pop up to allow you to quickly delete older events.
Known systems like vulnerability scanners, asset management / inventory servers or an SCCM service scan easily be added to a white list to ensure that they don't set off alerts when interacting with Canary.
In order to ignore alerts from specific IP addresses, ranges or ports, simply add them to the “Ignore these IPs and ports” list on your settings page
Similar to IP address whitelisting, specific SNMP Object Identifiers (OID) can also be ignored. This is done by adding the SNMP OID to the whitelist on your settings page. Once enabled, SNMP OID whitelisting follows the same format as the IP address and port whitelisting.
Now your Canaries can be managed from your console. Whether applying a completely new personality or making subtle changes to the device, you can do it from the comfort of your console! Simply click on your Canary, and then select the “Remote management” option available on each Canary.
You will be able to configure your Canary settings exactly as if you were connected directly to it!.
Apparent port scan activity is common on noisy networks. In order to avoid bothering you with several Port Scan notifications, we’ve added functionality to roll-up multiple port scan alerts and present them as a single consolidated alert.
Canary notifications can be sent as text messages (or SMS, depending on your dialect) directly to your mobile phone. In order to receive alerts via SMS, you must add your mobile number to the “SMS notifications” field on your settings page. Make sure to enter your country code!
You will receive an SMS notification indicating that you’ve been successfully setup.
Now, when an alert is triggered on your Canary, a notification will be sent to your mobile number.
Everybody loves Slack and HipChat. (We do too!) Canary alerts can be sent directly to either with quick configuration on your settings page. This makes it even easier to be notified of activity on your birds.
To set this up, simply enable “Webhook incident Reporting” on your Console settings page.
Then click on either the “Add to Slack” or “Add to HipChat” options:
After adding your Slack details, you simply choose the destination for your Canary Alerts.
After a quick authorisation prompt, you will start receiving your alerts in your channel of choice.
You can also enable a generic webhook if you have your own endpoint, under the “Generic” tab.
Sometimes you’d like to know more about an attacking IP. Have you ever seen it before? Has it attacked a Canary before today? Don't worry, we’ve got you covered.
Click on the link to see what other incidents were attributed to the same source.