Filtering specific events

[lordpengwin]

Is there a way to filter out specific activity? My Ubiquiti router does network discovery using port 10001 and it is causing a huge amount of alerts. I can't see anyway in the opencanary configuration to tell it to ignore these requests.

[HybridAU]

Hi @lordpengwin you can ignore specific IP addresses, if you add ip.ignorelist to your config file e.g.

{
    "device.node_id": "opencanary-1",
    "ip.ignorelist": ["192.168.1.1", "192.168.123.45"],
    "..."
}

Then all traffic from those addresses should be ignored.

[jayjb]

Thanks @HybridAU 💋

@lordpengwin, please let me know if that helps.

[lordpengwin]

Thanks, I did try it but I’m still getting alerts from about the IP address that I ignored. I haven’t had time to try to debug it further. One question, should my opencanary.conf file be in /root/.opencanary.conf or /etc/opencanary/opencanary.conf. I have it in /root. The documentation seems unclear on this.

…

On Feb 28, 2022, 3:27 AM -0500, JayJB ***@***.***>, wrote: Thanks @HybridAU 💋 @lordpengwin, please let me know if that helps. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: ***@***.***>

[HybridAU]

When OpenCanary starts it looks for config files the following order:

1. ./opencanary.conf (i.e. the directory where OpenCanary is installed)
2. ~/.opencanary.conf (i.e. the home directory of the user, usually this will be root so /root/.opencanary.conf)
3. /etc/opencanary/opencanary.conf

It will use the first config file that exists.

[jayjb]

Closing this issue due to inactivity. Please re-open it if you would like to continue the discussion