Conversation

@cyb3r17 cyb3r17 commented Feb 2, 2025

This PR aims to add canary webhook support to the DICOMHawk honeypot server.
Steps to reproduce have been added to the README.md.

It utilizes a .env file to store the canary URL.

Planned roadmap:

  • Specify what kind of request was made when the alert is sent
  • Lure the attacker via a nested honeypot and trigger another webhook for more info

Please do let me know if any other changes are to be made!

@cyb3r17 cyb3r17 changed the title from "added basic canary webhooks implementation" to "added basic canary webhook implementation" Feb 2, 2025

naxatra2 commented Feb 3, 2025

I think we can also add to this to include event type, attacker IP, server IP, and timestamp. Is it a good idea? Otherwise the logging will not seem useful?

cyb3r17 commented Feb 3, 2025

Hey, valid points; however, these are taken care of by the canary webhook, which logs the IP and other such info.

Attached is an example (image: censored_image).

naxatra2 commented Feb 3, 2025

Ohh, I didn't think about it that way. Nice.

cyb3r17 commented Feb 3, 2025

> Ohh, I didn't think about it that way. Nice.

No worries. The only issue with this method is that, since the DICOM server itself triggers the canary token webhook, we cannot get the actual IP of the attacker; instead we get the IP of the server. I tried thinking around it, i.e. injecting the canary token URL into the DICOM payload as an unused private tag, but that didn't work.

We could possibly set up a virtual directory and set up webhooks to check if it is triggered, but I believe that's out of scope for this tool.

cyb3r17 commented Feb 3, 2025

I realised normal HTTP triggers for the canary token won't work with DICOM, and embedding tokens in a .dcm file has a low success rate of triggering unless an HTTP request is made. Hence this approach lets you alert about intrusion in the honeypot server.

It uses SMTP to send an email with the client's/attacker's IP, port, etc.
