Gustavo Iñiguez Goia
9207465d58
Do not panic if we can't parse a Regex type rule
...
If for some reason a Regex type rule can not be parsed, opensnitchd
panics and exits. We drop regex.MustCompile() in favor of
regex.Compile(), and in case of failure we just drop the packet.
In either case, the daemon should not panic but it should not receive
an invalid rule either, especially from the UI.
Closes #4
2020-02-14 23:15:14 +01:00
Gustavo Iñiguez Goia
a4a5637a22
Fixed errors
...
Typos were made.
2020-02-13 23:19:15 +01:00
Gustavo Iñiguez Goia
1e2f9aa124
Find pid of a process in /proc if debugfs is unavailable
...
debugfs is not always available due to different reasons:
https://github.com/evilsocket/opensnitch/issues/214
https://github.com/evilsocket/opensnitch/issues/276
Fall back to /proc parsing, although procfs could also be not available.
Easily testable by unmounting debugfs (umount debugfs) and launching
opensnitchd. It should work as expected.
2020-02-13 23:08:58 +01:00
Gustavo Iñiguez Goia
d5b7c597ae
Fixed typo in netlink parameter
...
Thanks to @Ph0rk0z for pointing it out.
2020-02-13 10:01:22 +01:00
Gustavo Iñiguez Goia
54bb5dcca5
Fixed and improved netlink communications
...
Fixed invalid uid.
Fixed/improved netlink sockets querying.
2020-02-12 22:52:24 +01:00
Gustavo Iñiguez Goia
a6ff8d2c4f
Prioritize cache pids with active connections
...
Processes with active connections are the most likely to be the latest
modified ones in /proc, thus sorting cache pids by time speeds up pids cache
searching. From several ms to us.
2020-02-12 22:20:26 +01:00
Gustavo Iñiguez Goia
489b64730a
Sort process descriptors by modified time
...
When parsing /proc/<pid>/fd/ looking for sockets, latest
modified/created descriptors are the most likely to have
generated connections.
This way we decrease the parsing time, system load and speed up process name
retrieval.
2020-02-11 21:32:48 +01:00
Gustavo Iñiguez Goia
8782b77625
Allow to compile the daemon with outdated libnetfilter-queue
...
On Ubuntu 18.04 the libnetfilter-queue is not the latest one (1.0.3) and
it doesn't have UID/GID support.
2020-02-09 19:28:27 +01:00
Gustavo Iñiguez Goia
7d330f24d9
Bump version to 1.0.0-rc2
2020-02-05 00:57:06 +01:00
Gustavo Iñiguez Goia
a978f405fc
Fixed missing returned value
2020-02-05 00:26:32 +01:00
Gustavo Iñiguez Goia
5d92cbb893
Load nfq_get_uid dynamically
...
nfq_get_uid symbol does not exist on some systems.
2019-12-05 01:48:21 +01:00
Gustavo Iñiguez Goia
3e6520edad
Version changed to 1.0.0-rc1
2019-12-04 23:16:35 +01:00
Gustavo Iñiguez Goia
996e9ad888
Added netlink IPv6 uid/inode lookup support
2019-12-02 23:53:41 +01:00
Gustavo Iñiguez Goia
d8ad8de6ef
Lookup inode and uid via netlink
...
It has some advantages over parsing /proc, like performance and
reliability.
2019-12-01 20:10:49 +01:00
Gustavo Iñiguez Goia
4a30cc5b84
Reduced the pid cache sizes
...
It's somewhat arbitrary. It'll depend on each use case.
2019-12-01 20:05:20 +01:00
Gustavo Iñiguez Goia
cc27be2bae
Added initial support for advanced rules (lists)
...
Probably not the best UI, just the one I came up with.
2019-11-20 10:27:28 +01:00
Gustavo Iñiguez Goia
912f85f5d1
Added more timeout options (30s, 5m, 15m, 30m, 1h)
...
Added 30s, 5m, 15m, 30m and 1h timeout options to deny or allow
connections.
It helps to avoid repetitive new connection dialogs, while at the same
time it allows you to deny/allow a connection for a short period of time,
and apply the default for the rest.
2019-11-09 01:35:13 +01:00
Gustavo Iñiguez Goia
93592b6b00
Allow to see which domain a process is trying to resolve
...
Ideally this information should go in a different Connection field, but
for now let's use DstHost.
2019-11-08 01:38:26 +01:00
Gustavo Iñiguez Goia
7eec749498
allow to configure unknown conns interception
...
/etc/opensnitchd/default-config.json can now contain
"intercept_unknown": true|false
2019-11-01 01:00:10 +01:00
Gustavo Iñiguez Goia
845e6a704f
Intercept and parse UDPLite connections
...
/proc/net/udplite[6]
2019-10-29 20:01:45 +01:00
Gustavo Iñiguez Goia
a0eacfb8b8
Allow to intercept localhost and multicast connections
2019-10-29 19:53:07 +01:00
Gustavo Iñiguez Goia
65c3790106
Prompt the user to allow/deny all outgoing connections
...
With the current implementation, it's not possible to know what
process/pid has created an outgoing connection, but there's still
valuable information that the user may want to know, so:
- display outgoing connections even if the process name/path is unknown.
(src ip, dst ip, dst port, uid)
- get outgoing connection uid if kernel > 3.6.
2019-10-25 00:55:32 +02:00
Gustavo Iñiguez Goia
9cc3da6446
experimental cache of inodes and pids
...
Just an experimental cache of inodes and pids, which lowers the CPU
usage and improves user's experience.
2019-10-24 01:01:20 +02:00
Gustavo Iñiguez Goia
dea50635d5
Merge branch 'fix_process_finding' into main
2019-10-21 19:48:17 +02:00
Gustavo Iñiguez Goia
59a11a530c
Workaround process name lookup
2019-10-21 19:45:35 +02:00
Gustavo Iñiguez Goia
5690d37d52
Merge branch 'clean_fw_rules_before_start' into main
2019-10-21 19:25:42 +02:00
Gustavo Iñiguez Goia
8922d445af
Clean firewall rules before start
...
If opensnitchd dies unexpectedly, firewall rules are not cleaned up.
2019-10-21 19:23:29 +02:00
Gustavo Iñiguez Goia
ad70655698
removed useless trace log
2019-10-21 00:40:26 +02:00
Gustavo Iñiguez Goia
ce71c383a9
fixed missing funcs declarations and non used var
2019-10-21 00:04:15 +02:00
Gustavo Iñiguez Goia
dedd009204
Merge branch 'daemon_default_config' into main
2019-10-21 00:02:25 +02:00
Gustavo Iñiguez Goia
067d0d8eed
Merge branch 'fixed_unwanted_rules_reloading' of github.com:gustavo-iniguez-goya/opensnitch into main
2019-10-20 23:46:04 +02:00
Gustavo Iñiguez Goia
2c3339c728
Merge branch 'fix_grpc_sockets_leaks' into main
2019-10-20 23:25:21 +02:00
Gustavo Iñiguez Goia
1778a5502a
Merge branch 'fix_race_read_write_stats' into main
2019-10-20 22:28:45 +02:00
Gustavo Iñiguez Goia
a7e9b5072f
project import paths changed
2019-10-20 21:51:35 +02:00
Gustavo Iñiguez Goia
843924fff4
Fixed unwanted rules reloading after adding a new one
...
fixes #271
2019-08-13 19:19:17 +02:00
Gustavo Iñiguez Goia
3bc83efd10
apply default action to connections that can not be parsed
...
If a connection can not be parsed for some reason, apply the default
action configured.
2019-07-31 01:44:41 +02:00
Gustavo Iñiguez Goia
eeed991f8d
Allow to configure daemon's default action rule
...
If the file /etc/opensnitchd/default-config.json exists,
read it and apply the options to the default rule when there's no client
connected.
If it doesn't exist, just apply the default rule, allow connections
once.
Config example: {"default_action": "deny", "default_duration": "once"}
2019-07-02 23:41:41 +02:00
Gustavo Iñiguez Goia
e356c84baa
Fix grpc sockets leaking when connecting to a UI
...
Failed connections to a UI were not being closed, so we ended up
with > 1024 opened sockets, which caused the error Too many files open.
2019-06-29 13:55:44 +02:00
Gustavo Iñiguez Goia
57d1198635
Fixed race when reading and collecting stats
...
When reading stats, a race can occur when sending them to remote UI via
Ping()s if at the same time more stats are being collected (written).
2019-06-29 13:46:26 +02:00
Peter Stöckli
0efcfe9e65
also detect applications that use the AF_INET6 socket for IPv4 connections
2019-05-13 11:14:58 +02:00
Northern-Lights
ba00f91bde
Fix QueueDNSResponses to include ip6tables
2019-01-26 20:56:12 -08:00
Armen Boursalian
cc3786b919
Fix ignored err check in RunRule
2018-12-30 19:07:05 -08:00
Christina Lena Korosec
08c3e17c37
Fixes #228 : Parse IP and port to uint
2018-12-13 12:08:44 +01:00
evilsocket
61cf3d1e08
Merge pull request #224 from jkozera/jkozera/list-rule-type
...
Add a 'list' rule type
2018-11-22 01:56:27 +01:00
Jerzy Kozera
22c4aca5d0
IPv6 support
2018-11-21 22:57:43 +01:00
Jerzy Kozera
616fef6e83
Add a 'list' rule type
2018-11-21 22:51:33 +01:00
Armen Boursalian
a8a52f8650
RWMutex may help performance in DNS tracking
2018-08-28 08:21:26 -07:00
Armen Boursalian
b95c63f0c0
#176 : IP -> CNAME -> orig. domain display
2018-08-28 08:20:42 -07:00
Armen Boursalian
bb2ca3887c
Put DNS rule higher up in chain
2018-08-23 22:44:48 -07:00
Northern-Lights
f4162b9384
Update probed function sys_execve to do_execve
2018-08-12 13:02:33 -07:00