Comments (17)
You don't need external websites. You can listen locally, regarding VPN e.g. for "configd: network changed", which also comes with info if it's a "v4" or "v6" connection. (It doesn't give you your actual public IP, though; for that you would need external IP services, and you would need to extend the .py script.) As for DNS, I think the system.log reads "mDNSResponder: SIGHUP: Purge cache" when DNS changes. (But I'm not sure about the latter; at least that's what happens in my case: I use different DNS when on VPN.)
from security-growler.
Great ideas, here's how I think they should be implemented:
- new DNS change parser:
mDNSResponder: SIGHUP: Purge cache
- new VPN change parser:
configd: network changed
- new public IP change source:
dig +short myip.opendns.com @resolver1.opendns.com
- new local IP change source:
ifconfig | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1' | xargs
The IP change alerts will have to be implemented as sources, since they can't be parsed from the system log. Sources have the ability to run a command on every call, e.g. dig or ifconfig. I'll work on this when I have some spare time.
from security-growler.
"dig +short myip.opendns.com @resolver1.opendns.com" is definitely the fastest IP lookup. (STUN is also fast, but not everyone has that.)
An alternate for the local IP, maybe slightly faster, could be:
ipconfig getifaddr $(route get 0.0.0.0 2>/dev/null | /usr/bin/awk '/interface: / {print $2}')
from security-growler.
@JayBrown actually security growler does run commands periodically and diff subsequent outputs to detect changes. Sources can be of either type, simple "file newline watchers" or "differs" that run a command and check against previous output. See the sockets.py source for how SC compares netstat output to detect new sockets being opened. https://github.com/pirate/security-growler/blob/master/sources/sockets.py#L33
from security-growler.
My target is to get DNS and VPN settings out with v2.3
next week, and local/pub ip changes after that (since it requires writing new loggers it takes a bit longer).
from security-growler.
The networksetup command has a lot of info:
networksetup -listnetworkserviceorder
networksetup -listallnetworkservices
networksetup -getinfo xxx (to get local ip4 and ip6, router, ...)
networksetup -getdnsservers xxx (to get DNS4-6 resolvers)
ipconfig getpacket en0 (all in one 'record'; DNS different than -getdnsservers!)
I did not check, but is ip6 missing from your sample?
from security-growler.
Some remarks:
- A command like "ipconfig getpacket en0" would just output the system/network state at a certain time. You would have to save this info in a prefs file or a db, then run the command again at regular intervals, and diff the results. I don't think this is what Security Growler does, nor what it should do. It's just a monitor/watcher, not a scanner. What you seem to be looking for is an IP or network scanner background script run by an agent or daemon.
- Regarding the VPN changes, monitoring system.log for "configd[]: network changed" will probably produce false positives, because I received such a log entry last night (see below), even though I didn't do anything VPN-wise. It was just the computer reconnecting after wake from sleep. So if the configd entries are something like this:
DATE LOCALHOST configd[]: network changed: v4(en1-:192.168.178.2) DNS- Proxy- SMB-
DATE LOCALHOST configd[]: network changed: DNS* Proxy
DATE LOCALHOST configd[]: network changed: v4(en1!:192.168.178.2) DNS+ Proxy+ SMB+
it could be anything, while something like this:
DATE LOCALHOST configd[]: network changed: v4(en1:192.168.178.2, utun1+:10.10.30.15) DNS* Proxy SMB
DATE LOCALHOST configd[]: network changed: v4(utun1/:10.10.30.15, en1\:192.168.178.2) DNS! Proxy- SMB-
DATE LOCALHOST configd[]: network changed
is a clear sign of VPN. However, if we ignore the first set of log entries above, we would only know when a VPN connection is established, not when it is broken down or disconnected by the user. So we have to live with false positives, unless we find a more elegant way.
from security-growler.
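As an added illustration (not code from Security Growler or from anyone in this thread), here is a small Python parser for the configd entries quoted above. It only raises an event when a tunnel-style interface (utun/ppp) appears in or disappears from the v4(...) list, so the wake-from-sleep reconnect in the first set produces nothing while the utun1 connect in the second set does; the final sample line and the reading of a trailing "-" as "interface went away" are assumptions.

```python
import re

# Constructed sample, modelled on the configd entries quoted in this thread:
# wake-from-sleep reconnect (no VPN), then the utun1 VPN connect; the final
# line is constructed here to show the tunnel going away again.
SAMPLE_LOG = [
    r"DATE LOCALHOST configd[]: network changed: v4(en1-:192.168.178.2) DNS- Proxy- SMB-",
    r"DATE LOCALHOST configd[]: network changed: DNS* Proxy",
    r"DATE LOCALHOST configd[]: network changed: v4(en1!:192.168.178.2) DNS+ Proxy+ SMB+",
    r"DATE LOCALHOST configd[]: network changed: v4(en1:192.168.178.2, utun1+:10.10.30.15) DNS* Proxy SMB",
    r"DATE LOCALHOST configd[]: network changed: v4(utun1/:10.10.30.15, en1\:192.168.178.2) DNS! Proxy- SMB-",
    r"DATE LOCALHOST configd[]: network changed",
    r"DATE LOCALHOST configd[]: network changed: v4(en1:192.168.178.2, utun1-:10.10.30.15) DNS* Proxy SMB",
]

V4_GROUP = re.compile(r"network changed:.*?\bv4\(([^)]*)\)")
# interface, optional change marker (+ - ! / \ all occur in the thread), address
V4_ITEM = re.compile(r"\s*([a-z]+\d+)([+\-!/\\]?):([0-9.]+)")
# utun is what OpenVPN/Viscosity used above; ppp is what scutil --nc reported for PPTP
TUNNEL_IFACE = re.compile(r"^(utun|ppp|tun|tap)\d+$")


def parse_v4(line):
    """{iface: (marker, ip)} from the v4(...) group, or None when the entry has
    no interface list (DNS/Proxy-only entries and the bare 'network changed')."""
    m = V4_GROUP.search(line)
    if not m:
        return None
    return {iface: (mk, ip) for iface, mk, ip in V4_ITEM.findall(m.group(1))}


def tunnels_present(v4):
    """Tunnel interfaces still up in a snapshot. Assumption: a trailing '-' marks an
    interface that just went away, as 'en1-' does on the wake-from-sleep reconnect."""
    return {i for i, (mk, _ip) in v4.items() if TUNNEL_IFACE.match(i) and mk != "-"}


def scan(lines):
    """Return [(line_index, event)]; an event fires only when the set of tunnel
    interfaces changes between two snapshots, so en1 flapping alone is ignored."""
    events, known = [], set()
    for idx, line in enumerate(lines):
        v4 = parse_v4(line)
        if v4 is None:
            continue  # nothing to learn from, and no alert either
        current = tunnels_present(v4)
        if current - known:
            events.append((idx, "vpn_connected:" + ",".join(sorted(current - known))))
        elif known - current:
            events.append((idx, "vpn_disconnected:" + ",".join(sorted(known - current))))
        known = current
    return events
```

Feeding the same lines through scan() gives one connect event at the utun1+ entry and one disconnect event at the constructed utun1- entry, and nothing for the reconnect-after-sleep entries.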
I'm not all that technical about VPN, but some are not 'modifying' values visible in Apple Network, VPN on or off. Is it Apple Network prefs which is not updated if not 'directly' changed?
from security-growler.
An idea: groups like on this page, top 4 groups.
http://www.whatsmyip.org/port-scanner/
from security-growler.
Oh, cool.
from security-growler.
@JayBrown the sites given in my first msg are to verify, not to be used by SG.
from security-growler.
scutil seems to have all we need, at least for VPN defined in Apple Networks...
Found all this by looking at Console, activities when switching VPN on/off.
List of VPN names (here: myVPNname) defined in Apple Network Prefs - Current Config (not all existing configs in the drop-down list):
scutil --nc list
Available network connection services in the current set (*=enabled):
* (Disconnected) A2......CC PPP --> PPTP "myVPName" [PPP:PPTP]
Status of the VPN:
scutil --nc status myVPName
Connected
Extended Status {
  IPv4 : {
    Addresses : {
      0 : 10.163.......
    }
    DestAddresses : {
      0 : 10.163.....
    }
    InterfaceName : ppp0
    NetworkSignature : VPN.RemoteAddress=amster.myvpnprovider.com
    OverridePrimary : 1
    Router : 10.163......
    ServerAddress : 188.172......
  }
  PPP : {
    CommRemoteAddress : amster.myvpnprovider.com
    ConnectTime : 21824
    IPCPCompressionVJ : 0
    LCPCompressionACField : 1
    LCPCompressionPField : 1
    LCPMRU : 1500
    LCPMTU : 1396
    Status : 8
  }
  Status : 2
}
scutil --nc help
Valid commands for scutil --nc (VPN connections)
Usage: scutil --nc [command]
  list
    List available network connection services in the current set
  status
    Indicate whether a given service is connected, as well as extended status information for the service
  show
    Display configuration information for a given service
  statistics
    Provide statistics on bytes, packets, and errors for a given service
  select
    Make the given service active in the current set. This allows it to be started
  start [--user user] [--password password] [--secret secret]
    Start a given service. Can take optional arguments for user, password, and secret
  stop
    Stop a given service
  suspend
    Suspend a given service (PPP, Modem on Hold)
  resume
    Resume a given service (PPP, Modem on Hold)
  ondemand [-W] [hostname]
  ondemand -- --refresh
    Display VPN on-demand information
  trigger [background] [port]
    Trigger VPN on-demand with specified hostname, and optional port and background flag
  enablevpn [path]
    Enables the given VPN application type. Takes either a service or VPN type. Pass a path to set ApplicationURL
  disablevpn
    Disables the given VPN application type. Takes either a service or VPN type
  help
    Display available commands for --nc
from security-growler.
The scutil command wouldn't work with my setup. (I'm using OpenVPN through utun1 with the Viscosity VPN client.)
from security-growler.
Only if defined in Apple Network. There is also the case of a 'double' VPN, two at the same time...
from security-growler.
Check out http://buttered-cat.com/products/view/MetaGrowler, it does some of the network-related things we wanted.
Unfortunately it seems unsupported and is prone to crashing on El Capitan... :(
from security-growler.
For anyone watching this, HardwareGrowler shows IP address and network config changes, and it works well on macOS Sierra. I recommend downloading that and using it, as it's a great app and I'd like to have as little overlap as possible between SG and it.
from security-growler.
Since many of the requested new alerts in this issue are covered by HardwareGrowler, I'm going to close this issue and recommend people download that app in the README. If you guys want a specific network alert that isn't covered by HardwareGrowler, open a separate issue for it.
Here is the current state of new alert requests:
- new DNS change parser (tracked in #42)
- new public IP change (tracked in #43)
- new ARP resolution change (tracked in #30)
- √ new VPN change (covered by HardwareGrowler)
- √ new local IP change (covered by HardwareGrowler)
- √ new wifi/LAN connection (covered by HardwareGrowler)
- √ new bluetooth connections (covered by HardwareGrowler)
from security-growler.