Comments (17)

JayBrown avatar JayBrown commented on May 28, 2024 1

You don't need external websites. You can listen locally; regarding VPN, e.g. for configd: network changed, which also comes with info on whether it's a "v4" or "v6" connection. (It doesn't give you your actual public IP, though; for that you would need external IP services, and you would need to extend the .py script.) As for DNS, I think the system.log reads mDNSResponder: SIGHUP: Purge cache when DNS changes. (But I'm not sure about the latter; at least that's what happens in my case: I use different DNS when on VPN.)

from security-growler.

pirate avatar pirate commented on May 28, 2024 1

Great ideas, here's how I think they should be implemented:

  • new DNS change parser: mDNSResponder: SIGHUP: Purge cache
  • new VPN change parser: configd: network changed
  • new public IP change source: dig +short myip.opendns.com @resolver1.opendns.com
  • new local IP change source: ifconfig | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1' | xargs

The IP change alerts will have to be implemented as sources, since they can't be parsed from the system log. Sources have the ability to run a command on every call, e.g. dig or ifconfig. I'll work on this when I have some spare time.

JayBrown avatar JayBrown commented on May 28, 2024 1

dig +short myip.opendns.com @resolver1.opendns.com is definitely the fastest IP lookup. (STUN is also fast, but not everyone has that.)

An alternate for the local IP, maybe slightly faster, could be
ipconfig getifaddr $(route get 0.0.0.0 2>/dev/null | /usr/bin/awk '/interface: / {print $2}')

pirate avatar pirate commented on May 28, 2024 1

@JayBrown Actually, Security Growler does run commands periodically and diffs subsequent outputs to detect changes. Sources can be of either type: simple "file newline watchers" or "differs" that run a command and check against previous output. See the sockets.py source for how SG compares netstat output to detect new sockets being opened. https://github.com/pirate/security-growler/blob/master/sources/sockets.py#L33

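As an added example (not Security Growler's own code), here is how a "differ" source of the kind described in this comment could look: it re-implements the ifconfig | grep pipeline proposed earlier in the thread in Python and compares successive snapshots, so that only addresses that appeared or vanished since the last poll are reported. The DifferSource class name, the run_ifconfig helper and the two ifconfig snapshots are constructed for the demo.

```python
import re
import subprocess
from typing import Callable, List, Optional, Set, Tuple

# Same extraction as: ifconfig | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' ...
INET_RE = re.compile(r"inet (?:addr:)?((?:[0-9]+\.){3}[0-9]+)")


def local_ipv4_addresses(ifconfig_output: str) -> Set[str]:
    """Every IPv4 address in ifconfig output, minus loopback (mirrors the grep -v)."""
    return {ip for ip in INET_RE.findall(ifconfig_output) if ip != "127.0.0.1"}


class DifferSource:
    """Hypothetical 'differ': run a command on every poll, report what changed since last time."""

    def __init__(self, runner: Callable[[], str], parser: Callable[[str], Set[str]]):
        self.runner = runner
        self.parser = parser
        self.previous: Optional[Set[str]] = None

    def poll(self) -> Tuple[Set[str], Set[str]]:
        current = self.parser(self.runner())
        if self.previous is None:
            self.previous = current
            return set(), set()  # first poll only establishes the baseline, no alert
        added, removed = current - self.previous, self.previous - current
        self.previous = current
        return added, removed


def run_ifconfig() -> str:
    """Real runner for live use; the demo below feeds constructed snapshots instead."""
    return subprocess.run(["ifconfig"], capture_output=True, text=True, check=False).stdout


# Constructed ifconfig snapshots standing in for two successive polls (VPN comes up, then goes down).
BEFORE = """lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 192.168.178.2 netmask 0xffffff00 broadcast 192.168.178.255
"""
AFTER = BEFORE + """utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
\tinet 10.10.30.15 --> 10.10.30.15 netmask 0xffffffff
"""


def demo() -> List[Tuple[Set[str], Set[str]]]:
    snapshots = iter([BEFORE, AFTER, BEFORE])
    src = DifferSource(lambda: next(snapshots), local_ipv4_addresses)
    return [src.poll() for _ in range(3)]
```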

pirate avatar pirate commented on May 28, 2024

My target is to get DNS and VPN settings out with v2.3 next week, and local/pub ip changes after that (since it requires writing new loggers it takes a bit longer).

TraderStf avatar TraderStf commented on May 28, 2024

The networksetup command has a lot of info:
networksetup -listnetworkserviceorder
networksetup -listallnetworkservices
networksetup -getinfo xxx to get local ip4 and ip6, router...
networksetup -getdnsservers xxx to get DNS4-6 Resolvers

ipconfig getpacket en0 - all in one 'record' (DNS different than -getdnsservers!)

I did not check, but is ip6 missing from your sample?

JayBrown avatar JayBrown commented on May 28, 2024

Some remarks:

  • a command like ipconfig getpacket en0 would just output the system/network state at a certain time. You would have to save this info in a prefs file or a db, then run the command again at regular intervals, and diff the results. I don't think this is what Security Growler does, nor what it should do. It's just a monitor/watcher, not a scanner. What you seem to be looking for is an IP or network scanner background script run by an agent or daemon.
  • Regarding the VPN changes, monitoring system.log for configd[]: network changed will probably produce false positives, because I received such a log entry last night (see below), even though I didn't do anything VPN-wise. It was just the computer reconnecting after wake from sleep. So if the configd entries are something like this:
DATE LOCALHOST configd[]: network changed: v4(en1-:192.168.178.2) DNS- Proxy- SMB-
DATE LOCALHOST configd[]: network changed: DNS* Proxy
DATE LOCALHOST configd[]: network changed: v4(en1!:192.168.178.2) DNS+ Proxy+ SMB+

it could be anything, while something like this:

DATE LOCALHOST configd[]: network changed: v4(en1:192.168.178.2, utun1+:10.10.30.15) DNS* Proxy SMB
DATE LOCALHOST configd[]: network changed: v4(utun1/:10.10.30.15, en1\:192.168.178.2) DNS! Proxy- SMB-
DATE LOCALHOST configd[]: network changed

is a clear sign of VPN. However, if we ignore the first set of log entries above, we would only know when a VPN connection is established, not when it is broken down or disconnected by the user. So we have to live with false positives, unless we find a more elegant way.

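An added example (not code from the project or the thread's participants) of a watcher for the configd lines quoted above: it parses the v4(...) interface list out of each "network changed" line and raises a VPN event only when a tunnel interface (utun*, ppp*) appears or disappears between lines that carry a v4 list, which discards the wake-from-sleep lines that only mention en1 and also catches the disconnect. The sample log is reconstructed from the lines in this comment; the tunnel-prefix heuristic and the reading of a trailing '-' as "address being removed" are assumptions.

```python
import re
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed sample, reconstructed from the configd lines quoted in this thread.
SAMPLE_LOG = r"""
DATE LOCALHOST configd[]: network changed: v4(en1-:192.168.178.2) DNS- Proxy- SMB-
DATE LOCALHOST configd[]: network changed: DNS* Proxy
DATE LOCALHOST configd[]: network changed: v4(en1!:192.168.178.2) DNS+ Proxy+ SMB+
DATE LOCALHOST configd[]: network changed: v4(en1:192.168.178.2, utun1+:10.10.30.15) DNS* Proxy SMB
DATE LOCALHOST configd[]: network changed: v4(utun1/:10.10.30.15, en1\:192.168.178.2) DNS! Proxy- SMB-
DATE LOCALHOST configd[]: network changed
DATE LOCALHOST configd[]: network changed: v4(en1:192.168.178.2) DNS* Proxy SMB
"""

V4_RE = re.compile(r"configd\[\d*\]: network changed:.*?v4\(([^)]*)\)")
# interface name, optional state marker (+ - ! * / \), address
ENTRY_RE = re.compile(r"^([A-Za-z]+\d+)([+\-!*/\\]?):(\S+)$")
TUNNEL_PREFIXES = ("utun", "ppp")  # assumption: OpenVPN/Viscosity use utun*, PPTP/L2TP use ppp*


def parse_v4_interfaces(line: str) -> Optional[List[Tuple[str, str, str]]]:
    """(interface, marker, address) triples from the v4(...) list, or None if the line has none."""
    m = V4_RE.search(line)
    if not m:
        return None  # 'DNS* Proxy' and bare 'network changed' lines carry no v4 state
    found = []
    for entry in m.group(1).split(","):
        em = ENTRY_RE.match(entry.strip())
        if em:
            found.append((em.group(1), em.group(2), em.group(3)))
    return found


def vpn_events(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield ('connected'|'disconnected', interface, address) as tunnel interfaces come and go."""
    known: Dict[str, str] = {}
    for line in lines:
        entries = parse_v4_interfaces(line)
        if entries is None:
            continue
        # assumption: a '-' marker means the address is being removed, so it is not "present"
        current = {name: ip for name, marker, ip in entries
                   if name.startswith(TUNNEL_PREFIXES) and marker != "-"}
        for name, ip in current.items():
            if name not in known:
                yield ("connected", name, ip)
        for name, ip in known.items():
            if name not in current:
                yield ("disconnected", name, ip)
        known = current


def detect_vpn_events(log_text: str) -> List[Tuple[str, str, str]]:
    return list(vpn_events(log_text.strip().splitlines()))
```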

TraderStf avatar TraderStf commented on May 28, 2024

I'm not all that technical about VPN, but some are not 'modifying' values visible in Apple Network, VPN on or off. Is it Apple Network prefs which is not updated if not 'directly' changed?

TraderStf avatar TraderStf commented on May 28, 2024

An idea: groups like on this page, the top 4 groups.
http://www.whatsmyip.org/port-scanner/

JayBrown avatar JayBrown commented on May 28, 2024

Oh, cool.

TraderStf avatar TraderStf commented on May 28, 2024

@JayBrown the sites given in my first msg are to verify, not to be used by SG.

TraderStf avatar TraderStf commented on May 28, 2024

scutil seems to have all we need, at least for VPN defined in Apple Networks...

Found all this by looking at Console, activities when switching VPN on/off.

List of VPN names (here: myVPNname) defined in Apple Network Prefs - Current Config (not all existing config in the drop down list)

scutil --nc list
Available network connection services in the current set (*=enabled):
* (Disconnected)   A2......CC    PPP --> PPTP    "myVPName"  [PPP:PPTP]

Status of the VPN

scutil --nc status myVPName
Connected
Extended Status  {
  IPv4 :  {
    Addresses :  {
      0 : 10.163.......
    }
    DestAddresses :  {
      0 : 10.163.....
    }
    InterfaceName : ppp0
    NetworkSignature : VPN.RemoteAddress=amster.myvpnprovider.com
    OverridePrimary : 1
    Router : 10.163......
    ServerAddress : 188.172......
  }
  PPP :  {
    CommRemoteAddress : amster.myvpnprovider.com
    ConnectTime : 21824
    IPCPCompressionVJ : 0
    LCPCompressionACField : 1
    LCPCompressionPField : 1
    LCPMRU : 1500
    LCPMTU : 1396
    Status : 8
  }
  Status : 2
}
scutil --nc help
Valid commands for scutil --nc (VPN connections)
Usage: scutil --nc [command]
    list
        List available network connection services in the current set
    status 
        Indicate whether a given service is connected, as well as extended status information for the service
    show 
        Display configuration information for a given service
    statistics 
        Provide statistics on bytes, packets, and errors for a given service
    select 
        Make the given service active in the current set. This allows it to be started
    start  [--user user] [--password password] [--secret secret]
        Start a given service. Can take optional arguments for user, password, and secret
    stop 
        Stop a given service
    suspend 
        Suspend a given service (PPP, Modem on Hold)
    resume 
        Resume a given service (PPP, Modem on Hold)
    ondemand [-W] [hostname]
    ondemand -- --refresh
        Display VPN on-demand information
    trigger  [background] [port]
        Trigger VPN on-demand with specified hostname, and optional port and background flag
    enablevpn  [path]
        Enables the given VPN application type. Takes either a service or VPN type. Pass a path to set ApplicationURL
    disablevpn 
        Disables the given VPN application type. Takes either a service or VPN type
    help
        Display available commands for --nc

JayBrown avatar JayBrown commented on May 28, 2024

The scutil command wouldn't work with my setup. (I'm using OpenVPN through utun1 with the Viscosity VPN client.)

TraderStf avatar TraderStf commented on May 28, 2024

Only if defined in Apple Network. There is also the case of a 'double' VPN, two at the same time...

pirate avatar pirate commented on May 28, 2024

Check out http://buttered-cat.com/products/view/MetaGrowler, it does some of the network-related things we wanted.

Unfortunately it seems unsupported and is prone to crashing on El Capitan... :(

pirate avatar pirate commented on May 28, 2024

For anyone watching this, HardwareGrowler shows IP address and network config changes, and it works well on macOS Sierra. I recommend downloading that and using it, as it's a great app and I'd like to have as little overlap as possible between SG and it.

[screenshot, 2016-12-17]

pirate avatar pirate commented on May 28, 2024

Since many of the requested new alerts in this issue are covered by HardwareGrowler, I'm going to close this issue and recommend people download that app in the README. If you guys want a specific network alert that isn't covered by HardwareGrowler, open a separate issue for it.

Here is the current state of new alert requests:

  • new DNS change parser (tracked in #42)
  • new public IP change (tracked in #43)
  • new ARP resolution change (tracked in #30)
  • √ new VPN change (covered by HardwareGrowler)
  • √ new local IP change (covered by HardwareGrowler)
  • √ new wifi/LAN connection (covered by HardwareGrowler)
  • √ new bluetooth connections (covered by HardwareGrowler)
