pirate / security-growler
:satellite: A Mac menubar app that notifies you whenever SSH, VNC, sudo, or other auth events occur.
Home Page: https://sweeting.me/security-growler
System Log contains events for Airport Wi-Fi
OS X 10.11.6:
kernel[0]: AirPort: Link Up on en0
kernel[0]: AirPort: RSN handshake complete on en0
kernel[0]: AirPort: Link Down on en0. Reason 8 (Disassociated because station leaving).
Possible Parser:
import re

# Filter on the full "kernel[0]: AirPort:" prefix rather than just 'kernel',
# so unrelated kernel messages do not trigger an alert.
AIRPORT_EVENT_FILTER = re.compile(r'kernel\[\d+\]: AirPort:')
# Pulls the interface name out of "Link Up on en0" / "Link Down on en0." / "... complete on en0"
INTERFACE_PATTERN = re.compile(r'\bon (\w+)')

# Sample lines (Nov 14 20:29:24 Mark Fleming):
# kernel[0]: AirPort: Link Up on en0
# kernel[0]: AirPort: RSN handshake complete on en0
#
# kernel[0]: AirPort: Link Down on en0. Reason 8 (Disassociated because station leaving).

TITLE = 'AIRPORT EVENT: {interface}'
BODY = '{message}\n'
EXCLUDE_LINES = ('airportd',)  # don't alert on AirPort events that contain these strings


def parse(line, source=None):
    if AIRPORT_EVENT_FILTER.search(line) and not any(pattern in line for pattern in EXCLUDE_LINES):
        match = INTERFACE_PATTERN.search(line)
        interface = match.group(1) if match else 'unknown'
        # everything after the "AirPort:" tag is the human-readable event text
        message = line.split('AirPort:', 1)[-1].strip()
        return ('alert',
                TITLE.format(interface=interface),
                BODY.format(message=message))
    return (None, '', '')
Unfortunately getting the PID of a process attached to a given port seems to require root privileges on unix.
The options are:
Gives PID, process, and owner. Requires root:
sudo lsof +c 0 -i:5900
Gives no PID, owner, or name. Doesn't require root, and almost 2x the speed of lsof
netstat -tan | grep '[:.]5900'
If anyone has any advice on how to get around this conundrum, I'd love to hear. VNC is currently the only logger that requires root permissions, all the others work fine if the user has read access to /var/log/. I really don't want to ask for an admin password for the app if I don't need to, but at the same time this is valuable connection information that I want to see if someone is VNCing into my computer.
Hello,
I've got this message on my notification panel: Stopped Watching Sources @ 14:20 IOError
Do I need to do a further tweak in order to make it run on my OS 10.11.3?
Thanks.
Faxo
Dear,
Would it be possible to start security-growler directly on OS X boot/launching the app? I've added security-growler to System Preferences → Users & Groups → myuser → Login Items.
It doesn't auto kick-start however, only when I manually click the menu bar icon.
Kind regards,
Rowan Kaag
After launching the app the icon appears in the menu bar but it only says "Security Growler is not running". I want to use notification center on Mac OS X 10.9.2.
I checked the requirements.txt and installed appscript via sudo easy_install.
What else could be the reason?
Thanks
As PushAlotAuth is quite content weak and seems abandoned, do you think this project can be adapted for linux-based systems? I can see that the notification script is made for OSX, then I think it is hackable for linux.
It would be great if Security Growler was periodically checking for updates and maybe even automatically updated itself.
Sometimes the menubar log gets really really long if the app is left running.
I should add a menubar item that allows resetting, so that you can still view the log history by opening SecurityGrowler.log, but the menubar only shows items since it was cleared.
This seems to be a bug. After wake from sleep Security Growler doesn't work, doesn't respond to anything. On my system (10.11.4) I need to select "Stop the background agent & Quit" from the menulet's menu. Funny thing is that the Security Growler menulet then actually doesn't quit; it keeps running, which would itself be another bug (a bug within a bug), and instead I get the notification that it's now watching, and then it works fine.
Growler gets killed or doesn't have an autostart option. Every time I have to run it manually.
Hi,
I had several port scan warnings overnight; unfortunately, the log doesn't indicate the originating IP so I couldn't identify if this was something on my LAN or coming in via either of my two routers. Including as much detail as possible on the log message would be a big help.
Thanks,
Joey
I'm using the Ostiarius background process by Objective-See to block the execution of unsigned apps/binaries, and the system.log entries look like this:
27/04/16 15:07:03,000 kernel[0]: OSTIARIUS: /Applications/APP_NAME.app/Contents/MacOS/APP_BINARYNAME is from the internet & is unsigned -> BLOCKING!
Is there a way to monitor this? I tried adding "OSTIARIUS:" into the settings file, but that didn't do the trick.
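One way to watch for the Ostiarius line quoted above, written here as an added example in the same (kind, title, body) shape as the AirPort parser posted earlier on this page; it is not part of the project's code, and the settings-file mechanism the question mentions is not assumed. The sample lines are constructed, the regex and helper names are my own, and the second sample shows the same event as it would appear in /var/log/system.log rather than in Console.app:

```python
import os
import re

# Constructed sample lines (not captured from a real host). The first is in the
# Console.app format pasted in the issue, the second in /var/log/system.log
# format, the third is an unrelated sudo line that must not alert.
SAMPLE_LINES = [
    '27/04/16 15:07:03,000 kernel[0]: OSTIARIUS: /Applications/APP_NAME.app/Contents/MacOS/APP_BINARYNAME is from the internet & is unsigned -> BLOCKING!',
    'Apr 27 15:07:03 macbook kernel[0]: OSTIARIUS: /Users/someone/Downloads/Some Tool.app/Contents/MacOS/Some Tool is from the internet & is unsigned -> BLOCKING!',
    'Apr 27 15:07:04 macbook sudo[123]: someone : TTY=ttys000 ; PWD=/Users/someone ; USER=root ; COMMAND=/usr/bin/true',
]

# Matches only the message part, so the parser works whatever timestamp/host
# prefix the log source adds. The path is everything up to " is ", which keeps
# application paths containing spaces intact.
OSTIARIUS_PATTERN = re.compile(
    r'kernel\[\d+\]: OSTIARIUS: (?P<path>/.+?) (?P<reason>is .*?) -> (?P<verdict>\w+)!')

TITLE = 'OSTIARIUS {verdict}: {name}'
BODY = '{path}\n{reason}\n'


def parse(line, source=None):
    """(kind, title, body) for an Ostiarius line, (None, '', '') for anything else."""
    match = OSTIARIUS_PATTERN.search(line)
    if not match:
        return (None, '', '')
    path = match.group('path')
    return ('alert',
            TITLE.format(verdict=match.group('verdict'), name=os.path.basename(path)),
            BODY.format(path=path, reason=match.group('reason')))


def blocked_binaries(lines):
    """Distinct blocked paths seen in a batch of log lines, in first-seen order,
    so repeated launch attempts of the same binary are reported once."""
    seen = []
    for line in lines:
        kind, _, body = parse(line)
        path = body.split('\n', 1)[0] if kind else None
        if path and path not in seen:
            seen.append(path)
    return seen


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print(parse(line))
```

Anchoring the pattern on the "kernel[N]: OSTIARIUS:" process tag rather than on the word alone is what makes the match robust across Console.app and system.log prefixes.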
I get this error a lot:
SSH EVENT: UNKNOWN:: from: | error: BSM audit: getaddrinfo failed for...
SSH EVENT: : from: | Could not write ident string to UNKNOWN...
let me know if you need any trace
You've got a github link to http://nikisweeting.github.io/security-growler in the repo description that's broken. I'd submit a pull request, but I don't think that's possible for stuff that isn't literally in the repo.
I'm splitting this out from #24, I want to add an alert whenever DNS resolvers change on the system, as these can be used to snoop on traffic and redirect people maliciously.
We can watch for the following event in the syslog, or just manually check the dns resolution conf and alert whenever it changes.
mDNSResponder: SIGHUP: Purge cache
/etc/resolv.conf
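The second approach above (re-read the resolver configuration and alert when it changes), as an added example that is not part of the project's code. It assumes the resolver list is read from /etc/resolv.conf as the issue proposes; the two file snapshots are constructed, and the function names are my own. The comparison is done on the parsed nameserver list rather than on raw file bytes, so a rewritten comment does not alert but a swapped or reordered resolver does:

```python
import hashlib

# Constructed /etc/resolv.conf contents used as the "before" and "after"
# snapshots; not taken from a real machine.
BEFORE = """\
# comment lines and unrelated directives are ignored by the parser
domain home.example
search home.example
nameserver 192.168.1.1
nameserver 192.168.1.2
options ndots:1
"""

AFTER = """\
domain home.example
nameserver 198.51.100.53   # a resolver that was not there before
nameserver 192.168.1.1
"""

RESOLV_CONF = '/etc/resolv.conf'   # the file the issue proposes to watch


def resolvers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf text, in file order.
    Comments (after '#') and every other directive are ignored."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        parts = raw.split('#', 1)[0].split()
        if len(parts) >= 2 and parts[0] == 'nameserver':
            servers.append(parts[1])
    return servers


def resolver_fingerprint(resolv_conf_text):
    """Hash of the effective resolver list: an edited comment does not change it,
    a changed, added, removed or reordered server does."""
    joined = '\n'.join(resolvers(resolv_conf_text))
    return hashlib.sha256(joined.encode('utf-8')).hexdigest()


def is_resolver_reload(syslog_line):
    """The system.log event quoted in the issue; a cheap trigger to re-read the file."""
    return 'mDNSResponder' in syslog_line and 'SIGHUP' in syslog_line


def check_resolvers(previous_text, current_text):
    """Alert tuple in the (kind, title, body) shape of the existing parsers, or
    (None, '', '') when the effective resolver list is unchanged."""
    old, new = resolvers(previous_text), resolvers(current_text)
    if old == new:
        return (None, '', '')
    added = [s for s in new if s not in old]
    removed = [s for s in old if s not in new]
    body = 'added: {}\nremoved: {}\nnow: {}'.format(
        ', '.join(added) or '-', ', '.join(removed) or '-', ', '.join(new) or '-')
    return ('alert', 'DNS RESOLVERS CHANGED', body)


def read_resolv_conf(path=RESOLV_CONF):
    """Current file contents, or '' when the file is absent (e.g. no network yet)."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ''


if __name__ == '__main__':
    print(check_resolvers(BEFORE, AFTER)[2])
```

In a watcher loop the previous snapshot is whatever `read_resolv_conf()` returned last time; calling `check_resolvers` on every poll, or only when `is_resolver_reload` fires for a syslog line, gives the alert the issue asks for.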
When being port-scanned, it would be nice to know who is scanning us.
Maybe this info can be parsed from lsof? It's a bit difficult since portscans are very rapid and usually rely on collecting port-closed RST responses, and not opening TCP sockets for very long.
I have obviously looked over the code, and I assume I have an error in my settings.py. But for some reason v2.2 isn't getting past "Starting ...." And the log is wholly unhelpful:
[05/19 12:37] --------
[05/19 13:10] --------
[05/19 13:11] --------
To replace the one from Apple©®™ Network Utility, even in the meantime of another one.
http://www.urlopener.com/ to open all in one shot
Alphabetic order.
http://www.iconarchive.com/show/beautiful-flat-icons-by-elegantthemes/eye-icon.html
http://www.iconarchive.com/show/blend-icons-by-laurent-baumann/Network-icon.html
http://www.iconarchive.com/show/blue-bits-icons-by-icojam/globe-search-icon.html
http://www.iconarchive.com/show/cerulean-icons-by-iconleak/glasses-sunglasses-icon.html
http://www.iconarchive.com/show/crystal-clear-icons-by-everaldo/App-xeyes-icon.html
http://www.iconarchive.com/show/ecommerce-business-icons-by-designcontest/alert-icon.html
http://www.iconarchive.com/show/free-global-security-icons-by-aha-soft/CCTV-Camera-icon.html
http://www.iconarchive.com/show/free-global-security-icons-by-aha-soft/Satellite-icon.html
http://www.iconarchive.com/show/free-google-glass-icons-by-aha-soft/Googler-icon.html
http://www.iconarchive.com/show/galactica-icons-by-iconhive/world-icon.html
http://www.iconarchive.com/show/galaxian-icons-by-evermor-design/Search-icon.html
http://www.iconarchive.com/show/harry-potter-icons-by-anton-gerasimenko/Glasses-icon.html
http://www.iconarchive.com/show/heartquake-prevention-icons-by-iconshock/linterna-icon.html
http://www.iconarchive.com/show/heartquake-prevention-icons-by-iconshock/pito-icon.html
http://www.iconarchive.com/show/heartquake-prevention-icons-by-iconshock/telefono-icon.html
http://www.iconarchive.com/show/holographic-icons-by-radvisual/Web-browser-icon.html
http://www.iconarchive.com/show/matrilineare-icons-by-sora-meliae/Devices-camera-web-icon.html
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org/Actions-irc-voice-icon.html
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org/Apps-esd-icon.html
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org/Apps-preferences-desktop-notification-bell-icon.html
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org/Apps-step-icon.html
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org/Apps-utilities-system-monitor-icon.html
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org/Categories-preferences-system-network-icon.html
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org/Places-network-workgroup-icon.html
http://www.iconarchive.com/show/pleasant-icons-by-harwen/Network-Connections-icon.html
http://www.iconarchive.com/show/simple-icons-by-harwen/Network-Service-icon.html
http://www.iconarchive.com/show/space-invaders-icons-by-turbomilk/earth-attack-icon.html
http://www.iconarchive.com/show/summer-collection-icons-by-benjigarner/Network-Web-icon.html
http://www.iconarchive.com/show/transformers-icons-by-ypf/Internet-Explorer-icon.html
http://www.iconarchive.com/show/transformers-icons-by-ypf/network-connections-icon.html
http://www.iconarchive.com/show/vista-hardware-devices-icons-by-icons-land/Security-Camera-icon.html
http://www.iconarchive.com/show/web-icons-by-studiomx/Earth-Alert-icon.html
http://www.iconarchive.com/show/web-icons-by-studiomx/Earth-Scan-icon.html
Currently TCP connection alerts just show that some connection was opened on a port, with a source and target, but we don't specify whether the connection is incoming or outgoing.
A great improvement would be to change the direction of the arrow in the notification to indicate:
outgoing: process@localhost -> host:port
incoming: host -> process@localhost:port
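The direction rule above, together with the root-free netstat approach from the lsof/netstat post earlier on this page and the request for the peer address in connection alerts, as one added example that is not part of the project's code. It assumes `netstat -an` output in macOS format (address and port joined with a '.', '*' for a wildcard); the sample output is constructed, and the function names and the placeholder process name are my own, since netstat does not report the owning process without root:

```python
from collections import namedtuple

# Constructed sample of `netstat -an` output in macOS format; not captured
# from a real host. '*.5900' is the VNC listener, the 5900 rows are peers
# connected to it, the 443 row is an outgoing HTTPS session.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  192.168.1.5.5900       192.168.1.10.51234     ESTABLISHED
tcp4       0      0  192.168.1.5.49211      93.184.216.34.443      ESTABLISHED
tcp6       0      0  fe80::1%lo0.5900       fe80::1%lo0.52000      ESTABLISHED
udp4       0      0  *.5353                 *.*
"""

Connection = namedtuple('Connection', 'proto local_host local_port remote_host remote_port state')


def split_endpoint(endpoint):
    """'192.168.1.5.5900' -> ('192.168.1.5', 5900); '*.*' -> ('*', None).
    rpartition keeps IPv6 addresses (which contain no '.') intact."""
    host, _, port = endpoint.rpartition('.')
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(output):
    """Parse macOS netstat -an lines into Connection records; headers are skipped
    and UDP rows (no state column) get an empty state."""
    connections = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(('tcp', 'udp')):
            continue
        state = fields[5] if len(fields) > 5 else ''
        local_host, local_port = split_endpoint(fields[3])
        remote_host, remote_port = split_endpoint(fields[4])
        connections.append(Connection(fields[0], local_host, local_port,
                                      remote_host, remote_port, state))
    return connections


def direction(conn, watched_port):
    """Incoming when our local side is the watched port (someone connected to
    our service), outgoing when the remote side is; None when unrelated."""
    if conn.local_port == watched_port:
        return 'incoming'
    if conn.remote_port == watched_port:
        return 'outgoing'
    return None


def connections_on_port(output, port, states=('ESTABLISHED',)):
    """(direction, Connection) for every session on `port` in one of `states`."""
    found = []
    for conn in parse_netstat(output):
        d = direction(conn, port)
        if d and conn.state in states:
            found.append((d, conn))
    return found


def format_alert(d, conn, process='vnc'):
    """Arrow notation from the issue. `process` is a placeholder label: without
    root, netstat cannot tell us which process owns the socket."""
    if d == 'incoming':
        return '{} -> {}@localhost:{}'.format(conn.remote_host, process, conn.local_port)
    return '{}@localhost -> {}:{}'.format(process, conn.remote_host, conn.remote_port)


if __name__ == '__main__':
    for d, conn in connections_on_port(SAMPLE_NETSTAT, 5900):
        print(format_alert(d, conn))
```

Feeding real output in is `subprocess.check_output(['netstat', '-an'], text=True)`; the peer host in each alert is exactly the detail the port-scan report above was missing, and the direction falls out of which side of the socket carries the watched port.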
Hello!
Would it be possible to detect various changes to the network settings?
DNS, VPN, IP4/6...
Can use these 2, great ones:
http://ipv6-test.com
http://ip-api.com
http://whatismyipaddress.com/proxy-check
Hello,
Running, but all menus except Quit are disabled.
Each time I launch SG, I get this in Console.
I cut "25/04/16 18:16:2" from each line.
1,700 lsd[414]: LaunchServices: Could not store lsd-identifiers file at /private/var/db/lsd/com.apple.lsdschemes.plist
1,725 launchservicesd[80]: SecTaskLoadEntitlements failed error=22
1,729 launchservicesd[80]: SecTaskLoadEntitlements failed error=22
1,750 webinspectord[1355]: SecTaskLoadEntitlements failed error=22
1,750 webinspectord[1355]: SecTaskLoadEntitlements failed error=22
1,814 appleeventsd[51]: SecTaskLoadEntitlements failed error=22
1,829 usernoted[434]: SecTaskLoadEntitlements failed error=22
4,730 Barsoom[561]: 27700 already launched. Inject
4,796 Security Growler[27700]: barsoomHelper loaded
4,902 launchservicesd[80]: SecTaskLoadEntitlements failed error=22
6,755 launchservicesd[80]: SecTaskLoadEntitlements failed error=22
After launching the SecurityGrowler.app, an icon appears on the menubar, clicking on it shows "Security growler is not running ☹".
Is there anything else to be done to make it running?
Something in README.md could help contributors.
Is it normal for iTunes to be making incessant port connections when home sharing is turned on but not (knowingly) being used?
sudo[123]: trader : no tty present and no askpass program specified ; TTY=unknown ; PWD=/Applications/Security Growler Light.app/Contents/Resources ; USER=root ; COMMAND=/usr/sbin/lsof +c 0 -i:21
Error msg repeated indefinitely, every 10-90 sec.
SGLight: v2.2 May, 2.
VPN PPTP
IP6 local only and IP6 off on router.
Hello,
I had SG, then I installed the SG-Light as I'm not in black mode.
When launched, I get this between the 2 lines
sed: /Users/trader/Library/Logs/SecurityGrowler.log
In fact, the update log is in /Users/trader/SecurityGrowler.log
and is updated.
Nothing in the /Logs folder.
After trying SG, then SGL, etc stopping the bg agent, SGL is ok and shows the ports list and the updated log is in the /Logs folder.
Would be nice to have a guide / starting point / F.A.Q. so beginners don't just "pull the ethernet cable" when they see a "Incoming Portscan Detected" warning. =]
Hi all,
Running MacOS Sierra and using the terminal with some random sudo + nmap commands.
However, I get no notifications for these events. I use the latest Security Growler.app (dark mode).
Any idea why?
Cheers,
Andreas
What about moving the 'settings' menu items into second-level menus?
This would allow us to easily add new trackers without changing everything or having a huge main menu.
Menu Layout when SG is stopped, second level menus collapsed:
Security Growler >
Watching >
───────────────────
Watching Stopped
When SG is activated, all second level menus unfolded:
Security Growler >
    About...
    Request a Feature
    View the Full log
    Clear Menubar Log
    Ports Info (http://www.speedguide.net/ports.php)
    Settings...
    Quit...
Watching >
    Logs >
        /var/log/system.log: ssh sudo Ostiarius Ports Scan
        /abc/de/xy.log: mno hijkl
    Connections >
        21 FTP
        445 SMB
        585 IMAP SSL
        993 IMAP SSL
        3306 MySQL
        3689 iTunes
        5432 PostgreSQL
        5900 VNC
────────────────────────────
10:05 05/02 Watching Started
10:22 event bla
13:55 event blabla
Make it clearer, what do you think?
I'm splitting this out from #24. I want to add an alert whenever your public IP changes.
I can easily get GeoIP from the public IP, and display latency by pinging 8.8.8.8. This will create a useful alert that shows the following:
local IP <latency ms> public ip (geolocation)
The command to get the new public ip is:
dig +short myip.opendns.com @resolver1.opendns.com
-> 123.123.123.123
The command to get the GeoIP reported city is (requires brew install geoip):
geoiplookup 123.123.123.123 | tail -1 | perl -pe 's/.*?: .*?, .., .*?, //g' | perl -pe 's/, .*$//g'
-> Montréal
The command to get the latency is:
ping -c 1 -t 1 8.8.8.8 | tail -1 | perl -pe 's/^(.* = \d*\.\d*\/)(\d*)(.\d*\/.*)$/$2 ms/gm'
-> 19ms
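The three command outputs above turned into the proposed "local IP <latency ms> public ip (geolocation)" alert, as an added example that is not part of the project's code. The sample outputs are constructed (the geoiplookup line is shaped the way the issue's perl substitutions expect it, with country, region, region name, then city), the function names are my own, and `run()` is only needed when the checks are executed live; the parsers work offline on the samples. The change check alerts only when the public IP differs from the last one seen, which is the event the issue wants to surface:

```python
import re
import subprocess

# Constructed outputs of the three commands from the issue; not from a live run.
DIG_OUTPUT = "123.123.123.123\n"
GEOIP_OUTPUT = (
    "GeoIP Country Edition: CA, Canada\n"
    "GeoIP City Edition, Rev 1: CA, QC, Quebec, Montréal, H3B, 45.503101, -73.570396, 0, 0\n"
)
PING_OUTPUT = (
    "PING 8.8.8.8 (8.8.8.8): 56 data bytes\n"
    "64 bytes from 8.8.8.8: icmp_seq=0 ttl=118 time=19.265 ms\n"
    "\n"
    "--- 8.8.8.8 ping statistics ---\n"
    "1 packets transmitted, 1 packets received, 0.0% packet loss\n"
    "round-trip min/avg/max/stddev = 19.265/19.265/19.265/0.000 ms\n"
)

# The commands exactly as given in the issue.
DIG_CMD = 'dig +short myip.opendns.com @resolver1.opendns.com'
GEOIP_CMD = 'geoiplookup {ip}'
PING_CMD = 'ping -c 1 -t 1 8.8.8.8'


def public_ip(dig_output):
    """Last line of dig +short, accepted only if it looks like an IPv4 address;
    None on empty output (offline) or an error message."""
    lines = dig_output.strip().splitlines()
    ip = lines[-1].strip() if lines else ''
    return ip if re.fullmatch(r'\d{1,3}(\.\d{1,3}){3}', ip) else None


def geoip_city(geoip_output):
    """Same extraction as the issue's two perl substitutions: take the last line,
    skip 'CC, RR, Region, ' after the colon, keep up to the next comma."""
    lines = geoip_output.strip().splitlines()
    match = re.match(r'.*?: .*?, .., .*?, (?P<city>[^,]*)', lines[-1]) if lines else None
    return match.group('city') if match else None


def latency_ms(ping_output):
    """Integer average round-trip time from the ping summary line, like the
    issue's '19ms'; None when the summary line is missing (host unreachable)."""
    match = re.search(r'min/avg/max/stddev = [\d.]+/(\d+)(?:\.\d+)?/', ping_output)
    return int(match.group(1)) if match else None


def status_line(local_ip, latency, ip, city):
    return '{} <{} ms> {} ({})'.format(local_ip, latency, ip, city)


def check_public_ip(last_seen, dig_output, geoip_output, ping_output, local_ip):
    """(kind, title, body) in the shape of the existing parsers; alerts only when
    the public IP could be read and differs from `last_seen`."""
    ip = public_ip(dig_output)
    if ip is None or ip == last_seen:
        return (None, '', '')
    body = status_line(local_ip, latency_ms(ping_output), ip, geoip_city(geoip_output))
    return ('alert', 'PUBLIC IP CHANGED: {} -> {}'.format(last_seen or 'none', ip), body)


def run(cmd):
    """stdout of a shell command; used only for a live check."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == '__main__':
    print(check_public_ip('203.0.113.7', DIG_OUTPUT, GEOIP_OUTPUT, PING_OUTPUT, '192.168.1.5'))
```

A live check is `check_public_ip(previous, run(DIG_CMD), run(GEOIP_CMD.format(ip=ip)), run(PING_CMD), local_ip)` with `ip = public_ip(run(DIG_CMD))`; the parsers return None rather than raising when a command produces nothing, so a dropped link does not crash the watcher.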