pirate / security-growler Goto Github PK

System Log contains events for Airport Wi-Fi

OS X 10.11.6:

kernel[0]: AirPort: Link Up on en0
kernel[0]: AirPort: RSN handshake complete on en0

kernel[0]: AirPort: Link Down on en0. Reason 8 (Disassociated because station leaving).

Possible Parser:

import re

# Should we filter on: kernel[0]: AirPort: 

SUDO_EVENT_FILTER = re.compile('kernel')

#Nov 14 20:29:24 Mark Fleming
# kernel[0]: AirPort: Link Up on en0
# kernel[0]: AirPort: RSN handshake complete on en0
# 
# kernel[0]: AirPort: Link Down on en0. Reason 8 (Disassociated because station leaving).


TITLE = 'AIRPORT EVENT: {interface}'
BODY = '{port}\n'

EXCLUDE_LINES = ('airportd',)  # dont alert on sudo events that contain these strings


def parse(line, source=None):
    if SUDO_EVENT_FILTER.findall(line) and not any(pattern in line for pattern in EXCLUDE_LINES):
        interface = line.split('Link Up on ', 1)[-1]
        port = line.split('AirPort:', 1)[-1]
       
        return ('alert',
            TITLE.format(interface=interface),
            BODY.format(port=port))

    return (None, '', '')

Unfortunately getting the PID of a process attached to a given port seems to require root privileges on unix.

The options are:

Gives PID, process, and owner. Requires root:

sudo lsof +c 0 -i:5900

Gives no PID, owner, or name. Doesn't require root, and almost 2x the speed of lsof

netstat -tan | grep '[:.]5900'

If anyone has any advice on how to get around this conundrum, I'd love to hear. VNC is currently the only logger that requires root permissions, all the others work fine if the user has read access to /var/log/. I really don't want to ask for an admin password for the app if I don't need to, but at the same time this is valuable connection information that I want to see if someone is VNCing into my computer.

Hello,
I've got this message on my notification panel: Stopped Watching Sources @ 14:20 IOError Do I need to do a further tweak in order to make it run on my OS 10.11.3?
Thanks.
Faxo

Dear,

Would it be possible to start security-growler directly on OS X boot/launching the app? I've added security-growler to System Preferences 👉 Users & Groups 👉 myuser 👉 Login Items.
It doesn't auto kick-start however, only when I manually click the menu bar icon.

Kind regards,
Rowan Kaag

After launching the app the icon appears in the menu bar but it only says "Security Growler is not running". I want to use notification center on Mac OS X 10.9.2.
I checked the requirements.txt and installed appscript via sudo easy_install.
What else could be the reason?
Thanks

As PushAlotAuth is quite content weak and seems abandoned, do you think this project can be adapted for linux-based systems? I can see that the notification script is made for OSX, then I think is hackable for linux.

It would be great if Security Growler was periodically checking for updates and maybe even automatically updated itself.

Sometimes the menubar log gets really really long if the app is left running.

I should add a menubar item that allows resetting, so that you can still view the log history by opening SecurityGrowler.log, but the menubar only shows items since it was cleared.

This seems to be a bug. After wake from sleep Security Growler doesn't work, doesn't respond to anything. On my system (10.11.4) I need to select "Stop the background agent & Quit" from the menulet's menu. Funny thing is that the Security Growler menulet then actually doesn't quit; it keeps running, which would itself be another bug (a bug within a bug), and instead I get the notification that it's now watching, and then it works fine.

Growler get killed or doesn't have an autostart option. Everytime I have to run it manually.

https://developer.apple.com/library/mac/documentation/darwin/reference/manpages/man5/pf.conf.5.html

Hi,
I had several port scan warnings overnight unfortunately the log doesn't indicate the originating IP so I couldn't identify if this was something on my LAN or coming in via either of my two routers. Including as much detail as possible on the log message would be a big help.

Thanks,
Joey

Hello,
When I run security-growler I got this message :

I'm on OSX Yosemite (10.10.5).

I'm using the Ostiarius background process by Objective-See to block the execution of unsigned apps/binaries, and the system.log entries look like this:
27/04/16 15:07:03,000 kernel[0]: OSTIARIUS: /Applications/APP_NAME.app/Contents/MacOS/APP_BINARYNAME is from the internet & is unsigned -> BLOCKING!
Is there a way to monitor this? I tried adding "OSTIARIUS:" into the settings file, but that didn't do the trick.

I get this error a lot:

SSH EVENT: UNKNOWN:: from: | error: BSM audit: getaddrinfo failed for...
SSH EVENT: : from: | Could not write ident string to UNKNOWN...

let me know if you need any trace

You've got a github link to http://nikisweeting.github.io/security-growler in the repo description that's broken. I'd submit a pull request, but I don't think that's possible for stuff that isn't literally in the repo.

I'm splitting this out from #24, I want to add an alert whenever DNS resolvers change on the system, as these can be used to snoop on traffic and redirect people maliciously.

We can watch for the following event in the syslog, or just manually check the dns resolution conf and alert whenever it changes.

• DNS change line found in syslog: mDNSResponder: SIGHUP: Purge cache
• file containing DNS resolution order: /etc/resolv.conf

When being port-scanned, it would be nice to know who is scanning us.

Maybe this info can be parsed from lsof? It's a bit difficult since portscans are very rapid and usually rely on collecting port-closed RST responses, and not opening TCP sockets for very long.

I have obviously looked over the code, and I assume I have an error in my setttings.py. But for some reason v2.2 isn't getting past "Starting ...." And the log is wholly unhelpful:

[05/19 12:37] --------
[05/19 13:10] --------
[05/19 13:11] --------

settings.py

SecurityGrowler.log

To replace the one from Apple©®™ Network Utility, even in the meantime of another one.
http://www.urlopener.com/ to open all in one shot
Alphabetic order.

http://www.iconarchive.com/show/beautiful-flat-icons-by-elegantthemes/eye-icon.html
http://www.iconarchive.com/show/blend-icons-by-laurent-baumann/Network-icon.html
http://www.iconarchive.com/show/blue-bits-icons-by-icojam/globe-search-icon.html
http://www.iconarchive.com/show/cerulean-icons-by-iconleak/glasses-sunglasses-icon.html
http://www.iconarchive.com/show/crystal-clear-icons-by-everaldo/App-xeyes-icon.html
http://www.iconarchive.com/show/ecommerce-business-icons-by-designcontest/alert-icon.html
http://www.iconarchive.com/show/free-global-security-icons-by-aha-soft/CCTV-Camera-icon.html
http://www.iconarchive.com/show/free-global-security-icons-by-aha-soft/Satellite-icon.html
http://www.iconarchive.com/show/free-google-glass-icons-by-aha-soft/Googler-icon.html
http://www.iconarchive.com/show/galactica-icons-by-iconhive/world-icon.html
http://www.iconarchive.com/show/galaxian-icons-by-evermor-design/Search-icon.html
http://www.iconarchive.com/show/harry-potter-icons-by-anton-gerasimenko/Glasses-icon.html
http://www.iconarchive.com/show/heartquake-prevention-icons-by-iconshock/linterna-icon.html
http://www.iconarchive.com/show/heartquake-prevention-icons-by-iconshock/pito-icon.html
http://www.iconarchive.com/show/heartquake-prevention-icons-by-iconshock/telefono-icon.html
http://www.iconarchive.com/show/holographic-icons-by-radvisual/Web-browser-icon.html
http://www.iconarchive.com/show/matrilineare-icons-by-sora-meliae/Devices-camera-web-icon.html
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org/Actions-irc-voice-icon.html
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org/Apps-esd-icon.html
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org/Apps-preferences-desktop-notification-bell-icon.html
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org/Apps-step-icon.html
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org/Apps-utilities-system-monitor-icon.html
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org/Categories-preferences-system-network-icon.html
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org/Places-network-workgroup-icon.html
http://www.iconarchive.com/show/pleasant-icons-by-harwen/Network-Connections-icon.html
http://www.iconarchive.com/show/simple-icons-by-harwen/Network-Service-icon.html
http://www.iconarchive.com/show/space-invaders-icons-by-turbomilk/earth-attack-icon.html
http://www.iconarchive.com/show/summer-collection-icons-by-benjigarner/Network-Web-icon.html
http://www.iconarchive.com/show/transformers-icons-by-ypf/Internet-Explorer-icon.html
http://www.iconarchive.com/show/transformers-icons-by-ypf/network-connections-icon.html
http://www.iconarchive.com/show/vista-hardware-devices-icons-by-icons-land/Security-Camera-icon.html
http://www.iconarchive.com/show/web-icons-by-studiomx/Earth-Alert-icon.html
http://www.iconarchive.com/show/web-icons-by-studiomx/Earth-Scan-icon.html

Currently TCP connection alerts just show that some connection was opened on a port, with a source and target, but we don't specify whether the connection is incoming or outgoing.

A great improvement would be to change the direction of the arrow in the notification to indicate:

outgoing: process@localhost -> host:port
incoming: host -> process@localhost:port

Yes, this is very very offtopic, but my curiosity made me do it...
Which apps are there in your menu-bar?

Few different ideas/realizations:

• https://github.com/uiucseclab/arpspoofdetect
• http://www.samiux.blogspot.ru/2014/12/howto-arpon-on-mac-osx-yosemite-10101.html
• http://pastebin.com/qHYPYEK2

Hello!

Would it be possible to detect various changes to the network settings?
DNS, VPN,IP4/6...

Can use these 2, great ones:
http://ipv6-test.com
http://ip-api.com
http://whatismyipaddress.com/proxy-check

Hello,

Running but all menu except Quit are disabled.
Each I launch SG, got this in Console.
I cut "25/04/16 18:16:2" from each line.

1,700 lsd[414]: LaunchServices: Could not store lsd-identifiers file at /private/var/db/lsd/com.apple.lsdschemes.plist
1,725 launchservicesd[80]: SecTaskLoadEntitlements failed error=22
1,729 launchservicesd[80]: SecTaskLoadEntitlements failed error=22
1,750 webinspectord[1355]: SecTaskLoadEntitlements failed error=22
1,750 webinspectord[1355]: SecTaskLoadEntitlements failed error=22
1,814 appleeventsd[51]: SecTaskLoadEntitlements failed error=22
1,829 usernoted[434]: SecTaskLoadEntitlements failed error=22
4,730 Barsoom[561]: 27700 already launched. Inject
4,796 Security Growler[27700]: barsoomHelper loaded
4,902 launchservicesd[80]: SecTaskLoadEntitlements failed error=22
6,755 launchservicesd[80]: SecTaskLoadEntitlements failed error=22

After launching the the SecurityGrowler.app, an icon appears on the menubar, clicking on it shows "Security growler is not running ☹".

Is there anything else to be done to make it running?

Something in README.md could help contributors.

Is it normal for iTunes to be making incessant port connections when home sharing is turned on but not (knowingly) being used?

sudo[123]: trader : no tty present and no askpass program specified ; TTY=unknown ; PWD=/Applications/Security Growler Light.app/Contents/Resources ; USER=root ; COMMAND=/usr/sbin/lsof +c 0 -i:21

Error msg repeated indefinitely, every 10-90 sec.

SGLight: v2.2 May, 2.
VPN PPTP
IP6 local only and IP6 off on router.

Hello,
I had SG, then I installed the SG-Light as I'm not in black mode.

When launched, I get this between the 2 lines

sed: /Users/trader/Library/Logs/SecurityGrowler.log

In fact, the update log is in /Users/trader/SecurityGrowler.log
and is updated.
Nothing in the /Logs folder.

After trying SG, then SGL, etc stopping the bg agent, SGL is ok and shows the ports list and the updated log is in the /Logs folder.

Would be nice to have a guide / starting point / F.A.Q. so beginners don't just "pull the ethernet cable" when they see a "Incoming Portscan Detected" warning. =]

Hi all,

Running MacOS Sierra and using the terminal with some random sudo + nmap commands.
However, I get no notifications for these events. I use the latest Security Growler.app (dark mode).
Any idea why?

Cheers,
Andreas

What about moving 'settings' menu items in second level menus?
This will allow to have

• the list of watched items always available
• the main menu mainly with only reported events

Easily add new trackers without changing everything or having a huge main menu.

Menu Layout when SG is stopped, second level menus collapsed:

Security Growler  >  
Watching          >  
———————————————————
Watching Stopped

When SG is activated, all second level menus unfolded:

Security Growler  >  About...
                     Request a Feature
                     View the Full log
                     Clear Menubar Log
                     Ports Info (http://www.speedguide.net/ports.php)
                     Settings...
                     Quit...

Watching          >  Logs       >  /var/log/system.log:
                                   ssh
                                   sudo
                                   Ostiarius
                                   Ports Scan

                                   /abc/de/xy.log:
                                   mno
                                   hijkl

    
                    Connections >  21   FTP
                                   445  SMB
                                   585  IMAP SSL
                                   993  IMAP SSL
                                   3306 MySQL
                                   3689 iTunes
                                   5432 PostgreSQL
                                   5900 VNC

————————————————————————————
10:05 05/02 Watching Started
10:22 event bla
13:55 event blabla

Make it clearer, what do you think?

I'm splitting this out from #24. I want to add an alert whenever your public IP changes.

I can easily get GeoIP from the public IP, and display latency by pinging 8.8.8.8. This will create a useful alert that shows the following:

local IP <latency ms> public ip (geolocation)

The command to get the new public ip is:
dig +short myip.opendns.com @resolver1.opendns.com -> 123.123.123.123

The command to get the GeoIP reported city is (requires brew install geoip):
geoiplookup 123.123.123.123 | tail -1 | perl -pe 's/.*?: .*?, .., .*?, //g' | perl -pe 's/, .*$//g' -> Montréal

The command to get the latency is:
ping -c 1 -t 1 8.8.8.8 | tail -1 | perl -pe 's/^(.* = \d*\.\d*\/)(\d*)(.\d*\/.*)$/$2 ms/gm' -> 19ms