### Install Dependencies and Compile OpenSnitch Source: https://github.com/evilsocket/opensnitch/wiki/Compilation Installs necessary system dependencies, Go tools, Python packages, clones the repository, and compiles/installs OpenSnitch. Enables and starts the opensnitchd service and launches the UI. ```bash # install dependencies sudo apt-get install git libnetfilter-queue-dev libpcap-dev protobuf-compiler python3-pip pyqt5-dev-tools qttools5-dev-tools qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools python3-pyqt5.qtsql python3-notify2 go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.32.0 go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.3.0 export GOPATH=~/go #you may want to change this if your Go directory is different export PATH=$PATH:$GOPATH/bin # This step is optional if your distribution already packages these 2 libs. # You can try to install them with: sudo apt install python3-grpcio python3-protobuf python3 -m pip install --user grpcio protobuf python3 -m pip install --user grpcio-tools qt-material # clone the repository git clone https://github.com/evilsocket/opensnitch cd opensnitch # compile && install make sudo make install # enable opensnitchd as a systemd service and start the UI sudo systemctl enable --now opensnitchd opensnitch-ui & ``` -------------------------------- ### Install GUI from Command Line Source: https://github.com/evilsocket/opensnitch/wiki/GUI-known-problems If the OpenSnitch GUI fails to install or run correctly after using a graphical installer (e.g., double-clicking a .deb file), try installing it via the command line using dpkg and apt. ```bash $ sudo dpkg -i `*opensnitch*deb`; sudo apt -f install ``` -------------------------------- ### TLS-Mutual Server Configuration Example Source: https://github.com/evilsocket/opensnitch/wiki/Nodes-authentication Example configuration for 'tls-mutual' authentication. Ensure the paths to certificates and keys are correct for your setup. ```json "Server": { "Address": "127.0.0.1:12345", "Authentication": { "Type": "tls-mutual", "TLSOptions": { "CACert": "/etc/opensnitchd/certs/ca-cert.pem", "SkipVerify": false, "ClientAuthType": "req-and-verify-cert" } } } ``` -------------------------------- ### Enable and Start nftables Service Source: https://github.com/evilsocket/opensnitch/wiki/System-rules-legacy Commands to enable the nftables service to start on boot and to start it immediately. Ensure nftables is running before applying configurations. ```bash $ sudo systemctl enable nftables ``` ```bash $ sudo systemctl start nftables ``` -------------------------------- ### Install qt-material Package Source: https://github.com/evilsocket/opensnitch/blob/master/ui/opensnitch/themes/README.md Install the qt-material package using pip to enable GUI customization. ```bash ~ $ pip3 install qt-material ``` -------------------------------- ### Enable and Start OpenSnitch Service Source: https://github.com/evilsocket/opensnitch/wiki/Installation Manually enable and start the OpenSnitch daemon if it doesn't start automatically after installation or reboot. ```bash sudo systemctl enable --now opensnitch sudo systemctl start opensnitch ``` -------------------------------- ### Enable and Start OpenSnitch Service Source: https://github.com/evilsocket/opensnitch/wiki/Configurations Use these systemctl commands to apply configuration changes and ensure the OpenSnitch service starts automatically on boot. ```bash systemctl restart opensnitch systemctl enable --now opensnitch ``` -------------------------------- ### Enable and Start OpenSnitch Daemon Source: https://github.com/evilsocket/opensnitch/wiki/Compilation Enables the `opensnitchd` service to start automatically on boot and then starts the service manually. ```bash sudo systemctl enable opensnitchd sudo service opensnitchd start ``` -------------------------------- ### pbuilder build options Source: https://github.com/evilsocket/opensnitch/wiki/Building-packages-with-pbuilder Example options for specifying distribution and architecture when using pbuilder. ```bash --distribution sid --architecture armhf ``` -------------------------------- ### Create pbuilder chroot environment Source: https://github.com/evilsocket/opensnitch/wiki/Building-packages-with-pbuilder Install qemu-static and create a pbuilder chroot environment for armhf architecture and sid distribution. ```bash $ sudo apt install qemu-static $ sudo pbuilder create --architecture armhf --distribution sid --debootstrap qemu-debootstrap --basetgz /var/cache/pbuilder/sid-armhf.tgz ``` -------------------------------- ### Configure Yara IOC Scanner Task Source: https://github.com/evilsocket/opensnitch/blob/master/daemon/tasks/iocscanner/README.md Example configuration for running the Yara tool as part of the IOC scanner task. This setup includes directories and files to scan, YARA rules, and reporting options. ```json { "name": "IOC-scanner", "data": { "interval": "15s", "schedule": [ { "weekday": [0,1,2,3,4,5,6], "time": ["09:55:00", "20:15:20", "22:10:45", "00:07:10", "01:17:55"], "hour": [], "minute": [], "second": [] } ], "tools": [ { "name": "yara", "msgstart": "IOC scanner yara started", "msgend": "IOC scanner yara finished", "enabled": false, "cmd": ["/usr/bin/yara"], "dataDir": "/etc/opensnitchd/tasks/iocscanner/data/", "options": { "debug": false, "recursive": true, "scanprocs": false, "fastscan": false, "maxSize": 0, "maxProcessMem": 0, "maxRunningTime": "1h", "threads": 1, "priority": 0, "reports": [ { "type": "file", "path": "/etc/opensnitchd/tasks/iocscanner/reports", "format": "" } ], "dirs": [ "/dev/shm", "/tmp", "/var/tmp", "/etc/cron.d", "/etc/cron.daily", "/etc/cron.weekly", "/etc/systemd/", "/etc/update-motd.d/", "/etc/udev/rules.d/", "/var/spool/", "/etc/xdg/autostart/", "/var/www/", "/home/*/.config/systemd/user/", "/home/*/.config/autostart/" ], "files": [ "/etc/ld.so.config", "/etc/motd", "/etc/rc.local", "/etc/shadow", "/etc/passwd", "/home/*/.bashrc", "/etc/crontab" ], "rules": [ "/etc/opensnitchd/tasks/iocscanner/yara/unix-redflags/*.yar" ], "exclusions": { "dirs": [], "files": [] }, "tags": [ "linux", "exfiltration", "persistance" ] } }, { "name": "decloaker-procs", "enabled": true, "cmd": [ ``` -------------------------------- ### Install gRPC and Protobuf for Go Source: https://github.com/evilsocket/opensnitch/wiki/Compilation Installs the latest versions of gRPC and Protobuf for Go. Note that specific versions (v1.32.0 for protoc-gen-go and v1.3.0 for protoc-gen-go-grpc) are recommended to avoid compilation errors. ```bash go install google.golang.org/protobuf@latest go install google.golang.org/protobuf/cmd/protoc-gen-go@latest go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest ``` -------------------------------- ### TLS-Mutual Server Configuration Example Source: https://github.com/evilsocket/opensnitch/wiki/Nodes-authentication Full configuration example for 'tls-mutual' authentication, including paths for CA certificate, server certificate, client certificate, and client key. ```json "Server": { "Address": "127.0.0.1:12345", "Authentication": { "Type": "tls-mutual", "TLSOptions": { "CACert": "/etc/opensnitchd/certs/ca-cert.pem", "ServerCert": "/etc/opensnitchd/certs/server-cert.pem", "ClientCert": "/etc/opensnitchd/certs/client-cert.pem", "ClientKey": "/etc/opensnitchd/certs/client-key.pem", "SkipVerify": false, "ClientAuthType": "req-and-verify-cert" } } } ``` -------------------------------- ### Install Alternative Dependencies Source: https://github.com/evilsocket/opensnitch/wiki/Installation Install alternative Python dependencies if you prefer not to use pip for grpcio and protobuf. ```bash $ sudo apt install python3-grpcio python3-protobuf python3-slugify ``` -------------------------------- ### Compile and Install Daemon Source: https://github.com/evilsocket/opensnitch/wiki/Compilation Compiles the OpenSnitch daemon after installing necessary development packages. Installs the daemon as a systemd service. ```bash cd daemon make sudo make install ``` -------------------------------- ### Configure Debsums IOC Scanner Tool Source: https://github.com/evilsocket/opensnitch/blob/master/daemon/tasks/iocscanner/README.md Example configuration for the 'debsums' tool within the IOC scanner task. This tool verifies the integrity of installed Debian packages. ```json { "name": "debsums", "msgStart": "IOC scanner debsums started", "msgEnd": "IOC scanner debsums finished", "enabled": false, "cmd": ["debsums", "-c"], "options": { "reports": { "path": "/etc/opensnitchd/tasks/iocscanner/reports", "format": "" } } } ``` -------------------------------- ### Install OpenSnitch UI Source: https://github.com/evilsocket/opensnitch/wiki/Compilation Installs the OpenSnitch UI package using pip, making the `opensnitch-ui` command available. Optionally, you can copy the desktop entry to autostart the UI on login. ```bash sudo pip3 install . # cp opensnitch_ui.desktop ~/.config/autostart/ ``` -------------------------------- ### Install qt-material Package Source: https://github.com/evilsocket/opensnitch/wiki/Events-window-themes Install the qt-material package using pip to enable theme customization for OpenSnitch GUI. This is a prerequisite for applying custom themes. ```bash python3 -m pip install qt-material ``` -------------------------------- ### Install gRPC and Protobuf for Older Systems Source: https://github.com/evilsocket/opensnitch/wiki/GUI-known-problems On specific Linux distributions like Ubuntu 22.x, installing older versions of grpcio and protobuf can resolve issues related to the GUI not showing up or related errors. This is a workaround for a known bug. ```bash ~ $ pip install grpcio==1.41.0 ~ $ pip install protobuf==3.20.0 ``` -------------------------------- ### Install OpenSnitch Daemon Only Source: https://github.com/evilsocket/opensnitch/wiki/Nodes Use this command to install only the OpenSnitch daemon from Debian repositories, avoiding the installation of the GUI. ```bash sudo apt install --no-install-recommends opensnitch ``` -------------------------------- ### Install Translation Manually Source: https://github.com/evilsocket/opensnitch/blob/master/ui/i18n/README.md Copy the compiled translation file (.qm) to the appropriate system directory to test the new translation. The exact path may vary. ```bash mkdir -p /usr/lib/python3/dist-packages/opensnitch/i18n// cp locales//opensnitch-.qm /usr/lib/python3/dist-packages/opensnitch/i18n// ``` -------------------------------- ### Install Dependencies for Older Distributions Source: https://github.com/evilsocket/opensnitch/wiki/GUI-known-problems On older distributions (e.g., Ubuntu 16..18, Linux Mint 17..19), the GUI may crash or not show up due to missing dependencies. Install 'unicode_slugify' and specific versions of 'grpcio' and 'protobuf' using pip. ```bash $ pip3 install grpcio==1.16.1 $ pip3 install unicode_slugify $ pip3 install protobuf==3.6 ``` ```bash ~ $ pip uninstall setuptools ``` -------------------------------- ### Example Custom Theme XML Source: https://github.com/evilsocket/opensnitch/blob/master/ui/opensnitch/themes/README.md Example of an XML file defining color resources for a custom theme named 'dark_white'. This file should be placed in the OpenSnitch themes directory. ```xml #ffffff #8a8a8a #232629 #4f5b62 #31363b #f0f0f0 #d1d1d1 ``` -------------------------------- ### Install OpenSnitch on Arch Linux Source: https://github.com/evilsocket/opensnitch/wiki/Installation Install OpenSnitch using pacman on Arch Linux. ```bash sudo pacman -S opensnitch ``` -------------------------------- ### Enable and Start OpenSnitch Daemon Source: https://github.com/evilsocket/opensnitch/wiki/FAQs Use these commands to ensure the OpenSnitch daemon is running and enabled to start on boot. Check the daemon's status with `pgrep opensnitchd`. ```bash $ sudo systemctl enable opensnitchd $ sudo systemctl start opensnitchd.service ``` -------------------------------- ### Install OpenSnitch DEB Packages Source: https://github.com/evilsocket/opensnitch/wiki/Installation Use this command to install OpenSnitch and its UI from .deb files on Debian-based systems. ```bash sudo apt install ./opensnitch*.deb ./python3-opensnitch-ui*.deb ``` -------------------------------- ### Install Dependencies for Older Ubuntu Source: https://github.com/evilsocket/opensnitch/wiki/Installation Install required Python packages using pip for Ubuntu 16.04.x if the installer prompts for dependencies. ```bash sudo pip3 install grpcio==1.16.1 protobuf ``` -------------------------------- ### Download Malware MD5 Hashes Source: https://github.com/evilsocket/opensnitch/wiki/block-lists Example command to download a full list of malware MD5 hashes from bazaar.abuse.ch and prepare it for use with OpenSnitch. ```bash ~ $ wget https://bazaar.abuse.ch/export/txt/md5/full/ -O /tmp/md5list-full.zip ~ $ unzip -d /tmp/md5list-full.zip /etc/opensnitchd/md5list/ ~ $ head -3 /etc/opensnitchd/md5list/full_md5.txt ``` -------------------------------- ### Install Dependencies for Older Linux Mint/MX Linux Source: https://github.com/evilsocket/opensnitch/wiki/Installation Install necessary development packages for OpenSnitch on older versions of Linux Mint or MX Linux. ```bash apt-get install g++ python3-dev python3-wheel python3-slugify ``` -------------------------------- ### Install UI Dependencies Source: https://github.com/evilsocket/opensnitch/wiki/Compilation Installs the Python 3 dependencies for the OpenSnitch UI from the `requirements.txt` file. It's recommended to upgrade pip first if encountering issues. ```bash cd ui sudo pip3 install -r requirements.txt ``` -------------------------------- ### TLS-Simple Server Configuration Example with Server Cert Source: https://github.com/evilsocket/opensnitch/wiki/Nodes-authentication Alternative 'tls-simple' configuration using the server's public certificate for node authentication. Replace 'CACert' with 'ServerCert' and provide the path to the server certificate. ```json "ServerCert": "/etc/opensnitchd/certs/server-cert.pem", ``` -------------------------------- ### Install Auditd and Plugins Source: https://github.com/evilsocket/opensnitch/wiki/monitor-method-auditd Installs the necessary auditd and audispd_plugins packages on Debian/Ubuntu systems. ```bash apt install auditd audispd_plugins ``` -------------------------------- ### Install OpenSnitch RPM Packages (dnf) Source: https://github.com/evilsocket/opensnitch/wiki/Installation Install OpenSnitch and its UI using dnf for modern RPM-based systems like Fedora or CentOS Stream. ```bash sudo dnf install ./opensnitch-*.rpm ./opensnitch-ui-*.rpm ``` -------------------------------- ### Simple UDP Server Implementation Source: https://github.com/evilsocket/opensnitch/wiki/Why-OpenSnitch-does-not-intercept-application-XXX A basic example of a UDP server in C. Ensure proper error handling and socket management for production use. ```c #include #include #include #include #include #include #define PORT 8080 #define MAXLINE 1024 int main() { int sockfd, n; struct sockaddr_in servaddr, cliaddr; char buffer[MAXLINE]; // Creating socket file descriptor if ((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { perror("socket creation failed"); exit(EXIT_FAILURE); } memset(&servaddr, 0, sizeof(servaddr)); memset(&cliaddr, 0, sizeof(cliaddr)); // Filling server information servaddr.sin_addr.s_addr = INADDR_ANY; servaddr.sin_family = AF_INET; // IPv4 servaddr.sin_port = htons(PORT); // Bind the socket with the server address if (bind(sockfd, (const struct sockaddr *)&servaddr, sizeof(servaddr)) < 0) { perror("bind failed"); exit(EXIT_FAILURE); } socklen_t len = sizeof(cliaddr); //len is value // Server receives message from client n = recvfrom(sockfd, (char *)buffer, MAXLINE, MSG_WAITALL, (struct sockaddr *) &cliaddr, &len); buffer[n] = '\0'; printf("Client: %s\n", buffer); // Server sends message to client const char *hello = "Hello from server"; sendto(sockfd, hello, strlen(hello), MSG_CONFIRM, (const struct sockaddr *) &cliaddr, len); printf("Hello message sent.\n"); close(sockfd); return 0; } ``` -------------------------------- ### Start SIEM Stack with Docker Compose Source: https://github.com/evilsocket/opensnitch/wiki/SIEM-integration Use docker-compose to launch the necessary SIEM services (Grafana, Loki, Promtail, syslog-ng). Verify that all containers are running after execution. ```bash # docker-compose up -d siem_minio_1 done siem_write_1 done siem_read_1 done siem_gateway_1 done siem_grafana_1 done siem_promtail_1 done syslog-ng done ``` -------------------------------- ### Install Missing SVG Package for Icons Source: https://github.com/evilsocket/opensnitch/wiki/GUI-known-problems Ensure the 'qt5-svg' package (or its equivalent on your distribution, e.g., 'libqt5svg5' on Debian) is installed to display icons correctly in the GUI. ```bash ~ $ XDG_CURRENT_DESKTOP=GNOME opensnitch-ui ``` ```bash ~ $ QT_QPA_PLATFORMTHEME=qt5ct opensnitch-ui ``` -------------------------------- ### Configure QT Version for Ubuntu 22.xx Source: https://github.com/evilsocket/opensnitch/wiki/Compilation Sets the QT environment variable to `qt5` and installs the `qttools5-dev` package, which includes the `lrelease` binary, to ensure proper UI building on Ubuntu 22.xx. ```bash #set env var for QT version export QT_SELECT=qt5 #install qt tools which includes lrelease sudo apt install qttools5-dev ``` -------------------------------- ### Install OpenSnitch RPM Packages (yum) Source: https://github.com/evilsocket/opensnitch/wiki/Installation Install OpenSnitch and its UI using yum for RPM-based systems like older CentOS or RHEL. ```bash sudo yum localinstall opensnitch-*.rpm; sudo yum localinstall opensnitch-ui*.rpm ``` -------------------------------- ### Custom Highlight Rules Example Source: https://github.com/evilsocket/opensnitch/blob/master/ui/opensnitch/plugins/highlight/README.md Example of custom rules to colorize connections blocked by 'block-domains' in purple and connections to port 443 in dark red. These rules can be added to a custom JSON configuration file. ```json { "text": [ "443" ], "cols": [7], "color": "white", "bgcolor": "darkRed", "alignment": [] }, { "text": [ "block-domains" ], "cols": [13], "color": "white", "bgcolor": "darkMagenta", "alignment": [] } ``` -------------------------------- ### Example of Regexp List Match Log Source: https://github.com/evilsocket/opensnitch/wiki/block-lists Example log entry showing a regexp list match, indicating the matched domain and the specific regexp that caused the match. ```text [2023-03-02 00:28:26] DBG Regexp list match: pixel.abandonedaction.com, ^pixels?[-.] [2023-03-02 00:28:26] DBG ✘ /lib/systemd/systemd-resolved -> 56143:192.168.1.103 => pixel.abandonedaction.com (172.17.0.3):53 (000-a-pihole-regexp) ``` -------------------------------- ### Start Elastic Stack with Docker Compose Source: https://github.com/evilsocket/opensnitch/wiki/SIEM-integration Execute docker-compose to initialize the Elastic Stack components (Elasticsearch, Logstash, Kibana) for SIEM integration. This command starts the necessary services for log aggregation and analysis. ```bash # docker-compose up -d Recreating docker-elk-elasticsearch_logstash_1 ... Recreating docker-elk-elasticsearch_logstash_1 ... done Recreating docker-elk-syslog_logstash_1 ... Recreating docker-elk-syslog_logstash_1 ... done Recreating docker-elk-kibana_logstash_1 ... Recreating docker-elk-kibana_logstash_1 ... done ``` -------------------------------- ### Configure Rule to Use Downloaded Lists Source: https://github.com/evilsocket/opensnitch/blob/master/daemon/tasks/downloader/README.md This example shows how to configure a rule to use domain lists that are updated by the downloader task. Point the 'data' field to the directory where the downloader saves the lists. ```json (...) "operator": { "operand": "lists.domains", "data": "/etc/opensnitchd/tasks/downloader/blocklist/domains/", "type": "lists", "list": [], "sensitive": false }, (...) ``` -------------------------------- ### Start OpenSnitch GUI with TCP Socket Source: https://github.com/evilsocket/opensnitch/wiki/Configurations Run the OpenSnitch GUI, specifying the TCP socket to listen on. This command is used on the central GUI server. ```bash opensnitch-ui --socket [::]:50051 ``` -------------------------------- ### Apply limits on connections (1MB/s) Source: https://github.com/evilsocket/opensnitch/wiki/System-rules This example applies a rate limit of 1 megabyte per second to connections. It can be combined with other rules, like limiting download bandwidth for specific ports. ```json { "Statement": { "Op": "", "Name": "limit", "Values": [ { "Key": "units", "Value": "1" }, { "Key": "rate-units", "Value": "mbytes" } ] } } ``` -------------------------------- ### Enable OpenSnitch on Hyperland Startup Source: https://github.com/evilsocket/opensnitch/wiki/GUI-known-problems To ensure OpenSnitch starts maximized in Hyperland, configure your Nix system by setting 'services.opensnitch.enable = true;' in configuration.nix. This will launch the program automatically during system startup. ```nix services.opensnitch.enable = true; ``` -------------------------------- ### OpenSnitch Chain Configuration Example Source: https://github.com/evilsocket/opensnitch/wiki/System-rules An example JSON structure for defining a new chain in OpenSnitch. It includes fields for Name, Table, Family, Priority, Type, Hook, Policy, and an empty list for Rules. ```json { "Name": "input", "Table": "filter", "Family": "inet", "Priority": "", "Type": "filter", "Hook": "input", "Policy": "accept", "Rules": [ ] } ``` -------------------------------- ### Run Central GUI with TCP Socket Source: https://github.com/evilsocket/opensnitch/wiki/Configurations Start the OpenSnitch UI listening on a TCP socket to accept connections from remote daemons. Replace '[::]:50051' with your desired IP and port. ```bash $ /usr/local/bin/opensnitch-ui --socket "[::]:50051" ``` -------------------------------- ### Configure Dark Theme with qt5ct Source: https://github.com/evilsocket/opensnitch/wiki/GUI-known-problems To enable dark theme support when it's not automatically applied, install qt5-style-plugins and set the GTK2 platform theme. This is useful for older distributions or specific desktop environments. ```bash ~ $ sudo apt-get install -y qt5-style-plugins ~ $ sudo cat << EOF | sudo tee /etc/environment QT_QPA_PLATFORMTHEME=gtk2 EOF ``` -------------------------------- ### Configure OpenSnitch on NixOS Source: https://github.com/evilsocket/opensnitch/wiki/Installation Add these lines to your NixOS configuration to enable and install OpenSnitch and its UI. ```nix services.opensnitch.enable = true; environment.systemPackages = with pkgs; [ opensnitch-ui ]; ``` -------------------------------- ### Application-Launched External Processes Source: https://github.com/evilsocket/opensnitch/wiki/Getting-started Examples of external processes launched by applications like Epiphany, gnome-maps, snap, or Spotify. These may trigger separate OpenSnitch prompts. ```shell /usr/bin/epiphany /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitNetworkProcess ``` -------------------------------- ### Allow System Commands Rule for OpenSnitch Source: https://github.com/evilsocket/opensnitch/wiki/Known-problems Use this rule to allow critical system processes like dirmngr, xbrlapi, host, and slim. Save this JSON to `/etc/opensnitchd/rules/000-allow-system-cmds.json` to ensure system stability, especially after initial setup or when default actions are set to deny. ```json { "created": "2021-04-26T09:58:03.704090244+02:00", "updated": "2021-04-26T09:58:03.704216578+02:00", "name": "000-allow-system-cmds", "enabled": true, "precedence": true, "action": "allow", "duration": "always", "operator": { "type": "regexp", "operand": "process.path", "sensitive": false, "data": "^(/usr/bin/host|/usr/bin/xbrlapi|/usr/bin/dirmngr|/usr/bin/slim)", "list": [] } } ``` -------------------------------- ### Python Traceback Example Source: https://github.com/evilsocket/opensnitch/wiki/GUI-known-problems This is an example of a Python traceback that may occur due to compatibility issues. It is useful for reporting bugs. ```bash Traceback (most recent call last): File "/usr/lib/python3.8/site-packages/opensnitch/dialogs/prompt.py", line 362, in _on_apply_clicked self._rule.name = slugify("%s %s %s" % (self._rule.action, self._rule.operator.type, self._rule.operator.data)) File "/usr/lib/python3.8/site-packages/slugify.py", line 24, in slugify unicode( NameError: name 'unicode' is not defined ``` -------------------------------- ### Launch GUI with XCB on Wayland Source: https://github.com/evilsocket/opensnitch/wiki/GUI-known-problems If experiencing Wayland-specific issues like incorrect pop-up positioning or random crashes, try launching the GUI with the XCB platform plugin. ```bash ~ $ QT_QPA_PLATFORM=xcb opensnitch-ui ``` -------------------------------- ### Example Logstash Event Format Source: https://github.com/evilsocket/opensnitch/wiki/SIEM-integration This is an example of an event that Logstash should be receiving from OpenSnitch. It includes timestamp, document type, rule, action, and event details. ```json { "@timestamp" => 2023-07-19T13:49:54.546806822Z, "document" => { "Type" => 0, "Rule" => "000-allow-domains", "Action" => "allow", "Event" => { "protocol" => "udp", "dst_ip" => "9.9.9.9", "process_args" => [ [0] "/usr/bin/firefox-esr" ], (...) } ``` -------------------------------- ### Ensure GUI Autostart on Reboot Source: https://github.com/evilsocket/opensnitch/wiki/GUI-known-problems If the OpenSnitch GUI does not appear after rebooting, verify that the autostart desktop entry exists and is correctly linked. ```bash ~ $ ls ~/.config/autostart/opensnitch_ui.desktop ``` ```bash ~ $ mkdir -p ~/.config/autostart/ ~ $ ln -s /usr/share/applications/opensnitch_ui.desktop ~/.config/autostart/ ``` -------------------------------- ### Auditd Event Log Example Source: https://github.com/evilsocket/opensnitch/wiki/monitor-method-auditd Example log messages generated by auditd, showing syscall information, process titles, file paths, and connection details. ```log mar 08 18:37:48 ono-sendai audit[12704]: SYSCALL arch=c000003e syscall=41 success=yes exit=204 a0=a a1=2 a2=0 a3=7f02480008d0 items=0 ppid=12654 pid=12704 auid=1000 uid=1000 gid=1000 euid=1000 suid> mar 08 18:37:48 ono-sendai audit: PROCTITLE proctitle="iceweasel" mar 08 18:37:48 ono-sendai audit: PATH item=0 name="/run/user/1000/bus" inode=41813 dev=00:15 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=0 c> mar 08 18:37:48 ono-sendai audit: CWD cwd="/tmp" mar 08 18:37:48 ono-sendai audit: SOCKADDR saddr=01002FF2756E2F7FF573613030302F343435627573 ``` -------------------------------- ### Download Opensnitch .dsc file Source: https://github.com/evilsocket/opensnitch/wiki/Building-packages-with-pbuilder Use wget to download the source package description file for Opensnitch. ```bash $ wget https://github.com/gustavo-iniguez-goya/opensnitch/releases/download/v1.0.0rc10/opensnitch_1.0.0rc10-1.dsc ``` -------------------------------- ### Download Ads and Tracking Domains List Source: https://github.com/evilsocket/opensnitch/wiki/block-lists Use this command to download a comprehensive list of ad and tracking domains to a specified directory. Ensure the directory exists and you have the necessary permissions. ```bash sudo mkdir /media/ads-list/ sudo chown USER:USER /media/ads-list/ # replace USER with your user wget https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt -O /media/ads-list/ads-and-tracking-extended.txt ``` -------------------------------- ### Create a New Downloader Task Instance Source: https://github.com/evilsocket/opensnitch/blob/master/daemon/tasks/downloader/README.md To create multiple downloader instances, use a unique name for each task and ensure the 'parent' field is set to 'downloader' to inherit base configurations. ```json { "name": "myupdater", "parent": "downloader", "description": "", "data": { ... } } ``` -------------------------------- ### OpenSnitch Rule Expression Example Source: https://github.com/evilsocket/opensnitch/wiki/System-rules An example of a rule expression within OpenSnitch, specifically demonstrating a connection tracking (ct) statement to check for 'invalid' state. This is part of the 'Expressions' array in a rule definition. ```json "Expressions": [ { "Statement": { "Op": "", "Name": "ct", "Values": [ { "Key": "state", "Value": "invalid" } ] } } ``` -------------------------------- ### Enable Systray Icon on GNOME Source: https://github.com/evilsocket/opensnitch/wiki/GUI-known-problems To enable systray icons on GNOME Shell versions 3.16 and later, install the gnome-shell-extension-appindicator. This involves downloading the extension, installing it, restarting GNOME, enabling the extension, and restarting the OpenSnitch UI. ```bash ~ $ sudo yum install gnome-shell-extension-appindicator.noarch # RESTART GNOME: logout or press ALT+F2 and type 'r' ~ $ gnome-extensions enable appindicatorsupport@rgcjonas.gmail.com ~ $ killall opensnitch-ui ``` -------------------------------- ### List open file descriptors for a process Source: https://github.com/evilsocket/opensnitch/wiki/Why-OpenSnitch-does-not-intercept-application-XXX Use 'ls -l' on /proc//fd/ to view symbolic links to socket inodes and other file types. ```bash $ ls -l /proc/1/fd/ lrwx------. 1 root root 64 mar 8 16:37 99 -> 'socket:[18403475]' lrwx------. 1 root root 64 mar 8 16:37 99 -> 'anon_inode:[eventpoll]' lrwx------. 1 root root 64 mar 8 16:37 99 -> 'anon_inode:[timerfd]' ``` -------------------------------- ### Add Script to Crontab Source: https://github.com/evilsocket/opensnitch/wiki/block-lists Example of how to add a script to the user's crontab for periodic execution, such as updating adlists. ```bash $ crontab -e 0 11,17,23 * * * /home/ga/utils/opensnitch/update_adlists.sh ``` -------------------------------- ### Uninstall Pip Packages (GUI Dependencies) Source: https://github.com/evilsocket/opensnitch/wiki/Installation Remove pip-installed transient dependencies for the UI. Verify installation location with `pip show` if unsure. ```bash pip3 uninstall grpcio PyQt5 Unidecode ``` -------------------------------- ### Cross Compile OpenSnitch for armhf Source: https://github.com/evilsocket/opensnitch/wiki/Cross-compilation Use these commands to cross-compile the OpenSnitch daemon for the armhf architecture. Ensure you have the necessary development libraries and toolchain installed. ```bash sudo dpkg --add-architecture armhf sudo apt update sudo apt install libnetfilter-queue-dev:armhf libmnl-dev:armhf sudo apt install gcc-8-arm-linux-gnueabihf gcc-8-arm-linux-gnueabihf-base gcc-8-plugin-dev-arm-linux-gnueabi gcc-arm-linux-gnueabi export CC=arm-linux-gnueabi-gcc export CGO_LDFLAGS="-L/usr/lib/arm-linux-gnueabihf/" GOOS=linux GOARM=7 GOARCH=arm CGO_ENABLED=1 PKG_CONFIG_PATH="/usr/lib/arm-linux-gnueabihf/pkgconfig/" go build -o opensnitchd-arm -x . ``` -------------------------------- ### Filter by Specific Port Range using Regex Source: https://github.com/evilsocket/opensnitch/wiki/Rules-editor Use regular expressions to target a specific range of ports. This example targets ports 5551 through 5555. ```regex ^555[12345]$ ``` -------------------------------- ### Copy Custom Theme File Source: https://github.com/evilsocket/opensnitch/wiki/Events-window-themes Copy a theme file to the OpenSnitch configuration directory to make it available for selection in the GUI. Ensure the file has a .xml extension. ```bash cp .local/lib/python3.9/site-packages/qt_material/themes/dark_red.xml .config/opensnitch/my-dark-theme.xml ``` -------------------------------- ### Fix UI Build on Fedora Source: https://github.com/evilsocket/opensnitch/wiki/Compilation Creates a symbolic link for the `lrelease` binary on Fedora systems to resolve UI build issues. This is necessary because Fedora provides `lrelease-qt5` instead of `lrelease`. ```bash sudo ln -s /usr/lib64/qt5/bin/lrelease-qt5 /usr/local/bin/lrelease ``` -------------------------------- ### Filter by Multiple Ports using Regex Source: https://github.com/evilsocket/opensnitch/wiki/Rules-editor Use regular expressions to specify multiple target ports. This example targets ports 53, 80, and 443. ```regex ^(53|80|443)$ ``` -------------------------------- ### System Processes for System Functions Source: https://github.com/evilsocket/opensnitch/wiki/Getting-started List of system processes that perform functions like device discovery or domain resolution. ```shell /usr/libexec/colord-sane /usr/sbin/avahi-daemon /usr/libexec/dleyna-server-service /lib/systemd/systemd-timesyncd /usr/lib/systemd/systemd-resolved /usr/sbin/ntpd ``` -------------------------------- ### Configure Locales for Unicode Source: https://github.com/evilsocket/opensnitch/wiki/Compilation Ensures proper UTF-8 locale generation and sets the `LC_CTYPE` environment variable, which can resolve unicode-related errors during installation, particularly for the `unicode-slugify` package. ```bash sudo apt install locales sudo locale-gen en_US.UTF-8 export LC_CTYPE=en_US.UTF-8 ``` -------------------------------- ### Example Log Warnings for No Interception Source: https://github.com/evilsocket/opensnitch/wiki/daemon-known-problems These log messages indicate potential issues with nftables rules or libnetfilter_queue, often stemming from missing kernel support or specific configurations. ```log 2 │ [2023-06-24 18:06:54] WAR nftables: error applying changes: conn.Receive: netlink receive: no such file or directory 3 │ [2023-06-24 18:06:54] ERR Error while running DNS nftables rule: Error adding DNS interception rules 4 │ [2023-06-24 18:06:54] WAR nftables: error applying changes: conn.Receive: netlink receive: no such file or directory 5 │ [2023-06-24 18:06:54] ERR Error while running conntrack nftables rule: Error adding interception rule ``` -------------------------------- ### Filter by Exact Executable Path Source: https://github.com/evilsocket/opensnitch/wiki/Rules-examples Specify an exact path for an executable. This will not match versions or subdirectories. ```text /usr/bin/python3 ``` -------------------------------- ### Check CONFIG_FTRACE_SYSCALLS Support Source: https://github.com/evilsocket/opensnitch/wiki/daemon-known-problems Confirm that your kernel supports syscalls tracing by checking for the CONFIG_FTRACE_SYSCALLS option. This is required for enabling tracepoints. ```bash ~ $ grep FTRACE_SYSCALLS /boot/config-$(uname -r) CONFIG_FTRACE_SYSCALLS=y ``` -------------------------------- ### Configure Syslog Logger in OpenSnitch Source: https://github.com/evilsocket/opensnitch/wiki/SIEM-integration Add a syslog logger to the OpenSnitch configuration to send events to a SIEM. Ensure the 'Server', 'Protocol', 'Format', and 'Tag' are set appropriately for your SIEM setup. ```json "Server": { "Address": "unix:///tmp/osui.sock", "LogFile": "/var/log/opensnitchd.log", "Loggers": [ { "Name": "syslog", "Server": "127.0.0.1:514", "Protocol": "udp", "Format": "rfc5424", "Tag": "opensnitchd" } ] }, (...) ``` ```json "Server": { (...) "Loggers": [ { "Name": "syslog", "Server": "127.0.0.1:514", "Protocol": "udp", "Format": "rfc5424", "Tag": "opensnitchd" } ] }, ``` -------------------------------- ### Check Kernel Configuration for NFQUEUE Support Source: https://github.com/evilsocket/opensnitch/wiki/daemon-known-problems Verify that your kernel is configured with the necessary options for NFQUEUE support. This is crucial for opensnitchd to function correctly. ```bash $ grep -E "(NFT|NETLINK|NFQUEUE)" /boot/config-$(uname -r) CONFIG_NFT_QUEUE=y CONFIG_NETFILTER_NETLINK_QUEUE=y CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y ``` -------------------------------- ### Allow Curl to Specific IP and Port Source: https://github.com/evilsocket/opensnitch/wiki/Rules Use this rule to allow `curl` to connect only to a specific IP address and port. Ensure `curl` is installed and this rule is applied when the default action is not 'allow'. ```json { "created": "2020-02-07T14:16:20.550255152+01:00", "updated": "2020-02-07T14:16:20.729849966+01:00", "name": "allow-curl-net-proxy", "description": "allow curl only to 10.168.10.164 on port 8081", "enabled": true, "precedence": false, "action": "allow", "duration": "always", "operator": { "type": "list", "operand": "list", "list": [ { "type": "simple", "operand": "process.path", "sensitive": false, "data": "/usr/bin/curl", "list": null }, { "type": "simple", "operand": "dest.ip", "sensitive": false, "data": "10.168.10.164", "list": null }, { "type": "simple", "operand": "dest.port", "sensitive": false, "data": "8081", "list": null } ] } } } ```