Rules
Gustavo Iñiguez Goia edited this page Jun 20, 2020 · 7 revisions
Rules are stored as JSON files inside the `-rule-path` folder. In the simplest case, a rule looks like this:
```json
{
  "created": "2018-04-07T14:13:27.903996051+02:00",
  "updated": "2018-04-07T14:13:27.904060088+02:00",
  "name": "deny-simple-www-google-analytics-l-google-com",
  "enabled": true,
  "action": "deny",
  "duration": "always",
  "operator": {
    "type": "simple",
    "operand": "dest.host",
    "data": "www-google-analytics.l.google.com"
  }
}
```
Field | Description |
---|---|
created | UTC date and time of creation. |
updated | UTC date and time of the last update. |
name | The name of the rule. |
enabled | Used to temporarily disable and re-enable rules without moving their files. |
action | Can be `deny` or `allow`. |
duration | For rules persisting on disk, this value defaults to `always`. |
operator.type | Can be `simple`, in which case a plain `==` comparison is performed, or `regexp` if the `data` field is a regular expression to match. |
operator.operand | Which element of the connection to compare. Can be one of: `true` (always matches), `process.path` (the path of the executable), `process.command` (the full command line, including path and arguments), `process.env.ENV_VAR_NAME` (the value of the process's environment variable with the given name), `user.id`, `dest.ip`, `dest.host` or `dest.port`. |
operator.data | The data to compare the operand to; a regular expression if `type` is `regexp`. |
An example with a regular expression:
```json
{
  "created": "2018-04-07T14:13:27.903996051+02:00",
  "updated": "2018-04-07T14:13:27.904060088+02:00",
  "name": "deny-any-google-analytics",
  "enabled": true,
  "action": "deny",
  "duration": "always",
  "operator": {
    "type": "regexp",
    "operand": "dest.host",
    "data": "(?i)
  }
}
```
An example whitelisting a whole process:
```json
{
  "created": "2018-04-07T15:00:48.156737519+02:00",
  "updated": "2018-04-07T15:00:48.156772601+02:00",
  "name": "allow-simple-opt-google-chrome-chrome",
  "enabled": true,
  "action": "allow",
  "duration": "always",
  "operator": {
    "type": "simple",
    "operand": "process.path",
    "data": "/opt/google/chrome/chrome"
  }
}
```
Example of a complex rule using the `list` operator, as saved from the GUI (note: version v1.0.0-rc2):

```json
{
  "created": "2020-02-07T14:16:20.550255152+01:00",
  "updated": "2020-02-07T14:16:20.729849966+01:00",
  "name": "deny-list-type-simple-operand-destip-data-1101-type-simple-operand-destport-data-23-type-simple-operand-userid-data-1000-type-simple-operand-processpath-data-usrbintelnetnetkit",
  "enabled": true,
  "action": "deny",
  "duration": "always",
  "operator": {
    "type": "list",
    "operand": "list",
    "data": "[{\"type\": \"simple\", \"operand\": \"dest.ip\", \"data\": \"1.1.0.1\"}, {\"type\": \"simple\", \"operand\": \"dest.port\", \"data\": \"23\"}, {\"type\": \"simple\", \"operand\": \"user.id\", \"data\": \"1000\"}, {\"type\": \"simple\", \"operand\": \"process.path\", \"data\": \"/usr/bin/telnet.netkit\"}]",
    "list": [
      {
        "type": "simple",
        "operand": "dest.ip",
        "data": "1.1.0.1",
        "list": null
      },
      {
        "type": "simple",
        "operand": "dest.port",
        "data": "23",
        "list": null
      },
      {
        "type": "simple",
        "operand": "user.id",
        "data": "1000",
        "list": null
      },
      {
        "type": "simple",
        "operand": "process.path",
        "data": "/usr/bin/telnet.netkit",
        "list": null
      }
    ]
  }
}
```
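To show how the three operator types above (`simple`, `regexp` and `list`) are evaluated against a connection, here is a small Go program added as an illustration; it is not the OpenSnitch daemon's own code. The `Conn` map, the `Match`/`Decide` names and the AND semantics of `list` (every sub-operator must match, as the GUI-saved telnet rule implies) are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Operator mirrors a rule file's "operator" object; "list" holds a list rule's sub-operators.
type Operator struct {
	Type    string     `json:"type"`
	Operand string     `json:"operand"`
	Data    string     `json:"data"`
	List    []Operator `json:"list"`
}

// Rule mirrors the top-level rule file (name, timestamps and duration omitted here).
type Rule struct {
	Enabled  bool     `json:"enabled"`
	Action   string   `json:"action"`
	Operator Operator `json:"operator"`
}

type Conn map[string]string // constructed stand-in for a connection: operand name -> value

// Match evaluates one operator; a list matches only when every sub-operator matches (assumed AND).
func (o Operator) Match(c Conn) bool {
	switch o.Type {
	case "simple":
		return o.Operand == "true" || c[o.Operand] == o.Data
	case "regexp":
		re, err := regexp.Compile(o.Data)
		return err == nil && re.MatchString(c[o.Operand])
	case "list":
		for _, sub := range o.List {
			if !sub.Match(c) {
				return false
			}
		}
		return len(o.List) > 0
	}
	return false // unknown operator type: the rule does not apply
}

// Decide parses one rule file and returns its action when it applies to c, else "".
func Decide(ruleJSON string, c Conn) string {
	var r Rule
	if json.Unmarshal([]byte(ruleJSON), &r) == nil && r.Enabled && r.Operator.Match(c) {
		return r.Action
	}
	return ""
}

func main() {
	rule := `{"enabled":true,"action":"deny","operator":{"type":"regexp","operand":"dest.host","data":"(?i).*analytics.*"}}`
	fmt.Println(Decide(rule, Conn{"dest.host": "www-google-analytics.l.google.com"})) // deny
}
```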