Skip to content

Commit 4d63a02

Browse files
Merge pull request #1600 from tredondo/wiki
Rules: document missing operands, clarify others, correct grammar
2 parents 4c8b93b + e9713d3 commit 4d63a02

1 file changed

Lines changed: 38 additions & 26 deletions

File tree

wiki/Rules.md

Lines changed: 38 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88

99
### Format
1010

11-
Rules are stored as JSON files inside the `-rule-path` directory (by default `/etc/opensnitchd/rules`), in its simplest form, a rule looks like this:
11+
Rules are stored as JSON files in the directory passed via `-rules-path` (by default `/etc/opensnitchd/rules`). In its simplest form, a rule looks like this:
1212

1313
```json
1414
{
@@ -21,39 +21,41 @@ Rules are stored as JSON files inside the `-rule-path` directory (by default `/e
2121
"duration": "always",
2222
"operator": {
2323
"type": "simple",
24-
"sensitive": false,
2524
"operand": "dest.host",
26-
"data": "www-google-analytics.l.google.com"
25+
"data": "www-google-analytics.l.google.com",
26+
"sensitive": false
2727
}
2828
}
2929
```
3030

3131
| Field | Description |
3232
| -----------------|---------------|
3333
| created | UTC date and time of creation. |
34-
| update | UTC date and time of the last update. |
34+
| updated | UTC date and time of the last update. |
3535
| name | The name of the rule. |
36+
| description | Free-text annotation field, optional, daemon ignores it. |
3637
| enabled | Enable or disable the rule. |
3738
| precedence | `true` or `false`. Sets if a rule take precedence over the rest (>= v1.2.0). If a connection matches this rule, no other rules will be evaluated.|
3839
| action | Can be `deny`, `reject` or `allow`. `reject` kills the socket, terminating the connection immediately. `deny` drops/ignores the packet. |
3940
| duration | The duration of the rule in [Duration format](https://pkg.go.dev/time#ParseDuration). `always` is always used when the rule is written to disk. The rest of the options are temporary, until they reach the deadline: `12h`, `5h`, `1h`, `30s`, or `once` to only run the rule one time. |
4041
| operator.type | `simple`, `regexp`, `network`, `lists`, `list`, `range`.|
4142
|| `simple` is a simple `==` comparison.|
42-
|| `regexp` matches the regexp from the `data` field against the connection |
43+
|| `regexp` matches the regexp from the `data` field against the connection. Uses [Go's RE2](https://github.com/google/re2/wiki/syntax) — no lookahead/lookbehind/backrefs. Note that the GUI uses Python's regex engine to validate input, so a pattern accepted by the editor may still fail to compile in the daemon. |
4344
|| `network` checks if the IP of a connection is contained within the specified network range (127.0.0.1/8, 192.168.1.0/24, etc) |
4445
|| `lists` will look for matches on lists of something (domains, IPs, etc). Typically used to create [blocklists](https://github.com/evilsocket/opensnitch/wiki/block-lists)|
4546
|| `range` (v1.9.0) will check if an Operand (`dest.port` or `source.port`) is within the given range.|
4647
|| `list`, a combination of all of the previous types.|
4748
| operator.data | The data of the rule against which an outbound connection will be compared: an IP, a destination port, a command line, etc. |
48-
| operator.sensitive | If `true`, the property-data comparison is case sensitive. Defaults to `false`. |
49+
| operator.sensitive | Case sensitivity, default `false` (case insensitive). |
4950
| operator.operand | Property of the connection against which the rule will be compared: |
5051
| | `true` - will always match |
5152
| | `process.path` - the absolute path of the executable |
5253
| | `process.id` PID of the process|
5354
| | `process.command` (full command line, including path and arguments). Note that cmdlines can contain or not the process name, and the path can be absolute or relative (`./cmd -x a`).|
54-
| | `process.parent.path` (v1.7.0) check against ONE of the parent path. You can add multiple parent paths with the `list` type, to match the tree of a process. |
55-
| | `provess.env.ENV_VAR_NAME` (use the value of an environment variable of the process given its name). |
55+
| | `process.parent.path` (v1.7.0) checks against **any** ancestor in the process tree (parent, grandparent, etc., up to PID 1). To require multiple ancestors, combine with `list` — but note this matches when each path appears anywhere in the chain, regardless of order or depth. |
56+
| | `process.env.ENV_VAR_NAME` (use the value of an environment variable of the process given its name). |
5657
| | `process.hash.md5` (v1.7.0) - verify the checksum of an executable |
58+
| | `process.hash.sha1` |
5759
| | `user.id` - UID |
5860
| | `user.name` user name (v1.7.0). Check against a regular system username (no namespaces, containers or virtual user names).|
5961
| | `protocol` - TCP, UDP, UDPLITE, SCTP, DCCP, ICMP (append "6" for IPv6 protocols: TCP6)|
@@ -72,9 +74,17 @@ Rules are stored as JSON files inside the `-rule-path` directory (by default `/e
7274
| | `lists.nets` (v1.5.0) list of network ranges [read more](https://github.com/evilsocket/opensnitch/wiki/block-lists)|
7375
| | `lists.hash.md5` (v1.7.0) list of md5s |
7476

77+
For `lists.*` operands, the `data` field is the path to a **directory**
78+
(not a single file). The daemon loads every file under it that has a
79+
recognized extension (`.txt`, `.list`, `.dat`, etc.). **Files without
80+
an extension are silently skipped** — see [block-lists](https://github.com/evilsocket/opensnitch/wiki/block-lists)
81+
for the full file format and examples. `lists.domains` matches each line
82+
exactly (so `example.com` does not match `www.example.com`); use
83+
`lists.domains_regexp` for wildcard subdomain matching.
84+
7585
### Some considerations
7686

77-
All the fields you select when defining a rule will be used to match connections, for example:
87+
All the fields you select when defining a rule will be used to match connections. For example:
7888
- Rule: allow -> port 443 -> Dst IP 1.1.1.1 -> Protocol TCP -> Host www.site.test
7989
* This rule will match connections to port 443 __AND__ IP 1.1.1.1 __AND__ protocol TCP __AND__ host www.site.test
8090
* connections to IP 2.2.2.2 won't match, connections to port 80 won't match, etc...
@@ -84,10 +94,13 @@ Rules are stored as JSON files inside the `-rule-path` directory (by default `/e
8494
- Rule: allow -> port ^(53|80|443)$ -> UID 1000 -> Path /app/bin/test -> [x] domains list
8595
* This rule will match connections to ports (53 __OR__ 80 __OR__ 443) __AND__ UID 1000 __AND__ Path /app/bin/test __AND__ domains in the specified.
8696

87-
- If you select multiple lists on the same rule, bear in mind that all the lists must match in order to apply an action:
88-
[Read this disccussion to learn more](https://github.com/evilsocket/opensnitch/discussions/877#discussioncomment-5247997)
97+
- If you select multiple lists on the same rule, bear in mind that all the lists must match in order to apply an action. [Read this discussion to learn more](https://github.com/evilsocket/opensnitch/discussions/877#discussioncomment-5247997).
98+
99+
The GUI auto-generates rule names based on the fields you specify. If these include long paths, command lines, or domains, the resulting name can get quite long (up to 128 characters). However, you can edit the rule name as you please.
89100

90-
Rule precedence: When a connection is attempted, OpenSnitch evaluates each of the enabled rules. The rules are sorted in the alphabetical order of rule names (since v.1.2.0). OpenSnitch goes through the list and as soon as it encounters a Deny/Reject rule or an _Important_ ([x] Priority) rule (since v1.2.0) that matches the connection, that rule will be immediately selected as the effective rule. If no such rule is found, then the last non-Important Allow rule that matched will be selected. If no rule matched, it shows a pop-up dialogue, or applys the default action if that's not possible.
101+
#### Rule precedence
102+
103+
When a connection is attempted, OpenSnitch evaluates each of the enabled rules. The rules are sorted in the alphabetical order of rule names (since v.1.2.0). OpenSnitch goes through the list and as soon as it encounters a Deny/Reject rule or an _Important_ (`[x] Priority rule`) (since v1.2.0) that matches the connection, that rule will be immediately selected as the effective rule. If no such rule is found, then the last non-Important Allow rule that matched will be selected. If no rule matched, it shows a pop-up dialogue, or applys the default action if that's not possible.
91104

92105
- In the following example, the Deny rule takes precedence over the Allow rules:
93106
```
@@ -105,9 +118,9 @@ Rule precedence: When a connection is attempted, OpenSnitch evaluates each of th
105118

106119
This way you can not only prioritize critical connections (like VPNs), but also gain performance.
107120

108-
**More on rules performance**
121+
#### More on rules performance
109122

110-
As already mentioned, the order of rules is critical. If you use Firefox and prioritize Allow rules to allow Firefox's connections, web navegation will be faster.
123+
As already mentioned, the order of rules is critical. If you use Firefox and prioritize Allow rules to allow Firefox's connections, web navigation will be faster.
111124

112125
But the type of rule also impacts the rule's performance. `regexp` and `list` types are slower than `simple` because `regexp` and `list` types check multiple parameters while simple rules check just one. And `regexp` is the slowest, because is the more complex type.
113126

@@ -128,7 +141,7 @@ An example with a regular expression:
128141
"type": "regexp",
129142
"sensitive": false,
130143
"operand": "dest.host",
131-
"data": "(?i)"
144+
"data": "(?i)google-?analytics"
132145
}
133146
}
134147
```
@@ -265,17 +278,17 @@ If you want to restrict it further, under the `Addresses` tab you can review wha
265278

266279
### For servers
267280

268-
These recommendations also apply to the Linux Desktop, but are specially important on servers.
281+
These recommendations also apply to the Linux Desktop, but are specially important on servers.
269282

270-
Why? If someone gets access to the system, usually there're a few directories where everyone can write files: `/tmp`, `/var/tmp` or `/dev/shm`.
271-
Thus these directories are usually used to drop malicious files or download remote binaries to escalate privileges, mine cryptocoins, etc.
283+
Why? If someone gets access to the system, usually there are a few directories where everyone can write files: `/tmp`, `/var/tmp` or `/dev/shm`.
284+
Thus these directories can be used to drop malicious files or download remote binaries to escalate privileges, mine cryptocoins, etc.
272285

273-
Usually the attackers use `wget`, `curl` or `bash` to establish outbound connections ([malware examples](https://github.com/evilsocket/opensnitch/discussions/1119)). So, if you don't need these binaries, just uninstall them.
286+
Usually the attackers use `wget`, `curl` or `bash` to establish outbound connections (as in these [malware examples](https://github.com/evilsocket/opensnitch/discussions/1119)). So, if you don't need these binaries, just uninstall them.
274287

275-
There're two approaches to secure a server with OpenSnitch:
288+
There are two approaches to secure a server with OpenSnitch:
276289

277-
1) restrict everything by default (`DefaultAction` set to deny/reject in the `default-config.json` file) and allow only system binaries and needed apps. Incoming connections will keep working, but NEW outbound connections will be denied.
278-
2) allow everything by default, and deny connections from specific locations, or by binary / destination.
290+
1) Restrict everything by default (`DefaultAction` set to deny/reject in the `default-config.json` file) and allow only system binaries and needed apps. Incoming connections will keep working, but NEW outbound connections will be denied.
291+
2) Allow everything by default, and deny connections from specific locations, or by binary / destination.
279292

280293

281294
- If you need curl or wget and the `DefaultAction` is not `allow`, restrict their outbound connections as much as possible (this practice applies to any other binary of the server):
@@ -377,11 +390,10 @@ There're two approaches to secure a server with OpenSnitch:
377390

378391
- You can also block outbound connections to crypto mining pools and malware domains/ips with [blocklists rules](https://github.com/evilsocket/opensnitch/wiki/block-lists).
379392

380-
One of the common reason to compromise servers is to mine cryptos. Denying connections to the mining pools, disrupts the operation.
393+
One of the common reason to compromise servers is to mine cryptocurrencies. Denying connections to the mining pools disrupts the operation.
381394

382395
- Think also if your web server, database server, etc, needs to establish connections to remote IPs.
383396

384-
In some cases, the download of malicious files is executed from common applications: [pg_mem campaign](https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/)
385-
386-
**Note** that the default policy should be deny everything unless explicitely allowed. But by creating a rule to deny specifically these directories, you can have a place where to monitor these executions.
397+
In some cases, the download of malicious files is executed from common applications; see the [pg_mem campaign](https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/)
387398

399+
**Note** that the default policy should be to deny everything unless explicitly allowed. But by creating a rule to deny specifically these directories, you can have a place where to monitor these executions.

0 commit comments

Comments
 (0)