Skip to content

Rules editor

Jump to bottom
wiki auto updater edited this page Jun 10, 2024 · 3 revisions

Rules can be edited from the GUI, by clicking on the name of the rule:

image

image

(Since v1.2.0, all rules comparison are case-insensitive by the default for destination host, process path and process arguments.)

Parameters

field descrption
Enable Enables or disables the rule.
Priority Indicates that this rule has precedence over the rest.
Case sensitive Make the comparison case-sensitive for ALL fields.
Duration Always writes the rule to disk.

Each field can be literal or a regex expression.

Some examples:

  • Filtering by multiple ports:

    [x] To this port: ^(53|80|443)$

    targets ports 53 OR 80 OR 443.

    [x] To this port: ^555[12345]$

    targets ports 5551, 5552, 5553, 5554 OR 5555.

  • Filtering by an exact domain, and nothing else: [x] To this host: github.com (will match only github.com, not www.github.com, etc)

  • Filtering by a domain and its subdomains: [x] To this host: .*\.git.luolix.top

  • Filtering an executable path:

    [x] From this executable: /usr/bin/python3

    (warning: /usr/bin/python3.6/3.7/3.8/etc won't match this rule)

  • Allow common system commands:

    Name: 000-allow-system-cmds
Action: Allow
[x] Priority rule
[x] From this executable: ^(/usr/sbin/ntpd|/lib/systemd/systemd-timesyncd|/usr/bin/xbrlapi|/usr/bin/dirmngr)$
[x] To this port: ^(53|123)$
[x] From this User ID: ^(0|115|118)$

  • Blocking connections made by executables launched from /tmp:

    Action:                   Deny
[x] From this executable: /tmp/.*

  • Filtering an executable path with regexp, for example any python binary in /usr/bin/:

    [x] From this executable: ^/usr/bin/python[0-9\.]*$

    Case insensitive rules:

    [x] From this executable: (?i:.*ping)

  • Filtering LAN IPs or multiple ranges: ^(127\..*|172\..*|192.168\..*|10\..*)$

See these issues for some discussions and more examples: #17, #31, #73

Note: Don't use "," to specify domains, IPs, etc. It's not supported. For example this won't work (it could be added if you complain loud enough):

[x] To this host: www.example.org, www.test.me

Python regular expression documentation

Golang regular expression documentation

Golang regular expression syntax

Note: Golang does not support Perl syntax (like (?!...))

However you can use negated chars classes. For example, block all outgoing connections, except those to localhost:

[x] Action: deny

[x] To this destination IP: [^:127.0.0.1:]

Note on allowing all connections to localhost:

While it might be seem obvious to allow everything to localhost, be aware that you might want to allow only certain connections/programs:

OpenSnitch in action

Please help us make this wiki better.

How to submit changes: https://github.com/evilsocket/opensnitch/blob/wiki/README.md

  1. Installation
    1. Dependencies and how it works
  2. Getting started
    1. Events window
      1. Themes
    2. Process monitor dialog
    3. Pop-up dialogs
  3. Configuration
    1. Monitor method: audit
    2. Monitor method: eBPF
    3. Rules
      1. Best practices
    4. Rules editor
      1. Rules examples
    5. System rules
      1. System rules legacy
    6. Block lists, ads|malware|...
    7. Nodes
      1. Authentication
      2. Configuration examples
      3. Generating TLS certificates
    8. SIEM integration
      1. Grafana + Loki + Promtail
      2. ElasticSearch + LogStash + Kibana
  4. Compilation
    1. Cross-compilation for arm
    2. Building packages with pbuilder
  5. GUI translations
    1. Adding, updating and installing translations
  6. FAQs and common errors
    1. Known problems
      1. GUI known problems
      2. daemon known problems
      3. General
    2. FAQs
    3. Why OpenSnitch does not intercept application XXX
  7. Examples OpenSnitch in action
Clone this wiki locally