This is artifact parses Little Snitch’s network traffic log.
More information about Little Snitch can be found here: https://www.obdev.at/products/littlesnitch/index.html
name: MacOS.Network.LittleSnitch
author: Wes Lambert -- @therealwlambert
description: |
This is artifact parses Little Snitch's network traffic log.
More information about Little Snitch can be found here:
https://www.obdev.at/products/littlesnitch/index.html
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT
parameters:
- name: CSVGlob
default:
- name: ExecutableRegex
description: "Filter on executable name"
default: .
type: regex
- name: IPRegex
description: "Filter on IP address"
default: .
type: regex
- name: ParentRegex
description: "Filter on parent exectuable"
default: .
type: regex
- name: RemoteHostnameRegex
description: "Filter on IP remote hostname"
default: .
type: regex
sources:
- precondition:
SELECT OS From info() where OS = 'windows' OR OS = 'linux' OR OS = 'darwin'
query: |
LET LittleSnitchLogs <= SELECT FullPath FROM glob(globs=CSVGlob)
LET ProtocolTable <= SELECT * from parse_csv(accessor="data", filename='''
Number,ProtocolName
1,ICMP
6,TCP
17,UDP
''')
SELECT * FROM foreach(row={
SELECT
timestamp(string=date) AS Time,
direction AS Direction,
uid AS UID,
ipAddress AS `IP Address`,
remoteHostname AS `Remote Hostname`,
if(condition=ProtocolTable.ProtocolName[0], then=ProtocolTable.ProtocolName[0], else=protocol) AS Protocol,
port AS Port,
connectCount AS `Connect Count`,
denyCount AS `Deny Count`,
byteCountIn AS `Bytes In`,
byteCountOut AS `Bytes Out`,
connectingExecutable AS `Executable`,
parentAppExecutable AS `Parent`
FROM parse_csv(filename=LittleSnitchLogs.FullPath)})