MacOS.Network.LittleSnitch

This artifact parses Little Snitch’s network traffic log.

More information about Little Snitch can be found here: https://www.obdev.at/products/littlesnitch/index.html


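name: MacOS.Network.LittleSnitch
author: Wes Lambert -- @therealwlambert
description: |
  This artifact parses Little Snitch's network traffic log (CSV).

  Every row of the log becomes one result row. The numeric IP protocol
  column is translated to a name (ICMP/TCP/UDP) where the number is known
  and left as the raw value otherwise. The four regex parameters narrow
  the output by executable, IP address, parent executable and remote
  hostname.

  NOTE: the default regex "." only matches a NON-EMPTY field, so a row whose
  remote hostname (or any other filtered field) is blank is dropped unless
  the corresponding filter is relaxed to ".*".

  More information about Little Snitch can be found here:
  https://www.obdev.at/products/littlesnitch/index.html

# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT

parameters:
  # No default on purpose: nothing is collected until the operator supplies
  # the glob of the exported Little Snitch CSV file(s).
  - name: CSVGlob
    description: "Glob matching the Little Snitch CSV log file(s) to parse."
    default: ""
  - name: ExecutableRegex
    description: "Filter on executable name"
    default: .
    type: regex
  - name: IPRegex
    description: "Filter on IP address"
    default: .
    type: regex
  - name: ParentRegex
    description: "Filter on parent executable"
    default: .
    type: regex
  - name: RemoteHostnameRegex
    description: "Filter on remote hostname"
    default: .
    type: regex

sources:

  # The precondition admits Windows and Linux as well as macOS, presumably so
  # an exported log can be parsed off the Mac it came from.
  - precondition:
      SELECT OS From info() where OS = 'windows' OR OS = 'linux' OR OS = 'darwin'

    query: |
      -- Resolve the glob once. An empty CSVGlob matches no files, so the
      -- query simply returns no rows.
      LET LittleSnitchLogs <= SELECT FullPath FROM glob(globs=CSVGlob)

      -- IANA protocol number -> name, keyed by the string value parse_csv()
      -- produces for the log's `protocol` column. The CSV text starts at
      -- column 0 so the parse does not rely on leading-space trimming.
      LET ProtocolNames <= to_dict(item={
        SELECT Number AS _key, ProtocolName AS _value
        FROM parse_csv(accessor="data", filename='''Number,ProtocolName
      1,ICMP
      6,TCP
      17,UDP
      ''')
      })

      SELECT * FROM foreach(row={
        SELECT
            timestamp(string=date) AS Time,
            direction AS Direction,
            uid AS UID,
            ipAddress AS `IP Address`,
            remoteHostname AS `Remote Hostname`,
            -- Look the number up by value; an unknown number falls back to
            -- the raw field instead of being mislabelled.
            if(condition=get(item=ProtocolNames, field=protocol),
               then=get(item=ProtocolNames, field=protocol),
               else=protocol) AS Protocol,
            port AS Port,
            connectCount AS `Connect Count`,
            denyCount AS `Deny Count`,
            byteCountIn AS `Bytes In`,
            byteCountOut AS `Bytes Out`,
            connectingExecutable AS `Executable`,
            parentAppExecutable AS `Parent`
        FROM parse_csv(filename=LittleSnitchLogs.FullPath)
        -- Apply the user-supplied filters on the raw CSV columns.
        WHERE connectingExecutable =~ ExecutableRegex
          AND ipAddress =~ IPRegex
          AND parentAppExecutable =~ ParentRegex
          AND remoteHostname =~ RemoteHostnameRegex
      })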