Rule Groups: Great idea but not very useful right now. I have suggestions!

ls_usr_4711
Posts: 4
Joined: Mon Jun 04, 2018 12:58 pm

Post by ls_usr_4711 » Mon Jun 04, 2018 1:12 pm

I like the idea of rule groups but right now I cannot use them because no one (as far as I know) offers any subscriptions and also I would have to trust the source, which most likely I wouldn't.

What I would like is rule groups that I can add and modify myself so I can add rules to groups instead of profiles and be able to enable that group whenever I need to. What would be even better is if those groups could be triggered by an application connecting to a specific host (or any host, depending on what I want) so I could decide then to enable that group for a certain amount of time. That way I could give an application access to different hosts but only when I am present and aware of what is happening.

What do you guys think?

HatfulOfDoves
Posts: 6
Joined: Thu Jun 07, 2018 10:31 am

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Post by HatfulOfDoves » Thu Jun 07, 2018 12:58 pm

I've tried a bunch of different subscription lists and host files and LS always tells me the format is wrong, no matter how many varieties of formats I try. What is the accepted format for subscription groups?

ls_usr_4711
Posts: 4
Joined: Mon Jun 04, 2018 12:58 pm

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Post by ls_usr_4711 » Wed Jun 13, 2018 1:26 pm

HatfulOfDoves wrote: I've tried a bunch of different subscription lists and host files and LS always tells me the format is wrong, no matter how many varieties of formats I try. What is the accepted format for subscription groups?

This is:
https://obdev.at/resources/littlesnitch ... le.lsrules

daniela
Objective Development
Posts: 56
Joined: Wed Jun 21, 2017 10:08 am

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Post by daniela » Mon Jun 18, 2018 1:51 pm

HatfulOfDoves wrote: What is the accepted format for subscription groups?


The easiest way to create a rule group file is by selecting the rules to publish in Little Snitch Configuration and choosing File > Export Selected Rules….
Alternatively, you can create the .lsrules file using a text editor or a script. The latter option allows you to dynamically create the JSON depending on parameters passed in the URL used for subscribing.

Find more details here:
https://help.obdev.at/littlesnitch/#/ls ... scriptions

nudge
Posts: 12
Joined: Sat Jan 13, 2018 9:20 am

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Post by nudge » Thu Jun 21, 2018 11:48 am

I've been testing this and found it to work as described and it's almost perfect for my needs. It will only check for rule updates either daily or weekly. Otherwise you have to get the user to open LS Configuration and manually run the update. I would prefer more control over that but otherwise you just need to get your rules organised properly and converted into JSON format and you're up and running. Also, when the user subscribes to a ruleset, in my case they need to change nearly all the default options for the rules to be immediately enabled as required. I know that's a safety measure, so okay, I can live with that.

The easiest way to create your rule sets is to export existing rules, although I might get around to writing a script to convert them from the format used on the blacklist site mentioned above. If you're sharing rules with multiple users, you'll need to think about organising them into groups anyway.

I'm using a private GitHub repo to serve my test rules over HTTPS with version control thrown in. All in all it's pretty cool to have this and I'm very happy obdev have developed this feature. Thank you!

iFrankZagarino
Posts: 5
Joined: Fri Jun 22, 2018 1:46 pm

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Post by iFrankZagarino » Fri Jun 22, 2018 1:55 pm

Hey guys,

I just registered here to let you know that I found someone who wrote an awesome Python script which converts the host files from https://github.com/StevenBlack/hosts into .lsrules files.

You'll find it on GitHub, too.
https://github.com/naveednajam/Little-Snitch---Rule-Groups

It works fine, but the only problem so far is that when you have such an amount of rules (nearly 70000 blocks), the Little Snitch Network Monitor doesn't respond anymore (had to deactivate it) and Little Snitch needs way more memory than before (800MB). Perhaps obdev is able to fix that problem in a later update. So it's not the perfect alternative to host file based blocking yet. But I'll try and play a bit longer with it.

edit:
Don't activate all rules! I'm not even able to start the configuration to disable the rules. There seems to be a huge CPU and memory problem with Little Snitch while it has a huge amount of connections to handle.

christian
Objective Development
Posts: 1442
Joined: Thu Nov 09, 2006 11:46 am

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Post by christian » Tue Jul 10, 2018 4:21 pm

We have improved the object archiving performance in 4.1.3 nightly and thus (experimentally) increased the maximum amount of rules in a subscription to 100k. If anybody wants to try this, please download 4.1.3 nightly.

Rule set analysis in Little Snitch Configuration and Network Monitor is still slow, but Little Snitch should not get stuck completely.
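
Editorial example (added here; not code from the posters, from Objective Development, or from the script linked above): a hosts-file to .lsrules converter that keeps only sinkholed, syntactically valid host names and refuses to emit more rules than the 100k subscription limit mentioned in the post above. The key names `name`, `description`, `rules`, `action`, `process` and `remote-hosts` are assumed from the published .lsrules format and should be checked against the documentation linked earlier in the thread; the sample hosts text is constructed.

```python
import json
import re

# Addresses that block-list hosts files point unwanted names at.
SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Names a hosts file defines for the machine itself; never turn these into rules.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}
# Conservative host name check: at least two labels, alphabetic or punycode TLD.
HOSTNAME = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9])?\.)+"
                      r"(?:[a-z]{2,63}|xn--[a-z0-9-]{1,59})$")

# Constructed sample in the layout of a block-list hosts file.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com   # inline comment
0.0.0.0 Tracker.Example.NET
0.0.0.0 ads.example.com
0.0.0.0 bad host!name
192.0.2.7 intranet.example.org
"""


def parse_hosts(text):
    """Return the sorted, de-duplicated host names that the text sinkholes."""
    hosts = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2 or fields[0] not in SINKS:
            continue  # blank line, comment, or a mapping to a real address
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES and HOSTNAME.match(name):
                hosts.add(name)
    return sorted(hosts)


def to_lsrules(hosts, name, description, max_rules=100_000):
    """Build a rule group with one deny rule per host, refusing oversized sets."""
    if len(hosts) > max_rules:
        raise ValueError(f"{len(hosts)} rules exceed the limit of {max_rules}")
    # Key names are assumed from the published .lsrules format; verify before use.
    rules = [{"action": "deny", "process": "any", "remote-hosts": h} for h in hosts]
    return {"name": name, "description": description, "rules": rules}


if __name__ == "__main__":
    group = to_lsrules(parse_hosts(SAMPLE_HOSTS), "Sample list", "Constructed data")
    print(json.dumps(group, indent=2))
```

Because the converter only ever writes `deny` rules and drops entries that map names to real addresses, a tampered or malformed hosts file cannot turn into an allow rule in the published group.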

pgeorgan
Posts: 4
Joined: Tue Nov 27, 2018 12:05 am

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Post by pgeorgan » Tue Nov 27, 2018 12:06 am

iFrankZagarino wrote: Hey guys,

I just registered here to let you know that I found someone who wrote an awesome Python script which converts the host files from https://github.com/StevenBlack/hosts into .lsrules files.

You'll find it on GitHub, too.
https://github.com/naveednajam/Little-Snitch---Rule-Groups

It works fine, but the only problem so far is that when you have such an amount of rules (nearly 70000 blocks), the Little Snitch Network Monitor doesn't respond anymore (had to deactivate it) and Little Snitch needs way more memory than before (800MB). Perhaps obdev is able to fix that problem in a later update. So it's not the perfect alternative to host file based blocking yet. But I'll try and play a bit longer with it.

edit:
Don't activate all rules! I'm not even able to start the configuration to disable the rules. There seems to be a huge CPU and memory problem with Little Snitch while it has a huge amount of connections to handle.



I didn't have that problem. Could be an issue with an older computer, though. The StevenBlack conversion to rule groups worked great (though I already had these in a hosts file).
Last edited by pgeorgan on Tue Nov 27, 2018 1:36 am, edited 1 time in total.

christian
Objective Development
Posts: 1442
Joined: Thu Nov 09, 2006 11:46 am

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Post by christian » Tue Nov 27, 2018 12:15 am

You probably have Little Snitch 4.3 nightly installed. This version has greatly improved performance for large rule sets.

pgeorgan
Posts: 4
Joined: Tue Nov 27, 2018 12:05 am

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Post by pgeorgan » Tue Nov 27, 2018 12:41 am

christian wrote: You probably have Little Snitch 4.3 nightly installed. This version has greatly improved performance for large rule sets.


That I do!

pgeorgan
Posts: 4
Joined: Tue Nov 27, 2018 12:05 am

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Post by pgeorgan » Wed Nov 28, 2018 6:31 pm

Silly question, but how do I subscribe to my own .lsrules file if it's not a URL?

christian
Objective Development
Posts: 1442
Joined: Thu Nov 09, 2006 11:46 am

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Post by christian » Wed Nov 28, 2018 9:25 pm

This is currently not possible. We have not implemented it because it's hard to explain the security implications. Every intruder would have an easy way to make rules as he wishes. And if you synchronize the file among computers, access to one of them is sufficient to add rules.

What exactly is your use case? Can it be done in a more secure manner?

pgeorgan
Posts: 4
Joined: Tue Nov 27, 2018 12:05 am

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Post by pgeorgan » Fri Nov 30, 2018 4:32 pm

Hmm. I guess a better question would be, is there a way to batch import a set of rules that are in .lsrules format? Currently, I have a custom script that exports .lsrules files from Steven Black's Hosts to my own GitHub repo. From there, I've subscribed to my own repo via Rule Group subscriptions.

christian
Objective Development
Objective Development
Posts: 1442
Joined: Thu Nov 09, 2006 11:46 am

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Post by christian » Fri Nov 30, 2018 4:59 pm

If we make a seamless scriptable import of .lsrules files, every malware can use it for their purpose. We therefore insist on loading from a remote machine (with valid SSL certificate). This is not easily available to malware running locally.
