Rule Groups: Great idea but not very useful right now. I have suggestions!

Posted: Mon Jun 04, 2018 1:12 pm
by ls_usr_4711
I like the idea of rule groups but right now I cannot use them because no one (as far as I know) offers any subscriptions and also I would have to trust the source which most likely I wouldn't.

What I would like is rule groups that I can add and modify myself so I can add rules to groups instead of profiles and be able to enable that group whenever I need to. What would be even better is if those groups could be triggered by an application connecting to a specific host (or any host, depending on what I want) so I could decide then to enable that group for a certain amount of time. That way I could give an application access to different hosts but only when I am present and aware what is happening.

What do you guys think?

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Posted: Thu Jun 07, 2018 12:58 pm
by HatfulOfDoves
I've tried a bunch of different subscription lists and host files and LS always tells me the format is wrong, no matter how many varieties of formats I try. What is the accepted format for subscription groups?

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Posted: Wed Jun 13, 2018 1:26 pm
by ls_usr_4711
HatfulOfDoves wrote: I've tried a bunch of different subscription lists and host files and LS always tells me the format is wrong, no matter how many varieties of formats I try. What is the accepted format for subscription groups?

This is:
https://obdev.at/resources/littlesnitch ... le.lsrules

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Posted: Mon Jun 18, 2018 1:51 pm
by daniela
HatfulOfDoves wrote: What is the accepted format for subscription groups?


The easiest way to create a rule group file is by selecting the rules to publish in Little Snitch Configuration and choosing File > Export Selected Rules….
Alternatively, you can create the .lsrules file using a text editor or a script. The latter option allows you to dynamically create the JSON depending on parameters passed in the URL used for subscribing.

Find more details here:
https://help.obdev.at/littlesnitch/#/ls ... scriptions

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Posted: Thu Jun 21, 2018 11:48 am
by nudge
I've been testing this and found it to work as described and it's almost perfect for my needs. It will only check for rule updates either daily or weekly. Otherwise you have to get the user to open LS Configuration and manually run the update. I would prefer more control over that but otherwise you just need to get your rules organised properly and converted into json format and you're up and running. Also, when the user subscribes to a ruleset, in my case they need to change nearly all the default options for the rules to be immediately enabled as required. I know that's a safety measure so okay I can live with that.

The easiest way to create your rule sets is to export existing rules, although I might get around to writing a script to convert them from the format used on the blacklist site mentioned above. If you're sharing rules with multiple users, you'll need to think about organising them into groups anyway.

I'm using a private GitHub repo to serve my test rules over https with version control thrown in. All in all it's pretty cool to have this and I'm very happy obdev have developed this feature. Thank you!

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Posted: Fri Jun 22, 2018 1:55 pm
by iFrankZagarino
Hey guys,

I just registered here to let you know that I found someone who wrote an awesome python script which converts the host files from https://github.com/StevenBlack/hosts into .lsrules-files

You'll find it on github, too.
https://github.com/naveednajam/Little-Snitch---Rule-Groups

It works fine though, but the only problem so far is, that when you have such an amount of rules (nearly 70000 blocks) the Little Snitch Network Monitor doesn't respond anymore (had to deactivate it) and Little Snitch needs way more memory than before (800MB). Perhaps obdev is able to fix that problem in a later update. So it's not the perfect alternative to host file based blocking yet. But I'll try and play a bit longer with it.

edit:
Don't activate all rules! I'm not even able to start the configuration to disable the rules. There seems to be a huge CPU and memory problem with Little Snitch while it has a huge amount of connections to handle

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Posted: Tue Jul 10, 2018 4:21 pm
by christian
We have improved the object archiving performance in 4.1.3 nightly and thus (experimentally) increased the maximum amount of rules in a subscription to 100k. If anybody wants to try this, please download 4.1.3 nightly.

Rule set analysis in Little Snitch Configuration and Network Monitor is still slow, but Little Snitch should not get stuck completely.
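
The hosts-file to .lsrules conversion discussed in the posts above, as an added example (not the linked GitHub script and not Objective Development's code). It assumes the .lsrules keys `name`, `description`, `rules`, `action`, `process` and `remote-hosts`, which should be checked against the documentation linked earlier in the thread; `max_rules` is a constructed per-file split size and the sample hosts text is constructed.

```python
import json
import re

# Hostname check: dot-separated labels, at least two labels, 253 chars max.
_LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
_SINKS = ("0.0.0.0", "127.0.0.1")  # addresses that blocklists point hosts at
_SKIP = {"localhost", "localhost.localdomain", "broadcasthost", "0.0.0.0"}

def parse_hosts(text):
    """Return unique, validated hostnames from hosts-file text, in file order."""
    seen, hosts = set(), []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2 or fields[0] not in _SINKS:
            continue  # keep sinkhole entries only, ignore real address mappings
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in _SKIP or name in seen or len(name) > 253 or not _HOST_RE.match(name):
                continue  # local names, duplicates and malformed entries are dropped
            seen.add(name)
            hosts.append(name)
    return hosts

def to_rule_groups(hosts, name, max_rules=50000):
    """Split hosts into rule-group dicts of at most max_rules deny rules each."""
    groups = []
    for i in range(0, len(hosts), max_rules):
        chunk = hosts[i:i + max_rules]
        groups.append({
            "name": f"{name} ({i // max_rules + 1})",
            "description": f"{len(chunk)} deny rules generated from a hosts file",
            "rules": [{"action": "deny", "process": "any", "remote-hosts": h} for h in chunk],
        })
    return groups

SAMPLE_HOSTS = """\
# constructed sample, not taken from any real blocklist
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.net  # inline comment
0.0.0.0 ads.example.com
0.0.0.0 bad_host!.example.org
192.0.2.10 intranet.example.org
"""

if __name__ == "__main__":
    print(json.dumps(to_rule_groups(parse_hosts(SAMPLE_HOSTS), "Blocklist")[0], indent=2))
```

Each returned dict is meant to be written to its own .lsrules file and served over HTTPS, so one oversized list becomes several subscriptions that can be enabled one at a time.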

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Posted: Tue Nov 27, 2018 12:06 am
by pgeorgan
iFrankZagarino wrote: Hey guys,

I just registered here to let you know that I found someone who wrote an awesome python script which converts the host files from https://github.com/StevenBlack/hosts into .lsrules-files

You'll find it on github, too.
https://github.com/naveednajam/Little-Snitch---Rule-Groups

It works fine though, but the only problem so far is, that when you have such an amount of rules (nearly 70000 blocks) the Little Snitch Network Monitor doesn't respond anymore (had to deactivate it) and Little Snitch needs way more memory than before (800MB). Perhaps obdev is able to fix that problem in a later update. So it's not the perfect alternative to host file based blocking yet. But I'll try and play a bit longer with it.

edit:
Don't activate all rules! I'm not even able to start the configuration to disable the rules. There seems to be a huge CPU and memory problem with Little Snitch while it has a huge amount of connections to handle



I didn't have that problem. Could be an issue with an older computer, though. The StevenBlack conversion to rule groups worked great (though, I already had these in a hosts file).

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Posted: Tue Nov 27, 2018 12:15 am
by christian
You probably have Little Snitch 4.3 nightly installed. This version has greatly improved performance for large rule sets.

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Posted: Tue Nov 27, 2018 12:41 am
by pgeorgan
christian wrote: You probably have Little Snitch 4.3 nightly installed. This version has greatly improved performance for large rule sets.


That I do!

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Posted: Wed Nov 28, 2018 6:31 pm
by pgeorgan
Silly question, but how do I subscribe to my own .lsrules file if it's not a URL?

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Posted: Wed Nov 28, 2018 9:25 pm
by christian
This is currently not possible. We have not implemented it because it's hard to explain the security implications. Every intruder would have an easy way to make rules as he wishes. And if you synchronize the file among computers, access to one of them is sufficient to add rules.

What exactly is your use case? Can it be done in a more secure manner?

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Posted: Fri Nov 30, 2018 4:32 pm
by pgeorgan
Hmm. I guess a better question would be, is there a way to batch import a set of rules that are in .lsrules format? Currently, I have a custom script that exports .lsrules files from Steven Black's Hosts to my own GitHub repo. From there, I've subscribed to my own repo via Rule Group subscriptions.

Re: Rule Groups: Great idea but not very useful right now. I have suggestions!

Posted: Fri Nov 30, 2018 4:59 pm
by christian
If we make a seamless scriptable import of .lsrules files, every malware can use it for their purpose. We therefore insist on loading from a remote machine (with valid SSL certificate). This is not easily available to malware running locally.