I immediately thought of that too. The names these people come up with are so embarrassing. And I'm not even talking about the meaning of 'snitch'. But you already have a tool within the same IT area that is basically named the same. Why the hell would you do that? Aren't there other words in the dictionary?
thanks! snitch is closer to an ss/netstat replacement (sockets + processes) than a traffic monitor. traffic monitoring is planned, but not implemented yet.
I always wondered how useful such tools are against a competent adversary. If you are a competent engineer designing malware, wouldn't you introduce a dormancy period into your malware executable and if possible only talk to C&C while the user is doing something that talks to other endpoints? Maybe even choose the communication protocol based on what the user is doing to blend in even better.
agreed on the limits. snitch isnt aimed at adversarial detection; its a local debugging/inspection tool. a competent attacker can blend in by design, so this isnt meant to be a standalone security control
Tools like these aren't really intended for adversarial environments, and pure network tools that are designed for real adversaries have a really spotty track record (good search: [bro vantage point problem]).
When I saw this headline I assumed it was Little Snitch an existing network monitor and firewall for Macs.
Might need a different name.
https://www.obdev.at/products/littlesnitch/index.html
There's also a Linux clone of little snitch, OpenSnitch.
There's also https://github.com/snitch-org/snitch with the AUR package name 'snitch'.
Seems like a fine name. Why would little snitch existing necessitate a name change?
Because it's potentially trademark infringement because it could confuse people.
Exactly right.
I immediately thought of that too. The names these people come up with are so embarrassing. And I'm not even talking about the meaning of 'snitch'. But you already have a tool within the same IT area that is basically named the same. Why the hell would you do that? Aren't there other words in the dictionary?
> The names these people come up with are so embarrassing. And I'm not even talking about the meaning of 'snitch'.
They should call it "rat" and be done with it.
Besides, "snitch" works for Little Snitch -- I've always found it somehow endearing, although the bare word is unflattering.
it's weird that both lsof and ss defaults are so awful
Like, ss without any options shows such arcane, rarely needed details as send/receive queue size but not the application socket belongs to.
And omits listening sockets which is main use for such tools.
I know picking the right defaults is hard ask but they managed to pick all the wrong defaults.
I think the same applies for many of the new breed of command line applications like fd and ag/rg.
Being able to use them intuitively trumps ubiquity, speed or features.
The demo recording-as-code seems cool (in https://github.com/karol-broda/snitch/tree/master/demo)
It looks nice, and I don't see anything wrong with it, but I've been using iptraf-ng since forever and I think it has a slight edge here.
Is it possible I've missed something from the demonstration video on that page?
thanks! snitch is closer to an ss/netstat replacement (sockets + processes) than a traffic monitor. traffic monitoring is planned, but not implemented yet.
I love the recent increase in TUI-based tooling. This looks cool - will check it out!
Are they as accessible as GUI though (genuine question)
UI libraries have a lot of features for allowing people with disabilities to “read” and interact with the screen in efficient ways
I don't like the name but I like the TUI, connection monitoring is perfectly handled by a TUI!
I can't read as fast as your demo GIF. Just infuriating.
I always wondered how useful such tools are against a competent adversary. If you are a competent engineer designing malware, wouldn't you introduce a dormancy period into your malware executable and if possible only talk to C&C while the user is doing something that talks to other endpoints? Maybe even choose the communication protocol based on what the user is doing to blend in even better.
agreed on the limits. snitch isnt aimed at adversarial detection; its a local debugging/inspection tool. a competent attacker can blend in by design, so this isnt meant to be a standalone security control
With a name like Snitch, it should be aimed at adversarial detection.
Just my two snitches.
Tools like these aren't really intended for adversarial environments, and pure network tools that are designed for real adversaries have a really spotty track record (good search: [bro vantage point problem]).
That search did not come up with much. Can you elaborate?
Nice! Couple of notes:
1. Can you highlight the currently selected row with a different background?
2. Maybe add optional reverse DNS lookups?
prettyneat.gif
Thanks for sharing
I just want a single tool that has a known, generalized set of capabilities on just about every distribution.
Systemd's obsession with remaking every single wheel in Linux has been aggravating enough. Please don't do it again.
No-one is stopping you from using netstat.
What’s with the hostility of someone making something that’s useful for themselves and sharing it with others?