thanks! snitch is closer to an ss/netstat replacement (sockets + processes) than a traffic monitor. traffic monitoring is planned, but not implemented yet.
I always wondered how useful such tools are against a competent adversary. If you are a competent engineer designing malware, wouldn't you introduce a dormancy period into your malware executable and if possible only talk to C&C while the user is doing something that talks to other endpoints? Maybe even choose the communication protocol based on what the user is doing to blend in even better.
agreed on the limits. snitch isnt aimed at adversarial detection; its a local debugging/inspection tool. a competent attacker can blend in by design, so this isnt meant to be a standalone security control
Tools like these aren't really intended for adversarial environments, and pure network tools that are designed for real adversaries have a really spotty track record (good search: [bro vantage point problem]).
Might need a different name.
https://www.obdev.at/products/littlesnitch/index.html
Systemd's obsession with remaking every single wheel in Linux has been aggravating enough. Please don't do it again.
Is it possible I've missed something from the demonstration video on that page?
1. Can you highlight the currently selected row with a different background?
2. Maybe add optional reverse DNS lookups?
Just my two snitches.