Skip to content

Intrusion detection and file integrity monitoring in rust.

License

Notifications You must be signed in to change notification settings

snitch-ids/snitch

Repository files navigation

Snitch - Intrusion Detection System

Rust

Snitch is a file integrity and authentication monitoring system.

  • Snitch calculates and persists hashes of files found by recursing user defined directories. If a file hash changes Snitch will send a warning to the user via a sender to notify about the modified file.

  • Snitch can also watch authentication logs and send a notification when user logs in or become root.

Installation

Pre-compiled

Get the deb package or precompiled binary for OSX from the latest release.

Homebrew

brew tap snitch-ids/snitch
brew install snitch

From source

cargo install snitch

Note that access to root level folders and monitoring authentication logs usually requires an installation as root.

Configuration

Snitch can be configured in /etc/snitch/config.yaml. If that file does not exist you can run

snitch --demo-config > /etc/snitch/config.yaml

to create a template that should be fine on Linux, OSX and Windows to get started.

This is on example configuration:

---
directories:
  - /System
  - /Users
  - /sbin
  - /opt
sender:
  backend:
    url: http://api.snitch.cool
    token: MYPERSONALGENERATEDTOKEN
  telegram:
    bot_token: 3892394878927:DLKjsjs-EXAMPLE-exampleJDij4s
    chat_id: 1234567890
  email:
    smtp_user: secure
    smtp_password: secure
    smtp_server: imap.foo.bar
    receiver_address: my-receiving-address@gmail.com
  slack:
    webhook_url: sendmymessagestoslack.com
    channel: #mysecuritymessages
authentication_logs: ~
snitch_root: /tmp/snitch/

Each sender is optional.

Connect to snitch.cool

Go to snitch.cool and register with your email and a password. Confirm the email address. Go to Token and click Create Token.

Copy the created token and paste it into the section in your snitch config.yaml:

sender:
  backend:
    url: http://api.snitch.cool
    token: <PASTE-TOKEN-HERE>

Usage

Test the configured senders:

snitch --send-test-message

Run the initial scan

snitch --init

and trigger a scan to verify file integrity with

snitch --scan

Watch for file changes:

snitch --watch-files

Watch authentication logs:

snitch --watch-authentications

Performance

Ubuntu20.04 (~150.000 files) takes about one minute to hash on one virtual CPU core using SHA265 hashing.