
[Feature Request] regex lib update to allow negative lookaheads

Open · Morriz opened this issue 9 months ago · 1 comment

Summary:

The current Go-style regular expressions, based on RE2 syntax, do not support lookaheads like (?!), which rules out important use cases such as:

Detection and automatic creation of DENY outbound IP rules for later processing by scripts/AI to do research. (The event log could also be used for this, but it is transient in nature and a more explicit and stateful approach is desired.)

My thoughts:

  1. create one negative lookahead regex to ALLOW ALL trusted (with host name) DNS queries: the ones NOT matching ^(?!.*-in-addr\.arpa$).*
  2. alerts should still be thrown when direct IP traffic is caught, resulting in automatic creation of these rules.
  3. Now we have an explicit list of rules clearly showing the culprits, which can then be processed by a script to put the IPs into a blacklist (I use this script like that now):
#!/usr/bin/env python3
import os
import re

# Directory to scan
rules_dir = "/etc/opensnitchd/rules/"

# Output TXT file
output_txt = "/etc/opensnitchd/blacklists/outbound-ips.txt"

# Regex pattern to extract the four octets from rule filenames such as
# "...4-3-2-1-in-addr-arpa-53.json" (dots replaced by dashes)
ip_pattern = re.compile(
    r"(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})-in-addr-arpa-53\.json$"
)

# Set of found IP addresses (a set de-duplicates repeated rules)
ip_addresses = set()

# Scan directory
for filename in os.listdir(rules_dir):
    match = ip_pattern.search(filename)
    if not match:
        continue
    # PTR names list the octets in reverse order: "4.3.2.1.in-addr.arpa"
    # is the reverse lookup for 1.2.3.4, so reverse the groups before joining.
    octets = match.groups()[::-1]
    if any(int(octet) > 255 for octet in octets):
        continue  # not a valid IPv4 address, skip it
    ip_addresses.add(".".join(octets))

# Write to TXT, one IP per line, in a stable order
with open(output_txt, mode="w") as txtfile:
    for ip in sorted(ip_addresses):
        txtfile.write(f"{ip}\n")

print(f"Extracted {len(ip_addresses)} IPs to {output_txt}")

And with this one rule those get blocked:

{
  "created": "2025-04-07T11:06:38+02:00",
  "updated": "2025-04-07T11:06:39+02:00",
  "name": "0-blacklist",
  "description": "",
  "action": "deny",
  "duration": "always",
  "operator": {
    "operand": "lists.ips",
    "data": "/etc/opensnitchd/blacklists",
    "type": "lists",
    "list": [],
    "sensitive": false
  },
  "enabled": true,
  "precedence": true,
  "nolog": false
}

Morriz, Apr 07 '25 11:04
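Added example, not code from the issue or from the opensnitch project: a small Go program showing the two halves of the point above. First, that Go's RE2 engine refuses the lookahead pattern at compile time, so such a rule can never load. Second, the RE2-compatible way to get the same effect: match the reverse-lookup suffix positively and negate the result in code (which is what a "deny in-addr.arpa, allow the rest" rule pair does inside opensnitch). It also recovers the IPv4 address from a PTR name, since the octets in in-addr.arpa names are in reverse order. The function names CompileError, IsTrustedQuery and PTRToIPv4 are illustrative, and the ip6.arpa branch goes beyond the issue, which only mentions in-addr.arpa.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// lookaheadPattern is the pattern from the issue; Go's RE2 engine rejects it.
const lookaheadPattern = `^(?!.*-in-addr\.arpa$).*`

// CompileError returns the error Go's regexp package produces for pattern,
// or nil if RE2 accepts it.
func CompileError(pattern string) error {
	_, err := regexp.Compile(pattern)
	return err
}

// ptrName matches reverse-lookup names. The ip6.arpa alternative is an
// addition beyond the issue, which only talks about in-addr.arpa.
var ptrName = regexp.MustCompile(`\.(in-addr|ip6)\.arpa$`)

// IsTrustedQuery emulates the negative lookahead the issue asks for:
// RE2 cannot express "not ending in .in-addr.arpa", so the positive
// pattern is matched and the result is negated in code.
func IsTrustedQuery(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	return !ptrName.MatchString(host)
}

// PTRToIPv4 recovers the IPv4 address a reverse-lookup name refers to.
// PTR names list the octets in reverse order, so "4.3.2.1.in-addr.arpa"
// is the lookup for 1.2.3.4. It returns "" for anything that is not a
// valid four-octet in-addr.arpa name.
func PTRToIPv4(host string) string {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	const suffix = ".in-addr.arpa"
	if !strings.HasSuffix(host, suffix) {
		return ""
	}
	parts := strings.Split(strings.TrimSuffix(host, suffix), ".")
	if len(parts) != 4 {
		return ""
	}
	for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
		parts[i], parts[j] = parts[j], parts[i]
	}
	ip := net.ParseIP(strings.Join(parts, "."))
	if ip == nil || ip.To4() == nil {
		return "" // out-of-range octet or otherwise not IPv4
	}
	return ip.String()
}

func main() {
	fmt.Println("lookahead pattern:", CompileError(lookaheadPattern))
	// Constructed sample query names, not taken from any real log.
	for _, q := range []string{"example.com", "4.3.2.1.in-addr.arpa", "4.3.2.256.in-addr.arpa"} {
		fmt.Printf("%-24s trusted=%-5v ip=%q\n", q, IsTrustedQuery(q), PTRToIPv4(q))
	}
}
```

Running it prints the RE2 parse error for the lookahead pattern, then shows that plain host names are classified as trusted while the PTR name is not, and that the PTR name maps back to 1.2.3.4 rather than 4.3.2.1.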

Could you use pcre for this?

pcre: Go bindings for libpcre (C-based)
  - Requires CGo, so not pure Go
  - Full PCRE syntax, very fast, but requires native dependencies

Morriz, Apr 07 '25 11:04