sn0int

• Update time crate to fix build issue with Rust 1.80.0 (thanks @chenrui333!)
• Update container base image to Alpine 3.20

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.

• Port to clap 4 (this solves a bug in zsh completions too)
• Fix compile issue on Rust 1.72.0 by updating the geo dependency (thanks @ZhongRuoyu, #249)
• Change the workspace size calculation from bytesize and 1 KB -> 1000 bytes, to humansize and 1 KiB -> 1024 bytes.

This is a very small release but marked as semver-minor due to the output change.

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.

• Fix compile issue on rust 1.67.0 by updating dependencies (thanks @ZhongRuoyu)
• Refactor mqtt to do keep-alive automatically and by default. Some mqtt brokers started rejecting a keep-alive value of 0 as invalid, refusing the connection.

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.

• Add missing seccomp syscall (clone3)
• Sandbox crash error message has been changed from EOF while parsing a value at line 1 column 0 to Sandbox child has crashed
• Support compiling for RISC-V 64-bit (#234, @SpriteOvO)
• Fixes related to path handling (#227, @stoeckmann)
• Reduce some heap allocation

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.

• Add missing seccomp syscalls (rt_sigaction, rseq)
• Update Dockerfile to alpine 3.15 and buildkit (you might need to export DOCKER_BUILDKIT=1)
• Fix some clippy warnings
• Fix a typo in an example module (#224, @ysf)

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.

• Fix seccomp issue with fstat

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

sn0int rescope -i

There've been commands for {scope,noscope,autoscope,autonoscope} for a while, scope/noscope sets entities to out-of-scope which automatically excludes them from further investigations, and autoscope/autonoscope is a system to automatically set things out-of-scope with a hierarchical rule set.

In the past there was no way to re-apply these rules to existing entities. This is now possible with the rescope command that's available both from the interactive cli and the commandline.

It defaults to non-interactive mode that shows a diff when applying the rules and asks for confirmation. -n is a dry-run to always reject the change, -y to automatically apply it and -i to interactively decide for each entity.

Besides the obvious y and n there's also:

• d (done) - apply the changes confirmed so far, skip the rest
• a (always) - apply all other changes matching this specific rule: if example.com matched noscope .com and you select a, example.com would be set out-of-scope and the next-up foobar.com would be automatically set out-of-scope without asking again
• x (never) - skip this change and all future changes matched by this rule

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

• Allow using run <module> interactively
• Allow setting a proxy with run -X <proxy>
• Add functions for perceptual image hashing
• Allow setting a different default user agent

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

• Support invoking shell commands with ! from readline
• The workspace can be selected with the SN0INT_WORKSPACE environment variable. Running shell commands with the new ! feature autoamtically sets this variable to the current workspace
• Bump dependencies

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

• Fix seccomp segfault with open on x86_64 musl
• Update dependencies
• Update dockerfile baseimage

Thanks

We'd like to thank @repi for their support on github sponsors.

• Fix build failure on aarch64 musl

Thanks

We'd like to thank @repi for their support on github sponsors.

• Added new stats command to show data in the workspace. This is also available as a subcommand with sn0int -w foo stats
• Add select --values as shorthand for jq -r .value
• Allow deleting multiple workspaces at once

Thanks

We'd like to thank @repi for their support on github sponsors.

• Speedup initial setup of a new workspace by 1242% (2913ms vs 217ms in my tests)
• Update dependencies (including security updates)

Thanks

We'd like to thank @repi for their support on github sponsors.

• Introduce stealth levels (loud, normal, silent, offline) that modules can specify and you can select which modules you want to enable based on the stealth level
• The author and repository can be added to module metadata
• Support inverse rules for notifications
• Some structs can now be streamed into the database from stdin with sn0int add --stdin
• The http functions now support redirects

Thanks

We'd like to thank @repi for their support on github sponsors.

Bugfixes in notification system

• Execution of a notification hook doesn't cause further queued executions to abort anymore.
• Ratelimits are now shared with notification modules as well so webhook ratelimits can be honored.

Thanks

We'd like to thank @repi for their support on github sponsors.

New Feature: calendar

Previous releases introduced activity as a new discoverable datapoint, there's now a new cal command to show a calendar that's annotated with a heat-map.

sn0int cal 2020

It's also possible to break them down to a specific time (-T) which defaults to 12 minute slices, or group by hour instead (-H). To -C to show additional days for context (this also works in the month view):

sn0int cal -TC3

New Feature: notify

There's a new notification system that you can hook into. Notifications are also just sent with regular sn0int modules that take -- Source: notifications as input, to get the list of notification modules that are currently installed run:

sn0int pkg list --source notifications

This enables you to run sn0int automatically and unattended to monitor infrastructure. A full walk-through of how to setup notification routing can be found here:

https://sn0int.readthedocs.io/en/latest/notifications.html

Please note that this feature is still very much work in progress.

Misc

• Add deprecation notice for mod command in favor of pkg
• Make pkg quickstart skip already installed modules
• Make sn0int more forgiving with accidential ^C
• Fix seccomp issues with sleep

Thanks

We'd like to thank @repi for their support on github sponsors.

• Fix incomplete osx 10.13 dns bugfix

• Work around issue with ipv6 dns resolvers on OSX 10.13
• Support patterns in pkg list
• Add select --count
• Improve error messages
• Fix a display issue with netblocks in detailed view

• Add functions to connect to mqtt broker
• Add decryption function for libsodium secret box
• Add binary support in http_request/http_send
• Fix a bug that prevented adding urls with empty body
• Switch docker container to alpine
• Do not error for read timeouts in sock_recvline
• Support geoip database path used by geoipupdate
• Replace quickstart with pkg quickstart
• Support more advanced time references in sn0int activity, like '1h ago'
• Change update check interval

• Fix seccomp build issues on aarch64
• Fix regression in x509_parse_pem (dependency downgraded and sent https://github.com/rusticata/x509-parser/pull/27)
• Add sn0int run --dump-sandbox-init-msg for sandbox debugging
• Add exit and quit to exit the sn0int cli