spyguard / spyguard

SpyGuard is a forked and enhanced version of TinyCheck. SpyGuard's main objective is to detect signs of compromise by monitoring network flows transmitted by a device.

License: Apache License 2.0

Python 43.99% JavaScript 1.09% HTML 0.15% Vue 30.11% CSS 22.07% Shell 2.59%
cybersecurity iot smartphone wifi-hotspot mitm

spyguard's Introduction


Description

SpyGuard is a forked and enhanced version of TinyCheck, developed by the same author when he was working at Kaspersky. SpyGuard's main objective is to detect signs of compromise by monitoring the network flows transmitted by a device.

Because it works over WiFi, SpyGuard can be used against a wide range of devices, such as smartphones, laptops, IoT devices or workstations. To do its job, SpyGuard's analysis engine uses Indicators of Compromise (IOCs) and anomaly detection, and is supported by Suricata.

Examples of use cases

  • 📰 Journalists: As a journalist, I need to test my smartphone against spyware before or during engagements with confidential informants.
  • 🏦 IT Services: Working for a public institution, I aim to set up a self-service station where individuals can check their smartphones for spyware.
  • 🌏 NGOs: After traveling overseas, I'm looking to check my phone and laptop quickly.
  • 👩 Women's Shelter: I seek to examine the smartphones of women upon their arrival for any stalkerware.
  • 👮‍♂️ LEA: I aim to check the communications of a smartphone in response to a complaint, as a preliminary step before proceeding with a full forensic analysis.

Note: SpyGuard is not a forensic tool. Therefore, it might miss malware that does not communicate during the analysis. Please refer to the FAQ for more information.

Installation

You need a Debian-like operating system to install it easily with the provided bash script. Once you've cloned the repository, launch install.sh as root:

cd /tmp/ && git clone https://github.com/SpyGuard/spyguard
cd spyguard && sudo bash install.sh

Once installed, go to the backend interface at https://localhost:8443 to manage the device and set up the right network interfaces. See the dedicated wiki page for tips on that step.

Warning

Before installing, check that your Linux distribution uses nmcli (NetworkManager) to manage networks. On a Raspberry Pi, enable NetworkManager through the raspi-config interface before installing SpyGuard.

The frontend is available at the URL https://localhost:8000.
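Before running install.sh, a practitioner would want to confirm the assumptions that the README and the issue tracker further down this page make explicit: running as root, an apt-based system, NetworkManager (nmcli) actually running, the capture binaries and arp (net-tools) present, and the system python3 able to import Flask and SQLAlchemy with a Flask/Jinja2 pair that still works together. The script below is an added example, not part of SpyGuard. The binary list comes from the README's dependency list and the issues on this page; the Flask 2.1 / Jinja2 3.1 thresholds are the known point at which `from jinja2 import escape` stopped working, and the file name and report format are this example's own.

```sh
#!/bin/sh
# spyguard_preflight.sh (added example, not SpyGuard code)
# Pre-install / post-install sanity checks for a SpyGuard host.
# Usage: sudo sh spyguard_preflight.sh

# Print the names from the argument list that are not on PATH (empty if all present).
missing_cmds() {
  missing=""
  for c in "$@"; do
    command -v "$c" >/dev/null 2>&1 || missing="$missing $c"
  done
  printf '%s' "${missing# }"
}

# Reduce "MAJOR.MINOR[.PATCH]" to a comparable integer (MAJOR*1000 + MINOR).
ver_key() {
  printf '%s\n' "$1" | awk -F. '{ printf "%d", $1 * 1000 + ($2 + 0) }'
}

# ver_ge A B: succeed when version A >= version B (major.minor comparison only).
ver_ge() {
  [ "$(ver_key "$1")" -ge "$(ver_key "$2")" ]
}

# Flask releases before 2.1 execute `from jinja2 import escape`, which Jinja2 3.1
# removed; that pair produces "ImportError: cannot import name 'escape'".
flask_jinja_pair_ok() {  # flask_jinja_pair_ok FLASK_VERSION JINJA2_VERSION
  if ! ver_ge "$1" 2.1 && ver_ge "$2" 3.1; then
    return 1
  fi
  return 0
}

# Installed version of a Python distribution as seen by the system interpreter
# (the systemd units run /usr/bin/python3, not a venv); empty if not installed.
py_dist_version() {
  python3 -c "import importlib.metadata as m; print(m.version('$1'))" 2>/dev/null || true
}

preflight_report() {
  if [ "$(id -u)" -eq 0 ]; then echo "[ok] running as root"; else echo "[!!] install.sh must run as root"; fi

  if command -v apt-get >/dev/null 2>&1; then echo "[ok] apt-based distribution"; else echo "[!!] no apt-get: install.sh targets Debian-like systems"; fi

  # SpyGuard drives the ephemeral hotspot through NetworkManager via nmcli.
  if [ "$(nmcli -t -f RUNNING general 2>/dev/null)" = "running" ]; then
    echo "[ok] NetworkManager running"
  else
    echo "[!!] nmcli missing or NetworkManager not running (enable it in raspi-config on a Pi)"
  fi

  m=$(missing_cmds dumpcap suricata dig arp python3)
  if [ -z "$m" ]; then echo "[ok] capture/analysis binaries present"; else echo "[!!] missing: $m (arp is in net-tools)"; fi

  for dist in Flask SQLAlchemy Jinja2; do
    v=$(py_dist_version "$dist")
    if [ -n "$v" ]; then echo "[ok] $dist $v"; else echo "[!!] python3 cannot import $dist"; fi
  done
  fv=$(py_dist_version Flask); jv=$(py_dist_version Jinja2)
  if [ -n "$fv" ] && [ -n "$jv" ] && ! flask_jinja_pair_ok "$fv" "$jv"; then
    echo "[!!] Flask $fv with Jinja2 $jv: upgrade Flask (>=2.1) or pin jinja2<3.1"
  fi
}

preflight_report
```

The report never aborts on a failed check, so it is safe to run again after install.sh to confirm that the three spyguard-* services have what they need.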

Smartphone analysis best practices

  • Do the interception in a public place (library, restaurant, train station...) or common place (office, home...);
  • Intercept the network communications of the device for at least 15 minutes;
  • Interact with the analysed device during the interception (reboot it, take a photo, send an SMS...);

SpyGuard and Stalkerware threat

The indicators of compromise (IOCs) linked to stalkerware are now fully managed by ECHAP, a French association working against cyberviolence. Even though stalkerware remains a threat, remember that most digital violence and surveillance is carried out by simple means, such as hijacking cloud and mail accounts. We therefore encourage you to consult the ECHAP guides and apply their advice to your digital life alongside device checks.

Important

The IOCs are distributed under the Creative Commons BY-NC-SA licence, which restricts them to non-commercial use. Please respect this licence and direct any related question to ECHAP.

Commercial use

You can use SpyGuard in a commercial product. However, you can't use SpyGuard as the name of your product, and you are still required to follow the terms of the Apache License, such as referring to the SpyGuard project in customer documentation. A short note explaining your use to the author is always appreciated; see the contact below. Liked SpyGuard? Do not hesitate to make a donation!

Contact

If you need help understanding the results of an analysis or have a specific request or question, contact the author via Twitter or by email. Found a bug? Open a new issue.

They have contributed to or helped this project

  

To work, SpyGuard uses many open-source projects, libraries and fonts; kudos to them:

Dumpcap, Dig, Suricata, NetworkManager, Python, VueJS, Pip, pydig, pymisp, netaddr, pyyaml, flask, flask_httpauth, pyjwt, sqlalchemy, psutil, pyudev, qrcode, netifaces, weasyprint, python-whois, publicsuffix2, six, Exo2 font, Virtual Keyboard, OpenSSL, Spectre CSS.

Icons and design created via Figma, list of active TOR nodes taken from Dan.me.uk

spyguard's People

Contributors

b068931cc450442b63f5b3d276ea4297, felixaime, ntekpelek, spyguard, wikijm


spyguard's Issues

change software's name

Hi everyone, I've already installed SpyGuard on my Raspberry and now I would like to change the name "spyguard". Does anyone know how to do it? I tried many times to modify the code but it does not work :(
Thanks

problem with the report

After SpyGuard finishes the scan, when I hit "show report" it doesn't work. It always stays on the page.

This is the error:

vue-router.esm.js:2046 Uncaught (in promise) Error: Navigation cancelled from "/analysis" to "/report" with a new navigation.
at Ht (vue-router.esm.js:2046:15)
at Bt (vue-router.esm.js:2028:10)
at vue-router.esm.js:2399:22
at r (vue-router.esm.js:2084:7)
at r (vue-router.esm.js:2091:9)
at qt (vue-router.esm.js:2095:3)
at vue-router.esm.js:2397:5
at r (vue-router.esm.js:2084:7)
at vue-router.esm.js:2088:11
at vue-router.esm.js:2384:11
Ht @ vue-router.esm.js:2046
Bt @ vue-router.esm.js:2028
(anonymous) @ vue-router.esm.js:2399
r @ vue-router.esm.js:2084
r @ vue-router.esm.js:2091
qt @ vue-router.esm.js:2095
(anonymous) @ vue-router.esm.js:2397
r @ vue-router.esm.js:2084
(anonymous) @ vue-router.esm.js:2088
(anonymous) @ vue-router.esm.js:2384
(anonymous) @ vue-router.esm.js:2127
(anonymous) @ vue-router.esm.js:2203
Promise.then (async)
(anonymous) @ vue-router.esm.js:2150
(anonymous) @ vue-router.esm.js:2171
(anonymous) @ vue-router.esm.js:2171
Gt @ vue-router.esm.js:2170
(anonymous) @ vue-router.esm.js:2106
h @ vue-router.esm.js:2362
r @ vue-router.esm.js:2087
r @ vue-router.esm.js:2091
r @ vue-router.esm.js:2091
qt @ vue-router.esm.js:2095
te.confirmTransition @ vue-router.esm.js:2392
te.transitionTo @ vue-router.esm.js:2260
e.replace @ vue-router.esm.js:2618
(anonymous) @ vue-router.esm.js:3049
_e.replace @ vue-router.esm.js:3048
(anonymous) @ analysis.vue:54
Promise.then (async)
get_alerts @ analysis.vue:49
(anonymous) @ analysis.vue:41
setInterval (async)
(anonymous) @ analysis.vue:41
Promise.then (async)
start_analysis @ analysis.vue:39
created @ analysis.vue:72
Xe @ vue.runtime.esm.js:3015
In @ vue.runtime.esm.js:4029
t._init @ vue.runtime.esm.js:5678
a @ vue.runtime.esm.js:5811
cr @ vue.runtime.esm.js:4542
init @ vue.runtime.esm.js:4404
n @ vue.runtime.esm.js:4559
v @ vue.runtime.esm.js:6552
d @ vue.runtime.esm.js:6506
T @ vue.runtime.esm.js:6801
j @ vue.runtime.esm.js:6894
(anonymous) @ vue.runtime.esm.js:7062
Tn.t._update @ vue.runtime.esm.js:3767
r @ vue.runtime.esm.js:3873
t.get @ vue.runtime.esm.js:3444
t.run @ vue.runtime.esm.js:3520
Wn @ vue.runtime.esm.js:4119
(anonymous) @ vue.runtime.esm.js:3141
rn @ vue.runtime.esm.js:3063
Promise.then (async)
Qe @ vue.runtime.esm.js:3088
un @ vue.runtime.esm.js:3153
Xn @ vue.runtime.esm.js:4205
t.update @ vue.runtime.esm.js:3511
t.notify @ vue.runtime.esm.js:720
set @ vue.runtime.esm.js:1035
(anonymous) @ vue-router.esm.js:3005
(anonymous) @ vue-router.esm.js:3004
te.updateRoute @ vue-router.esm.js:2414
(anonymous) @ vue-router.esm.js:2263
(anonymous) @ vue-router.esm.js:2402
r @ vue-router.esm.js:2084
r @ vue-router.esm.js:2091
qt @ vue-router.esm.js:2095
(anonymous) @ vue-router.esm.js:2397
r @ vue-router.esm.js:2084
(anonymous) @ vue-router.esm.js:2088
(anonymous) @ vue-router.esm.js:2384
(anonymous) @ vue-router.esm.js:2127
(anonymous) @ vue-router.esm.js:2203
Promise.then (async)
(anonymous) @ vue-router.esm.js:2150
(anonymous) @ vue-router.esm.js:2171
(anonymous) @ vue-router.esm.js:2171
Gt @ vue-router.esm.js:2170
(anonymous) @ vue-router.esm.js:2106
h @ vue-router.esm.js:2362
r @ vue-router.esm.js:2087
r @ vue-router.esm.js:2091
r @ vue-router.esm.js:2091
qt @ vue-router.esm.js:2095
te.confirmTransition @ vue-router.esm.js:2392
te.transitionTo @ vue-router.esm.js:2260
e.replace @ vue-router.esm.js:2618
(anonymous) @ vue-router.esm.js:3049
_e.replace @ vue-router.esm.js:3048
stop_capture @ capture.vue:50
click @ capture.vue:1
Xe @ vue.runtime.esm.js:3015
n @ vue.runtime.esm.js:1813
Ti.i._wrapper @ vue.runtime.esm.js:7458
vue.runtime.esm.js:3047 TypeError: Cannot read properties of undefined (reading 'split')
at a.r (report.vue:1:3524)
at Re.t._render (vue.runtime.esm.js:2682:28)
at a.r (vue.runtime.esm.js:3873:27)
at t.get (vue.runtime.esm.js:3444:33)
at t.run (vue.runtime.esm.js:3520:30)
at Wn (vue.runtime.esm.js:4119:17)
at Array. (vue.runtime.esm.js:3141:20)
at rn (vue.runtime.esm.js:3063:16)

Failed to create AP

Hi,
Just tried the latest version on the RPi (updated Raspbian) and always get the same error:
"trouble when creating ap"
On the RPi I have the local IP in green, showing that the internet configuration is OK (wlan/eth0).
Any idea how I can fix this? Can we hard-code the fake AP somewhere?
Thank you for your help, super Felix

Question about config.yaml

Hello,

I would like to know what is the meaning of the following parameters in the config.yaml file: max_ports: 1024.

Does this mean that the ports analyzed by Spyguard range from 0 to 1024? If so, why not set them to the maximum?

Thank you.

Ephemeral WiFi

Hello

SpyGuard installed on a Raspberry Pi.
NetworkManager enabled.
Connected over Ethernet.
Network choice: wlan - eth0

However, SpyGuard does not generate an ephemeral WiFi for me.

Thanks for your help

TypeError: t.pcap['First packet time'] is undefined

When i press "Show the full report" button, browser debug console shows error:
TypeError: t.pcap['First packet time'] is undefined. vue.runtime.esm.js:3047:16
r report.vue:1
VueJS 14
click report.vue:1
VueJS 33

Any ideas how to fix it?

how to install it on a RaspBerry?

Hi guys, I'm a young programmer and I'd like to install SpyGuard on a Raspberry, but I don't really know exactly how to do it.
Could someone help me please?

show full report, doesn't work.

At the moment the existence of moderate alerts appears, there are two options, new capture or show the complete report. The button to show the complete report, no matter how much it is selected, does not lead anywhere. On the other hand, the new capture works perfectly .. :-) .... Does the same thing happen to anyone else?
Raspberry system, with the network interfaces working.

Installation problem

Hi, the installation always freezes while generating IOCs:

[+] Creating services
[✔] Creating frontend service
[✔] Creating backend service
[✔] Creating watchers service
[✔] Enabling services
[✔] Starting services
[+] Feeding your SpyGuard instance with fresh IOCs and whitelist, please wait.

Another thing, but I think it should not be failing at this point of installation is that I have two eth interfaces, my idea was to change the sniff command from wlan0 to eth0 (for example).

I have Ubuntu under Vmware, with 8GB ram and 4 cpus.

Thanks,

V2 - TODOLIST

After one year away, stuff that I think about for a new version. Do not hesitate to add your ideas in comment

  • Add the possibility to create an ethernet bridge from the interface menu ;
  • Add residential proxies detection with specific alert / banner ;
  • Top 1M check for some uncategorized FQDNs ;
  • Add hash-salted indicators ;
  • IOCs description or tags ;
  • Switch to VueJS 3 ;
  • Network communication graphs on the report view for non whitelisted hosts ;
  • Dark theme for the front interface ;
  • OsmocomBB ?
  • IOCs importer from command line ;
  • Private IOCs webserver & api for spyguard fleet ;

Report page - can't select text

On the report page with details it's not possible to select text and copy. It would be beneficial if that become possible, for example when user wants to copy IP address/domain name to further investigate it. I checked at the Developer Tools in the browser, it seems that CSS user-select property is set to none in the app/frontend/src/assets/{custom.css,spectre.min.css}. I don't know if that can be changed, I mean maybe it's intentional.

nl80211 driver interface is not designed to be used with ap_scan=2

Cross referencing issue 10 and post #10 (comment)

git clone as of 2024-01-25,

On generation of the ephemeral network with the onboard M.2 WLAN NIC, syslog shows
nl80211 driver interface is not designed to be used with ap_scan=2

Full text after regeneration from syslog:
2024-01-25T07:57:14.152283+00:00 spyguard generate[11513]: Permissions for /etc/netplan/01-network-manager-all.yaml are too open. Netplan configuration should NOT be accessible by others.

2024-01-25T07:57:14.209261+00:00 spyguard NetworkManager[803]: <info>  [1706169434.2088] audit: op="connection-add" uuid="c2d73882-8b73-4ee8-9f85-9022b200cf38" name="Netgear-a5d4" pid=11507 uid=0 result="success"

2024-01-25T07:57:14.212473+00:00 spyguard python3[11507]: Connection 'Netgear-a5d4' (c2d73882-8b73-4ee8-9f85-9022b200cf38) successfully added.

2024-01-25T07:57:14.234411+00:00 spyguard dbus-daemon[1052]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gnome/Mutter/IdleMonitor/Core" interface="org.gnome.Mutter.IdleMonitor" member="GetIdletime" mask="send" name=":1.34" pid=3856 label="snap.firefox.firefox" peer_pid=1211 peer_label="unconfined"

2024-01-25T07:57:14.364342+00:00 spyguard generate[11522]: Permissions for /etc/netplan/01-network-manager-all.yaml are too open. Netplan configuration should NOT be accessible by others.

2024-01-25T07:57:14.420484+00:00 spyguard NetworkManager[803]: <info>  [1706169434.4204] audit: op="connection-update" uuid="c2d73882-8b73-4ee8-9f85-9022b200cf38" name="Netgear-a5d4" args="802-11-wireless.mode,802-11-wireless.band,ipv4.method" pid=11516 uid=0 result="success"

2024-01-25T07:57:14.570172+00:00 spyguard generate[11531]: Permissions for /etc/netplan/01-network-manager-all.yaml are too open. Netplan configuration should NOT be accessible by others.

2024-01-25T07:57:14.622787+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6227] audit: op="connection-update" uuid="c2d73882-8b73-4ee8-9f85-9022b200cf38" name="Netgear-a5d4" args="802-11-wireless-security.psk,802-11-wireless-security.key-mgmt" pid=11525 uid=0 result="success"

2024-01-25T07:57:14.639330+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6392] agent-manager: agent[139c5ee8d1eaceae,:1.161/nmcli-connect/0]: agent registered

2024-01-25T07:57:14.640295+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6402] device (wlp3s0): Activation: starting connection 'Netgear-a5d4' (c2d73882-8b73-4ee8-9f85-9022b200cf38)

2024-01-25T07:57:14.642180+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6403] audit: op="connection-activate" uuid="c2d73882-8b73-4ee8-9f85-9022b200cf38" name="Netgear-a5d4" pid=11534 uid=0 result="success"

2024-01-25T07:57:14.642349+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6403] device (wlp3s0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed')

2024-01-25T07:57:14.645600+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6413] device (wlp3s0): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')

2024-01-25T07:57:14.645736+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6420] device (wlp3s0): Activation: (wifi) access point 'Netgear-a5d4' has security, but secrets are required.

2024-01-25T07:57:14.645811+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6426] device (wlp3s0): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')

2024-01-25T07:57:14.645873+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6440] device (wlp3s0): state change: need-auth -> prepare (reason 'none', sys-iface-state: 'managed')

2024-01-25T07:57:14.645941+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6448] device (wlp3s0): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')

2024-01-25T07:57:14.646002+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6451] device (wlp3s0): Activation: (wifi) connection 'Netgear-a5d4' has security, and secrets exist.  No new secrets needed.

2024-01-25T07:57:14.646080+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6452] Config: added 'ssid' value 'Netgear-a5d4'

2024-01-25T07:57:14.646302+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6452] Config: added 'mode' value '2'

2024-01-25T07:57:14.646382+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6452] Config: added 'frequency' value '2437'

2024-01-25T07:57:14.646452+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6453] Config: added 'freq_list' value '2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472 2484'

2024-01-25T07:57:14.646518+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6453] Config: added 'key_mgmt' value 'WPA-PSK WPA-PSK-SHA256 SAE'

2024-01-25T07:57:14.646578+00:00 spyguard NetworkManager[803]: <info>  [1706169434.6453] Config: added 'psk' value '<hidden>'

2024-01-25T07:57:14.660536+00:00 spyguard wpa_supplicant[804]: Note: nl80211 driver interface is not designed to be used with ap_scan=2; this can result in connection failures

2024-01-25T07:57:14.910014+00:00 spyguard python3[5036]: 127.0.0.1 - - [25/Jan/2024 07:57:14] "GET /api/network/wifi/list HTTP/1.1" 200 -

2024-01-25T07:57:14.976125+00:00 spyguard python3[5036]: 127.0.0.1 - - [25/Jan/2024 07:57:14] "GET /api/misc/config HTTP/1.1" 200 -

2024-01-25T07:57:15.061541+00:00 spyguard wpa_supplicant[804]: wlp3s0: interface state UNINITIALIZED->ENABLED

2024-01-25T07:57:15.061650+00:00 spyguard wpa_supplicant[804]: wlp3s0: AP-ENABLED

2024-01-25T07:57:15.061715+00:00 spyguard wpa_supplicant[804]: wlp3s0: CTRL-EVENT-CONNECTED - Connection to a8:93:4a:72:41:2d completed [id=0 id_str=]

2024-01-25T07:57:15.061784+00:00 spyguard wpa_supplicant[804]: wlp3s0: Reject scan trigger since one is already pending

2024-01-25T07:57:15.061839+00:00 spyguard wpa_supplicant[804]: wlp3s0: Failed to initiate AP scan

2024-01-25T07:57:15.062410+00:00 spyguard NetworkManager[803]: <info>  [1706169435.0623] device (wlp3s0): supplicant interface state: disconnected -> completed

2024-01-25T07:57:15.062514+00:00 spyguard NetworkManager[803]: <info>  [1706169435.0623] device (wlp3s0): Activation: (wifi) Stage 2 of 5 (Device Configure) successful. Started Wi-Fi Hotspot "Netgear-a5d4"

2024-01-25T07:57:15.062607+00:00 spyguard NetworkManager[803]: <info>  [1706169435.0623] device (p2p-dev-wlp3s0): supplicant management interface state: disconnected -> completed

2024-01-25T07:57:15.062682+00:00 spyguard NetworkManager[803]: <info>  [1706169435.0625] device (wlp3s0): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed')

2024-01-25T07:57:15.091570+00:00 spyguard avahi-daemon[751]: Joining mDNS multicast group on interface wlp3s0.IPv4 with address 10.42.0.1.

2024-01-25T07:57:15.093076+00:00 spyguard avahi-daemon[751]: New relevant interface wlp3s0.IPv4 for mDNS.

2024-01-25T07:57:15.093200+00:00 spyguard avahi-daemon[751]: Registering new address record for 10.42.0.1 on wlp3s0.IPv4.

2024-01-25T07:57:15.093882+00:00 spyguard NetworkManager[803]: <info>  [1706169435.0938] dnsmasq-manager: starting dnsmasq...

2024-01-25T07:57:15.097172+00:00 spyguard NetworkManager[803]: <info>  [1706169435.0970] device (wlp3s0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'managed')

2024-01-25T07:57:15.098529+00:00 spyguard avahi-daemon[751]: Joining mDNS multicast group on interface wlp3s0.IPv6 with address fe80::af6e:9863:1eee:c09e.

2024-01-25T07:57:15.099086+00:00 spyguard avahi-daemon[751]: New relevant interface wlp3s0.IPv6 for mDNS.

2024-01-25T07:57:15.099166+00:00 spyguard avahi-daemon[751]: Registering new address record for fe80::af6e:9863:1eee:c09e on wlp3s0.*.

2024-01-25T07:57:15.100053+00:00 spyguard dbus-daemon[753]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.12' (uid=0 pid=803 comm="/usr/sbin/NetworkManager --no-daemon" label="unconfined")

2024-01-25T07:57:15.104006+00:00 spyguard dnsmasq[11573]: started, version 2.89 cachesize 150

2024-01-25T07:57:15.104346+00:00 spyguard dnsmasq[11573]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile

2024-01-25T07:57:15.104412+00:00 spyguard dnsmasq[11573]: chown of PID file /run/nm-dnsmasq-wlp3s0.pid failed: Operation not permitted

2024-01-25T07:57:15.104466+00:00 spyguard dnsmasq-dhcp[11573]: DHCP, IP range 10.42.0.10 -- 10.42.0.254, lease time 1h

2024-01-25T07:57:15.104511+00:00 spyguard dnsmasq[11573]: reading /etc/resolv.conf

2024-01-25T07:57:15.104562+00:00 spyguard dnsmasq[11573]: using nameserver 127.0.0.53#53

2024-01-25T07:57:15.104601+00:00 spyguard dnsmasq[11573]: cleared cache

2024-01-25T07:57:15.130458+00:00 spyguard systemd[1]: Starting NetworkManager-dispatcher.service - Network Manager Script Dispatcher Service...

2024-01-25T07:57:15.137261+00:00 spyguard dbus-daemon[753]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'

2024-01-25T07:57:15.137730+00:00 spyguard systemd[1]: Started NetworkManager-dispatcher.service - Network Manager Script Dispatcher Service.

2024-01-25T07:57:15.138707+00:00 spyguard NetworkManager[803]: <info>  [1706169435.1386] device (wlp3s0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'managed')

2024-01-25T07:57:15.138899+00:00 spyguard NetworkManager[803]: <info>  [1706169435.1388] device (wlp3s0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'managed')

2024-01-25T07:57:15.139775+00:00 spyguard NetworkManager[803]: <info>  [1706169435.1395] device (wlp3s0): Activation: successful, device activated.

2024-01-25T07:57:15.151901+00:00 spyguard python3[5036]: 127.0.0.1 - - [25/Jan/2024 07:57:15] "GET /api/network/ap/start HTTP/1.1" 200 -

2024-01-25T07:57:15.179408+00:00 spyguard python3[5036]: 127.0.0.1 - - [25/Jan/2024 07:57:15] "GET /api/capture/start HTTP/1.1" 200 -

2024-01-25T07:57:15.184919+00:00 spyguard python3[11596]: Capturing on 'wlp3s0'

2024-01-25T07:57:15.185189+00:00 spyguard kernel: [ 1993.361925] rtw89_8852be 0000:03:00.0 wlp3s0: entered promiscuous mode

2024-01-25T07:57:15.189356+00:00 spyguard python3[11597]: i: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode

2024-01-25T07:57:15.209651+00:00 spyguard python3[11596]: File: /tmp/E56D4540/capture.pcap

2024-01-25T07:57:15.234619+00:00 spyguard python3[11595]: Unable to connect to socket /var/run/suricata-command.socket: L177: [Errno 111] Connection refused

2024-01-25T07:57:15.343062+00:00 spyguard python3[5036]: 127.0.0.1 - - [25/Jan/2024 07:57:15] "GET /api/network/status HTTP/1.1" 200 -

2024-01-25T07:57:15.624349+00:00 spyguard python3[11597]: i: threads: Threads created -> W: 4 FM: 1 FR: 1   Engine started.

2024-01-25T07:57:15.792099+00:00 spyguard python3[11596]: #015Packets: 1

2024-01-25T07:57:15.792377+00:00 spyguard python3[5036]: 127.0.0.1 - - [25/Jan/2024 07:57:15] "GET /api/device/get/E56D4540 HTTP/1.1" 200 -

2024-01-25T07:57:15.920248+00:00 spyguard python3[5036]: 127.0.0.1 - - [25/Jan/2024 07:57:15] "GET /api/network/wifi/list HTTP/1.1" 200 -

2024-01-25T07:57:15.975602+00:00 spyguard python3[5036]: 127.0.0.1 - - [25/Jan/2024 07:57:15] "GET /api/misc/config HTTP/1.1" 200 -

2024-01-25T07:57:16.063704+00:00 spyguard wpa_supplicant[804]: wlp3s0: CTRL-EVENT-SCAN-FAILED ret=-95

2024-01-25T07:57:16.064583+00:00 spyguard geoclue[1744]: WiFi scan failed

QR scan will not connect any device.

Can't connect to SpyGuard generated Access Point

SpyGuard generates Access Points, but devices can't connect to it. It usually says that the password is incorrect, otherwise - login failed. I tried with several phones, a laptop, but it didn't work.
SpyGuard tested on laptop with Raspberry Pi Desktop - bullseye 32-bit, ubuntu-20.04.4-desktop-amd64.

Running on PFSense?

I know it is designed to run on debian based machines, but is there plans to expand this to work on other devices/OS's? I would love to use this on my current infrastructure, which has PFSense. While PFSense isn't controlling wifi, all traffic does pass through it.

No Analysis after 27 Minutes

After connecting and recording for about 15 seconds and then going to analysis, the process wouldn't come to an end.
After 10 minutes I stopped the whole process and looked in the console.

There were a lot of outputs of the same error:

Error: timeout of 10000ms exceeded
at t.exports (createError.js:16:15)
at d.ontimeout (xhr.js:111:14)

While installing i switched to the issue solution:
#9

I am on a Raspberry Pi B4 4gb with the current Raspberry PI OS.

Any help will be much appreciated

Wifi connection showing not connected - even when it is

I've successfully installed Spyguard on RaspOs Bookworm on Raspberry Pi 4.

All works fine but it shows as Wifi not connected at the bottom right of the capture screen.

However, it is connected, scans and creates reports correctly.

I've tried swapping round the on board WiFi with usb dongle for AP and Internet link, but it makes no difference in either configuration.

Everything looks correct in the new network manager for bookworm sudo nmtui

Anyone else seen this issue and found a solution ?


Jinja2

Hello,

When I update/install SpyGuard on an RPi4 I get an error on launch:
#####################################################
service spyguard-frontend status

● spyguard-frontend.service - Spyguard frontend service
Loaded: loaded (/lib/systemd/system/spyguard-frontend.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2023-05-05 20:58:22 CEST; 5min ago
Process: 411 ExecStart=/usr/bin/python3 /usr/share/spyguard/server/frontend/main.py (code=exited, status=1/FAILURE)
Main PID: 411 (code=exited, status=1/FAILURE)
CPU: 533ms

May 05 20:58:20 spyguard systemd[1]: Started Spyguard frontend service.
May 05 20:58:22 spyguard python3[411]: Traceback (most recent call last):
May 05 20:58:22 spyguard python3[411]: File "/usr/share/spyguard/server/frontend/main.py", line 4, in <module>
May 05 20:58:22 spyguard python3[411]: from flask import Flask, render_template, send_from_directory, redirect, abort
May 05 20:58:22 spyguard python3[411]: File "/usr/local/lib/python3.9/dist-packages/flask/__init__.py", line 14, in <module>
May 05 20:58:22 spyguard python3[411]: from jinja2 import escape
May 05 20:58:22 spyguard python3[411]: ImportError: cannot import name 'escape' from 'jinja2' (/usr/local/lib/python3.9/dist-packages/jinja2/__init__.py)
May 05 20:58:22 spyguard systemd[1]: spyguard-frontend.service: Main process exited, code=exited, status=1/FAILURE
May 05 20:58:22 spyguard systemd[1]: spyguard-frontend.service: Failed with result 'exit-code'.

##########################################

pip install jinja2

Looking in indexes: https://pypi.org/simple, https://www.piwheels.org/simple
Requirement already satisfied: jinja2 in /usr/local/lib/python3.9/dist-packages (3.1.2)
Requirement already satisfied: MarkupSafe>=2.0 in /usr/local/lib/python3.9/dist-packages (from jinja2) (2.1.2)

Install failing on Ubuntu 22.04/23.10 Desktop x86_64

Using newest git clone as of 2024-01-23. Virgin Ubuntu 22.04 and 23.10.

Install completes, error as follows:

pi@spyguard:~/$ service spy* status

× spyguard-frontend.service - Spyguard frontend service
     Loaded: loaded (/lib/systemd/system/spyguard-frontend.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Tue 2024-01-23 09:59:17 GMT; 9min ago
   Main PID: 4797 (code=exited, status=1/FAILURE)
        CPU: 20ms

Jan 23 09:59:17 spyguard systemd[1]: Started Spyguard frontend service.
Jan 23 09:59:17 spyguard python3[4797]: Traceback (most recent call last):
Jan 23 09:59:17 spyguard python3[4797]:   File "/usr/share/spyguard/server/frontend/main.py", line 4, in <module>
Jan 23 09:59:17 spyguard python3[4797]:     from flask import Flask, render_template, send_from_directory, redirect, abort
Jan 23 09:59:17 spyguard python3[4797]: ModuleNotFoundError: No module named 'flask'
Jan 23 09:59:17 spyguard systemd[1]: spyguard-frontend.service: Main process exited, code=exited, status=1/FAILURE
Jan 23 09:59:17 spyguard systemd[1]: spyguard-frontend.service: Failed with result 'exit-code'.

× spyguard-watchers.service - spyguard watchers service
     Loaded: loaded (/lib/systemd/system/spyguard-watchers.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Tue 2024-01-23 10:00:40 GMT; 8min ago
   Main PID: 4814 (code=exited, status=1/FAILURE)
        CPU: 15ms

Jan 23 10:00:40 spyguard systemd[1]: Started spyguard watchers service.
Jan 23 10:00:40 spyguard python3[4814]: Traceback (most recent call last):
Jan 23 10:00:40 spyguard python3[4814]:   File "/usr/share/spyguard/server/backend/watchers.py", line 4, in <module>
Jan 23 10:00:40 spyguard python3[4814]:     from app.utils import get_watchers
Jan 23 10:00:40 spyguard python3[4814]:   File "/usr/share/spyguard/server/backend/app/__init__.py", line 4, in <module>
Jan 23 10:00:40 spyguard python3[4814]:     from sqlalchemy import create_engine, MetaData, Table
Jan 23 10:00:40 spyguard python3[4814]: ModuleNotFoundError: No module named 'sqlalchemy'
Jan 23 10:00:40 spyguard systemd[1]: spyguard-watchers.service: Main process exited, code=exited, status=1/FAILURE
Jan 23 10:00:40 spyguard systemd[1]: spyguard-watchers.service: Failed with result 'exit-code'.

× spyguard-backend.service - Spyguard backend service
     Loaded: loaded (/lib/systemd/system/spyguard-backend.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Tue 2024-01-23 09:59:17 GMT; 9min ago
   Main PID: 4800 (code=exited, status=1/FAILURE)
        CPU: 18ms

Jan 23 09:59:17 spyguard systemd[1]: Started Spyguard backend service.
Jan 23 09:59:17 spyguard python3[4800]: Traceback (most recent call last):
Jan 23 09:59:17 spyguard python3[4800]:   File "/usr/share/spyguard/server/backend/main.py", line 4, in <module>
Jan 23 09:59:17 spyguard python3[4800]:     from flask import Flask, render_template, send_from_directory, jsonify, redirect
Jan 23 09:59:17 spyguard python3[4800]: ModuleNotFoundError: No module named 'flask'
Jan 23 09:59:17 spyguard systemd[1]: spyguard-backend.service: Main process exited, code=exited, status=1/FAILURE
Jan 23 09:59:17 spyguard systemd[1]: spyguard-backend.service: Failed with result 'exit-code'.

Analysis takes forever

As already described in a previous issue, after setting up a WiFi network and recording traffic, the analysis takes forever and no results are produced. The update to the latest version did not solve the problem either.

System: Raspberry Pi 3 / Raspbian Bullseye

Android connecting to Ephemeral Network but iPhone not connecting?

Scans on Android devices are working well; I just tried an iPhone and it fails to connect to the Ephemeral Network.

I've checked the WiFi in a terminal: iwlist scan | egrep -i 'ssid|cipher|chan'

The only difference between the SSIDs the iPhone connects to and those it can't (i.e. the SpyGuard hotspot) is that SpyGuard has TKIP security enabled.

To test this theory, can I set up the SpyGuard ephemeral networks to drop the TKIP protocol?

I've checked the backend options but can't see an option to change it there, nor in the config.yaml file.

(This install of SpyGuard is running on the Linux Mint 21.3 distro, which installed without any problems apart from the iPhone connection issue.)
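
The post above proposes TKIP as the difference between the hotspot and the networks the iPhone does join. If the ephemeral network is a hostapd access point (an assumption; the page does not show how SpyGuard creates its hotspot), the ciphers it offers are set by the wpa, wpa_pairwise and rsn_pairwise directives, and the theory can be tested by comparing a TKIP-enabled configuration with a WPA2/CCMP-only one. The script below is an added example, not SpyGuard's code; the hostapd.conf it embeds is constructed for the example, and the SSID, channel and passphrase in it are placeholders.

```shell
#!/bin/sh
# Added example, not SpyGuard's code.  Assumes the ephemeral network is a
# hostapd access point (the page does not show how the hotspot is created).
# In hostapd.conf: wpa=1 offers WPA only, wpa=2 WPA2 (RSN) only, wpa=3 both;
# wpa_pairwise lists the ciphers offered under WPA, rsn_pairwise under WPA2.

# weak_hostapd_conf : constructed sample of a TKIP-enabled hotspot config,
# the state the iwlist output in the post points at (values are placeholders).
weak_hostapd_conf() {
    cat <<'EOF'
interface=wlan0
ssid=Spyguard-Ephemeral
hw_mode=g
channel=6
wpa=3
wpa_passphrase=example-passphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
EOF
}

# hostapd_allows_tkip FILE : 0 if either pairwise cipher list contains TKIP.
hostapd_allows_tkip() {
    grep -Eq '^[[:space:]]*(wpa_pairwise|rsn_pairwise)=.*TKIP' "$1"
}

# harden_hostapd_conf IN OUT : copy IN to OUT with WPA2 only and CCMP as the
# sole pairwise cipher; every other line is left as it was.  If IN has no
# rsn_pairwise line, one is appended, because hostapd otherwise falls back to
# the wpa_pairwise list for WPA2 as well.
harden_hostapd_conf() {
    sed -e 's/^[[:space:]]*wpa=.*/wpa=2/' \
        -e 's/^[[:space:]]*wpa_pairwise=.*/wpa_pairwise=CCMP/' \
        -e 's/^[[:space:]]*rsn_pairwise=.*/rsn_pairwise=CCMP/' "$1" > "$2"
    grep -q '^[[:space:]]*rsn_pairwise=' "$2" || echo 'rsn_pairwise=CCMP' >> "$2"
}

# Usage: sh hostapd-tkip.sh check FILE
#        sh hostapd-tkip.sh harden IN OUT
case "${1:-}" in
    check)
        if hostapd_allows_tkip "$2"; then
            echo "$2: TKIP offered"; exit 1
        else
            echo "$2: CCMP only"
        fi ;;
    harden)
        harden_hostapd_conf "$2" "$3" && echo "wrote $3" ;;
esac
```

Run the hardened file through hostapd in place of the original and re-run the iwlist scan: the cipher line for the hotspot should then show CCMP only, which is the single-variable test the post asks for. Clients that have already joined the TKIP version may need the network forgotten and re-added, since the security type changes.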

Add "net-tools" to requirements if installing on Ubuntu and Linux Mint.

Some versions of Ubuntu and Linux Mint don't include net-tools, which contains arp, by default. The installer doesn't check for this, and the error only appears in the system logs when you first try to connect a mobile device. SpyGuard will then hang until you exit or install net-tools manually.

Raspbian 5.1 / Ubuntu 23 - pip does not work without a venv

https://www.reddit.com/r/Python/comments/1338oge/you_cant_use_pip_on_ubuntu_2304_anymore/ is relevant here: pip can no longer be used to install system-wide, and therefore SpyGuard cannot be installed as it currently stands.

Whilst some modules are installable from apt, e.g. sqlalchemy (using python3-sqlalchemy) and weasyprint (without the prefix), the following have no apt-installable modules:
ipwhois
pydig
pymisp
pyyaml
flask_httpauth
pyjwt
python-whois
pyOpenSSL
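
The three install problems reported above (flask and sqlalchemy missing when the systemd services start, arp absent because net-tools is not installed, and pip refusing system-wide installs on distributions that enforce PEP 668, as reported for Ubuntu 23 and Raspbian) can all be caught or worked around from one place before the services are enabled. The script below is an added example, not part of SpyGuard or its install.sh. It assumes the pip-name to import-name mapping given in its comments, a venv location of /opt/spyguard-venv, and that the spyguard-backend and spyguard-watchers units run the same python3 the venv is built from (the page shows the unit paths but not their ExecStart lines); all of these are assumptions.

```shell
#!/bin/sh
# Added example (not SpyGuard's own code or installer): pre-flight checks for
# the imports and binaries the issues above report missing, plus a venv-based
# install for distributions that block system-wide "pip install" (PEP 668).
# Assumptions: the import-name mapping below, a venv under /opt/spyguard-venv,
# and that the systemd units run the same python3 the venv is built from.

# pip names as listed in the issue, plus flask and sqlalchemy from the tracebacks...
SPYGUARD_PIP_PKGS="flask sqlalchemy ipwhois pydig pymisp pyyaml flask_httpauth pyjwt python-whois pyOpenSSL"
# ...and the names those packages are imported as (pyyaml->yaml, pyjwt->jwt,
# python-whois->whois, pyOpenSSL->OpenSSL).
SPYGUARD_IMPORTS="flask sqlalchemy ipwhois pydig pymisp yaml flask_httpauth jwt whois OpenSSL"

# check_python_modules INTERP MODULE... : 0 when every module imports under
# INTERP, i.e. the interpreter the service unit will use, not whichever pip ran.
check_python_modules() {
    interp=$1; shift
    missing=""
    for mod in "$@"; do
        "$interp" -c "import $mod" >/dev/null 2>&1 || missing="$missing $mod"
    done
    if [ -n "$missing" ]; then
        echo "missing for $interp:$missing" >&2
        return 1
    fi
    return 0
}

# check_commands CMD... : 0 when every command is on PATH.  The installer does
# not check for arp, which lives in net-tools on Ubuntu / Linux Mint.
check_commands() {
    missing=""
    for cmd in "$@"; do
        command -v "$cmd" >/dev/null 2>&1 || missing="$missing $cmd"
    done
    if [ -n "$missing" ]; then
        echo "missing commands:$missing (arp: apt install net-tools)" >&2
        return 1
    fi
    return 0
}

# install_in_venv VENV PKG... : create VENV with the system python3 if needed
# and install PKG... into it, leaving the distribution's site-packages alone,
# so neither --break-system-packages nor a root "pip install" is required.
install_in_venv() {
    venv=$1; shift
    [ -x "$venv/bin/python" ] || python3 -m venv "$venv"
    "$venv/bin/python" -m pip install "$@"
}

# site_packages_of INTERP : print INTERP's site-packages directory.
site_packages_of() {
    "$1" -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])'
}

# write_venv_dropin SERVICE SITE_DIR [ROOT] : write a systemd drop-in that sets
# PYTHONPATH to SITE_DIR for SERVICE, so the unit's existing python3 finds the
# venv's modules without the unit file being rewritten.  ROOT defaults to
# /etc/systemd/system; it is a parameter so the function can be tested unprivileged.
write_venv_dropin() {
    svc=$1; site=$2; root=${3:-/etc/systemd/system}
    dir="$root/$svc.service.d"
    mkdir -p "$dir"
    printf '[Service]\nEnvironment=PYTHONPATH=%s\n' "$site" > "$dir/venv.conf"
    echo "$dir/venv.conf"
}

# Usage:  sh spyguard-preflight.sh check [INTERP]
#         sh spyguard-preflight.sh install [VENV]      (as root)
case "${1:-}" in
    check)
        check_commands arp
        check_python_modules "${2:-python3}" $SPYGUARD_IMPORTS   # unquoted on purpose
        ;;
    install)
        venv=${2:-/opt/spyguard-venv}
        install_in_venv "$venv" $SPYGUARD_PIP_PKGS
        site=$(site_packages_of "$venv/bin/python")
        for svc in spyguard-backend spyguard-watchers; do
            write_venv_dropin "$svc" "$site"
        done
        echo "now: systemctl daemon-reload && systemctl restart spyguard-backend spyguard-watchers"
        ;;
esac
```

The check is deliberately run against the interpreter the unit will execute rather than against pip, because the tracebacks above come from a python3 that cannot see packages that may well have been installed for a different interpreter or user. The PYTHONPATH drop-in is the least invasive way to point an unmodified unit at the venv; if the unit's ExecStart uses an absolute interpreter path from a different Python version, the venv must be created from that same interpreter instead.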

USB Automount on Kiosk Mode

I don't know if it's just my problem, but from a clean installation of both Raspberry and SpyGuard, in Kiosk mode it doesn't detect the USB stick when it asks me to save the report... I tried all the ports and various USB sticks, and I also tried to install USBAutomount, but nothing...

IOCs external source MISP

Hi.
I have a problem with synchronizing MISP IOCs on the local server. Some time ago, when I was building SpyGuard, it synchronized beautifully; I had over 600k IOCs. Today I made a new one and it doesn't sync. After calling
python3 /usr/share/spyguard/server/backend/watchers.py
I get something like this:
/usr/share/spyguard/server/backend/app/classes/misp.py:71: SAWarning: Dialect sqlite+pysqlite does *not* support Decimal objects natively, and SQLAlchemy must convert from floating point - rounding errors and other issues may occur. Please consider storing Decimal numbers as strings or integers on this platform for lossless storage.
  for misp in db.session.query(MISPInst).all():

Previously there was a problem with the version:
The version of PyMISP recommended by the MISP instance (2.4.183) is newer than the one you're using now (2.4.165.1). Please upgrade PyMISP.
But now it's upgraded.

And
python3 /usr/share/spyguard/server/backend/app/blueprints/update.py
Traceback (most recent call last):
  File "/usr/share/spyguard/server/backend/app/blueprints/update.py", line 5, in <module>
    from app.classes.update import Update
ModuleNotFoundError: No module named 'app'

Any ideas?
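
The second traceback in the post above is a Python path effect rather than a missing package: watchers.py sits in the backend root, so running it by path puts /usr/share/spyguard/server/backend (where the app package lives) on sys.path, whereas update.py sits two levels inside that package, so running it by path puts app/blueprints on sys.path and "app" cannot be resolved. The script below is an added example, not SpyGuard's code: it builds a throw-away package tree that copies only the layout visible in the traceback (the file contents are constructed stand-ins) and shows the failing invocation next to the two that work.

```shell
#!/bin/sh
# Added example, not SpyGuard's code.  Reproduces, in a constructed package tree
# that mirrors only the layout visible in the traceback
# (backend/app/__init__.py, backend/app/classes/update.py,
# backend/app/blueprints/update.py), why running a script that lives inside the
# "app" package by its file path fails with "No module named 'app'", and the two
# invocations that put the package root on sys.path instead.  File contents are
# stand-ins; nothing here is taken from SpyGuard's own sources.

# make_fake_backend DIR : create the package tree under DIR/backend and print its path.
make_fake_backend() {
    root=$1/backend
    mkdir -p "$root/app/classes" "$root/app/blueprints"
    : > "$root/app/__init__.py"
    : > "$root/app/classes/__init__.py"
    : > "$root/app/blueprints/__init__.py"
    printf 'class Update:\n    def run(self):\n        return "update ok"\n' \
        > "$root/app/classes/update.py"
    printf 'from app.classes.update import Update\n\nif __name__ == "__main__":\n    print(Update().run())\n' \
        > "$root/app/blueprints/update.py"
    echo "$root"
}

# run_by_path ROOT : the way the post ran it.  Fails: python puts the script's
# own directory (app/blueprints), not the package root, at the front of sys.path.
run_by_path() {
    python3 "$1/app/blueprints/update.py" 2>&1
}

# run_as_module ROOT : change to the package root and use -m, so "app" resolves
# and the script's __main__ block still runs.
run_as_module() {
    ( cd "$1" && python3 -m app.blueprints.update 2>&1 )
}

# run_with_pythonpath ROOT : same effect without changing directory, which is
# what a cron entry or a one-off root shell usually wants.
run_with_pythonpath() {
    PYTHONPATH="$1" python3 "$1/app/blueprints/update.py" 2>&1
}

# Usage: sh run-in-package.sh demo
case "${1:-}" in
    demo)
        root=$(make_fake_backend "$(mktemp -d)")
        echo "--- by path (fails):";   run_by_path "$root" || true
        echo "--- python -m:";         run_as_module "$root"
        echo "--- PYTHONPATH:";        run_with_pythonpath "$root"
        ;;
esac
```

Applied to the real tree, the equivalents are "cd /usr/share/spyguard/server/backend && python3 -m app.blueprints.update" or "PYTHONPATH=/usr/share/spyguard/server/backend python3 /usr/share/spyguard/server/backend/app/blueprints/update.py"; whether update.py is meant to be run directly at all is not something the page says.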

DOH

Hi,
I don't understand why this is in the IOCs:
{
  "type": "ip4addr",
  "tag": "doh",
  "tlp": "white",
  "value": "1.1.1.1"
},
{
  "type": "ip4addr",
  "tag": "doh",
  "tlp": "white",
  "value": "8.8.4.4"
},
{
  "type": "ip4addr",
  "tag": "doh",
  "tlp": "white",
  "value": "1.0.0.1"
},
{
  "type": "ip4addr",
  "tag": "doh",
  "tlp": "white",
  "value": "8.8.8.8"
},
{
  "type": "ip4addr",
  "tag": "doh",
  "tlp": "white",
  "value": "149.112.112.112"
},
{
  "type": "ip4addr",
  "tag": "doh",
  "tlp": "white",
  "value": "9.9.9.9"
},

These are DNS over TLS and I do not understand why they are "IOCs"; could you please shed light on it?
