This menubar app for OS X will notify you via Notifcation Center (or Growl) when various security events occur (see list).

It's very useful if you're paranoid about people trying to hack into your computer. Or... if you simply like having information about people using your computer's resources.

It's extremely lightweight, the app is 3MB including the icon, with <0.01% CPU and <15MB of RAM used when running. It's easily extensible in Python, you can add parsers that detect new TCP connetions or poll logfiles. You can even forward alerts as push notifications to your iOS devices using Prowl.

1. Download and run Security Growler.app >> (dark mode)
2. Click on the menubar icon once to start detecting events.

Download Security Growler Light.app if you don't use OS X Dark Mode. If you prefer Growl to the OS X Notification Center, run sudo easy_install gntp in Terminal and relaunch to switch.

Alert you of attempted and succesfull SSH logins:

Notify you of incoming & outgoing TCP connections: FTP, VNC, SMB, MySQL, etc.:

(using less RAM than Little Snitch)

Notify you whenever a command is run with sudo:

Let you know when you're being portscanned:

More Screenshots...

The currently working alert types are:

• SSH
• FTP
• SMB
• AFP
• MySQL
• PostgreSQL
• iTunes Sharing
• sudo commands
• port-scans (e.g. if you're on the receiving end of nmap)
• VNC (detailed alerts require app is run as root)

TODO:

• keychain auth events (/var/log/authd.log, /var/log/accountpolicy.log)
• new listening sockets under port 1000 opened
• Wifi events?

Settings are changed by editing a text file settings.py, accesible via the menubar dropdown item 'Settings...'.

To enable or disable alert types:

You can enable and disable certain alerts by editing the WATCHED_SOURCES section of the file. Simply add or remove event sources on the left (either port numbers or logfile paths), and put the parser names you want to enable for each source on the right. Parser names can by found by looking at the filenames in the parsers/ folder.

# e.g. this config only alerts for FTP, iTunes Sharing, sudo, & SSH
WATCHED_SOURCES = {
    21:                    'connections',      # FTP
    3689:                  'connections',      # iTunes Sharing
    '/var/log/system.log': ('sudo', 'ssh'),    # sudo & ssh
}

To enable or disable alert methods, such as Notifcation Center or Growl:

Change the LOGGERS section to suit your needs.

LOGGERS = [
    'stdout',
    'logfile',
    'growl',
    # 'osxnotifications',  # prepend a hash to disable a certain method
]

To change notification preferences:

Change POLLING_SPEED to make the app update more or less frequently (2-10 seconds is recommended).

Change the INFO_ and ALERT_ items to modify properties such as alert sounds, icons, and text.

This app is composed of 3 main parts: sources, parsers, and loggers.

• sources are either file paths or port numbers, e.g. /var/log/system.log or 5900
• parsers e.g. ssh or sudo are fed new logfile lines yielded from sources, and parse out various alerts
• loggers are output methods for alerts, e.g. stdout, osxnotifications, or growl

The main runloop is in growler.py, it reads lines out of the sources, passes them through parsers, then dispatches alerts before waiting a short delay and then looping.

The menubar app is a simple wrapper compiled using Platypus. Security Growler.app is packaged with copies of growler.py and all the other files it needs. To make changes to the app, change the files you need, test using sudo python growler.py and sudo ./menubar.sh, then re-run Platypus to generate a new app.

The menubar app works by simply running growler.py (which writes to a log file), then cating the contents of the logfile to show in the dropdown. See menubar.sh for more details.

I was tired of not being able to find an app that would quell my paranoia about open ports, so I made one myself. Now I can relax whenever I'm in a seedy internet cafe or connected to free Boingo airport wifi because I know if anyone is trying to connect to my computer.

Little Snitch is still hands-down the best connection-alerting software available for Mac, I highly suggest you check it out if you want a comprehensive firewall/alerting system, and are willing to pay a few bucks to get it. Security Growler is centered around parsing logfiles for any kind of generic pattern, not just monitoring the TCP connection table like Little Snitch. For example, my app can alert you of sudo events, keychain auth events, and anything else you can think of that's reported to a logfile. This app is significantly more lightweight than Little Snitch, it comes in at <15mb of RAM used, simply because it aims to solve a simpler problem than Little Snitch. This app is not designed to prevent malicious connections, that's what firewalls are for, it's just meant to keep an unobtrusive log, and alert you whenever important security events are happening. The more informed you are, the better you can protect yourself.

This app is meant for developers who frequenly run services that are open to their LAN, and just want to keep tabs on usage to make sure they aren't being abused by some local script kiddie. Since the target audience is developers, I opted to leave some parts a little less user-friendly, such as the settings.py config system.

Feel free to submit a pull-request and add a new parser (e.g. try writing one for nginx http-auth)!

A similar project written by @benjojo is available for Linux users: PushAlotAuth, it uses the PushALot push-notification platform.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, pulverize, distribute, synergize, compost, defenestrate, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

If the Author of the Software (the "Author") needs a place to crash and you have a sofa available, you should maybe give the Author a break and let him sleep on your couch.

If you are caught in a dire situation wherein you only have enough time to save one person out of a group, and the Author is a member of that group, you must save the Author.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO BLAH BLAH BLAH ISN'T IT FUNNY HOW UPPER-CASE MAKES IT SOUND LIKE THE LICENSE IS ANGRY AND SHOUTING AT YOU.