intrusion detection/prevention software?

Hello,

I have reason to believe that I've got a host on my LAN that is spoofing local IP numbers and attempting to connect to offsite hosts (more than likely one of our PCs!). Specifically, my mail server (MacOS 8.6) and a seldom-used MacOS 10.3 workstation both appear to have attempted to access the same offsite host on port 53 within 25 minutes of each other last night around 8:15 EDT (off hours). Only my DNS server is allowed out on that port. Worst case, I fear something is trying to map internal trust relationships with my router. But maybe it's just a dumb worm periodically probing random hosts.

So my question is two part:
1.) Can anyone recommend intrusion detection/prevention software? Ideally I'd like a command line solution so that I can access it remotely. I've heard a lot about snort but haven't tried it.

2.) I've got an underutilized Mac mini running Tiger that I use for testing and as a smart backup drive. 🙂 I'm considering it as a candidate for this software. As long as I'm not running HD-intensive services, should I worry about not having a 24/7-rated drive? I envision using it only as an SSH gateway and for the intrusion software.

Ok, a three part question: Should I worry?

Thanks for any advice.

--
Cole

Posted on Oct 5, 2005 10:23 AM


Oct 5, 2005 9:18 PM in response to Cole Tierney

Hi Cole,
The only reason Macs should attempt to access port 53 on a remote host is if they've been configured to look to that host for DNS resolution. Execute the following on each machine:

cat /etc/resolv.conf

If the remote host in question is not listed as a nameserver, then someone would have actually had to initiate the connection. (if you can say "connection" in conjunction with UDP) That would seem to be a serious problem. Of course the source of packets can be spoofed.

I think very highly of Snort. As far as I know, it only checks packets in and out of the machine on which it's running but it checks for a tremendous variety of interesting traffic patterns. You can install snort via Fink or download HenWen, which is a nice GUI for configuring snort.

You might find another utility to be useful, p0f. That is a versatile passive OS fingerprinting tool. It's triggered by the establishment of a connection and logs information about the remote host, including information about the host's ISP. If anyone is logging onto your Mac surreptitiously, p0f might help you track them down.

The other excellent IDS is Tripwire. This takes a completely different approach from the above apps, having nothing to do with the network. It keeps a database of important files -- ones an intruder might change to cover his tracks or gain further access -- and every time you run it, it tells you if the files have changed in any way. It computes a checksum of the contents so it can tell you if the contents of a file have changed. It has to be run at least once to create the database, but once it's been run, assuming the machine was clean to begin with, I would think you could be pretty confident in the integrity of any machine that it gave a clean bill of health!

Finally, don't forget the tools that Apple provides. The accounting mechanism comes with OS X and you can download auditing tools with the Common Criteria Tools.
--
Gary
~~~~
The real reason psychology is hard is that psychologists
are trying to do the impossible.
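One way to turn the point above about port 53 into a check, as an added example that is not from anyone in the thread: a short Python script that scans flow records for DNS traffic leaving the LAN from any host other than the authorized resolver and groups the hits by outside destination. The flow records, addresses, network range and log format are constructed assumptions, not data from this thread.

```python
# Added example (not from the thread): flag LAN hosts sending DNS traffic
# straight to outside addresses when only the internal resolver may do so.
import ipaddress
from collections import defaultdict

# Constructed sample flow records, not real logs: time proto src dst dport
SAMPLE_FLOWS = """\
2005-10-04T20:14:02 udp 192.168.1.10 192.168.1.1 53
2005-10-04T20:15:31 udp 192.168.1.1 198.51.100.7 53
2005-10-04T20:16:09 udp 192.168.1.22 203.0.113.45 53
2005-10-04T20:40:55 udp 192.168.1.37 203.0.113.45 53
2005-10-04T20:41:12 tcp 192.168.1.37 203.0.113.9 80
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal range
ALLOWED_RESOLVERS = {"192.168.1.1"}            # only host allowed out on 53

def parse_flows(text):
    """Parse 'ts proto src dst dport' lines; skip blank or malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, proto, src, dst, dport = parts
        flows.append({"ts": ts, "proto": proto, "src": src,
                      "dst": dst, "dport": int(dport)})
    return flows

def unauthorized_dns_egress(flows):
    """Return (src, dst, ts) for port-53 flows from a LAN source that is not
    an allowed resolver to a destination outside the LAN. A spoofed source
    still shows up here, which is what makes the pattern worth a look."""
    hits = []
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if (f["dport"] == 53 and src in LAN and dst not in LAN
                and f["src"] not in ALLOWED_RESOLVERS):
            hits.append((f["src"], f["dst"], f["ts"]))
    return hits

def shared_destinations(hits):
    """Group offending sources by outside destination; two internal hosts
    hitting the same address on 53 is the correlation worth chasing."""
    by_dst = defaultdict(set)
    for src, dst, _ in hits:
        by_dst[dst].add(src)
    return {d: sorted(s) for d, s in by_dst.items() if len(s) > 1}
```

Feed it the output of whatever your span port capture or firewall log exports in the same five-field shape, and the two hosts that talked to one outside address on port 53 fall out directly.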

Oct 6, 2005 12:53 AM in response to Cole Tierney

I once downloaded something called HenWen from Apple's download links. I really enjoyed it; it was very effective, but I noticed that 90% of my messages were 'spoofs' (which meant nothing to me). I would still use it if I hadn't upgraded to Tiger. I will look for the link; in the meantime, I believe the website is snort.com

PS: Fink is awesome, for many, many reasons... that's a good one too... I just thought of HenWen because it was so simple to use and I acquired many spoof-related warnings.

Oct 6, 2005 8:38 AM in response to Gary Kerbaugh

Hi Gary,

>The only reason Macs should attempt to access port 53 on a remote host is if they've been configured to look to that host for DNS resolution.

All our computers are configured to query our internal name servers. In addition, the target host was from an ISP in Dallas, TX and didn't appear to be a name server.

Thanks for all the good info! I think I'll check out snort. I've got a port on one of my switches that can see all the packets crossing our network.

--
Cole
