
Where are the Firewall logs????

I'm new to Macs, but a long-time Security Guy. I'm running Suricata on my pfSense firewall and there are connections being blocked as malicious. I want to know what process on my Mac Mini made these connections by a log that associates IP connections with processes. I've looked in Console > /var/log > appfirewall.log and other places to no avail. Does anyone know where to look or how to turn on logging for this information?

Mac mini 2018 or later

Posted on Jan 8, 2019 2:11 PM

6 replies

Feb 15, 2019 10:10 PM in response to FoxReader

The sky is perpetually falling for some people. Excerpted from Effective defenses against malware and other threats:


• Ignore hyperventilating popular media outlets that thrive by promoting fear and discord with entertainment products arrogantly presented as "news".


"With this technique it is possible to run whitelisted software without user intervention even if the system is set to disallow unknown applications downloaded from the internet.":


Downloading unknown applications from the Internet happens all the time. That's what people do. It's also the reason Apple incorporated Gatekeeper. A user has to explicitly permit installing such things by providing Admin credentials. One day Apple will lock down macOS to the same degree they do iOS, and we will all be nice and safe inside their walled garden. What a lovely thought. Right?


"TAU has obtained new samples of this malware and observed downloads of the malware from multiple sites, primarily disguised as an Adobe Flash software update."


As a self-proclaimed "Security Guy" I suggest you familiarize yourself with bogus Adobe Flash "installers". Today it's Flash Player. Tomorrow it will be something else.


The subject has exactly nothing to do with the macOS Application Firewall, which can do exactly nothing to protect users from willfully succumbing to phony "Flash Player Update" scams. Examining logs will do exactly nothing to help a user once he or she explicitly bypasses macOS's Gatekeeper warning. Third party "anti-virus" products won't help, because these exploits are not viruses. They are programs a user willfully installs, for whatever reason he or she may choose to do that.


Enjoy the ability to do that while it lasts. In the future Macs will be as hack-proof as a microwave oven, and about as useful.

Jan 15, 2019 7:15 AM in response to FoxReader

Have I stumped everyone? Am I the only security person out there interested in this?


I'm running Suricata on my pfSense firewall ...


It's more likely that no one knows what that is. To learn about the Mac's application firewall read OS X: About the application firewall. To learn about the daemon that controls it, man socketfilterfw or /usr/libexec/ApplicationFirewall/socketfilterfw -h


In addition to the ability to enable or disable logs, there are three logging options available. I assume you would want to select "detailed".


Since Macs are by far the most secure consumer-grade connected appliances that have ever been developed, self-proclaimed "Security Guys" quickly grow disinterested in the platform.
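The steps above (turn logging on, pick the "detail" option) as an added shell example that is not part of the thread; the socketfilterfw path and flags are the tool's own, while the "<process>: Allow|Deny TCP CONNECT" log line shape and the sample lines are assumptions constructed for the example:

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the socketfilterfw flags
# --setloggingmode and --setloggingopt (throttled|brief|detail) and the
# "<process>: <Allow|Deny> <proto> CONNECT" line shape of appfirewall.log.
SOCKETFILTERFW="${SOCKETFILTERFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# Turn application-firewall logging on and select the most verbose of the
# three logging options. Needs root on macOS; returns 2 where the tool is absent.
afw_enable_detailed_logging() {
    [ -x "$SOCKETFILTERFW" ] || { echo "socketfilterfw not found" >&2; return 2; }
    "$SOCKETFILTERFW" --setloggingmode on &&
    "$SOCKETFILTERFW" --setloggingopt detail
}

# Read socketfilterfw log lines on stdin and print one line per process:
# "<process> <allow-count> <deny-count>", sorted by process name.
# Lines that do not carry a CONNECT verdict (kernel noise etc.) are skipped.
afw_summarise() {
    awk -F': ' '
        /socketfilterfw\[/ && $NF ~ /^(Allow|Deny) [A-Z]+ CONNECT/ {
            split($NF, v, " "); proc = $(NF - 1)
            if (v[1] == "Allow") allow[proc]++; else deny[proc]++
            seen[proc] = 1
        }
        END { for (p in seen) printf "%s %d %d\n", p, allow[p] + 0, deny[p] + 0 }
    ' | sort
}

# Timestamped snapshot of established TCP sockets with their owning process,
# so a Suricata alert time can be matched against a local process. lsof flags
# are real; run it from a loop or a LaunchAgent to keep a history.
snapshot_connections() {
    date '+%Y-%m-%dT%H:%M:%S'
    lsof -nP -iTCP -sTCP:ESTABLISHED
}

# Constructed sample log lines (not captured from a real machine).
SAMPLE_LOG='Jan 15 07:15:01 MacMini socketfilterfw[87] <Info>: Dropbox: Allow TCP CONNECT (in:0 out:1)
Jan 15 07:15:02 MacMini socketfilterfw[87] <Info>: Dropbox: Allow TCP CONNECT (in:0 out:1)
Jan 15 07:15:03 MacMini socketfilterfw[87] <Info>: nc: Deny TCP CONNECT (in:1 out:0)
Jan 15 07:15:04 MacMini kernel[0] <Notice>: unrelated: noise'

# Example run on the constructed sample:
#   printf "%s\n" "$SAMPLE_LOG" | afw_summarise
```

The counts per process are what a defender compares against the firewall's block list; a process with denies it should never need is the one to investigate.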


Jan 15, 2019 12:43 PM in response to FoxReader

Unlike you I am not new to Macs, and I have been hearing your stories since the equivalent of their Paleolithic era. They never change and they never will.


If Macs (hopefully) one day are more popular than Windows, the number of vulnerabilities will likely increase.


That will never happen. As macOS continues to resemble iOS, the number of new vulnerabilities can only diminish, and Macs will never be more popular than Windows anyway. Both platforms are going away as iOS and its imitators supplant the need for them.


My point being if you are not running antivirus on your Mac, you should.


Your recommendations are going to fall on deaf ears. macOS already incorporates everything it needs to protect itself from viruses and malware, and I prohibit any such non-Apple products on any of the Macs I own or control. That is the way I and everyone else within my employment or supervision have been using Macs since the inception of OS X. Non-Apple "anti-virus" products prevent them from working. That's not surprising since there is no company, organization or individual in possession of Apple's proprietary operating systems or hardware knowledge.


I subjected all the popular products to my own extensive tests. Their effectiveness ranged from benign but useless to malicious, and differed only in their degree to which they would prevent a Mac and macOS from working the way Apple designed those products to work.


Do as you please though... because you're new to Macs. To keep yourself apprised of current developments consider subscribing to Apple's Security-announce list server.



Jan 15, 2019 10:47 AM in response to John Galt

Hi John Galt,

I sincerely do appreciate the feedback and more locations to research. I'm seeking the application to IP logs because Suricata keeps blocking traffic from my Mac Mini (sometimes in the middle of the night or when I'm not home). Some of the IPs are located in countries like China and Russia. I do not run software that should be making these connections so I'm concerned. I've run scans by a couple of different AV vendors and although they found some minor things, the communications continue to happen.


From a security perspective, I don't know any security folks that have ever become "disinterested" in Macs. They certainly run cleaner and better software with more security features built into the OS; but they are in no way invincible. For example, the popular Common Vulnerabilities and Exposures (CVE) data shows that Mac OS X has 169 vulnerabilities. This is far less than the 1036 for Windows 7. Also, Microsoft is at a disadvantage since they own the market share of the personal computing market, so miscreants are incentivized to look for vulnerabilities in software that can compromise more computers. If Macs (hopefully) one day are more popular than Windows, the number of vulnerabilities will likely increase. My point being, if you are not running antivirus on your Mac, you should. The Macs at work get infected too.

Feb 15, 2019 6:29 AM in response to John Galt

Researcher discovers MacOS keychain vulnerability but will not disclose to Apple due to low bug bounty:

https://www.forbes.com/sites/thomasbrewster/2019/02/06/teenager-finds-apple-mac-hack-that-steals-passwords-with-evil-apps/


"With this technique it is possible to run whitelisted software without user intervention even if the system is set to disallow unknown applications downloaded from the internet.":

https://securityaffairs.co/wordpress/81112/malware/shlayer-mac-malware.html

