Detecting Intrusions


With intrusion detection, vigilance is the name of the game, but when you are trying to figure out whether someone has been on your network or computer, others may well accuse you of attempting to get into their systems.

To help you watch your network, you can turn to several tools, such as a network intrusion detection system (NIDS), intrusion detection system (IDS), or heuristic packet sniffer. Attack tools send out known patterns of packets; an IDS listening silently on the network can detect these patterns and warn the administrator. However, these tools cannot warn of brand-new types of attacks until the library of known patterns is updated. Still, intrusion detection software will often point out weaknesses in the entire system.

Let's take a look at two of the detection tools available for Mac OS X: Network Mapper (nmap) and HenWen. Both tools rely on the network's administrators being aware that detection activity is in progress, so that it is not mistaken for an additional attack.

Using nmap

Open ports are often the first casualties in an assault on a system, since open ports and the processes listening on them are open doors and thus vulnerable to attack. An attacker can send packets to your open FTP port (port 21) and possibly trick the process into accepting them. One tool for watching these ports is Network Mapper (nmap), an open-source application designed to discover various kinds of information about the systems on your network. While nmap can be considered attack software, it is a useful tool when an administrator uses it to find holes in a network. Be careful when using nmap on an organization's network, because some NIDS tools will see nmap activity as an attack and report it as such.

Using HenWen

Another detection tool is HenWen, a Mac OS X GUI front end for the popular open-source tool Snort. HenWen is rule based and can run in several modes, such as:

  • Sniffer mode: This is the basic mode, which collects packets from the network and continually displays them in the window, similar to basic tcpdump.

  • Inline mode: A more advanced mode, this mode collects packets from iptables.

  • Packet-logger mode: Logs all packets to the disk of your choice.

  • NIDS mode: The most advanced mode, NIDS allows you to capture traffic and filter it based on rules you've set up. Post-capture macros or scripts can manipulate and compare the data captured.

Like nmap, HenWen is often considered attack software, as it can show passwords sent in the clear, unauthorized access attempts to servers, and open ports on systems. Use caution when rolling out HenWen on a network.

Monitoring the System Using UNIX Commands

It is important to familiarize yourself with the list of processes that commonly run on Mac OS X and Mac OS X Server to be able to identify those processes that do not belong to a normal Mac OS X configuration. UNIX has a wealth of command-line features and utilities that show you what is currently running on a system. In addition to the command line, Mac OS X and Mac OS X Server provide an excellent graphical tool, the Activity Monitor, to access those same powerful resources.

Note

Some of the UNIX techniques explained in this lesson assume your prior knowledge of the UNIX command-line interface.


Using ps

The ps command enables you to identify the processes you are running as well as the processes other users are running. When it is executed, ps takes a snapshot of the processes running at that moment in time.

If you don't add any arguments to the command, ps returns all of the processes that you are running within the current shell. For example:

powerbook:~ localuser$ ps
  PID  TT  STAT      TIME COMMAND
  575  p1  S+     0:00.05 -bash
 1471  p4  S      0:00.03 -bash


In this example, you don't receive much information. All you see is that the localuser user is running two interactive bash shells. You know that more processes are running, but plain ps doesn't display them. You need more information!

Adding arguments to the ps command provides more information about what is actually running on the system. There are many arguments available to ps; an excerpt from the output of one of the most popular sets of arguments, -auxww, can be seen here:


powerbook:~ localuser$ ps -auxww
USER       PID  %CPU %MEM    VSZ    RSS  TT  STAT STARTED    TIME     COMMAND
localuser 1799  12.8  7.2 289696  75636  ??  S    5:35AM  14:18.54 /Applications local/Microsoft Office X/Microsoft Word /Applications/local/Microsoft Office X/Microsoft Word -psn_0_17694721
localuser  184   6.6 11.4 327132 119880  ??  Ss   Sat07PM 46:59.47 /System/library/Frameworks/ApplicationServices.framework/Frameworks/CoreGraphics.framework/Resources/WindowServer -daemon
localuser 1394   4.9  6.1 248684  64336  ??  S    Sun08PM 16:44.85 /Applications local/Acrobat 6.0 Professional/Acrobat 6.0.1 Professional.app /Contents/MacOS/Acrobat /Applications/local/Acrobat 6.0 Professional/Acrobat 6.0.1 Professional.app/Contents/MacOS/Acrobat -psn_0_10485761
localuser  698   4.5  2.4 233192  25496  ??  S    Sat08PM 39:26.15 /Applications iTunes.app/Contents/MacOS/iTunes -psn_0_2752513
localuser  811   1.1  1.6 174020  17188  ??  S    Sat11PM  3:03.64 /Applications local/RBrowser.app/Contents/MacOS/RBrowser -psn_0_3538945
localuser  573   0.6  0.9 160232   9288  ??  S    Sat08PM  2:20.93 /Applications Utilities/Terminal.app/Contents/MacOS/Terminal -psn_0_2097153
localuser 1296   0.3  9.0 308440  94860  ??  S    Sun04PM 17:15.86 /Applications iWork/Keynote.app/Contents/MacOS/Keynote -psn_0_8781825
root       117   0.0  0.0  27672    352  ??  Ss   Sat07PM  0:01.40 netinfod -s local
root       119   0.0  0.0  18056    100  ??  Ss   Sat07PM  0:22.11 update
root       122   0.0  0.0  18080    108  ??  Ss   Sat07PM  0:00.03 dynamic_pager -F /private/var/vm/swapfile


This set of arguments tells ps to output all processes (here you see processes run by the users root and localuser), to include the full path to the executable, and not to truncate the output line (that's what the ww does). The columns show the owner of the process, the process ID, the percentage of CPU time that process is currently using, some memory statistics, the time the process was started, and the full path of the command that was run to start the process.

If you don't need the entire path to the executable, leaving it out saves a lot of screen real estate and scrolling: give ps the argument -aucxww and you receive a result that looks like this:

powerbook:~ localuser$ ps -aucxww
USER       PID  %CPU %MEM    VSZ    RSS  TT  STAT STARTED    TIME     COMMAND
localuser 1394  16.5  6.1 248684  64316  ??  S    Sun08PM 17:17.06 Acrobat
localuser 1799  16.1  7.6 290892  79284  ??  S    5:35AM  15:46.90 Microsoft Word
localuser 1296   9.9  9.0 308440  94860  ??  S    Sun04PM 18:12.78 Keynote
localuser  184   6.5 11.5 328504 120952  ??  Ss   Sat07PM 47:43.31 WindowServer
localuser  698   4.1  2.5 233224  25948  ??  S    Sat08PM 40:38.55 iTunes
localuser  338   0.7  2.7 264472  27872  ??  S    Sat07PM 18:55.44 Finder
root        93   0.0  0.0  18676    232  ??  Ss   Sat07PM  0:00.67 notifyd
root       117   0.0  0.0  27672    352  ??  Ss   Sat07PM  0:01.40 netinfod
root       119   0.0  0.0  18056    100  ??  Ss   Sat07PM  0:22.17 update
root       122   0.0  0.0  18080    108  ??  Ss   Sat07PM  0:00.03 dynamic_pager


It will take a little time, but do some research on each of the processes using man pages or a Web-based search engine. It's good to learn more about what your Mac OS X is doing. After you've familiarized yourself with typical processes running on your system, it will be easier to spot rogue processes.

Note

To view all the arguments that can be used with ps, open Terminal and enter man ps.


Using ps and grep

Sometimes seeing all the information available from ps is a little overwhelming. A common technique for finding specific processes without scrolling through them all is to use a UNIX pipe to combine the ps command with grep -i (the -i makes the match case-insensitive).

powerbook:~ localuser$ ps -auxww | grep -i httpd
root      2003  0.0  0.3  31456  2844  ??   Ss  9:00AM  0:00.04 /usr/sbin/httpd
www       2012  0.0  0.0  31456   320  ??   S   9:00AM  0:00.01 /usr/sbin/httpd
localuser 2024  0.0  0.0  18644   100  std  R+  9:00AM  0:00.00 grep httpd


Notice how you not only found the two Apache (httpd) Web-server processes, but you also found the process running your grep search. (It was running as you ran ps!)

If you are looking for a specific rogue process (for instance, one named on a security page that you follow), you can enter that process name instead. Below is a search for a process called trojanhorse:

powerbook:~ localuser$ ps -auxww | grep -i trojanhorse
localuser 2024  0.0  0.0  18644   100  std  R+  9:00AM  0:00.00 grep trojanhorse


In this example, you see only the grep itself, so you know that trojanhorse is not running.
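As an added example (not from the lesson), this POSIX shell script turns the advice above into a repeatable check: it compares a ps listing against a baseline of command names you recorded yourself on a known-good system and reports anything not on the list, and it looks for a named process by its command column rather than by grepping the whole line, so the search never matches itself. It assumes `ps -axcww -o user,pid,comm` prints user, PID and bare command name, and uses a constructed listing in place of live output.

```shell
# Added example, not from the lesson. Assumes `ps -axcww -o user,pid,comm`
# prints user, PID and the bare command name (as -c does), and a baseline
# of known command names that you built yourself on a clean system.

# Constructed sample of `ps -axcww -o user,pid,comm` output (not a capture).
SAMPLE_PS='USER       PID COMM
root         1 launchd
root       117 netinfod
localuser  184 WindowServer
localuser  338 Finder
localuser  573 Terminal
nobody    2031 trojanhorse
localuser 2044 ps'

# Constructed baseline: one known command name per line.
BASELINE='launchd
netinfod
WindowServer
Finder
Terminal
ps'

# report_unknown PS_OUTPUT BASELINE
# Prints "user pid command" for every process whose command name is not
# in the baseline. The header row is skipped; names may contain spaces.
report_unknown() {
    known=$(printf '%s\n' "$2" | tr '\n' ';')
    printf '%s\n' "$1" | awk -v known="$known" '
        BEGIN { n = split(known, k, ";"); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        NR == 1 { next }
        {
            comm = $3
            for (i = 4; i <= NF; i++) comm = comm " " $i
            if (!(comm in ok)) print $1, $2, comm
        }'
}

# is_running NAME PS_OUTPUT
# Exit status 0 if a process with that command name (case-insensitive) is
# listed. Matching only the COMM column means the search can never match
# itself the way "ps | grep name" does.
is_running() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NR > 1 {
            comm = $3
            for (i = 4; i <= NF; i++) comm = comm " " $i
            if (tolower(comm) == tolower(want)) found = 1
        }
        END { exit !found }'
}
```

On a live system, save your baseline first and then run report_unknown "$(ps -axcww -o user,pid,comm)" "$(cat baseline.txt)" from time to time; anything it prints deserves the man-page or Web research the lesson recommends.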

Using top

The top command is similar to the ps command, but instead of taking a one-time "process snapshot," top keeps checking the running processes and continuously refreshes the list on the screen.

Without any arguments, top sorts its output based on process ID (PID), with the highest process ID (the most recently launched process) listed first:

powerbook:~ localuser$ top
Processes: 95 total, 2 running, 93 sleeping... 283 threads   09:10:36
Load Avg: 0.65, 0.94, 0.77  CPU usage: 36.6% user, 16.8% sys, 46.6% idle
SharedLibs: num = 123, resident = 50.9M code, 3.02M data, 13.4M LinkEdit
MemRegions: num = 14690, resident = 369M + 17.8M private, 292M shared
PhysMem: 106M wired, 579M active, 304M inactive, 990M used, 33.6M free
VM: 7.68G + 85.2M 108983(0) pageins, 72106(0) pageouts

 PID  COMMAND     %CPU  TIME     #TH #PRTS #MREGS RPRVT  RSHRD  RSIZE  VSIZE
2164  top         11.7%  0:08.12  1   16    26     420K   440K   796K   27.1M
1817  QuickTime    0.0%  0:20.05  3   276   249    3.34M  23.0M  11.2M  169M
1800  Microsoft    0.0%  0:07.26  1   65    134    1.86M  8.76M  4.41M  138M
1799  Microsoft   14.8% 18:11.02  1   92    445    62.0M  64.1M  83.4M  287M
1689  lookupd      0.0%  0:00.32  2   34    60     356K   884K   1.12M  28.5M
1681  Mail         0.0%  2:35.43  6   128   292    10.1M  29.0M  29.6M  177M
1475  bash         0.0%  0:00.18  1   12    19     172K   836K   812K   18.2M
1474  su           0.0%  0:00.01  1   14    41     84K    732K   636K   27.2M
1471  bash         0.0%  0:00.03  1   12    19     120K   864K   804K   18.2M
1470  login        0.0%  0:00.02  1   13    38     124K   440K   488K   26.9M
1394  Acrobat      0.6% 17:41.50  4   81    354    31.4M  57.8M  62.5M  242M
1353  RealPlayer   0.0% 28:58.16  9   398   611    15.7M  28.9M  23.1M  216M
1296  Keynote      5.5% 19:50.65  5   325   563    90.4M  47.5M  92.5M  301M
1177  writeconfi   0.0%  0:00.30  1   26    31     348K   784K   1.58M  27.6M
1148  NetCfgTool   0.0%  0:00.28  1   22    25     424K   660K   1016K  27.4M
1146  System Pre   0.0%  1:27.43  7   457   472    10.1M  31.1M  17.1M  232M


When using top, it is usually more useful to sort the output based on percentage of CPU being utilized by each process, rather than process ID. You can do this by adding the argument -u.

powerbook:~ localuser$ top -u
Processes: 95 total, 2 running, 93 sleeping... 283 threads   09:12:31
Load Avg: 1.08, 0.96, 0.79  CPU usage: 62.3% user, 31.4% sys, 6.3% idle
SharedLibs: num = 123, resident = 50.9M code, 3.02M data, 13.4M LinkEdit
MemRegions: num = 14686, resident = 370M + 17.8M private, 292M shared
PhysMem: 106M wired, 579M active, 305M inactive, 992M used, 31.8M free
VM: 7.68G + 85.2M 109013(30) pageins, 72106(0) pageouts

 PID  COMMAND     %CPU  TIME     #TH #PRTS #MREGS RPRVT  RSHRD  RSIZE  VSIZE
 573  Terminal    28.0%  2:50.25  7   96    270    7.38M- 17.5M  11.8M- 160M
1799  Microsoft   12.6% 18:29.13  1   92    447    62.8M  64.2M  84.3M  287M
   0  kernel_tas   9.7% 28:22.48  43  2     2784   20.9M  0K     91.3M  846M
2165  top          6.5%  0:01.04  1   16    26     420K   440K   796K   27.1M
 184  WindowServ   6.1% 48:37.69  2   489   1281   15.3M+ 126M-  121M+  322M+
1296  Keynote      6.1% 19:59.78  5   325   563    90.4M  47.5M  92.5M  301M
 698  iTunes       4.0% 42:27.73  8   252   692    16.0M  34.9M  25.0M  227M
1394  Acrobat      1.6% 17:42.39  4   81    354    31.4M  57.8M  62.5M  242M
 338  Finder       0.8% 19:48.39  6   318   520    18.2M  43.0M  26.8M  258M
 467  UniversalA   0.4%  3:18.68  1   58    96     804K   4.88M  2.25M  143M
 189  loginwindo   0.4%  2:23.07  5   224   166    1.67M  8.06M  3.70M  136M
1048  TextEdit     0.4%  1:48.07  2   119   207    5.12M+ 17.7M  9.14M+ 167M
 119  update       0.4%  0:22.41  1   9     16     40K    336K   100K   17.6M
1353  RealPlayer   0.0% 28:58.59  9   398   611    15.7M  28.9M  23.1M  216M
 937  Safari       0.0% 12:25.63  9   279   374    14.7M  35.4M  29.7M  258M
 811  RBrowser     0.0%  3:06.65  5   234   257    4.23M  23.8M  16.8M  169M


More Info

For more information on top and its arguments, open Terminal and enter man top.





Apple Training Series: Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
Year: 2005
Pages: 258
Authors: Schoun Regan