With intrusion detection, vigilance is the name of the game, but when you're trying to figure out whether someone has been on your network or computer, others are likely to accuse you of attempting to get into their system. To help you watch your network, you can turn to several tools, such as a network intrusion detection system (NIDS), an intrusion detection system (IDS), or a heuristic packet sniffer. Attack tools send out known patterns of packets; an IDS listening silently on the network can detect these patterns and warn the administrator. However, these tools cannot warn of brand-new types of attacks until their library of known patterns is updated. Still, intrusion detection software will often point out weaknesses in the system as a whole. Let's take a look at two of the detection tools available for Mac OS X: Network Mapper (nmap) and HenWen. Both tools rely on the network's administrators being aware of the detection activity in progress, so that it is not mistaken for yet another attack.

Using nmap

Open ports are often the first casualties in an assault on a system, since open ports and the processes listening on them are open doors and thus vulnerable to attack. An attacker can send packets to your open FTP port (port 21) and possibly trick the process into accepting them. One tool for watching these ports is Network Mapper (nmap), an open-source application designed to discover various kinds of information about the systems on your network. While nmap can be considered attack software, it is a useful tool when an administrator uses it to discover holes in a network. Be careful when using nmap on an organization's network, because some NIDS tools will see nmap activity as an attack and report it as such.

Using HenWen

Another detection tool is HenWen, a Mac OS X GUI for the popular open-source intrusion detection tool Snort.
HenWen is based on rules and can be used in various modes, such as:
Like nmap, HenWen is often considered attack software, as it can show passwords sent in the clear, unauthorized access attempts to servers, and open ports on systems. Use caution when rolling out HenWen on a network.

Monitoring the System Using UNIX Commands

It is important to familiarize yourself with the list of processes that commonly run on Mac OS X and Mac OS X Server, so that you can identify processes that do not belong to a normal Mac OS X configuration. UNIX has a wealth of command-line features and utilities that show you what is currently running on a system. In addition to the command line, Mac OS X and Mac OS X Server provide an excellent graphical tool, Activity Monitor, for accessing those same powerful resources.

Note: Some of the UNIX techniques explained in this lesson assume prior knowledge of the UNIX command-line interface.

Using ps

The ps command enables you to identify the processes you are running and the processes that other users are running. When it is executed, ps takes a snapshot of the processes running at that moment in time. If you don't add any arguments to the command, ps returns only the processes that you are running within the current shell. For example:

    powerbook:~ localuser$ ps
      PID  TT  STAT      TIME COMMAND
      575  p1  S+     0:00.05 -bash
     1471  p4  S      0:00.03 -bash

In this example, you don't receive much information. All you see is that the user localuser is running two interactive bash shells. You know that more processes are running, but plain ps doesn't display them; you need more information! Adding arguments to the ps command provides more detail about what is actually running on the system. There are many arguments available to ps, but an excerpt of the output from one of the most popular sets of arguments, -auxww, can be seen here:
This set of arguments tells ps to output all processes (in this case, you see the processes run by the users root and localuser), to include the full path to the executable, and not to truncate the output lines (that's what the ww does). The columns show the owner of the process, the process ID, the percentage of CPU currently being used by that process, some memory statistics, the time the process was started, and the full path to the command that was executed to start the process. If you don't need the entire path to the executable (omitting it saves a lot of screen real estate and scrolling), you can give ps the argument -aucxww instead and receive a result that looks like this:

    powerbook:~ localuser$ ps -aucxww
    USER        PID  %CPU  %MEM     VSZ     RSS  TT  STAT STARTED      TIME COMMAND
    localuser  1394  16.5   6.1  248684   64316  ??  S    Sun08PM  17:17.06 Acrobat
    localuser  1799  16.1   7.6  290892   79284  ??  S    5:35AM   15:46.90 Microsoft Word
    localuser  1296   9.9   9.0  308440   94860  ??  S    Sun04PM  18:12.78 Keynote
    localuser   184   6.5  11.5  328504  120952  ??  Ss   Sat07PM  47:43.31 WindowServer
    localuser   698   4.1   2.5  233224   25948  ??  S    Sat08PM  40:38.55 iTunes
    localuser   338   0.7   2.7  264472   27872  ??  S    Sat07PM  18:55.44 Finder
    root         93   0.0   0.0   18676     232  ??  Ss   Sat07PM   0:00.67 notifyd
    root        117   0.0   0.0   27672     352  ??  Ss   Sat07PM   0:01.40 netinfod
    root        119   0.0   0.0   18056     100  ??  Ss   Sat07PM   0:22.17 update
    root        122   0.0   0.0   18080     108  ??  Ss   Sat07PM   0:00.03 dynamic_pager

It will take a little time, but do some research on each of these processes using the man pages or a Web-based search engine. It's good to learn more about what your Mac OS X system is doing. After you've familiarized yourself with the processes that typically run on your system, it will be easier to spot rogue processes.

Note: To view all the arguments that can be used with ps, open Terminal and enter man ps.

Using ps and grep

Sometimes seeing all the information available from ps is a little overwhelming.
A common technique for finding a specific process without scrolling through all of them is to use a UNIX pipe to combine the ps command with grep -i (the -i flag makes the match case-insensitive):

    powerbook:~ localuser$ ps -auxww | grep -i httpd
    root       2003  0.0  0.3  31456  2844  ??   Ss   9:00AM   0:00.04 /usr/sbin/httpd
    www        2012  0.0  0.0  31456   320  ??   S    9:00AM   0:00.01 /usr/sbin/httpd
    localuser  2024  0.0  0.0  18644   100  std  R+   9:00AM   0:00.00 grep httpd

Notice that you not only found the two Apache (httpd) Web server processes, but also the process running your grep search. (It was running as you ran ps!) If you are looking for a specific rogue process (for instance, one reported on a security page that you read regularly), you can enter that process name instead. Here is a search for a process called trojanhorse:

    powerbook:~ localuser$ ps -auxww | grep -i trojanhorse
    localuser  2024  0.0  0.0  18644   100  std  R+   9:00AM   0:00.00 grep trojanhorse

In this example you see only the grep itself, so you know that trojanhorse is not running.

Using top

The top command is similar to the ps command, but instead of taking a snapshot of the processes at one moment in time, top checks the running processes and dynamically updates its output on the screen. Without any arguments, top sorts its output by process ID (PID), with the highest process ID (the most recently launched process) listed first:

    powerbook:~ localuser$ top
    Processes:  95 total, 2 running, 93 sleeping... 283 threads                 09:10:36
    Load Avg:  0.65, 0.94, 0.77     CPU usage:  36.6% user, 16.8% sys, 46.6% idle
    SharedLibs: num =  123, resident = 50.9M code, 3.02M data, 13.4M LinkEdit
    MemRegions: num = 14690, resident =  369M + 17.8M private,  292M shared
    PhysMem:   106M wired,  579M active,  304M inactive,  990M used, 33.6M free
    VM: 7.68G + 85.2M   108983(0) pageins, 72106(0) pageouts

      PID COMMAND      %CPU   TIME     #TH #PRTS #MREGS RPRVT  RSHRD  RSIZE  VSIZE
     2164 top         11.7%  0:08.12   1    16    26   420K   440K   796K  27.1M
     1817 QuickTime    0.0%  0:20.05   3   276   249  3.34M  23.0M  11.2M   169M
     1800 Microsoft    0.0%  0:07.26   1    65   134  1.86M  8.76M  4.41M   138M
     1799 Microsoft   14.8% 18:11.02   1    92   445  62.0M  64.1M  83.4M   287M
     1689 lookupd      0.0%  0:00.32   2    34    60   356K   884K  1.12M  28.5M
     1681 Mail         0.0%  2:35.43   6   128   292  10.1M  29.0M  29.6M   177M
     1475 bash         0.0%  0:00.18   1    12    19   172K   836K   812K  18.2M
     1474 su           0.0%  0:00.01   1    14    41    84K   732K   636K  27.2M
     1471 bash         0.0%  0:00.03   1    12    19   120K   864K   804K  18.2M
     1470 login        0.0%  0:00.02   1    13    38   124K   440K   488K  26.9M
     1394 Acrobat      0.6% 17:41.50   4    81   354  31.4M  57.8M  62.5M   242M
     1353 RealPlayer   0.0% 28:58.16   9   398   611  15.7M  28.9M  23.1M   216M
     1296 Keynote      5.5% 19:50.65   5   325   563  90.4M  47.5M  92.5M   301M
     1177 writeconfi   0.0%  0:00.30   1    26    31   348K   784K  1.58M  27.6M
     1148 NetCfgTool   0.0%  0:00.28   1    22    25   424K   660K  1016K  27.4M
     1146 System Pre   0.0%  1:27.43   7   457   472  10.1M  31.1M  17.1M   232M

When using top, it is usually more useful to sort the output by the percentage of CPU each process is using rather than by process ID. You can do this by adding the argument -u:

    powerbook:~ localuser$ top -u
    Processes:  95 total, 2 running, 93 sleeping... 283 threads                 09:12:31
    Load Avg:  1.08, 0.96, 0.79     CPU usage:  62.3% user, 31.4% sys, 6.3% idle
    SharedLibs: num =  123, resident = 50.9M code, 3.02M data, 13.4M LinkEdit
    MemRegions: num = 14686, resident =  370M + 17.8M private,  292M shared
    PhysMem:   106M wired,  579M active,  305M inactive,  992M used, 31.8M free
    VM: 7.68G + 85.2M   109013(30) pageins, 72106(0) pageouts

      PID COMMAND      %CPU   TIME     #TH #PRTS #MREGS RPRVT  RSHRD  RSIZE  VSIZE
      573 Terminal    28.0%  2:50.25   7    96   270  7.38M- 17.5M  11.8M-  160M
     1799 Microsoft   12.6% 18:29.13   1    92   447  62.8M  64.2M  84.3M   287M
        0 kernel_tas   9.7% 28:22.48  43     2  2784  20.9M     0K  91.3M   846M
     2165 top          6.5%  0:01.04   1    16    26   420K   440K   796K  27.1M
      184 WindowServ   6.1% 48:37.69   2   489  1281  15.3M+  126M-  121M+  322M+
     1296 Keynote      6.1% 19:59.78   5   325   563  90.4M  47.5M  92.5M   301M
      698 iTunes       4.0% 42:27.73   8   252   692  16.0M  34.9M  25.0M   227M
     1394 Acrobat      1.6% 17:42.39   4    81   354  31.4M  57.8M  62.5M   242M
      338 Finder       0.8% 19:48.39   6   318   520  18.2M  43.0M  26.8M   258M
      467 UniversalA   0.4%  3:18.68   1    58    96   804K  4.88M  2.25M   143M
      189 loginwindo   0.4%  2:23.07   5   224   166  1.67M  8.06M  3.70M   136M
     1048 TextEdit     0.4%  1:48.07   2   119   207  5.12M+ 17.7M  9.14M+  167M
      119 update       0.4%  0:22.41   1     9    16    40K   336K   100K  17.6M
     1353 RealPlayer   0.0% 28:58.59   9   398   611  15.7M  28.9M  23.1M   216M
      937 Safari       0.0% 12:25.63   9   279   374  14.7M  35.4M  29.7M   258M
      811 RBrowser     0.0%  3:06.65   5   234   257  4.23M  23.8M  16.8M   169M

More Info: For more information on top and its arguments, open Terminal and enter man top.
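As an added example (not code from the lesson), the following POSIX shell script turns the ps-and-grep technique into reusable checks and adds the baseline comparison the lesson recommends once you know what normally runs on your system. The functions read ps -auxww-style output on standard input, so they can be exercised offline against the constructed sample below and used live by piping ps into them. The sample rows (including the trojanhorse entry) and the function names find_procs, is_running and unknown_procs are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the lesson. Both helpers read `ps -auxww`-style
# output on standard input so they run offline against the constructed sample
# below; on a live system pipe ps in, e.g.  ps -auxww | find_procs httpd

# Constructed sample of `ps -auxww` output (made-up rows, including one rogue
# process, for demonstration only).
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS  TT  STAT STARTED    TIME COMMAND
root      2003  0.0  0.3  31456  2844  ??  Ss   9:00AM  0:00.04 /usr/sbin/httpd
www       2012  0.0  0.0  31456   320  ??  S    9:00AM  0:00.01 /usr/sbin/httpd
root       117  0.0  0.0  27672   352  ??  Ss   Sat07PM 0:01.40 netinfod
localuser 2024  0.0  0.0  18644   100  std R+   9:00AM  0:00.00 grep -i httpd
localuser 2051  0.0  0.0  18644   100  ??  S    9:01AM  0:00.00 /tmp/.hidden/trojanhorse'

# find_procs PATTERN
# Print every row whose COMMAND column (field 11 onward) matches PATTERN,
# case-insensitively, skipping the header and the grep that would match itself.
find_procs() {
    awk -v pat="$1" '
        NR == 1 { next }                                  # column header
        {
            cmd = $11
            for (i = 12; i <= NF; i++) cmd = cmd " " $i   # rejoin COMMAND and its arguments
            if ($11 ~ /(^|\/)grep$/) next                 # the search process itself
            if (tolower(cmd) ~ tolower(pat)) print
        }'
}

# is_running PATTERN
# Exit 0 if at least one real process matches PATTERN, 1 otherwise; usable in
# scripts as  ps -auxww | is_running trojanhorse && echo "alert"
is_running() {
    find_procs "$1" | grep -q .
}

# unknown_procs "NAME NAME ..."
# Print the executable name of every process that is not in the space-separated
# baseline of names you built while learning what normally runs on the machine.
unknown_procs() {
    awk -v base="$1" '
        BEGIN { n = split(base, names, " "); for (i = 1; i <= n; i++) known[names[i]] = 1 }
        NR == 1 { next }
        {
            n = split($11, parts, "/")    # strip the directory, keep the executable name
            if (!(parts[n] in known)) print parts[n]
        }' | sort -u
}

# Demonstration against the constructed sample: run as  sh thisscript.sh demo
demo() {
    printf '%s\n' "$SAMPLE_PS" | find_procs httpd
    printf '%s\n' "$SAMPLE_PS" | unknown_procs "httpd netinfod grep"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Against the sample, find_procs httpd prints the two httpd rows and not the grep row, and unknown_procs reports only trojanhorse, which is the kind of entry worth investigating when it shows up against a baseline you trust. The self-match exclusion is what the lesson's second screen illustrates: without it, searching for a name that is not running still returns one hit, the grep itself.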