It's midnight on a Monday. A quick look at the logs (covered in Chapter 19, "Logs and User Activity Accounting") on your Mac OS X computer shows the following lines occurring within the span of 15 minutes:
SHELLCODE x86 inc ebx NOOP
ICMP Destination Unreachable (Host Unreachable)
NETBIOS NT NULL session [arachnids 204] [cve CVE-2000-0347] [bugtraq 1163]
ICMP Destination Unreachable (Undefined Code!)
ICMP Destination Unreachable (Port Unreachable)
SNMP public access udp [cve CAN-2002-0013] [cve CAN-2002-0012]
WEB-IIS fpcount access [bugtraq 2252]
WEB-CGI calendar access
Portscan detected from 184.108.40.206: 21 targets 21 ports in 8 seconds
Portscan detected from 220.127.116.11: 6 targets 6 ports in 2 seconds
Portscan detected from 18.104.22.168: 21 targets 21 ports in 7 seconds
Portscan detected from 22.214.171.124: 6 targets 6 ports in 1 seconds
Portscan detected from 126.96.36.199: 20 targets 21 ports in 9 seconds
Portscan detected from 188.8.131.52: 1 targets 21 ports in 3 seconds
WEB-FRONTPAGE shtml.dll access [arachnids 292]
What's happening? Is this the launch of a massive attack on your network? Possibly, but not necessarily. In fact, the previous lines were taken from my machine logs at midnight on a Monday, but they are typical of what one might see on a low-traffic public network.
While your computer goes about its business every day, it is being subjected to poking and prodding by external machines. Even though many of these attacks have little meaning on Mac OS X, the ability to log and react to them can mean increased protection for your entire network, even those legacy Windows machines you keep around for solitaire.
Intrusion Detection Systems (IDSs) enable you to detect and react to attacks as they are occurring, and before they take down your systems. By recognizing how various attacks are constructed, intrusion detection software can classify the attack type, risk, and, if necessary, dynamically build firewall rules to block any further communications with the attacker.
THIS SOUNDS TOO GOOD TO BE TRUE. WHY AREN'T IDSS USED INSTEAD OF TRADITIONAL FIREWALLS?
Intrusion Detection is not an exact process; it relies on matching known attack signatures against incoming activity, the equivalent of criminal profiling. Unfortunately, signatures can match both malicious and benign activity, resulting in false positives. Running an effective IDS requires tweaking and fine-tuning to minimize the number of false alerts.
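The classify-then-tune step described above, as an added example (not code from the book or from any IDS): it groups alert messages of the kind shown in the log excerpt by rule family and totals portscan activity per source before anything is considered for blocking. The sample lines, the triage function and its min_targets threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the style of the alert excerpt above; the addresses
# are RFC 5737 documentation ranges, not hosts from the original log.
SAMPLE = """\
SHELLCODE x86 inc ebx NOOP
ICMP Destination Unreachable (Host Unreachable)
NETBIOS NT NULL session [arachnids 204] [cve CVE-2000-0347] [bugtraq 1163]
SNMP public access udp [cve CAN-2002-0013] [cve CAN-2002-0012]
WEB-CGI calendar access
Portscan detected from 192.0.2.10: 21 targets 21 ports in 8 seconds
Portscan detected from 198.51.100.7: 6 targets 6 ports in 2 seconds
Portscan detected from 192.0.2.10: 20 targets 21 ports in 9 seconds
Portscan detected from 203.0.113.5: 1 targets 21 ports in 3 seconds
"""

SCAN = re.compile(r"Portscan detected from (\S+): (\d+) targets (\d+) ports in (\d+) seconds$")
REF = re.compile(r"\[(\w+) ([^\]]+)\]")  # e.g. [cve CAN-2002-0013]


def triage(text, min_targets=10):
    """Summarise alert messages; min_targets is an assumed tuning threshold."""
    families = Counter()   # alerts per rule family (first word of the message)
    refs = set()           # (database, id) pairs cited by the signatures
    scans = {}             # source -> [alert count, total targets, max ports]
    for line in filter(None, map(str.strip, text.splitlines())):
        m = SCAN.match(line)
        if m:
            families["PORTSCAN"] += 1
            targets, ports, _secs = map(int, m.group(2, 3, 4))
            entry = scans.setdefault(m.group(1), [0, 0, 0])
            entry[0] += 1
            entry[1] += targets
            entry[2] = max(entry[2], ports)
        else:
            families[line.split()[0]] += 1
            refs.update(REF.findall(line))
    # Flag only sources whose combined scans reached the threshold, so a
    # single small probe does not turn into a block rule by itself.
    review = sorted(s for s, e in scans.items() if e[1] >= min_targets)
    return {"families": families, "refs": refs, "scans": scans, "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE)
    for family, count in result["families"].most_common():
        print(f"{count:3d}  {family}")
    print("review before blocking:", ", ".join(result["review"]))
```

Lowering min_targets flags every scanning source and raising it flags fewer, which is the false-positive trade-off that tuning has to settle.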
IDS development is still in its infancy, but is proving to be a promising new area of network technology development. Whereas commercial systems sell for thousands of dollars, we'll take a look at a few different Open Source solutions for Mac OS X that can be deployed on your network for free.