
Create a basic realtime intrusion detection system UNIX
Some of the guys on IRC channel #macintosh helped me to get this working. I wanted to find a way to view my firewall logs in realtime, without having to leave Console open and without using tail -f /pathto/log in a cramped Terminal window. Since BrickHouse (or just plain old ipfw) allows you to turn on logging for firewall rules, I wanted to put those specific entries into a separate logfile other than system.log, which captures other unrelated things. If I could output this new logfile to DesktopConsole, then I would have something close to a realtime intrusion alert system.

Read the rest of the hint to see how I accomplished this...

What I did is add a line to /etc/syslogd.conf which reads:
authpriv,remoteauth,ftp.none;kern.debug     /var/log/Firewall.log
That line sends the ipfw log entries (everything the kernel logs at debug level) to Firewall.log instead of system.log. Note that you can name the file whatever you like; just make sure the filenames match in all entries. I then did:
 % sudo touch /var/log/Firewall.log
That creates a blank logfile which syslogd will write its entries to. You will need to send syslogd a HUP signal (kill -HUP) so that it re-reads its configuration and the change takes effect. Remember to add some firewall rules, with logging enabled, if you want to see anything appear.

Now download DesktopConsole, which is an old app, but allows you to view logfiles right on top of your Desktop! Tell DesktopConsole to read /var/log/Firewall.log and voila, you can see possible intruders, SSH logins, etc., in realtime! While you're working on your Mac, you can see right away if anyone is trying to access your computer's services or if you're being portscanned. Example of my logfile:
Jun 26 13:57:42 47ronin mach_kernel: ipfw: 52040 Deny UDP 17.254.0.27:123 68.8.39.46:123 in via en0
Jul 1 15:39:24 47ronin mach_kernel: ipfw: 2008 Accept TCP 66.192.2.55:51353 68.8.39.46:22 in via en0
Jul 1 23:50:08 47ronin mach_kernel: ipfw: 52040 Deny TCP 205.158.183.111:36964 68.8.39.46:21 in via en0
Here is a portion of a screenshot showing what the hack and DesktopConsole can do for you. Notice the messages; they appear whenever someone triggers the firewall. Note: The logfile will grow in size over time, so you may need to delete it, and recreate it (using touch, see above). When you do so, you also need to restart syslogd for it to keep logging entries.
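As an added example that is not part of the original hint, here is a small Python parser for the ipfw log lines shown above that tallies inbound denies per source and flags any source that probes many distinct ports (the sort of thing you would want to notice while watching Firewall.log). The sample lines beyond the three from the hint, the made-up source 198.51.100.7, the scan threshold and the optional-port handling for protocols such as ICMP are my own constructions.

```python
import re
from collections import defaultdict

# Matches the ipfw log format shown above: syslog prefix, rule number, action,
# protocol, source, destination, direction and interface. Ports are optional so
# entries without them (assumed here for ICMP) do not break parsing.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ mach_kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

def parse_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def summarize(lines, scan_threshold=5):
    """Count inbound denies per source and flag sources that hit at least
    scan_threshold distinct destination ports (a crude portscan indicator)."""
    denied = defaultdict(int)
    ports_seen = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["dir"] != "in":          # only traffic arriving at this host
            continue
        if rec["action"] == "Deny":
            denied[rec["src"]] += 1
        if rec["dport"] is not None:
            ports_seen[rec["src"]].add(rec["dport"])
    scanners = {src for src, ports in ports_seen.items() if len(ports) >= scan_threshold}
    return dict(denied), scanners

# Constructed sample: the three lines from the hint, a made-up source (198.51.100.7)
# probing five ports, and one syslog line that is not an ipfw entry at all.
SAMPLE_LINES = [
    "Jun 26 13:57:42 47ronin mach_kernel: ipfw: 52040 Deny UDP 17.254.0.27:123 68.8.39.46:123 in via en0",
    "Jul 1 15:39:24 47ronin mach_kernel: ipfw: 2008 Accept TCP 66.192.2.55:51353 68.8.39.46:22 in via en0",
    "Jul 1 23:50:08 47ronin mach_kernel: ipfw: 52040 Deny TCP 205.158.183.111:36964 68.8.39.46:21 in via en0",
] + [
    "Jul 2 01:00:%02d 47ronin mach_kernel: ipfw: 52040 Deny TCP 198.51.100.7:4%d 68.8.39.46:%d in via en0"
    % (i, i, port) for i, port in enumerate((21, 22, 23, 25, 80))
] + ["Jul 2 01:01:00 47ronin last message repeated 3 times"]
```

Calling summarize(SAMPLE_LINES) returns the per-source deny counts and the set of suspected scanners; feed it the lines of Firewall.log to run it against real data.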

[Editor's note: With some work, you could probably create a cron task that rotates the logs automatically. Use the "daily" script in /etc as a starting point, as that's where the normal system logs are rotated.]

Comments (10)
HenWen NIDS?
Authored by: Mad Hatter on Jul 10, '02 08:58:20AM

I was looking around and found "HenWen" which seems to address some of the needs and concerns for helping monitor network traffic in addition to what ipfw and MacAnalysis or FireWalk X do.

It uses Snort (Network Intrusion Detection System - NIDS) to scan network traffic for suspicious activity.
HenWen is good
Authored by: mrgerbek on Jul 10, '02 11:18:54AM

Although your system works great, HenWen also works great, and can be used in conjunction with Guardian and other packages that can block 'evil doers' at the firewall if they are doing bad stuff. HenWen is just a repackaged version of Snort, and it's quite nice. You may have trouble getting to sleep after seeing what people are doing on your network.
A Lot of Work, But Free
Authored by: Spencerian on Jul 10, '02 12:33:19PM

Great hint for the hacker in all of us, but I'm still a "Mac app" guy at heart.

I've used NetBarrier from Intego (www.intego.com) on my Mac OS 9 system as a firewall before I moved to OS X. (OS 9 hasn't a firewall in its OS, as you may know.) Works great, and includes similar logging and intrusion features as in the tip, including sending an e-mail when it has been attacked. It maintains its own logs and archives them by your preferences.

Although BrickHouse is versatile, I'll probably get the Mac OS X version (available now) for two primary reasons: (1) BrickHouse is a bit more propellerhead in its configuration than I care for; NetBarrier was easier to configure, and (2) NetBarrier X does not use the ipfw of OS X, but its own code. In the unlikely event that someone learns to violate the OS X firewall, NetBarrier will not be as susceptible.
other firewalls (not ipfw)
Authored by: hayne on Jul 10, '02 01:16:39PM

I believe that 'ipfw' itself is merely an interface to the code that actually does the work - which is in the kernel. So, unless these other firewall utilities (that say they don't use 'ipfw') introduce their own kernel extension, the protection you get would be the same and would stand or fall with all others in the (extremely unlikely) event that the kernel firewall code was compromised. And if these other firewall utilities do introduce their own kernel extensions, that would be a cause for concern in itself as such code would likely be far less reliable than the standard kernel code.
other firewalls (not ipfw)
Authored by: Spencerian on Jul 11, '02 03:24:58PM

Thanks for the clarification. With that, I should say that NetBarrier is its own firewall code, independent of the OS X firewall code.
I use...
Authored by: scaryfish on Jul 10, '02 04:58:17PM
I use portsentry to watch for port scanning, in conjunction with logcheck/logsentry. Logcheck is basically a shell script that cron runs every hour which checks any log files you set it up to watch, and emails you a report of any suspicious activity. The nice bit is, if you're getting portscanned, portsentry will pick it up, add their IP to ipfw deny, and write it to a log file. Then logcheck will check the log file and email you to let you know what happened. You can get them both free from Psionic.
I use...
Authored by: bluehz on Apr 06, '03 12:56:50AM

I use all the psionic stuff too and it works great!
I use...
Authored by: amacaulay on Jul 14, '03 07:39:29AM

That link now redirects to the Cisco web site <sigh>
sentrytools
Authored by: gatorparrots on Feb 03, '04 03:38:31AM

http://sourceforge.net/projects/sentrytools/
DesktopConsole 2.0 is available
Authored by: cactusjack on Jul 11, '02 08:56:27AM
DesktopConsole 2.0 is available at http://www.matthewdrayton.com/desktopconsole/. It has strong AppleScript integration (both scriptable and recordable). This, when combined with osascript & cron, would make it really easy to rotate the logs.