# Intrusion detection



## bbloke (May 9, 2006)

I'm sure many will have heard of Network Intrusion Detection Systems (NIDS), the most famous of which is probably Snort.  Many may also have heard of HenWen, which is a front end for running Snort on OS X.  Well, I've now come across a different NIDS, named "serverM."

I was wondering if anyone had any experiences with any of the above, and which looks the better setup.  This thread may only be for the truly paranoid, of course!


----------



## Amie (May 9, 2006)

bbloke said:
			
		

> I'm sure many will have heard of Network Intrusion Detection Systems (NIDS), the most famous of which is probably Snort.  Many may also have heard of HenWen, which is a front end for running Snort on OS X.  Well, I've now come across a different NIDS, named "serverM."
> 
> I was wondering if anyone had any experiences with any of the above, and which looks the better setup.  This thread may only be for the truly paranoid, of course!



"Greetings, and thank you for posting this!," said one paranoid Mac user to another. 

I, too, am curious to read the replies.


----------



## Amie (May 9, 2006)

P.S. I guess I don't really need to worry about needing any of said spyware programs, since I never have any ports open. I always have my firewall on and sharing turned off. So, these programs aren't necessary for me, right?


----------



## Amie (May 9, 2006)

There also another similar program called SAM Jr.: http://macupdate.com/info.php/id/17837.


----------



## bbloke (May 9, 2006)

Amie said:
			
		

> "Greetings, and thank you for posting this!," said one paranoid Mac user to another.
> 
> I, too, am curious to read the replies.


 Hi, Amie.  

I'm always happy to add to the discussion on security.  I had a bit of a shock a few years ago at work when seeing how the usual "out of sight, out of mind" attitude didn't negate the fact that there were often attempts where people tried to get into our machines (which weren't Macs, by the way).



			
				Amie said:
			
		

> P.S. I guess I don't really need to worry about needing any of said spyware programs, since I never have any ports open. I always have my firewall on and sharing turned off. So, these programs aren't necessary for me, right?


 I think spyware is not such a risk right now, but, if you're concerned, have a look at the SecureMac.com web site, and, in particular, you can try MacScan.

Not having ports open is a good thing.  As a general rule, if you don't need a service (eg. FTP, ssh, etc.) don't switch it on!  Having your firewall switched on is also a good thing.  If you want to test what your computer looks like to hackers, you can visit sites such as Shields UP!, although there are others too.  Also, if you can use your machine behind a router, preferably one that does network address translation (NAT) and uses port forwarding, that would be even better.

The NIDS programs listed above are basically like burglar alarms.  They're not necessarily about spyware, they're about looking for important files being changed in a way it shouldn't be, or signs of people trying to get in.

If you're really concerned, it is also possible to restrict which users are allowed access to your machine, what they can access, and which IP addresses they can contact you from.  This all requires a bit of fiddling using the Terminal, though, so it depends on how happy you are doing that.


----------



## Amie (May 11, 2006)

bbloke said:
			
		

> Hi, Amie.
> 
> I'm always happy to add to the discussion on security.  I had a bit of a shock a few years ago at work when seeing how the usual "out of sight, out of mind" attitude didn't negate the fact that there were often attempts where people tried to get into our machines (which weren't Macs, by the way).
> 
> ...



I just went to the Shields UP! link that you posted above. I was so interested and intrigued about doing such a test. And then I changed my mind after I read the Web page. It, in and of itself, scares me and makes me paranoid. "Probing your computer system ... gathering information about your IP and computer ... you give formal permission for us to probe ..." Oh, heck no. I don't know these people. lol


----------



## nixgeek (May 11, 2006)

Huh-huh-huh....you said..."probe"...

Sorry, I couldn't resist.

Yeah, after seeing this thread and following the link to ShieldsUp on my Ubuntu laptop, I realized that I'm pretty much OK according to them.  The only thing that came up was SMTP and POP3, but I believe that's because it's only running the mail service internally to inform me about system changes or anything like that (typical in Linux and other Unix operating systems).  It's probably running for localhost on my end.

Just thought I would share that.


----------



## Amie (May 11, 2006)

nixgeek said:
			
		

> Huh-huh-huh....you said..."probe"...
> 
> Sorry, I couldn't resist.
> 
> ...



But ... but ... but I was quoting THEM. THEY said "probe," not me! 

Did you run their tests on your computer? In other words, did you let them probe you? lol Is your computer infected now? 

I would like to run the tests, but I don't know these people. Could be a bogus Web site. I nothing about this person/company. Does their tests leave any "residue" on your computer? Do you have to worry about uninstalling stuff after the test is complete?


----------



## bbloke (May 12, 2006)

Amie said:
			
		

> But ... but ... but I was quoting THEM. THEY said "probe," not me!


Don't worry Amie, I think you're very wise for not letting random strangers probe you!   Hehehehe   

Erm, back to the plot!



> Did you run their tests on your computer? In other words, did you let them probe you? lol Is your computer infected now?
> 
> I would like to run the tests, but I don't know these people. Could be a bogus Web site. I nothing about this person/company. Does their tests leave any "residue" on your computer? Do you have to worry about uninstalling stuff after the test is complete?


I can understand your wariness, and think that is not a bad thing.  Shields UP! seems to be quite a well known site, and I have used them in the past when I've changed things.  I've not had any problems afterwards.

If you want more information in general, InformationWeek wrote an article on computer security that mentions Shields UP!, and Wikipedia has an article on computer security which mentions Shields UP! as well.  There is another "Security Check" page which lists some URLs for other online security audits, which include groups such as Symantec, which you have most likely heard of.

Hopefully some of this might be useful!


----------



## Amie (May 12, 2006)

Thanks so much for the info. Much appreciated. I will check into that later. Right now, I have bigger fish to fry. See my recent post on Mozilla Add-ons and Flash Player problems. Sucks. I don't know what to do.


----------



## bbloke (May 17, 2006)

I'm glad I could be of help.   It also occurred to me that, if you're worried, you might also be interested in a little AppleScript (if you don't like checking things in the Terminal or Console) which quickly checks for failed attempts to login to your machine:

http://homepage.mac.com/jonn8/as/html/FailedPWAttempts.html

Sorry to hear about your Flash issues.  I hope you get them sorted soon.


----------



## Amie (May 17, 2006)

Oh, I'm not worried about failed attempts to login to my computer. I have a laptop, and it's always with me.


----------

