Host-based IDS/IPS for MAC OSX?

Paul Boz · August 2010

Does anyone know of a host-based IDS for MAC OSx, either open-source or commercial? I know about OSSEC but it doesn't have integrated AV, firewall, or anything like that. Ideally I'd like a centrally managed endpoint protection suite with host-based IDS and anti-virus at a minimum. host firewall would be ideal.

BTW I got a new job, so I'll have to make a thread about that sooner than later.

veritas_libertas · August 2010

Yeah, I saw that on LinkedIn. I'm very interested in hearing about it

NightShade03 · August 2010

Paul Boz wrote: »

Does anyone know of a host-based IDS for MAC OSx, either open-source or commercial? I know about OSSEC but it doesn't have integrated AV, firewall, or anything like that. Ideally I'd like a centrally managed endpoint protection suite with host-based IDS and anti-virus at a minimum. host firewall would be ideal.

You want all this....for a MAC ?!

You probably aren't likely to find such a setup as the OSX dept is lacking when it comes to security and security software. You could use a few different technologies for UNIX and "roll your own", but that throws central management out the window.

Michael.J.Palmer · August 2010

Your first mistake was buying a MAC,

. My experience with Macs through the years are that they're overpriced pieces of junk, sorry for you Apple fanboys, but even you know it's true deep down. I don't think there's much of a choice when it comes to central function with Macs, let us know if you do come across something though.

Paul Boz · August 2010

I didn't buy a mac, doofus. It's a work question. I wouldn't need a host based IDS if it was my computer because I have a NIDS at home.

Michael.J.Palmer · August 2010

Thought you were like me and had some home projects that might require such questions,

.

veritas_libertas · August 2010

Paul Boz wrote: »

I didn't buy a mac, doofus. It's a work question. I wouldn't need a host based IDS if it was my computer because I have a NIDS at home.

Ouch, LOL!

Hyper-Me · August 2010

That kind of tech on a Mac? Security on OSX?

LOL

dynamik · August 2010

You might want to check out something like this to help you with centralized management: Active Directory Integration for Mac OS X

I actually used this previously: Active Directory Integration for Mac OS X, but it was at a very high level and security wasn't the focus at the time. I just found that first one while Googling. It looks like a more robust product, but honestly, I haven't played with the latter one in years, so it might be comparable.

It looks like you're stuck with OSSEC as far as HIDS go. Doofus.

Paul Boz · August 2010

I'm just going to put them on a shared segment and put a NIPS in front of it, problem solved. Doofus.

MentholMoose · August 2010

Hyper-Me wrote: »

That kind of tech on a Mac? Security on OSX?

LOL

I know! Macs are inherently secure and thus need no added security.

Ahriakin · August 2010

MentholMoose wrote: »

I know! Macs are inherently secure and thus need no added security.

Ah yes, the semi-geek equivalent of a redneck saying "Hey Y'all, watch this!"

Michael.J.Palmer · August 2010

Ahriakin wrote: »

Ah yes, the semi-geek equivalent of a redneck saying "Hey Y'all, watch this!"

This is by far the quote of the day for me,

.

TiggerzMac · February 2014

I got a good chuckle from reading this thread, clearly you guy's dont have a Mac!
Or you would know that these firewall rule's, stop everything bad from happening!

add 01000 allow ip from any to any via lo*
add 01100 deny ip from 127.0.0.0/8 to any in
add 01200 deny ip from any to 127.0.0.0/8 in
add 01300 deny ip from 224.0.0.0/3 to any in
add 01400 deny tcp from any to 224.0.0.0/3 in
add 01500 allow tcp from any to any out
add 01600 allow tcp from any to any established
add 01700 allow icmp from any to any icmptypes 0,3,8,11
add 01800 deny icmp from any to any
add 01900 deny tcp from any to any tcpflags syn,fin
add 01910 deny tcp from any to any tcpflags syn,rst
add 01920 deny tcp from any 0 to any
add 01930 deny tcp from any to any dst-port 0
add 01940 deny udp from any 0 to any
add 01950 deny udp from any to any dst-port 0
add 01960 deny ip from 224.0.0.0/4 to any in
add 01970 deny ip from 0.0.0.0/8 to any
add 33300 deny icmp from any to me in icmptypes 8
add 65534 deny tcp from any to any
add 65535 allow ip from any to any

A tool for serious / experienced network administrators.

Mac OSX is a Server not just a Desktop!

Although in some respects it proprietry crap because you have to hack your own upgrades with developer options if you want stuff to be up-to date. But it's based on the Berkley Secure Daemon and allow's Kerberos extensions with the Kernel or heart of the Operating System if you will. BSD & Linux firewall's Rock and the Upgrades are free because there Open Source!

And you Guys have a great deal to Learn! LOL

docrice · February 2014

Wow, a 3.5 year old thread resurrected. I think the original question was for a host-based IDS, not just a host-based firewall.

TiggerzMac · February 2014

In answer to that it Runs Honeyd... LMAO

That would be availble via Mac ports but you need the XCode developer toolkit installed to install Mac Ports.

I couldnt resist necroin this thread from the dead when I realised how little you know about IDS - IPS

I imagine it probably runs acidbase too! If your really that interested in Learning!

Windows proprietary you can't do anything with it, it really is crap!

Mac proprietary you can do something with it though, because they stole bits of it from freeBSD.
Early versions 10.4 to 10.5 use the IPFW - Later versions dropped this and replaced it with something else...

Which I dont and wont use because I dont like it when developers go changing features to replace them with something I have never heard of. That's how things get Broken & Borked!

Linux Open Source do what you want with it. BSD Open Source do what you want with it.
BSD Kernel uses IPFW (+Chroot Jail Cells) - Linux Kernel uses IPTABLES (+Security Enhanced)
Windows NTKernel use's - erm yeah! (Nothing!)

On Windows it's kind of bolted on! Plug & Pray!

Recently with all the stuff in the news about how Spy Agencies subvert technology to breach it's security, you should have realised a long time ago what your PKI - Public Key Infrastructure is actually for.

That's why Open Source maintainers distribute there platforms with there own Security Keys & Why your hardware vendor is Closed source, so you dont know what that device is going to really do when you plug it in!

Why did you think the Standard of 64bit suddenly dropped to 32bit Windows?! Then years later it changes and morph's as if by Magic back into 64Bit!

Hackers the Movie "Yeah RISC Chips are awesome!" - That would be Sun SPARC or Sun Blade RISC Hardware.. all 64Bit!

PATA - SATA - Screw that how about Duel Channel Fiber Optic transfer FC-AL - RAID Storage!

Theres the Hackers Gibson Baby!

If your looking for absolutely disgusting power and speed, a Windows 32bit i386 - i686 with a closed source nVidia graphics card wont give it to you, although they'll lie to you and tell you it can!

"Wait a moment, what is this pile of Crud I see before me with Glowing Lights and closed Source GPU? Is this your Alienware!?"
"Isnt it cool how your Xeon processor does exactly what my Blade does with four CPU modules, not one consolidated down into one Processor!"

TiggerzMac · February 2014

Want me to really blow your mind in terms of security, well heres what you do you host all your Cloud Data internally on your server, then you host the DNS relay on this old Games Console hacked running Slackware with IPTABLES and Bind9 then you feed all the internal traffic to your internal apache server configured to run in Chroot and host your active server pages or your dynamic content.

Then you distribute windows to every workstation everywhere else and have no external connection to the internet, removing all the CA-Cert certificates implanted by other neferious organisations. Replacing them with your own signed private and public keys.

Now everybody on the network can use Windows & Kerberos, an send little messages and viruses to each other with my Blessings!

And nobody else can get into the Server to fudge it all up!

Want Facebook, twit-face and the latest Gossip, play with your Spy Phone on your lunch break or at home, thats what it's for!

Here you are, this Windows Workstation was made for you, these are your Authentication Tickets and your OTP (One Time Password) do enjoy yourselves, this level is all for you.. The Server Rack is off limit's and thats all "MINE!"

Because as far as I am concerned too many people have gotten away with there blagging and bullshit in this industry for far too Long... SEO - Search engine optimisation! Biggest load of bullshit you'll ever hear, do you know how you optimise your website with a search engine??? With META-TAG's that's what those DO!

You see them everyday, in Suit's and tie's when every geek worth there salt is walking around in Jeans and trainers... then you attend there seminar and listen to some guy repudiate the bullshit he heard from someone else equally clueless who attended another seminar run by another money grabbing twat!

I've been inside tier 1 and tier 4 providers and one place I worked was for an ISP pulling support for the telephones.. whilst walking over ethernet cables, ducking under them too... An the whole setup was three towers... Not Rack Space I mean desktop Towers with IDE Disk's running the entire show behind a cisco firewall and load of ethernet switches with it all backed onto windows XP! Integrated System's security.. LoL yeah, that must have been why they had so many customers right before they went Bust!

TiggerzMac · February 2014

All the crap and crud coming into your PC is coming straight from the Advertising Providers...Lets have a look at those security certificates shall we..America online.. No dont need you so why are you in here? Turk's Trust.. No dont need you so why are you in here? DoD Department of Defence.. No dont need you either so why the fsck are you in here? Delete.. Delete.. Delete.. Problem solved, not attached to any external rubbish.. No viruses.. email and egress handling all taken care of by the Stack and swept for viruses before it reaches there inbox. Antivirus? what do i need that on a workstation not attached to the internet for? When you go online and your PKI is filled with certificates to other providers, then of course those providers will distribute malware and lock you into there restrictive licence agreement! But I am ok with that, because there's nothing in there Licence that says I may not completely delete them out of the system afterwards! Not content with people getting wise to it and trying to block there advertising they devise a new more insidious method. Behold, the marvel of Android, locked into one of the biggest Advertising Conglomerates in the World, coupled in tandem with the government at the hip, so if you thought you'd taken care of all that invasive intrusive advertising, think again! Because now they're targetting children and everyone else with smart-phones to do exactly the same thing! An what all these money grabbing idiots fail to understand is you dont need to take a course on how to learn about Computer Science or Computer Security, not if your a developer because what they FAIL to understand is, we, all, open a book and start reading from page one!An just so we're all clear, I can't stream a movie to you or copy my latest CD to disk, because thats in Violation of the EULA and DMCA but it's perfectly ok for the rest of these butt-holes to shovel there sh** in our face 24/7!

Google = Sh** shoveller
Microsoft = Sh** shoveller
Yahoo = Sh** shoveller
AOL = Sh** shoveller
Amazon = Sh** shoveller

An for anyone I happened to leave out (Like eBay & Paypal).. Here's looking at you!

I AM LOOKING AND I SEE YOU ARE NAKED, I AM GOING TO **** YOU!

EngRob · February 2014

Shia LaBeouf?

TiggerzMac · February 2014

what about him, yes he's a good actor but that doesnt mean i want to see his ball's and ego streached out on my technology! this is tech stuff if you dont get it then go play with the children on the swings there more your speed! Hollywood proliferates there wisdom, there technical know how... But something far greater is waiting for you! it's called Kid's pissed off with the Status quo! they're anonymous and legion and there crawling in your pipe!Are you a Government Stool Pidgeon?Are you a twat with a Hyper-technology threaded CPu?Don't know how to benchmark your own Crap? then perhaps you need to learn!?! All your tech come's from a single source that blames you when problems happen.. AriN oh yeah a tCP/ip that never does a ping back but there fine with a whois...Your a cheeky fucker that need's a face palm!