Re: detecting "intrusion detection"

[barcajax () gmail com]

The monitoring interfaces on IDSs are running promiscuously so pinging or scanning them won't work. You have to look 
for promiscuous interfaces in the network but finding the existence of them does not necessarily confirm the presence 
of an IDS. It could be some other device that also has its interface in promiscuous mode.
Alternatively, you might want to try discovering the management interface of the IDS. This however might be difficult 
as some deployments have their management interfaces in a separate isolated management segment that might not have 
Internet access. Even if you do have access to the management segment, you need to know the port numbers used by every 
single IDS vendor out there in the market to correctly guess which IDS product is present.

barcajax

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------