IDS mailing list archives

Re: Fingerprinting IDS sensors?


From: Jamie Riden <jamie.riden () gmail com>
Date: Mon, 8 Jun 2009 15:48:00 +0100

2009/6/8 Chen, Hao <chenhao927 () gmail com>:
> Hi,
>
> I'm wondering if it is possible for an attacker to know/be aware that a
> target site has already had IDS products deployed? If yes, how? An
> example would help. Thanks a lot!
>
> Regards

Typically an IDS would be running in completely passive mode and thus
should be undetectable - at least it should properly be called an
Intrusion *Prevention* System if it's not.

I can't think of any way of fingerprinting the last snort IDS I
configured except by observing the actions of the analyst who checks
the alerts :)

It should be easy to fingerprint an IPS by seeing what kind of attacks
get blocked, e.g. sp_respond on snort can send some fake TCP RST
packets which you could check for. snort_inline you could also
potentially fingerprint by trying various attacks that should get
blocked using the default rulebase and then seeing if variations get
blocked. You may need access to a range of different IPS systems to
write your fingerprints with though, and modification from the factory
settings might invalidate the fingerprinting technique.

cheers,
 Jamie
-- 
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
http://www.ukhoneynet.org/members/jamie/
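The reply above draws the line between a passive sensor, which leaves nothing on the wire, and an active-response system, which does. The following is an added example (not from this thread, and not Snort's own code) written from the operator's side: given captured TCP segments from a sensor's own test traffic, it flags RST segments whose IP TTL does not match the TTL that host has been using for the rest of the connection, which is how a spoofed reset from an inline or sniffing device at a different hop distance gives itself away. The packet records are constructed for the example, and the heuristic assumes the capture point sees both directions of the flow.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    """Minimal view of one TCP segment (constructed records, not a real capture)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # subset of "SAPFR", e.g. "SA" for SYN/ACK, "RA" for RST/ACK
    ttl: int     # IP TTL as observed at the capture point
    seq: int


# One direction of a flow: the sending host's (addr, port) and the receiver's (addr, port).
Direction = Tuple[str, int, str, int]


def _direction(p: Pkt) -> Direction:
    return (p.src, p.sport, p.dst, p.dport)


def find_suspect_rsts(pkts: List[Pkt]) -> List[Tuple[int, str]]:
    """Return (packet index, reason) for RST segments that are inconsistent with the
    flow they claim to belong to.

    Heuristic: a host's TTL is stable within one connection, so a RST that arrives
    with a different TTL than the earlier segments from the same (addr, port) pair
    was most likely generated by another device. A RST for which no earlier segment
    from that direction was seen (e.g. a closed-port reset) cannot be judged and is
    left alone.
    """
    flow_ttl: Dict[Direction, int] = {}
    findings: List[Tuple[int, str]] = []
    for i, p in enumerate(pkts):
        d = _direction(p)
        if "R" in p.flags:
            if d not in flow_ttl:
                continue  # no baseline for this direction; cannot judge
            if p.ttl != flow_ttl[d]:
                findings.append((i, f"ttl {p.ttl} differs from flow ttl {flow_ttl[d]}"))
            continue
        # First non-RST segment in this direction sets the baseline TTL.
        flow_ttl.setdefault(d, p.ttl)
    return findings


def active_response_is_observable(pkts: List[Pkt]) -> bool:
    """True if at least one RST looks like it was injected rather than host-originated."""
    return bool(find_suspect_rsts(pkts))


# Constructed sample: a client (TTL 64 at the capture point) talking to a server
# whose segments arrive with TTL 54. Flow 1 gets a reset that claims to be from the
# server but carries TTL 64; flows 2 and 3 show genuine resets that must not be flagged.
SAMPLE: List[Pkt] = [
    Pkt("10.0.0.5", 40000, "192.0.2.10", 80, "S", 64, 1000),
    Pkt("192.0.2.10", 80, "10.0.0.5", 40000, "SA", 54, 5000),
    Pkt("10.0.0.5", 40000, "192.0.2.10", 80, "A", 64, 1001),
    Pkt("10.0.0.5", 40000, "192.0.2.10", 80, "PA", 64, 1001),
    Pkt("192.0.2.10", 80, "10.0.0.5", 40000, "RA", 64, 5001),  # TTL 64, not the server's 54
    Pkt("10.0.0.5", 40001, "192.0.2.10", 81, "S", 64, 2000),
    Pkt("192.0.2.10", 81, "10.0.0.5", 40001, "RA", 54, 0),     # closed port: no baseline, not judged
    Pkt("10.0.0.5", 40002, "192.0.2.10", 80, "S", 64, 3000),
    Pkt("192.0.2.10", 80, "10.0.0.5", 40002, "SA", 54, 7000),
    Pkt("192.0.2.10", 80, "10.0.0.5", 40002, "RA", 54, 7001),  # host-originated reset, consistent TTL
]


if __name__ == "__main__":
    for idx, why in find_suspect_rsts(SAMPLE):
        print(f"packet {idx}: {why}")
    print("active response observable:", active_response_is_observable(SAMPLE))
```

Run against a capture of a rule-triggering test session, this tells an operator whether their own active response is distinguishable from a reset the server would have sent itself; a TTL mismatch is one of several tells (IP ID and TCP window patterns are others), so a clean result here is necessary but not sufficient.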