IDS mailing list archives
Re: Fingerprinting IDS sensors?
From: Jamie Riden <jamie.riden () gmail com>
Date: Mon, 8 Jun 2009 15:48:00 +0100
2009/6/8 Chen, Hao <chenhao927 () gmail com>:
Hi, I'm wondering if it is possible for an attacker to know/aware that a target site has already had IDS products deployed? If yes, how? An example would help, Thanks a lot! Regards
Typically an IDS would be running in completely passive mode and thus should be undetectable - at least it should properly be called an Intrusion *Prevention* System if it's not. I can't think of any way of fingerprinting the last snort IDS I configured except by observing the actions of the analyst who checks the alerts :)

It should be easy to fingerprint an IPS by seeing what kind of attacks get blocked, e.g. sp_respond on snort can send some fake TCP RST packets which you could check for. snort_inline you could also potentially fingerprint by trying various attacks that should get blocked using the default rulebase and then seeing if variations get blocked. You may need access to a range of different IPS systems to write your fingerprints with though, and modification from the factory settings might invalidate the fingerprinting technique.

cheers,
Jamie
--
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
http://www.ukhoneynet.org/members/jamie/