IDS mailing list archives

Re: Fingerprinting IDS sensors?


From: Jeremy Bennett <jeremyfb () mac com>
Date: Mon, 08 Jun 2009 08:11:55 -0700

It is always possible to determine if a site is protected by any kind of active defense, whether it is human or electronic. You do so by tickling it and eliciting a response. The nature of the response will tell you the nature of the defenses.

Now, can you determine if a site has an IDS? That depends on whether the IDS is monitored or not. If, like most IDS deployments, it is logging and only analyzed on rare occasions, then you probably won't be able to tell. If it is monitored actively, then you may be able to determine that based on tracking responses to probes over time.

If you mean IPS instead of IDS, the answer is easier. An IPS will actively interfere with traffic patterns, and you can find it by launching sample attacks at a target and watching for a response. An IPS that is blocking an attack will often send a TCP RST to both the attacker and the victim as part of blocking the traffic. Even if the IPS does not send you a RST, you can find it by the fact that you get no response at all from the victim. With sufficient profiles of a set of IPS, it would be possible to craft a tool that could identify which IPS is inline based on which attacks are blocked and how.

-J

On Jun 8, 2009, at 7:15 AM, Chen, Hao wrote:

Hi,

I'm wondering if it is possible for an attacker to know/be aware that a
target site has already had IDS products deployed? If yes, how? An
example would help. Thanks a lot!

Regards


