IDS mailing list archives

Re: detecting "intrusion detection"

From: Krzysztof Cabaj <kcabaj () gmail com>
Date: Wed, 5 Oct 2005 22:43:27 +0200

Hi,

Is there any technique to detect if a particular machine is running an IDS or if a network
has implemented IDS.

It depends how IDS is configured. For e.g. if IDS check suspicious
machine name using DNS or send RST packet, you could send packet with
forged address and look for potential IDS response. You could also
check if machine has network adapter in promisious mode (send forged
packet with IP of sensor and other MAC address).

But those are only some evidences that this machine is running IDS.
Sometimes this could be very hard or even impossible.

Best regards,
Krzysztof (Christopher) Cabaj

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

Current thread:

detecting "intrusion detection" sumit . siddharth (Oct 05)
- Re: detecting "intrusion detection" Krzysztof Cabaj (Oct 06)
- Re: detecting "intrusion detection" Ron Gula (Oct 06)
- <Possible follow-ups>
- RE: detecting "intrusion detection" Biswas, Proneet (Oct 06)
- Re: detecting "intrusion detection" barcajax (Oct 06)