IDS mailing list archives

Re: detecting "intrusion detection"


From: Ron Gula <rgula () tenablesecurity com>
Date: Wed, 05 Oct 2005 17:09:02 -0400

At 08:01 AM 10/3/2005, sumit.siddharth () gmail com wrote:
Hi list,
Is there any technique to detect if a particular machine is running an IDS, or if a network has implemented an IDS?
Thanks
Sid

There are several ways:

On the host side, if you have access to the system, you
may be able to find running processes, running daemons
and possibly evidence on the file system. Some Windows
'IDS/IPS' register their software just like other tools.

On the network side:

- there have been several tools (anti-sniff) that you
  can use to see if a host is sniffing as compared to
  the performance in response times from other systems
  around it.

- if the IDS/IPS is in TCP session 'kill' mode, you
  may see packets come from the device which can be
  fingerprinted. IntruShield TCP resets look different
  than ISS ones.

- The management consoles of various products can be
  fingerprinted. Nessus can detect Cisco RDEP, Enterasys
  Dragon and some other NIDS management protocols.

- If you really look at some in-line sessions, you
  can see how TCP sessions which contain "/cgi-bin/phf"
  just seem to vanish. Many NIPS will just drop the session,
  so you sniff two TCP sessions at the same time, and
  if the one with the odd traffic gets silently dropped,
  you may be able to see if it is an IPS. Of course, this
  could be the result of a web or firewall proxy.

- And lastly (we've had this problem with some of our
  Lightning Console customers) some of the IPSes out there
  have honeypot services. These are not true services,
  but they ping like a real IP, have open ports like a
  real web server, but fingerprint like some unknown
  OS. I haven't cataloged these yet, but my guess is
  the guys who don't expose their own TCP stack can be
  fingerprinted.

I'm sure there are others ....

Ron Gula, CTO
Tenable Network Security
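The second point above (an IPS in TCP 'kill' mode emits resets that can be told apart from the real endpoint's) is something a defender can audit in their own captures. The following is an added example, not code from Ron Gula's post or from any Tenable product: it walks a constructed packet list and flags RST segments that do not look like they came from the endpoint they claim to be from, using two assumed heuristics, a TTL that disagrees with the TTL that endpoint has shown earlier on the same flow, and the endpoint continuing to send data after its own supposed reset. The `Packet` record, the sample addresses and the `ttl_slack` tolerance are all constructed for the example.

```python
"""Audit a packet sequence for TCP resets that were probably injected by
an in-line device rather than sent by the endpoint's own TCP stack.

Constructed example; the Packet shape mimics the fields one would pull
from a pcap with any capture library, so the logic can be reused as-is.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Directional flow key: (src, sport, dst, dport).  Each direction of a
# connection gets its own baseline because each end has its own TTL.
Key = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flag letters, e.g. "S", "SA", "PA", "R", "RA"
    ttl: int            # IP TTL as observed at the capture point
    payload_len: int = 0


def _key(p: Packet) -> Key:
    return (p.src, p.sport, p.dst, p.dport)


def find_suspicious_resets(packets: List[Packet], ttl_slack: int = 2) -> List[Tuple[int, str]]:
    """Return (index, reason) for every RST that looks injected.

    Heuristic 1: the RST's TTL differs from the TTL this endpoint used on
    its earlier, non-RST packets by more than `ttl_slack` (routes can
    flap by a hop or two; a box one hop away with TTL 255 cannot hide).
    Heuristic 2: the endpoint keeps sending ordinary segments on the same
    flow after the RST, which a stack that really reset would not do.
    """
    baseline: Dict[Key, int] = {}       # first TTL seen per direction
    findings: List[Tuple[int, str]] = []
    for i, p in enumerate(packets):
        k = _key(p)
        if "R" not in p.flags:
            baseline.setdefault(k, p.ttl)
            continue
        if k not in baseline:
            # e.g. RST answering a SYN to a closed port: nothing to compare
            # against, so it is not flagged by this audit.
            continue
        ref = baseline[k]
        if abs(p.ttl - ref) > ttl_slack:
            findings.append((i, f"RST TTL {p.ttl} differs from endpoint's TTL {ref}"))
            continue
        later = [q for q in packets[i + 1:] if _key(q) == k and "R" not in q.flags]
        if later:
            findings.append((i, "endpoint keeps sending after its own 'RST'"))
    return findings


# Constructed sample: client C talks to web server S; the capture point
# sees S at TTL 54.  Flow B gets a reset from a device one hop away
# (TTL 254); flow C gets a reset whose TTL happens to match, so only the
# "keeps talking" rule catches it.  Flow A ends with a genuine RST.
C, S = "10.0.0.5", "203.0.113.10"
SAMPLE: List[Packet] = [
    Packet(C, 40001, S, 80, "S", 64),                # 0  flow A
    Packet(S, 80, C, 40001, "SA", 54),               # 1
    Packet(C, 40001, S, 80, "A", 64),                # 2
    Packet(C, 40001, S, 80, "PA", 64, 120),          # 3
    Packet(S, 80, C, 40001, "RA", 54),               # 4  genuine reset
    Packet(C, 40002, S, 80, "S", 64),                # 5  flow B
    Packet(S, 80, C, 40002, "SA", 54),               # 6
    Packet(C, 40002, S, 80, "A", 64),                # 7
    Packet(C, 40002, S, 80, "PA", 64, 200),          # 8
    Packet(S, 80, C, 40002, "R", 254),               # 9  injected, wrong TTL
    Packet(S, 80, C, 40002, "PA", 54, 500),          # 10 server never saw it
    Packet(C, 40003, S, 80, "S", 64),                # 11 flow C
    Packet(S, 80, C, 40003, "SA", 54),               # 12
    Packet(C, 40003, S, 80, "PA", 64, 64),           # 13
    Packet(S, 80, C, 40003, "R", 54),                # 14 injected, TTL matches
    Packet(S, 80, C, 40003, "PA", 54, 300),          # 15
]

if __name__ == "__main__":
    for idx, why in find_suspicious_resets(SAMPLE):
        print(f"packet {idx}: {why}")
```

Run against a real capture, the same two rules separate an IPS's session kills from the server's own resets; the TTL rule is cheap and catches most in-line boxes, while the "keeps talking" rule needs the rest of the flow and also covers devices whose hop distance matches the real endpoint.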
