IDS mailing list archives
Re: detecting "intrusion detection"
From: Ron Gula <rgula () tenablesecurity com>
Date: Wed, 05 Oct 2005 17:09:02 -0400
At 08:01 AM 10/3/2005, sumit.siddharth () gmail com wrote:
Hi list,

Is there any technique to detect if a particular machine is running an IDS or if a network has implemented IDS?

Thanks
Sid
There are several ways:

On the host side, if you have access to the system, you may be able to find running processes, running daemons and possibly evidence on the file system. Some Windows 'IDS/IPS' register their software just like other tools.

On the network side:

- There have been several tools (anti-sniff) that you can use to see if a host is sniffing as compared to the performance in response times from other systems around it.
- If the IDS/IPS is in TCP session 'kill' mode, you may see packets come from the device which can be fingerprinted. IntruShield TCP resets look different than ISS ones.
- The management consoles of various products can be fingerprinted. Nessus can detect Cisco RDEP, Enterasys Dragon and some other NIDS management protocols.
- If you really look at some in-line sessions, you can see how TCP sessions which contain "/cgi-bin/phf" just seem to vanish. Many NIPS will just drop the session, so you sniff two TCP sessions at the same time, and if the one with the odd traffic gets silently dropped, you may be able to see if it is an IPS. Of course, this could be the result of a web or firewall proxy.
- And lastly (we've had this problem with some of our Lightning Console customers), some of the IPSes out there have honeypot services. These are not true services, but they ping like a real IP, have open ports like a real web server, but fingerprint like some unknown OS. I haven't cataloged these yet, but my guess is the guys who don't expose their own TCP stack can be fingerprinted.

I'm sure there are others ....

Ron Gula, CTO
Tenable Network Security
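The "two sessions, one vanishes" technique from the reply above, written out as an added example (this is editor-supplied code, not Ron Gula's or Tenable's). It opens two separate TCP sessions to the same web server, sends a benign request over one and a request containing the old "/cgi-bin/phf" signature over the other, and classifies each outcome: answered, reset (RST arrived, as from a TCP-kill device), or vanished (session accepted, then silence until the timeout). To run offline it includes a constructed stand-in server that behaves like a web server behind a silent-drop IPS; the paths, timeouts and the mock are assumptions for the demonstration. As the post itself warns, a proxy or firewall can produce the same "vanished" symptom, so the verdict is only a lead, not proof.

```python
"""Differential probe for an inline IPS: two TCP sessions to the same server,
one benign and one carrying a well-known signature, compared side by side."""
import socket
import threading

BENIGN_PATH = "/index.html"        # assumed harmless path for the control session
SIGNATURE_PATH = "/cgi-bin/phf"    # the signature named in the post
RESPONSE = b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok"  # constructed reply


def http_request(path, host):
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def probe(host, port, path, timeout=3.0):
    """Open one TCP session, send one request, and classify what comes back."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"      # connect timed out or no route
    try:
        s.sendall(http_request(path, host))
        data = s.recv(4096)
    except ConnectionResetError:
        return "reset"            # RST: TCP-kill IPS, or the server itself
    except socket.timeout:
        return "vanished"         # accepted, then nothing: a silent inline drop
    finally:
        s.close()
    return "answered" if data else "closed"   # b"" means an orderly FIN, not a drop


def differential_test(host, port, timeout=3.0):
    """Run the control and the signature session; return (benign, sig, verdict)."""
    benign = probe(host, port, BENIGN_PATH, timeout)
    sig = probe(host, port, SIGNATURE_PATH, timeout)
    if benign == "answered" and sig == "vanished":
        verdict = "likely inline drop (IPS, or a proxy/firewall doing the same)"
    elif benign == "answered" and sig == "reset":
        verdict = "session killed with RST; fingerprint the RST to tell IPS from server"
    elif benign == sig:
        verdict = "no differential behaviour"
    else:
        verdict = "inconclusive"
    return benign, sig, verdict


class MockInlineIPS(threading.Thread):
    """Constructed stand-in for a web server behind a silent-drop IPS.

    Benign requests get RESPONSE. A request containing SIGNATURE_PATH is
    held open without any reply, which is exactly what the client sees when
    an inline device drops the session instead of resetting it.
    """

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.sock.settimeout(0.2)             # lets run() notice stop()
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._swallowed = []                  # kept open so the peer never sees FIN/RST

    def _handle(self, conn):
        req = conn.recv(4096)
        if SIGNATURE_PATH.encode() in req:
            self._swallowed.append(conn)      # "drop": never answer, never close
            return
        conn.sendall(RESPONSE)
        conn.close()

    def run(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()
        for c in self._swallowed:
            c.close()
        self.sock.close()

    def stop(self):
        self._stop.set()


def run_demo(timeout=1.0):
    """Start the mock, run the differential test against it, shut it down."""
    ips = MockInlineIPS()
    ips.start()
    try:
        return differential_test("127.0.0.1", ips.port, timeout)
    finally:
        ips.stop()


if __name__ == "__main__":
    print(run_demo())
```

Against a real target, call differential_test(host, 80) with a timeout well above the server's normal response time; a "vanished" signature session next to an "answered" benign one is the symptom the post describes, and a "reset" result is the cue to capture the RST and compare its TTL, window and IP ID with packets the real server sends.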
------------------------------------------------------------------------
Current thread:
- detecting "intrusion detection" sumit . siddharth (Oct 05)
- Re: detecting "intrusion detection" Krzysztof Cabaj (Oct 06)
- Re: detecting "intrusion detection" Ron Gula (Oct 06)
- <Possible follow-ups>
- RE: detecting "intrusion detection" Biswas, Proneet (Oct 06)
- Re: detecting "intrusion detection" barcajax (Oct 06)