IDS mailing list archives

Re: Fingerprinting IDS sensors?


From: Ron Gula <rgula () tenablesecurity com>
Date: Mon, 08 Jun 2009 13:14:30 -0400

On 6/8/2009 10:15 AM, Chen, Hao wrote:
> Hi,
>
> I'm wondering if it is possible for an attacker to know/be aware that a
> target site already has IDS products deployed? If yes, how? An
> example would help, thanks a lot!
>
> Regards

We've had a few users ask for this feature in Nessus. There are a variety of
methods people can use:

- If you have access to sniff the traffic to/from the site, you can wait
to see if someone does a signature update. For example, our PVS product
identifies Snort sensors that emit SYSLOG alerts.
- You may be able to perform an active scan and see that some hosts are
sniffing. This won't tell you they are a NIDS, but it will tell you
someone is sniffing. A NIDS might be tapped and 100% out of band.
- If the IDS is actually in IPS mode, and you know what they are
blocking, you might be able to send a few attacks and, based on what is
dropped, fingerprint the IPS.
- If you do an active scan of the site, you might be able to fingerprint
the management console of the IDS (if there is one).
- Your target's logo might be on the home page of a major NIDS vendor.

I'm sure there are other methods.

Ron Gula, CTO
Tenable Network Security
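
The first method in the message above works because cleartext syslog carrying Snort's `[gid:sid:rev] ... {PROTO}` alert layout identifies its sender as a sensor. The following is an added example, not code from the original post or from Tenable's PVS: it audits syslog datagrams taken from a capture of your own network and reports which hosts expose themselves this way. The function name, the input tuple format and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Syslog program tag used by Snort, then the "[gid:sid:rev] msg ... {PROTO}" alert layout.
SNORT_TAG = re.compile(r"^<\d{1,3}>.*?\bsnort(?:\[\d+\])?:\s+(?P<body>.*)$", re.S)
ALERT = re.compile(r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s.*\{(?P<proto>[\w-]+)\}")

def find_exposed_sensors(datagrams):
    """datagrams: iterable of (sender_ip, payload_bytes) extracted from UDP/514
    traffic in a capture of your own network (hypothetical input format).
    Returns {sender_ip: {"snort_lines": n, "alerts": n, "sids": [...]}}."""
    report = defaultdict(lambda: {"snort_lines": 0, "alerts": 0, "sids": set()})
    for sender, payload in datagrams:
        text = payload.decode("utf-8", errors="replace").strip()
        tagged = SNORT_TAG.match(text)
        if not tagged:
            continue  # syslog from some other program; does not reveal a sensor
        entry = report[sender]
        entry["snort_lines"] += 1  # any snort-tagged line reveals the sensor
        alert = ALERT.match(tagged.group("body"))
        if alert:  # alert lines additionally reveal which rules are loaded
            entry["alerts"] += 1
            entry["sids"].add(f'{alert["gid"]}:{alert["sid"]}')
    return {ip: {**r, "sids": sorted(r["sids"])} for ip, r in report.items()}

# Constructed sample datagrams (documentation address ranges, made-up rules).
SAMPLE = [
    ("192.0.2.10", b"<33>Jun  8 13:14:30 sensor1 snort[2817]: [1:1000001:1] constructed"
                   b" test rule [Classification: Misc activity] [Priority: 3]:"
                   b" {TCP} 198.51.100.7:40312 -> 192.0.2.80:80"),
    ("192.0.2.10", b"<33>Jun  8 13:15:02 sensor1 snort[2817]: [1:1000002:2] second"
                   b" constructed rule [Priority: 2] {UDP} 198.51.100.7:5353 -> 192.0.2.53:53"),
    ("192.0.2.10", b"<30>Jun  8 13:00:00 sensor1 snort[2817]: constructed status line"),
    ("192.0.2.22", b"<38>Jun  8 13:16:40 web1 sshd[991]: Accepted publickey for deploy"
                   b" from 192.0.2.5 port 50122 ssh2"),
]

if __name__ == "__main__":
    for ip, info in find_exposed_sensors(SAMPLE).items():
        print(ip, info)
```

Any host this reports is sending sensor alerts where they can be sniffed; moving alert transport to a dedicated management network or an encrypted channel removes that signal.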






