IDS mailing list archives
Re: Fingerprinting IDS sensors?
From: Ron Gula <rgula () tenablesecurity com>
Date: Mon, 08 Jun 2009 13:14:30 -0400
On 6/8/2009 10:15 AM, Chen, Hao wrote:
Hi,

I'm wondering if it is possible for an attacker to know/be aware that a target site has already had IDS products deployed? If yes, how? An example would help. Thanks a lot!

Regards
We've had a few users ask for this feature in Nessus. There are a variety of methods people can use:

- If you have access to sniff the traffic to/from the site, you can wait to see if someone does a signature update. For example, our PVS product identifies Snort sensors that emit SYSLOG alerts.
- You may be able to perform an active scan and see that some hosts are sniffing. This won't tell you they are a NIDS, but it will tell you someone is sniffing. A NIDS might be tapped and 100% out of band.
- If the IDS is actually in IPS mode, and you know what they are blocking, you might be able to send a few attacks and, based on what is dropped, fingerprint the IPS.
- If you do an active scan of the site, you might be able to fingerprint the management console of the IDS (if there is one).
- Your target's logo might be on the home page of a major NIDS vendor.

I'm sure there are other methods.

Ron Gula, CTO
Tenable Network Security
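A defender-side check for the first method in the message above, added here as an example and not part of Ron Gula's message or any Tenable product: it scans syslog payloads captured on your own network for Snort's alert_syslog line format and reports sensors whose alerts leave the management segment. The management CIDR, the addresses, and the log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Snort alert_syslog lines look like:
#   snort[pid]: [gid:sid:rev] msg [Classification: ..] [Priority: n] {PROTO} src -> dst
SNORT_ALERT = re.compile(
    rb"^(?:<\d{1,3}>)?.*?\bsnort(?:\[\d+\])?: "
    rb"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?)"
    rb"(?: \[Classification: [^\]]*\])?(?: \[Priority: \d+\])? \{\w+\}"
)

def audit_syslog_exposure(datagrams, mgmt_cidr):
    """Return {sensor_ip: sorted 'gid:sid' list} for Snort alerts that are
    visible outside the management network (mgmt_cidr is an assumption)."""
    mgmt = ipaddress.ip_network(mgmt_cidr)
    exposed = defaultdict(set)
    for src, dst, payload in datagrams:
        m = SNORT_ALERT.search(payload)
        if not m:
            continue  # ordinary syslog traffic, not a Snort alert
        if ipaddress.ip_address(src) in mgmt and ipaddress.ip_address(dst) in mgmt:
            continue  # alert stays on the out-of-band segment
        exposed[src].add(f"{int(m['gid'])}:{int(m['sid'])}")
    return {ip: sorted(sids) for ip, sids in exposed.items()}

# Constructed sample: (source IP, destination IP, UDP/514 payload)
SAMPLE = [
    ("10.1.1.5", "10.1.1.9",
     b"<33>Jun  8 13:14:30 ids1 snort[2211]: [1:2003:8] MS-SQL Worm propagation attempt "
     b"[Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1052 -> 198.51.100.5:1434"),
    ("172.16.4.20", "172.16.9.9",
     b"<33>Jun  8 13:14:41 ids2 snort[900]: [1:469:3] ICMP PING NMAP "
     b"[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.77 -> 198.51.100.5"),
    ("172.16.4.20", "172.16.9.9",
     b"<33>Jun  8 13:14:52 ids2 snort: [1:2003:8] MS-SQL Worm propagation attempt "
     b"{UDP} 192.0.2.10:1052 -> 198.51.100.5:1434"),
    ("172.16.4.31", "172.16.9.9",
     b"<86>Jun  8 13:15:02 web1 sshd[411]: Accepted publickey for deploy from 172.16.4.2 port 50122 ssh2"),
]

if __name__ == "__main__":
    for sensor, sids in audit_syslog_exposure(SAMPLE, "10.1.1.0/24").items():
        print(f"{sensor} sends Snort alerts in-band: {', '.join(sids)}")
```

Sensors that appear in the result are candidates for moving alert transport onto an out-of-band or encrypted channel.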