Vulnerability Development mailing list archives

Re: Firewall and IDS, (the second way).


From: "Zow" Terry Brugger <zow () llnl gov>
Date: Fri, 15 Mar 2002 18:27:16 -0800

Hi,

Hello!

I'm "walking" the internet looking for papers/techniques that can be
used to detect systems with an IDS installed. Trying to detect
snort/snort+aide/quinds/.../ does somebody know something like it??

I recall Munge giving a talk at BlackHat Las Vegas in 2000 about something 
they were doing at @stake/l0pht for detecting sniffers. The idea was to allow 
sysadmins to detect if one of their machines had been hacked and was acting as 
a sniffer. The idea was that by putting the interface into promiscuous mode, 
the machine would take longer to respond to ping packets because there was 
more traffic for the kernel's IP stack to analyze (whereas usually it'll be 
filtered out by the NIC). The same should hold true for NIDS, with a couple of 
caveats:

1. You'd need to know what ping time to expect if the NIC wasn't running in 
promiscuous mode in order to calculate a delta,

2. A popular technique to secure NIDS is to not allow them to respond to 
traffic on the network that they're listening to (that is, bring up, but don't 
configure, the interface). Doing so will pretty much eliminate the ability to 
use this technique.

In other words, I wouldn't go around trying to use such a technique to detect 
NIDS - it'll probably have just the opposite effect of allowing them to detect 
you.

-"Zow"

from StandardDisclaimer import *
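The latency-delta idea described in the message above, worked through as an added example; this is not code from the original post, from the thread, or from the @stake tool it mentions. It parses the reply lines printed by a Linux/BSD-style `ping`, takes a baseline set of RTTs recorded when the NIC was known not to be promiscuous (caveat 1), and flags the current measurement only if the median RTT rises by both an absolute and a relative margin. The host address, all ping output and the thresholds are constructed or assumed for illustration; a silent interface (caveat 2) simply yields no reply lines.

```python
"""Timing-based promiscuous-mode probe: compare current ping RTTs against a
known-good baseline.  Example code written for this page, not from the
original thread.  Addresses, ping output and thresholds are constructed."""
import re
import statistics
import subprocess
from dataclasses import dataclass

# One "64 bytes from ...: icmp_seq=N ttl=T time=X ms" line per echo reply;
# the summary lines at the end of ping's output contain no icmp_seq and are skipped.
_REPLY_RE = re.compile(r"icmp_seq=\d+ .*?time=([\d.]+) ms")


def parse_ping_output(text: str) -> list[float]:
    """Return the RTTs in milliseconds from the text printed by `ping`."""
    return [float(m.group(1)) for m in _REPLY_RE.finditer(text)]


def measure_rtts(host: str, count: int = 50, interval: float = 0.2) -> list[float]:
    """Send `count` echo requests and return observed RTTs.  Needs a network
    path and `ping` on PATH; the offline demo below never calls it."""
    proc = subprocess.run(
        ["ping", "-c", str(count), "-i", str(interval), host],
        capture_output=True, text=True, check=False,
    )
    return parse_ping_output(proc.stdout)


@dataclass
class Verdict:
    baseline_median_ms: float
    current_median_ms: float
    delta_ms: float
    suspicious: bool


def compare(baseline: list[float], current: list[float],
            min_delta_ms: float = 0.1, min_ratio: float = 1.5) -> Verdict:
    """Caveat 1: a single measurement means nothing; only the delta against a
    baseline taken in non-promiscuous mode does.  Medians keep a few outliers
    from dominating, and requiring both an absolute and a relative increase
    (assumed thresholds) reduces false positives on a noisy link."""
    if not baseline or not current:
        # Caveat 2: an interface that is up but unconfigured never answers,
        # so there is nothing to compare.
        raise ValueError("no echo replies in one of the sample sets")
    b = statistics.median(baseline)
    c = statistics.median(current)
    delta = c - b
    return Verdict(b, c, delta, delta >= min_delta_ms and c >= b * min_ratio)


# Constructed ping transcripts (RFC 5737 documentation address), not real captures.
BASELINE_PING_OUTPUT = """\
PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=64 time=0.210 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=64 time=0.198 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=64 time=0.205 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=64 time=0.231 ms
64 bytes from 192.0.2.10: icmp_seq=5 ttl=64 time=0.202 ms

--- 192.0.2.10 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4096ms
rtt min/avg/max/mdev = 0.198/0.209/0.231/0.012 ms
"""

PROMISC_PING_OUTPUT = """\
PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=64 time=0.410 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=64 time=0.390 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=64 time=0.450 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=64 time=0.380 ms
64 bytes from 192.0.2.10: icmp_seq=5 ttl=64 time=0.420 ms

--- 192.0.2.10 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4101ms
rtt min/avg/max/mdev = 0.380/0.410/0.450/0.024 ms
"""

SILENT_PING_OUTPUT = """\
PING 192.0.2.11 (192.0.2.11) 56(84) bytes of data.

--- 192.0.2.11 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4080ms
"""

if __name__ == "__main__":
    base = parse_ping_output(BASELINE_PING_OUTPUT)
    print("normal  :", compare(base, base))
    print("promisc :", compare(base, parse_ping_output(PROMISC_PING_OUTPUT)))
    try:
        compare(base, parse_ping_output(SILENT_PING_OUTPUT))
    except ValueError as exc:
        print("silent  : no verdict possible (%s)" % exc)
```

The thresholds are the weak point in practice: on a busy LAN the baseline itself drifts, so a real run should interleave baseline and probe measurements rather than trust a baseline from days ago, and the last case shows why a NIDS with an unaddressed interface cannot be probed this way at all.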


