Vulnerability Development mailing list archives
Re: Firewall and IDS, (the second way).
From: "Timothy J. Miller" <cerebus () sackheads org>
Date: 16 Mar 2002 12:52:20 -0600
On Fri, 2002-03-15 at 12:41, sekure () hadrion com br wrote:
> I'm "walking" by the internet finding about papers/techniques that can be used to detect systems with an IDS installed. Try to detect snort/snort+aide/quinds/.../ Does somebody know something like it??
There are only two ways of detecting an IDS that I know.

1) Look for the data stream from a remote sensor (sniffer) to wherever it's stored and/or analyzed, or look for the alerts generated by the IDS. This isn't very useful, since it presupposes some measure of access to the network in question. And if you've already got that, the IDS has probably already alerted on you unless you're very, very paranoid and very, very skilled.

2) Timing detection. AntiSniff from l0pht uses this method. The theory goes like this: a network card usually discards ethernet frames not destined for it, without passing those frames into software processing. A card in promiscuous mode will process and forward up the stack *all* frames. So, you spend time pinging all systems on a network and collect the average timing. Then you flood the network with garbage packets. NICs not in promiscuous mode will ignore the trash, but any operating sniffer will process them all, slowing the system some (hopefully) measurable amount. In the middle of the flood, you ping everything again. Any system that shows a statistically significant deviation from previous timings is likely running a sniffer.

This also isn't very useful for remote sniffer detection. You need access to the local network to inject all the garbage packets, and it's noisy as hell. (Attempting to do this from *outside* the local segment fails because normal variation in RTTs in the wild internet makes the collected ping timing statistics useless to begin with.) Additionally, varying load on other non-sniffer systems can lead to false positives. This is primarily useful for a network admin to check a segment and see if any *un*authorized sniffers have been installed.

Both methods are completely useless against sniffers that have no IP address, or have out-of-band monitoring/alerting. Which is how they all should be installed anyway. 8)
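The decision step of the timing method described in the post above, as an added example; this is not code from the post and not AntiSniff's code. It assumes the two RTT sample sets per host (quiet baseline, then mid-flood) have already been collected with a ping tool; the hosts, addresses and millisecond values below are constructed, not measured. The thresholds T_CRIT and MIN_SLOWDOWN are assumptions to be tuned per segment.

```python
"""Promiscuous-mode timing detection: analysis of baseline vs. flooded RTTs.

Added example (not from the list post or from AntiSniff). The RTT samples
are constructed to illustrate three cases: a quiet host, a host running a
sniffer, and a host that merely got busier during the flood.
"""
import math
import statistics
from typing import Dict, List, Tuple

# Assumed thresholds; both must be exceeded before a host is flagged.
T_CRIT = 3.0        # Welch t-statistic for "flooded RTTs are slower"
MIN_SLOWDOWN = 1.5  # mean RTT must also grow by this factor, so a small
                    # but statistically clean shift from ordinary load
                    # changes on a non-sniffer does not count


def welch_t(baseline: List[float], flooded: List[float]) -> float:
    """Welch's t-statistic (unequal variances) for mean(flooded) > mean(baseline)."""
    if len(baseline) < 2 or len(flooded) < 2:
        raise ValueError("need at least two samples per condition")
    m_base, m_flood = statistics.fmean(baseline), statistics.fmean(flooded)
    v_base, v_flood = statistics.variance(baseline), statistics.variance(flooded)
    se = math.sqrt(v_base / len(baseline) + v_flood / len(flooded))
    if se == 0.0:
        return math.inf if m_flood != m_base else 0.0
    return (m_flood - m_base) / se


def classify_host(baseline: List[float], flooded: List[float]) -> Tuple[bool, float, float]:
    """Return (flagged, t_statistic, slowdown_ratio) for one host."""
    t = welch_t(baseline, flooded)
    ratio = statistics.fmean(flooded) / statistics.fmean(baseline)
    return (t > T_CRIT and ratio >= MIN_SLOWDOWN, t, ratio)


def find_sniffers(samples: Dict[str, Tuple[List[float], List[float]]]) -> List[str]:
    """Hosts whose RTT rose significantly and substantially during the flood."""
    return sorted(host for host, (base, flood) in samples.items()
                  if classify_host(base, flood)[0])


# Constructed RTT samples in milliseconds: (baseline, during flood).
SAMPLES: Dict[str, Tuple[List[float], List[float]]] = {
    # Normal NIC: drops the garbage in hardware, RTT barely moves.
    "192.0.2.10": ([0.31, 0.29, 0.33, 0.30, 0.32, 0.28],
                   [0.32, 0.30, 0.34, 0.31, 0.33, 0.29]),
    # Promiscuous NIC: every flood frame climbs the stack, RTT triples.
    "192.0.2.20": ([0.30, 0.31, 0.29, 0.32, 0.30, 0.28],
                   [0.95, 1.10, 1.02, 0.88, 1.15, 0.97]),
    # Busy but not promiscuous: shift is statistically clear (t > T_CRIT)
    # yet only ~1.3x, the false-positive case the MIN_SLOWDOWN guard covers.
    "192.0.2.30": ([0.40, 0.42, 0.38, 0.41, 0.39, 0.40],
                   [0.52, 0.49, 0.55, 0.50, 0.53, 0.51]),
}


if __name__ == "__main__":
    for host, (base, flood) in SAMPLES.items():
        flagged, t, ratio = classify_host(base, flood)
        print(f"{host}: t={t:6.2f} slowdown={ratio:4.2f}x flagged={flagged}")
    print("likely sniffers:", find_sniffers(SAMPLES))
```

The third host is the false-positive case from the post: its RTTs rose in a statistically clean way because of unrelated load, so a test on t alone would flag it; requiring a minimum slowdown factor on top keeps it out. Note what the method cannot see at all: a sensor with no IP address never answers the baseline ping, so it never appears in the sample table in the first place.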
Current thread:
- Firewall and IDS, (the second way). sekure (Mar 15)
- Re: Firewall and IDS, (the second way). Zow (Mar 15)
- RE: Firewall and IDS, (the second way). Benjamin P. Grubin (Mar 16)
- Re: Firewall and IDS, (the second way). Bryan Burns (Mar 16)
- RE: Firewall and IDS, (the second way). Dom De Vitto (Mar 16)
- Re: Firewall and IDS, (the second way). Michel Arboi (Mar 16)
- Re: Firewall and IDS, (the second way). Timothy J. Miller (Mar 19)
- Re: Firewall and IDS, (the second way). Anthony Stevens (Mar 20)
- <Possible follow-ups>
- Re: Firewall and IDS, (the second way). Marco Ivaldi (Mar 18)
- RE: Firewall and IDS, (the second way). PJD (Mar 19)
- Re: Firewall and IDS, (the second way). Zow (Mar 20)
- RE: Firewall and IDS, (the second way). Pedro Quintanilha (Mar 19)
- RE: Firewall and IDS, (the second way). Bojan Zdrnja (Mar 20)
- RE: Firewall and IDS, (the second way). Pedro Quintanilha (Mar 20)
- RE: Firewall and IDS, (the second way). Bojan Zdrnja (Mar 20)
- Re: Firewall and IDS, (the second way). Zow (Mar 15)