Vulnerability Development mailing list archives

Re: Firewall and IDS, (the second way).

From: "Timothy J. Miller" <cerebus () sackheads org>
Date: 16 Mar 2002 12:52:20 -0600

On Fri, 2002-03-15 at 12:41, sekure () hadrion com br wrote:

I'm "walking" by the internet finding about paper/techniques that can be
used to detect systemn with IDS installed. Try to detect
snort/snort+aide/quinds/.../ somebody know something like it ??


There's only two ways of detecting an IDS that I know.

1) Look for the data stream from a remote sensor (sniffer) to wherever
it's stored and/or analyzed, or look for the alerts generated by the
IDS.

This isn't very useful, since it presupposes some measure of access to
the network in question.  And if you've already got that, the IDS has
probably already alerted on you unless you're very, very paranoid and
very, very skilled.

2) Timing detection.  AntiSniff from l0pht uses this method.  

The theory goes like this:  a network card usually discards ethernet
frames not destined for it, without passing those frames into software
processing.  A card in promiscuous mode will process and forward up the
stack *all* frames.  

So, you spend time pinging all systems on a network and collect the
average timing.  Then you flood the network with garbage packets.  NICs
not in promiscuous mode will ignore the trash, but any operating sniffer
will process them all, slowing the system some (hopefully) measurable
mount.  In the middle of the flood, you ping everything again.  Any
system that shows a statistically significant deviation from previous
timings is likely running a sniffer.

This also isn't very useful for remote sniffer detection.  You need
access to the local network to inject all the garbage packets, and it's
noisy as hell.  (Attempting to do this from *outside* the local segment
fails because normal variation in RTTs in the wild internet makes the
collected ping timing statistics useless to begin with.)  Additionally,
varying load on other non-sniffer systems can lead to false positives. 
This is primarily useful for a network admin to check a segment and see
if any *un*authorized sniffers have been installed.

Both methods are completely useless against sniffers that have no IP
address, or have out-of-band monitoring/alerting.  Which is how they all
should be installed anyway.  8)

Current thread:

Firewall and IDS, (the second way). sekure (Mar 15)
- Re: Firewall and IDS, (the second way). Zow (Mar 15)
  - RE: Firewall and IDS, (the second way). Benjamin P. Grubin (Mar 16)
  - Re: Firewall and IDS, (the second way). Bryan Burns (Mar 16)
  - RE: Firewall and IDS, (the second way). Dom De Vitto (Mar 16)
- Re: Firewall and IDS, (the second way). Michel Arboi (Mar 16)
- Re: Firewall and IDS, (the second way). Timothy J. Miller (Mar 19)
  - Re: Firewall and IDS, (the second way). Anthony Stevens (Mar 20)
- <Possible follow-ups>
- Re: Firewall and IDS, (the second way). Marco Ivaldi (Mar 18)
- RE: Firewall and IDS, (the second way). PJD (Mar 19)
  - Re: Firewall and IDS, (the second way). Zow (Mar 20)
- RE: Firewall and IDS, (the second way). Pedro Quintanilha (Mar 19)
  - RE: Firewall and IDS, (the second way). Bojan Zdrnja (Mar 20)
- RE: Firewall and IDS, (the second way). Pedro Quintanilha (Mar 20)
  - RE: Firewall and IDS, (the second way). Bojan Zdrnja (Mar 20)