Focus on IDS
Fingerprinting IDS sensors? Jun 08 2009 02:15PM
Chen, Hao (chenhao927 gmail com) (4 replies)
Re: Fingerprinting IDS sensors? Jun 08 2009 05:14PM
Ron Gula (rgula tenablesecurity com) (1 replies)
Re: Fingerprinting IDS sensors? Jun 09 2009 04:26PM
Stephen Mullins (steve mullins work gmail com)
RE: Fingerprinting IDS sensors? Jun 08 2009 04:03PM
Ondrej Krehel (OKrehel StrozFriedberg com)
Re: Fingerprinting IDS sensors? Jun 08 2009 03:11PM
Jeremy Bennett (jeremyfb mac com)
Re: Fingerprinting IDS sensors? Jun 08 2009 02:48PM
Jamie Riden (jamie riden gmail com)
2009/6/8 Chen, Hao <chenhao927 (at) gmail (dot) com>:
> Hi,
>
> I'm wondering if it is possible for an attacker to know/aware that a
> target site has already had IDS products deployed? If yes, how? An
> example would help, Thanks a lot!
>
> Regards

Typically an IDS would be running in completely passive mode and thus
should be undetectable - at least it should properly be called an
Intrusion *Prevention* System if it's not.

I can't think of any way of fingerprinting the last snort IDS I
configured except by observing the actions of the analyst who checks
the alerts :)

It should be easy to fingerprint an IPS by seeing what kind of attacks
get blocked, e.g. sp_respond on snort can send some fake TCP RST
packets which you could check for. snort_inline you could also
potentially fingerprint by trying various attacks that should get
blocked using the default rulebase and then seeing if variations get
blocked. You may need access to a range of different IPS systems to
write your fingerprints with though, and modification from the factory
settings might invalidate the fingerprinting technique.

cheers,
Jamie
--
Jamie Riden / jamesr (at) europe (dot) com / jamie (at) honeynet.org (dot) uk
http://www.ukhoneynet.org/members/jamie/
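
Added example, not part of the original post: the probing the reply describes (trying a range of attacks from the default rulebase and watching which get blocked) shows up on the defender's side as one source tripping many distinct signatures in a short time. The sketch below flags that pattern in IPS drop logs; the log format, signature IDs, thresholds and function names are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of IPS drop events: timestamp, source IP, signature ID.
SAMPLE_EVENTS = """\
2009-06-08T14:00:01 203.0.113.7 1000001
2009-06-08T14:00:20 203.0.113.7 1000002
2009-06-08T14:00:41 203.0.113.7 1000003
2009-06-08T14:01:05 203.0.113.7 1000004
2009-06-08T14:01:30 203.0.113.7 1000005
2009-06-08T14:02:00 198.51.100.20 1000002
2009-06-08T14:30:00 198.51.100.20 1000002
2009-06-08T15:01:00 198.51.100.20 1000002
2009-06-08T14:00:00 192.0.2.33 1000001
2009-06-08T14:10:00 192.0.2.33 1000002
2009-06-08T14:20:00 192.0.2.33 1000003
2009-06-08T14:30:00 192.0.2.33 1000004
"""

def parse(text):
    """Yield (timestamp, source, signature_id) from the assumed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, src, sid = line.split()
            yield datetime.fromisoformat(ts), src, int(sid)

def probing_sources(events, window=timedelta(minutes=5), min_sids=4):
    """Map each source to the most distinct signatures it had blocked
    inside any sliding window, keeping only sources at or above min_sids."""
    by_src = defaultdict(list)
    for ts, src, sid in events:
        by_src[src].append((ts, sid))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        counts, start, best = defaultdict(int), 0, 0
        for ts, sid in hits:
            counts[sid] += 1
            # Drop events that have fallen out of the window.
            while ts - hits[start][0] > window:
                old = hits[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        if best >= min_sids:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(probing_sources(parse(SAMPLE_EVENTS)))
```

A source that spaces its attempts further apart than the window (192.0.2.33 in the sample) is not flagged, so the window and threshold need tuning against real traffic.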

Copyright 2010, SecurityFocus