Focus on IDS
Fingerprinting IDS sensors? Jun 08 2009 02:15PM
Chen, Hao (chenhao927 gmail com) (4 replies)
Re: Fingerprinting IDS sensors? Jun 08 2009 05:14PM
Ron Gula (rgula tenablesecurity com) (1 replies)
Re: Fingerprinting IDS sensors? Jun 09 2009 04:26PM
Stephen Mullins (steve mullins work gmail com)
RE: Fingerprinting IDS sensors? Jun 08 2009 04:03PM
Ondrej Krehel (OKrehel StrozFriedberg com)
Re: Fingerprinting IDS sensors? Jun 08 2009 03:11PM
Jeremy Bennett (jeremyfb mac com)
It is always possible to determine if a site is protected by any kind
of active defense, whether it is human or electronic. You do so by
tickling it and eliciting a response. The nature of the response will
tell you the nature of the defenses.

Now, can you determine if a site has an IDS? That depends on if the
IDS is monitored or not. If, like most IDS deployments, it is logging
and only analyzed on rare occasions then you probably won't be able to
tell. If it is monitored actively then you may be able to determine
based on tracking responses to probes over time.

If you mean IPS instead of IDS the answer is easier. An IPS will
actively interfere with traffic patterns and you can find it by
launching sample attacks at a target and watching for a response. An
IPS that is blocking an attack will often send a TCP RST to both the
attacker and the victim as part of blocking the traffic. Even if the
IPS does not send you a RST you can find it by the fact that you get
no response at all from the victim.
With sufficient profiles of a set of IPS it would be possible to craft
a tool that could identify which IPS is inline based on which attacks
are blocked and how.

-J

On Jun 8, 2009, at 7:15 AM, Chen, Hao wrote:

> Hi,
>
> I'm wondering if it is possible for an attacker to know that a
> target site already has IDS products deployed? If yes, how? An
> example would help. Thanks a lot!
>
> Regards
>
>
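
The reply above says an inline IPS can be profiled by which sample attacks it blocks and how. Seen from the sensor side, that profiling shows up as one source tripping many different signatures in a short time. The sketch below is an added example, not part of the thread: it flags such sources in an IPS block log, and the log format, signature ids, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IPS block-log lines (not from the thread): time, source, signature id, action.
SAMPLE_LOG = """\
2009-06-08T15:00:01 198.51.100.7 SIG-1001 reset
2009-06-08T15:00:09 198.51.100.7 SIG-2040 reset
2009-06-08T15:00:15 198.51.100.7 SIG-3310 drop
2009-06-08T15:00:22 198.51.100.7 SIG-4102 reset
2009-06-08T15:00:30 198.51.100.7 SIG-5007 drop
2009-06-08T15:01:00 203.0.113.20 SIG-1001 reset
2009-06-08T15:01:02 203.0.113.20 SIG-1001 reset
2009-06-08T15:01:03 203.0.113.20 SIG-1001 reset
2009-06-08T15:01:05 203.0.113.20 SIG-1001 reset
2009-06-08T15:01:06 203.0.113.20 SIG-1001 reset
2009-06-08T09:00:00 192.0.2.44 SIG-1001 reset
2009-06-08T11:00:00 192.0.2.44 SIG-2040 reset
2009-06-08T13:00:00 192.0.2.44 SIG-3310 drop
"""

def parse(log_text):
    """Yield (timestamp, source, signature, action); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, sig, action = parts
        yield datetime.fromisoformat(ts), src, sig, action

def find_signature_sweeps(log_text, window=timedelta(minutes=10), min_distinct=4):
    """Map each source that trips >= min_distinct different signatures
    inside one sliding window to the sorted signatures seen in that window."""
    by_src = defaultdict(list)
    for ts, src, sig, _action in parse(log_text):
        by_src[src].append((ts, sig))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {sig for _, sig in events[start:end + 1]}
            if len(distinct) >= min_distinct:
                flagged[src] = sorted(distinct)
                break
    return flagged

if __name__ == "__main__":
    for src, sigs in find_signature_sweeps(SAMPLE_LOG).items():
        print(src, "tripped", len(sigs), "distinct signatures:", ", ".join(sigs))
```

The third constructed source spreads its probes over hours and is missed by the ten-minute window, which matches the reply's point about tracking responses over time: a longer window or a per-day distinct-signature count is needed to see it.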

Re: Fingerprinting IDS sensors? Jun 08 2009 02:48PM
Jamie Riden (jamie riden gmail com)


 

Copyright 2010, SecurityFocus