It is always possible to determine if a site is protected by any kind
of active defense, whether it is human or electronic. You do so by
tickling it and eliciting a response. The nature of the response will
tell you the nature of the defenses.
Now, can you determine if a site has an IDS? That depends on if the
IDS is monitored or not. If, like most IDS deployments, it is logging
and only analyzed on rare occasions then you probably won't be able to
tell. If it is monitored actively then you may be able to determine
based on tracking responses to probes over time.
If you mean IPS instead of IDS the answer is easier. An IPS will
actively interfere with traffic patterns and you can find it by
launching sample attacks at a target and watching for a response. An
IPS that is blocking an attack will often send a TCP RST to both the
attacker and the victim as part of blocking the traffic. Even if the
IPS does not send you a RST you can find it by the fact that you get
no response at all from the victim.
With sufficient profiles of a set of IPS it would be possible to craft
a tool that could identify which IPS is inline based on which attacks
are blocked and how.
-J
On Jun 8, 2009, at 7:15 AM, Chen, Hao wrote:
> Hi,
>
> I'm wondering if it is possible for an attacker to know/aware that a
> target site has already had IDS products deployed? If yes, how? An
> example would help, Thanks a lot!
>
> Regards
>
>
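The reply above describes what an inline IPS looks like from the outside (a TCP RST to both ends, or a silent drop) and notes that a battery of sample attacks could profile which product is inline. Seen from the defender's side, that profiling run is itself detectable: one source trips many distinct signatures in a short window, with no follow-through on any of them. The script below is an added example, not code from the post or its author; it runs that check over a constructed IPS event log in a hypothetical key=value export format, so the regex and the action names (reset, drop, alert) are assumptions to adapt to a real product's output.

```python
"""
Flag sources whose IPS events look like a fingerprinting battery rather
than a single attack: many distinct signatures from one source inside a
short window. The log format and every sample line are constructed for
this example (RFC 5737 documentation addresses), not taken from any product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a hypothetical key=value IPS export.
SAMPLE_LOG = """\
2009-06-08T15:10:01Z src=203.0.113.7 dst=198.51.100.20 sig=HTTP_DIR_TRAVERSAL action=reset
2009-06-08T15:10:03Z src=203.0.113.7 dst=198.51.100.20 sig=HTTP_SQL_INJECTION action=reset
2009-06-08T15:10:05Z src=203.0.113.7 dst=198.51.100.20 sig=SMB_OVERFLOW_PROBE action=drop
2009-06-08T15:10:06Z src=203.0.113.7 dst=198.51.100.20 sig=DNS_VERSION_BIND action=alert
2009-06-08T15:10:09Z src=203.0.113.7 dst=198.51.100.20 sig=FTP_SITE_EXEC action=reset
2009-06-08T15:10:11Z src=203.0.113.7 dst=198.51.100.20 sig=SSH_VERSION_SCAN action=drop
2009-06-08T15:10:12Z src=192.0.2.44 dst=198.51.100.20 sig=HTTP_SQL_INJECTION action=reset
2009-06-08T15:12:30Z src=192.0.2.44 dst=198.51.100.20 sig=HTTP_SQL_INJECTION action=reset
2009-06-08T15:14:55Z src=192.0.2.44 dst=198.51.100.20 sig=HTTP_SQL_INJECTION action=reset
2009-06-08T16:40:00Z src=203.0.113.7 dst=198.51.100.20 sig=HTTP_SQL_INJECTION action=reset
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>\S+) action=(?P<action>\S+)$"
)


def parse_events(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_fingerprinting_sources(events, window=timedelta(minutes=5), min_signatures=5):
    """
    Return {src: (window_start, distinct_signatures, actions_seen)} for each
    source that tripped at least `min_signatures` distinct signatures within
    any span of length `window`. One signature repeated many times (a real
    exploit attempt, or a noisy scanner) does not qualify: breadth across
    signatures is what profiling an inline IPS requires, so breadth is the
    feature we key on.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window anchored at each event of this source, in time order.
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            sigs = {e["sig"] for e in in_window}
            if len(sigs) >= min_signatures:
                actions = {e["action"] for e in in_window}
                flagged[src] = (start["ts"], sigs, actions)
                break  # one hit per source is enough to report
    return flagged


if __name__ == "__main__":
    hits = find_fingerprinting_sources(parse_events(SAMPLE_LOG))
    for src, (start, sigs, actions) in hits.items():
        print(f"{src}: {len(sigs)} distinct signatures from {start:%H:%M:%S}, "
              f"blocking actions observed: {sorted(actions)}")
```

In the constructed sample, 203.0.113.7 trips six different signatures in ten seconds and is flagged, while 192.0.2.44 repeats a single signature over several minutes and is not; the mix of reset, drop and alert actions recorded for the flagged source is exactly the per-attack blocking behaviour the reply says an outside observer would use to tell products apart, which is why a breadth-over-time rule catches the profiling run regardless of which action the IPS took.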