Focus on IDS
Fingerprinting IDS sensors? Jun 08 2009 02:15PM
Chen, Hao (chenhao927 gmail com) (4 replies)
Re: Fingerprinting IDS sensors? Jun 08 2009 05:14PM
Ron Gula (rgula tenablesecurity com) (1 replies)
Re: Fingerprinting IDS sensors? Jun 09 2009 04:26PM
Stephen Mullins (steve mullins work gmail com)
RE: Fingerprinting IDS sensors? Jun 08 2009 04:03PM
Ondrej Krehel (OKrehel StrozFriedberg com)
Hi,

If the IDS interface is only listening, not having an IP address, then most likely not. The NIC is still registered via its MAC address on a switch, but that would require having access to it.

An attacker could know your IDS; let me give you some examples: if the management interface is accessible from outside with the logo of the IDS vendor (believe me, I've seen a few of them), has an IP address and its TTL is different than all other hosts (a Windows shop with one pingable Linux machine in the DMZ), has a DNS/host name with IDS in it (reverse DNS of the company can reveal it), the network admin posted on a few forums that he needs help with the IDS in the DMZ/Internet, someone called and offered a new IDS solution, but network security personnel told him that an IDS is deployed and how.

An attacker could get creative; the above are just a few examples. Good security practice should make this type of information hard to get.

Regards,

Ondrej Krehel, CISSP, CEH

-----Original Message-----
From: listbounce (at) securityfocus (dot) com On Behalf Of Chen, Hao
Sent: Monday, June 08, 2009 10:16 AM
To: focus-ids (at) securityfocus (dot) com
Subject: Fingerprinting IDS sensors?

Hi,

I'm wondering if it is possible for an attacker to know/be aware that a
target site has already had IDS products deployed? If yes, how? An
example would help, thanks a lot!

Regards
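
A defender-side self-audit of the exposure points listed in the reply above, as an added example that is not part of the original thread. It checks an inventory of your own externally visible hosts for revealing reverse-DNS names, TTL outliers and externally reachable management interfaces; the inventory, its field names and the name tokens are constructed assumptions.

```python
import re
from collections import Counter

# Constructed inventory of externally visible hosts (sample data, not from the thread).
# ttl: TTL seen on replies from outside; mgmt_external: management UI reachable from outside.
INVENTORY = [
    {"ip": "192.0.2.10", "ptr": "www.example.com", "ttl": 117, "mgmt_external": False},
    {"ip": "192.0.2.11", "ptr": "mail.example.com", "ttl": 117, "mgmt_external": False},
    {"ip": "192.0.2.12", "ptr": "vpn.example.com", "ttl": 116, "mgmt_external": False},
    {"ip": "192.0.2.20", "ptr": "ids1.dmz.example.com", "ttl": 53, "mgmt_external": True},
    {"ip": "192.0.2.21", "ptr": "kids.example.com", "ttl": 117, "mgmt_external": False},
]

# Assumed naming tokens that give away a sensor's role when they appear
# as a whole DNS label component (so "kids" does not match "ids").
REVEALING = re.compile(r"(^|[.\-_])(ids|ips|nids|sensor)\d*([.\-_]|$)", re.I)


def initial_ttl(observed):
    """Round an observed TTL up to the likely initial value set by the OS."""
    for base in (32, 64, 128, 255):
        if observed <= base:
            return base
    return 255


def audit(inventory):
    """Return {ip: [issues]} for hosts that stand out the way the reply describes."""
    # The most common initial TTL is the site's baseline (e.g. a Windows shop at 128).
    baseline, _ = Counter(initial_ttl(h["ttl"]) for h in inventory).most_common(1)[0]
    findings = {}
    for host in inventory:
        issues = []
        if REVEALING.search(host["ptr"]):
            issues.append("revealing-ptr")
        if initial_ttl(host["ttl"]) != baseline:
            issues.append("ttl-outlier")
        if host["mgmt_external"]:
            issues.append("mgmt-exposed")
        if issues:
            findings[host["ip"]] = issues
    return findings


if __name__ == "__main__":
    for ip, issues in audit(INVENTORY).items():
        print(ip, ", ".join(issues))
```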

Re: Fingerprinting IDS sensors? Jun 08 2009 03:11PM
Jeremy Bennett (jeremyfb mac com)
Re: Fingerprinting IDS sensors? Jun 08 2009 02:48PM
Jamie Riden (jamie riden gmail com)


 

Copyright 2010, SecurityFocus