Focus on IDS
Fingerprinting IDS sensors? Jun 08 2009 02:15PM
Chen, Hao (chenhao927 gmail com) (4 replies)
Re: Fingerprinting IDS sensors? Jun 08 2009 05:14PM
Ron Gula (rgula tenablesecurity com) (1 replies)
On 6/8/2009 10:15 AM, Chen, Hao wrote:
> Hi,
>
> I'm wondering if it is possible for an attacker to know/aware that a
> target site has already had IDS products deployed? If yes, how? An
> example would help, Thanks a lot!
>
> Regards
>

We've had a few users ask for this feature in Nessus. There are a variety of
methods people can use:

- If you have access to sniff the traffic to/from the site, you can wait
to see if someone does a signature update. For example, our PVS product
identifies Snort sensors that emit SYSLOG alerts.
- You may be able to perform an active scan and see that some hosts are
sniffing. This won't tell you they are a NIDS, but it will tell you
someone is sniffing. A NIDS might be tapped and 100% out of band.
- If the IDS is actually in IPS mode, and you know what they are
blocking, you might be able to send a few attacks and based on what is
dropped fingerprint the IPS.
- If you do an active scan of the site, you might be able to fingerprint
the management console of the IDS (if there is one).
- Your target's logo might be on the home page of a major NIDS vendor.

I'm sure there are other methods.

Ron Gula, CTO
Tenable Network Security
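
The first method in the reply above (Snort sensors that reveal themselves through syslog alerts on a sniffable segment), written as an audit of your own capture so that such sensors can be moved to an out-of-band or encrypted log path. This is an added example, not part of the original post and not Tenable's PVS code; it assumes the common Snort 2.x alert_syslog layout, and the sample payloads, host names and the exposed_sensors helper are constructed for illustration.

```python
import re

# Assumed layout: RFC 3164 header, "snort" tag, then [gid:sid:rev] message,
# optional classification/priority, protocol and the two endpoints.
SNORT_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?P<host>\S+) snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] .*?"
    r"(?: \[Classification: [^\]]+\])?(?: \[Priority: \d+\])?:?"
    r" \{\w+\} \S+ -> \S+$"
)

# Constructed sample: (sender IP, UDP/514 payload) pairs from your own capture.
SAMPLE = [
    ("10.0.5.20", "<33>Jun  8 17:14:02 ids-dmz snort[2211]: [1:1000001:2] "
     "CONSTRUCTED test rule [Classification: Misc activity] [Priority: 3]: "
     "{TCP} 192.0.2.10:4444 -> 198.51.100.5:80"),
    ("10.0.5.20", "<33>Jun  8 17:14:09 ids-dmz snort[2211]: [1:1000002:1] "
     "CONSTRUCTED second rule [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5"),
    ("10.0.5.31", "<38>Jun  8 17:15:40 web01 sshd[901]: Accepted publickey "
     "for deploy from 10.0.5.9 port 50211 ssh2"),
    ("10.0.5.44", "<33>Jun  8 17:16:00 ids-lab snort: [119:2:1] CONSTRUCTED "
     "preprocessor event {TCP} 203.0.113.7:1025 -> 198.51.100.9:8080"),
    ("10.0.5.31", "snort-like text without a syslog header"),
]


def exposed_sensors(payloads):
    """Return {sensor host: details} for payloads that look like Snort alerts."""
    sensors = {}
    for sender, payload in payloads:
        m = SNORT_SYSLOG.match(payload.strip())
        if m is None:
            continue  # other syslog traffic or malformed data
        pri = int(m["pri"])  # PRI = facility * 8 + severity
        entry = sensors.setdefault(m["host"], {
            "senders": set(), "sids": set(),
            "facility": pri >> 3, "severity": pri & 7,
        })
        entry["senders"].add(sender)
        entry["sids"].add(f'{m["gid"]}:{m["sid"]}')
    return sensors


if __name__ == "__main__":
    for host, info in sorted(exposed_sensors(SAMPLE).items()):
        print(host, sorted(info["senders"]), sorted(info["sids"]))
```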

Re: Fingerprinting IDS sensors? Jun 09 2009 04:26PM
Stephen Mullins (steve mullins work gmail com)
RE: Fingerprinting IDS sensors? Jun 08 2009 04:03PM
Ondrej Krehel (OKrehel StrozFriedberg com)
Re: Fingerprinting IDS sensors? Jun 08 2009 03:11PM
Jeremy Bennett (jeremyfb mac com)
Re: Fingerprinting IDS sensors? Jun 08 2009 02:48PM
Jamie Riden (jamie riden gmail com)


 

Copyright 2010, SecurityFocus