Re: detecting "intrusion detection"

From: Ron Gula (rgula_at_tenablesecurity.com)
Date: 10/05/05

    Date: Wed, 05 Oct 2005 17:09:02 -0400
    To: focus-ids@securityfocus.com
    
    

    At 08:01 AM 10/3/2005, sumit.siddharth@gmail.com wrote:
    >Hi list,
    >Is there any technique to detect if a particular machine is running an IDS
    >or if a network has implemented IDS.
    >Thanks
    >Sid

    There are several ways:

    On the host side, if you have access to the system, you
    may be able to find running processes, running daemons
    and possibly evidence on the file system. Some Windows
    'IDS/IPS' register their software just like other tools.

    On the network side:

    - there have been several tools (anti-sniff) that you
       can use to see if a host is sniffing as compared to
       the performance in response times from other systems
       around it.

    - if the IDS/IPS is in TCP session 'kill' mode, you
       may see packets come from the device which can be
       fingerprinted. IntruShield TCP resets look different
       than ISS ones.

    - The management consoles of various products can be
       fingerprinted. Nessus can detect Cisco RDEP, Enterasys
       Dragon and some other NIDS management protocols.

    - If you really look at some in-line sessions, you
       can see how TCP sessions which contain "/cgi-bin/phf"
       just seem to vanish. Many NIPS will just drop the session,
       so you sniff two TCP sessions at the same time and
       if the one with the odd traffic gets silently dropped,
       you may be able to see if it is an IPS. Of course, this
       could be the result of a web or firewall proxy.

    - And lastly (we've had this problem with some of our
       Lightning Console customers) some of the IPSes out there
       have honeypot services. These are not true services,
       but they ping like a real IP, have open ports like a
       real web server, but fingerprint like some unknown
       OS. I haven't cataloged these yet, but my guess is
       the guys who don't expose their own TCP stack can be
       fingerprinted.

    I'm sure there are others ....

    Ron Gula, CTO
    Tenable Network Security

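The paired-session test Ron describes (a normal session beside one carrying "/cgi-bin/phf", then watching whether the odd one silently vanishes) is also something a monitoring team can look for from its own side, to notice when a client is mapping the inline device. The script below is an added example and is not from the original post or from Tenable: it reads constructed tab-separated connection records (the record layout, field names, the PROBE_MARKERS list and the sample log are all assumptions made for this example, loosely modelled on a connection log but not any tool's real output), groups sessions by client/server pair, and reports each probe session that sits within a short window of a normal, answered session from the same client, classifying it as silently dropped, reset, or answered.

```python
"""Detect the two-session IPS probe pattern from the monitoring side.

Added example, not code from the original post.  Record format (assumed):
    ts  src  dst  uri  resp_bytes  end
where resp_bytes is what the server sent back (0 == nothing came back) and
end is how the session finished: "fin", "rst" or "none" (no close seen).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple

# Request fragments known to trip inline devices.  The post names
# "/cgi-bin/phf"; a real deployment would take this list from its own
# signature set (assumption).
PROBE_MARKERS = ("/cgi-bin/phf",)


@dataclass
class Session:
    ts: float          # session start, epoch seconds
    src: str
    dst: str
    uri: str
    resp_bytes: int    # bytes returned by the server
    end: str           # "fin", "rst" or "none"


def parse_line(line: str) -> Session:
    """Parse one tab-separated record into a Session."""
    ts, src, dst, uri, resp_bytes, end = line.rstrip("\n").split("\t")
    return Session(float(ts), src, dst, uri, int(resp_bytes), end)


def is_probe(s: Session) -> bool:
    """True when the request URI carries one of the known probe strings."""
    return any(marker in s.uri for marker in PROBE_MARKERS)


def classify(p: Session) -> str:
    """How the probe session ended, as seen by the sensor.

    A silent drop is the behaviour the post attributes to many NIPS, but,
    as the post also notes, a web or firewall proxy can produce the same
    picture, so the verdict is a lead rather than proof of an IPS.
    """
    if p.resp_bytes > 0:
        return "answered"      # server replied; nothing blocked it inline
    if p.end == "rst":
        return "reset"         # session killed with a RST (fingerprintable)
    return "silent-drop"       # no reply and no close: dropped or proxied away


def detect_probe_pairs(sessions: List[Session],
                       window: float = 30.0) -> List[Tuple[str, str, str, str]]:
    """Return (src, dst, probe_uri, verdict) for every probe session that has a
    normal, answered session from the same client to the same server within
    `window` seconds.  A lone probe with no baseline session is not reported:
    without the paired normal session there is nothing to compare against."""
    by_pair = defaultdict(list)
    for s in sessions:
        by_pair[(s.src, s.dst)].append(s)

    findings = []
    for (src, dst), group in by_pair.items():
        group.sort(key=lambda s: s.ts)
        baselines = [s for s in group if not is_probe(s) and s.resp_bytes > 0]
        for probe in (s for s in group if is_probe(s)):
            if any(abs(b.ts - probe.ts) <= window for b in baselines):
                findings.append((src, dst, probe.uri, classify(probe)))
    return findings


# Constructed sample log: four clients against one web server.
SAMPLE_LOG = """\
100.0\t10.0.0.5\t192.0.2.10\t/index.html\t1200\tfin
103.2\t10.0.0.5\t192.0.2.10\t/cgi-bin/phf\t0\tnone
200.0\t10.0.0.6\t192.0.2.10\t/index.html\t1200\tfin
202.5\t10.0.0.6\t192.0.2.10\t/cgi-bin/phf\t0\trst
300.0\t10.0.0.7\t192.0.2.10\t/cgi-bin/phf\t0\tnone
400.0\t10.0.0.8\t192.0.2.10\t/index.html\t1200\tfin
401.0\t10.0.0.8\t192.0.2.10\t/cgi-bin/phf\t512\tfin
"""


def run_sample() -> List[Tuple[str, str, str, str]]:
    """Run the detector over the constructed sample log."""
    return detect_probe_pairs([parse_line(l) for l in SAMPLE_LOG.splitlines()])


if __name__ == "__main__":
    for src, dst, uri, verdict in run_sample():
        print(f"{src} -> {dst} {uri}: {verdict}")
```

On the sample, 10.0.0.5 is reported as a silent drop, 10.0.0.6 as a reset, and 10.0.0.8 as answered; 10.0.0.7 sent only the probe and is not reported because there is no baseline session to compare it with. The "reset" verdict is the case where the RST fingerprinting Ron mentions would tell one device from another; the "silent-drop" verdict carries his caveat that a proxy can look the same.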

