RE: Fingerprinting IDS sensors?



Hi,

If the IDS interface is only listening and does not have an IP address, then most likely not. The NIC is still registered via its MAC address on a switch, but that would require having access to it.

An attacker could know your IDS; let me give you a few examples: the management interface is accessible from outside with the logo of the IDS vendor (believe me, I've seen a few of them); it has an IP address and its TTL is different than all other hosts (a Windows shop with one ping-able Linux machine in the DMZ); it has a DNS/host name with IDS in it (reverse DNS of the company can reveal it); the network admin posted on a few forums that he needs help with an IDS in the DMZ/Internet; someone called and offered new IDS solutions, but network security personnel told him that an IDS is deployed and how.

An attacker could get creative; the above are just a few examples. Good security practice should make this type of information hard to get.

Regards,

Ondrej Krehel, CISSP, CEH
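Two of the signals named in the reply above (a reverse-DNS name with "ids" in it, and one host whose TTL puts it in a different OS family than its neighbours) are easy to turn into a check. The script below is an added example, not code from the original post or from any IDS vendor; the host list, names and TTL values are constructed sample data, and the keyword list and the 64/128/255 initial-TTL table are assumptions a practitioner would tune.

```python
import re
from collections import Counter

# Constructed sample, not real hosts: (address, reverse-DNS name or None,
# TTL observed in the ICMP echo reply). The first three mimic Windows boxes
# about 10 hops away; the last two mimic a Linux sensor and a nameless host.
SAMPLE_HOSTS = [
    ("192.0.2.10", "www.example.com", 118),
    ("192.0.2.11", "mail.example.com", 116),
    ("192.0.2.12", "ftp.example.com", 117),
    ("192.0.2.20", "ids-dmz.example.com", 54),
    ("192.0.2.21", None, 55),
]

# Hostname labels that commonly betray a sensor (assumed keyword list).
IDS_LABEL = re.compile(r"^(ids|ips|nids|snort|sensor|probe)\d*$")

# Common initial TTLs: 64 (Linux/BSD), 128 (Windows), 255 (network gear/Solaris).
INITIAL_TTLS = (64, 128, 255)


def guess_initial_ttl(observed):
    """Infer the sender's initial TTL by rounding the observed value up to the
    nearest common default; the gap between them is roughly the hop count."""
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial
    raise ValueError("TTL above 255 is impossible")


def hostname_hints(name):
    """Return the IDS-looking labels in a reverse-DNS name (hyphens split labels)."""
    if not name:
        return []
    labels = re.split(r"[.-]", name.lower())
    return [label for label in labels if IDS_LABEL.match(label)]


def ttl_outliers(hosts):
    """Group hosts by inferred initial TTL. Returns (majority_ttl, {addr: ttl})
    for the hosts whose OS family differs from the majority."""
    family = {addr: guess_initial_ttl(ttl) for addr, _, ttl in hosts}
    majority = Counter(family.values()).most_common(1)[0][0]
    return majority, {a: f for a, f in family.items() if f != majority}


def fingerprint_candidates(hosts):
    """Combine both signals; returns {addr: [reason, ...]} for flagged hosts."""
    majority, outliers = ttl_outliers(hosts)
    flagged = {}
    for addr, name, ttl in hosts:
        reasons = []
        hints = hostname_hints(name)
        if hints:
            reasons.append(f"reverse DNS {name!r} contains {hints}")
        if addr in outliers:
            reasons.append(
                f"TTL {ttl} implies initial TTL {outliers[addr]}, "
                f"majority of hosts use {majority}"
            )
        if reasons:
            flagged[addr] = reasons
    return flagged


if __name__ == "__main__":
    for addr, reasons in fingerprint_candidates(SAMPLE_HOSTS).items():
        print(addr)
        for r in reasons:
            print("  -", r)
```

In practice the tuples come from PTR lookups and ICMP replies collected during a sweep. A TTL outlier alone only says "different OS from the rest"; it becomes interesting when it coincides with a telling name, a vendor banner on the management port, or an address that answers nothing else. Defenders can run the same check against their own DMZ to see what the naming scheme and the one odd host give away.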


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Chen, Hao
Sent: Monday, June 08, 2009 10:16 AM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Fingerprinting IDS sensors?

Hi,

I'm wondering if it is possible for an attacker to know/be aware that a
target site already has IDS products deployed? If yes, how? An
example would help. Thanks a lot!

Regards


