Re: Fingerprinting IDS sensors?
- From: Jeremy Bennett <jeremyfb@xxxxxxx>
- Date: Mon, 08 Jun 2009 08:11:55 -0700
It is always possible to determine if a site is protected by any kind of active defense, whether it is human or electronic. You do so by tickling it and eliciting a response. The nature of the response will tell you the nature of the defenses.
Now, can you determine if a site has an IDS? That depends on if the IDS is monitored or not. If, like most IDS deployments, it is logging and only analyzed on rare occasions then you probably won't be able to tell. If it is monitored actively then you may be able to determine based on tracking responses to probes over time.
If you mean IPS instead of IDS the answer is easier. An IPS will actively interfere with traffic patterns and you can find it by launching sample attacks at a target and watching for a response. An IPS that is blocking an attack will often send a TCP RST to both the attacker and the victim as part of blocking the traffic. Even if the IPS does not send you a RST you can find it by the fact that you get no response at all from the victim.
With sufficient profiles of a set of IPS it would be possible to craft a tool that could identify which IPS is inline based on which attacks are blocked and how.
-J
On Jun 8, 2009, at 7:15 AM, Chen, Hao wrote:
Hi,
I'm wondering if it is possible for an attacker to know/aware that a
target site has already had IDS products deployed? If yes, how? An
example would help, Thanks a lot!
Regards
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
- References:
- Fingerprinting IDS sensors?
- From: Chen, Hao
- Fingerprinting IDS sensors?
- Prev by Date: Re: Fingerprinting IDS sensors?
- Next by Date: RE: Fingerprinting IDS sensors?
- Previous by thread: Re: Fingerprinting IDS sensors?
- Next by thread: RE: Fingerprinting IDS sensors?
- Index(es):
Relevant Pages
|
