IDS mailing list archives

Re: Fingerprinting IDS sensors?


From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Tue, 9 Jun 2009 12:26:16 -0400

- Your target logo might be on the home page of a major NIDS vendor.

I like that one the best.

From what I can tell the real answer is, it doesn't matter if they
have a NIDS or not.

Steve Mullins

On Mon, Jun 8, 2009 at 1:14 PM, Ron Gula <rgula () tenablesecurity com> wrote:
On 6/8/2009 10:15 AM, Chen, Hao wrote:
Hi,

I'm wondering if it is possible for an attacker to know/be aware that a
target site already has IDS products deployed? If yes, how? An
example would help. Thanks a lot!

Regards


We've had a few users ask for this feature in Nessus. There are a variety of
methods people can use:

- If you have access to sniff the traffic to/from the site, you can wait
to see if someone does a signature update. For example, our PVS product
identifies Snort sensors that emit SYSLOG alerts.
- You may be able to perform an active scan and see that some hosts are
sniffing. This won't tell you they are a NIDS, but it will tell you
someone is sniffing. A NIDS might be tapped and 100% out of band.
- If the IDS is actually in IPS mode, and you know what they are
blocking, you might be able to send a few attacks and, based on what is
dropped, fingerprint the IPS.
- If you do an active scan of the site, you might be able to fingerprint
the management console of the IDS (if there is one).
- Your target logo might be on the home page of a major NIDS vendor.

I'm sure there are other methods.

Ron Gula, CTO
Tenable Network Security









