Penetration Testing mailing list archives
Re: [PEN-TEST] IDS identification and a personal cry for help :)
From: Pedro Quintanilha <quinta () CERTBR COM BR>
Date: Tue, 22 Aug 2000 23:41:10 -0300
There's a *lot* of reactions that can be much more efficient and much more "obscure" (from the attacker point of view) than simply break a connection via RST or hardening a fw rule... I think that the "market contamination" over the admin's minds is the great guilty about this lack of vision. Some "stealth" reactions as bandwidth-reduction, attack re-routing, deception, and so on, are simply rejected or interpreted as "legends" when, on the real word, are very useful. I think that the most sec-admins tend to only "accept" what the "market culture" says, and forget what they really *can* do to react on attack situations. Well... I exceed on my opinions sometimes... so, what you think about it?? []'s Pedro Quintanilha quinta () certbr com br Bill Pennington wrote:
Yes this is why I stated a "hyperactive" NID at work (or maybe a hyperactive admin ). Unfortunately I have run into a lot more of these lately as people seem to think it is a cool thing to do. Until I shun them from there next hop :-) ----- Original Message ----- From: Talisker <Talisker () NETWORKINTRUSION CO UK> To: <PEN-TEST () SECURITYFOCUS COM> Sent: Saturday, August 19, 2000 11:12 AM Subject: Re: IDS identification and a personal cry for help :)Bill - Comment belowOne way to detect a NIDS is to launch attacks and see if you are then shunned from the network. This is a good indication that a hyperactiveNIDis at work. Also if your connection gets reset when you attempt anexploitthat is another tip-off. As far as fingerprinting goes, if you where knowledgeable about default rulesets you might be able to determine aNIDbyits reactions, or lack of action, to certain attacks.I think think you'll find that most IDS have the auto response facility turned off Andy www.networkintrusion.co.uk ''' (0 0) ----oOO----(_)---------- | The geek shall | | Inherit the earth | -----------------oOO---- |__|__| || || ooO Ooo
Current thread:
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Domenico De Vitto (Aug 21)
- <Possible follow-ups>
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Dragos Ruiu (Aug 21)
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Dragos Ruiu (Aug 21)
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Talisker (Aug 21)
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Bill Pennington (Aug 22)
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Pedro Quintanilha (Aug 23)
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Bill Pennington (Aug 22)