Network Security Focus-IDS

Re: detecting "intrusion detection"

Subject: Re: detecting "intrusion detection"
Date: Wed, 05 Oct 2005 17:09:02 -0400
At 08:01 AM 10/3/2005, sumit.siddharth@gmail.com wrote:
Hi list,
Is there any technique to detect if a particular machine is running an IDS or if a network has implemented IDS.
Thanks
Sid

There are several ways:

On the host side, if you have access to the system, you
may be able to find running processes, running daemons
and possibly evidence on the file system. Some Windows
'IDS/IPS' register their software just like other tools.

On the Network side:

- there have been several tools (anti-sniff) that you
  can use to see if a host is sniffing as compared to
  the performance in response times from other systems
  around it.

- if the IDS/IPS is in TCP session 'kill' mode, you
  may see packets come from the device which can be
  fingerprinted. IntruShield TCP resets look different
  than ISS ones.

- The management consoles of various products can be
  fingerprinted. Nessus can detect Cisco RDEP, Enterasys
  Dragon and some other NIDS management protocols.

- If you really look at some in-line sessions, you
  can see how TCP sessions which contain "/cgi-bin/phf"
  just seem to vanish. Many NIPS will just drop the session
  so you sniff two TCP sessions at the same time and
  if one with the odd traffic gets silently dropped,
  you may be able to see if it is an IPS. Of course, this
  could be the result of a web or firewall proxy.

- And lastly (we've had this problem with some of our
  Lightning Console customers) some of the IPSes out there
  have honeypot services. These are not true services,
  but they ping like a real IP, have open ports like a
  real web server, but fingerprint like some unknown
  OS. I haven't cataloged these yet, but my guess is
  the guys who don't expose their own TCP stack can be
  fingerprinted.

I'm sure there are others ....

Ron Gula, CTO
Tenable Network Security
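The second network-side point above (resets generated by an inline device look different from resets generated by the endpoint) can be illustrated with a small check an operator can run over a capture of their own traffic. The following is an added example, not code from Ron Gula's post or from Tenable; it assumes a simplified packet record (constructed in the script rather than parsed from a real pcap) and uses only the IP TTL as the distinguishing feature. An RST that carries a different TTL from the packets the same endpoint sent earlier in the same session was most likely produced by something in the path rather than by that host.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP/IP packet record (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    flags: str   # TCP flag letters, e.g. "S", "SA", "PA", "R", "RA"
    window: int


def flow_key(p: Packet):
    """Direction-independent key so both halves of a session share one record."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def find_suspicious_resets(packets):
    """Return (rst_packet, baseline_ttl) pairs for RSTs whose TTL differs
    from the TTL previously observed from the same endpoint in the same flow.

    A mismatch suggests the reset was injected by a device between the hosts
    (for example an inline IDS/IPS in session-kill mode) rather than sent by
    the endpoint whose address it carries. RSTs with no prior baseline for
    that endpoint (e.g. a genuine reset from a closed port) are not flagged.
    """
    baseline = defaultdict(dict)  # flow -> {endpoint: ttl seen on non-RST packets}
    flagged = []
    for p in packets:
        key = flow_key(p)
        endpoint = (p.src, p.sport)
        if "R" not in p.flags:
            # remember the first TTL seen from this endpoint in this flow
            baseline[key].setdefault(endpoint, p.ttl)
            continue
        known = baseline[key].get(endpoint)
        if known is not None and known != p.ttl:
            flagged.append((p, known))
    return flagged


# Constructed sample traffic: one session where the "server" reset arrives
# with a TTL unlike the server's own packets, and one genuine reset from a
# closed port on the same server.
SAMPLE = [
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, 64, "S", 65535),
    Packet("192.0.2.10", 80, "10.0.0.5", 40001, 57, "SA", 29200),
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, 64, "PA", 65535),
    Packet("192.0.2.10", 80, "10.0.0.5", 40001, 255, "R", 0),     # TTL 255, not 57
    Packet("10.0.0.5", 40002, "192.0.2.10", 8080, 64, "S", 65535),
    Packet("192.0.2.10", 8080, "10.0.0.5", 40002, 57, "RA", 0),   # closed port, no baseline
]


def report(packets):
    """Human-readable lines for each flagged reset."""
    lines = []
    for p, known in find_suspicious_resets(packets):
        lines.append(
            f"RST {p.src}:{p.sport} -> {p.dst}:{p.dport} has TTL {p.ttl}, "
            f"but this endpoint previously used TTL {known}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Running this over a real capture would mean mapping each packet to the `Packet` fields; the logic itself does not change. The TTL check is only one of the differences the post alludes to: window size, IP ID behaviour and TCP options on the reset can be compared the same way, which is why an operator reviewing their own IPS deployment may want to confirm how visible its session kills are.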



