IDS detection
Page 1 of 2 12 LastLast
Results 1 to 10 of 18

Thread: IDS detection

  1. #1
    Senior Member
    Join Date
    Jun 2004
    Posts
    379

    IDS detection

    How do you detect of some one is running an IDS?

  2. #2
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Nmap their network and see if the cops show up at your door or your ISP cut's you off. Seriously, I donít think that there is a reliably way to tell. It is a good question though.

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Really... Unless you are inside his network in the first place he should have made it impossible for you to detect it. But then that might also depend upon the sysadmins choice of IDS and his rules. In Snort for example I can use the "react" keyword.... It sends an RST to one or both ends of the conversation when it alerts.... But that would tell you I'm watching you..... So I don't use "reacts".... I just log you, block you or otherwise defeat you or wait for you to make a mistake..... which, if your intentions for asking the question are dishonorable you will surely make if you need to ask the question in the first place...... nuff said?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    It depends on how the IDS is setup. Quite often today we see IDS, like Snort, run on "Stealth" ports. One way might be to look for a default administrative port that specific IDSes use. Alternatively, listening for packets that might be sent back and forth (assuming you have access to the network to do so).

    Certainly it's not unusual to see an attacker attempt to "flood" what might be an IDS network/IP. IDS are vulnerable to having too much data.

    I did take a look around because I have to admit I haven't looked into this issue specifically (although I suspected that many of the existing problems with firewalls would also fall over to IDSes). Take a look at this article. While not detailed on specifics it should give you some ideas.

    I do suspect that with the advent of combos (firewall + IDS) it may be easier for attackers to detect them (finding fingerprints of these applications) and thus make it easier for attackers to break these down. I'm personally a big fan of layers of security (have a seperate box for an IDS, one for firewall, another for another firewall, etc.)
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    I would think that if the admins are looking at the IDS logs they will detect your probing for what IDS they have before you get a chance to use said information. Makes it somewhat pointless, either they are looking at their logs and see your probes for what IDS they use, or there arenít paying attention to what their IDS reports so it does not matter anyway. Still, interesting to know about Snort and "reacts".

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Then there's Stick and Snot that they'll use to try to flood your IDS by using it's own rules against it..... It might confuse the admin... It might drop the important packets.... But, oh, I forgot.... Snort has been hardened against such attacks since 1.8 or 9 I believe it was... Oh well.... another little avenue of pleasure cut off.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    Senior Member
    Join Date
    Jun 2004
    Posts
    379
    Ok thank you for the information i was just wornding about idses and one more thing what kind of places usualy run idses.

  8. #8
    Any places that have smart IT staff.

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    How you secure you assets, (specifically digital assets), is determined entirely by a risk assessment. The risk assessment places a "value" on your assets. From that value you determine the cost and the suitable tools you should use to defend those assets.

    Thus, if your risk assessment indicates that it would be of value to protect the assets an IDS is a very useful tool when you consider that, for the largest part, nothing is secure.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  10. #10
    AO Łbergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    for the largest part, nothing is secure
    Especially when your security admins are away on vacation/holidays...
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •