
Thread: IDS detection

  1. #11
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by phishphreek80
    Especially when your security admins are away on vacation/holidays...
    Vacation/holidays... what the hell are those?


    Cheers:
    DjM

  2. #12
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Especially when your security admins are away on vacation/holidays...
    They don't have to be on holidays. Poor configurations lead to a lot of holes and vulnerabilities. It's a lack of attention to detail and lack of desire to pay attention to that detail. Many have been trained to administrate their networks but few are trained to think security from the get go. As long as that exists, there will always be those that can by-pass firewalls, IDSes, pick out the honeypots and go to the bank with your data. As long as people assume they are secure, they will never be secure.

    Better to be paranoid and think of all the possibilities than to get lax. The attackers aren't.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #13
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    Of course, rather than trying to detect the IDS, which as has been said is not very practical from the outside, an attacker can try to avoid it; various methods exist for doing this. Which is why defense in depth is such a good idea. Make sure boxes are patched and locked down, logs are being monitored, AV is running, etc.
    Quis custodiet ipsos custodes

  4. #14
    Senior Member
    Join Date
    Jun 2004
    Posts
    379
    Ok, so places like schools, web servers, and small businesses would not usually have one, but places like banks, large businesses, and sites with valuable information stored on them for businessmen away from the office would have IDSes.

  5. #15
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Ok, so places like schools, web servers, and small businesses would not usually have one, but places like banks, large businesses, and sites with valuable information stored on them for businessmen away from the office would have IDSes.
    Not always true. Schools, webservers and small businesses also have valuable information to protect (e.g., client information, personal privacy of students, grades, exams, etc.) It's often a question of budget, admin's knowledge and how important it is to them.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #16
    Senior Member
    Join Date
    Jun 2004
    Posts
    379
    Oh, ok. Thank you all for the help.

  7. #17
    Junior Member
    Join Date
    Oct 2005
    Posts
    1
    There are several methods. I've described some in this thread:

    http://marc.theaimsgroup.com/?l=vuln...8483927663&w=2

  8. #18
    Member
    Join Date
    Sep 2005
    Posts
    77
    Saw that there was another thread here with almost the same question, but it was geared a bit more towards detecting snort:
    http://www.antionline.com/showthread...hreadid=270550

    I found this little blurb about detecting if someone is running a NIDS (Network IDS) on another site:

    "A NIDS is essentially a sniffer, so therefore standard sniffer detection techniques can be used. Such techniques are explained in http://www.robertgraham.com/pubs/sni...q.html#detect.
    An example would be to do a traceroute against the victim. This will often generate a low-level event in the IDS. Traceroutes are harmless and frequent on the net, so they don't indicate an attack. However, since many attacks are preceded by traceroutes, IDSs will log them anyway. As part of the logging system, it will usually do a reverse-DNS lookup. Therefore, if you run your own DNS server, then you can detect when somebody is doing a reverse-DNS lookup on your IP address in response to your traceroute. "
    -Snippet taken from www.ticm.com/kb/faq/idsfaq.html

    Interesting site, lots of useful FAQs pertaining to IDSs.
    %42%75%75%75%75%72%70%21%00
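The quoted FAQ describes a leak on the defender's side: the sensor's logging pipeline does a reverse-DNS lookup on the source of a harmless event, and that lookup is visible to whoever controls the source's PTR zone. The following is an added example, not code from the post or from the FAQ it quotes, showing how an administrator can audit their own IDS alert log and resolver query log for that behaviour. The log formats, IP addresses and timestamps are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (invented formats, not from any real product).
# IDS alert log:      "<ISO timestamp> ALERT <signature> src=<ip>"
# Resolver query log: "<ISO timestamp> QUERY <client-ip> PTR <reversed-ip>.in-addr.arpa"
IDS_LOG = """\
2005-10-03T10:15:02 ALERT ICMP traceroute src=198.51.100.7
2005-10-03T10:20:30 ALERT TCP portscan src=203.0.113.9
"""
RESOLVER_LOG = """\
2005-10-03T10:15:03 QUERY 192.0.2.10 PTR 7.100.51.198.in-addr.arpa
2005-10-03T10:17:45 QUERY 192.0.2.11 PTR 1.0.0.10.in-addr.arpa
2005-10-03T10:20:31 QUERY 192.0.2.10 PTR 9.113.0.203.in-addr.arpa
"""

ALERT_RE = re.compile(r"^(\S+) ALERT (.+?) src=(\S+)$")
PTR_RE = re.compile(r"^(\S+) QUERY (\S+) PTR (\S+)\.in-addr\.arpa$")


def ptr_to_ip(name):
    # PTR names carry the octets reversed: "7.100.51.198" -> "198.51.100.7"
    return ".".join(reversed(name.split(".")))


def leaking_lookups(ids_log, resolver_log, window_seconds=5):
    """Return (signature, source_ip, resolver_client) for every PTR query of an
    alert's source IP issued within window_seconds after that alert.
    Each hit means the alert path tells the probing host its packets were logged."""
    ptr_queries = []
    for line in resolver_log.splitlines():
        m = PTR_RE.match(line)
        if m:
            ptr_queries.append((datetime.fromisoformat(m.group(1)), m.group(2), ptr_to_ip(m.group(3))))
    hits = []
    for line in ids_log.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        t_alert, sig, src = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        for t_query, client, ip in ptr_queries:
            if ip == src and timedelta(0) <= t_query - t_alert <= timedelta(seconds=window_seconds):
                hits.append((sig, src, client))
    return hits


if __name__ == "__main__":
    for sig, src, client in leaking_lookups(IDS_LOG, RESOLVER_LOG):
        print(f"sensor host {client} resolved {src} right after '{sig}': disable reverse lookups in the alert path")
```

The unrelated PTR query for 10.0.0.1 is ignored because it is not an alert source; only lookups that follow an alert and match its source are reported.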
