
Thread: IDS detection

  1. #1
    Senior Member
    Join Date
    Jun 2004
    Posts
    379

    IDS detection

    How do you detect if someone is running an IDS?

  2. #2
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Nmap their network and see if the cops show up at your door or your ISP cuts you off. Seriously, I don't think that there is a reliable way to tell. It is a good question though.

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Really... Unless you are inside his network in the first place he should have made it impossible for you to detect it. But then that might also depend upon the sysadmin's choice of IDS and his rules. In Snort for example I can use the "react" keyword.... It sends an RST to one or both ends of the conversation when it alerts.... But that would tell you I'm watching you..... So I don't use "reacts".... I just log you, block you or otherwise defeat you or wait for you to make a mistake..... which, if your intentions for asking the question are dishonorable, you will surely make if you need to ask the question in the first place...... nuff said?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Just a Virtualized Geek (MrLinus)
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    It depends on how the IDS is set up. Quite often today we see IDSes, like Snort, run on "stealth" ports. One way might be to look for a default administrative port that specific IDSes use. Alternatively, listen for packets that might be sent back and forth (assuming you have access to the network to do so).

    Certainly it's not unusual to see an attacker attempt to "flood" what might be an IDS network/IP. IDSes are vulnerable to having too much data.

    I did take a look around because I have to admit I haven't looked into this issue specifically (although I suspected that many of the existing problems with firewalls would also fall over to IDSes). Take a look at this article. While not detailed on specifics it should give you some ideas.

    I do suspect that with the advent of combos (firewall + IDS) it may be easier for attackers to detect them (finding fingerprints of these applications) and thus make it easier for attackers to break these down. I'm personally a big fan of layers of security (have a separate box for an IDS, one for a firewall, another for another firewall, etc.)
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter | MsMittens' HomePage

  5. #5
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    I would think that if the admins are looking at the IDS logs they will detect your probing for what IDS they have before you get a chance to use said information. Makes it somewhat pointless: either they are looking at their logs and see your probes for what IDS they use, or they aren't paying attention to what their IDS reports, so it does not matter anyway. Still, interesting to know about Snort and "reacts".

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Then there's Stick and Snot that they'll use to try to flood your IDS by using its own rules against it..... It might confuse the admin... It might drop the important packets.... But, oh, I forgot.... Snort has been hardened against such attacks since 1.8 or 9 I believe it was... Oh well.... another little avenue of pleasure cut off.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
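    Posts #4 and #6 both describe the same failure mode from the defender's side: a tool like Stick or Snot replays traffic matching many of the sensor's own signatures, so the real event is buried in a storm of unrelated alerts. A cheap first-line check is to look for sources that fire an unusually large number of distinct signatures in a short window, since a genuine attack normally trips one or a few rules, not dozens. The script below is an added example written for this thread, not code from the forum or from the Snort project; it parses Snort's "fast" alert format (as documented for Snort 2.x) and the sample alert lines it runs on are constructed, not captured traffic. The thresholds (`window_seconds`, `min_alerts`, `min_distinct_sids`) are assumptions to tune per sensor.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Snort "fast" alert format, one alert per line; the timestamp carries no year.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?(?:\[Priority:\s*\d+\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # strptime defaults the missing year to 1900; only differences between
    # timestamps are used below, so that is harmless.
    rec["time"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")
    rec["sid"] = int(rec["sid"])
    return rec


def detect_alert_storms(lines, window_seconds=10, min_alerts=50, min_distinct_sids=20):
    """
    Flag sources that trigger at least min_alerts alerts covering at least
    min_distinct_sids different signatures inside any window_seconds window.
    Returns {src: {"alerts", "distinct_sids", "first", "last"}} describing the
    densest qualifying window per flagged source. Thresholds are assumptions.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_fast_alert(line)
        if rec:
            by_src[rec["src"]].append(rec)

    window = timedelta(seconds=window_seconds)
    storms = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["time"])
        start, best = 0, None
        for end in range(len(recs)):
            # Slide the window start forward until it fits within window_seconds.
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count < min_alerts:
                continue
            sids = {r["sid"] for r in recs[start:end + 1]}
            if len(sids) >= min_distinct_sids and (best is None or count > best["alerts"]):
                best = {"alerts": count, "distinct_sids": len(sids),
                        "first": recs[start]["time"], "last": recs[end]["time"]}
        if best:
            storms[src] = best
    return storms


def _fast_line(ts, sid, src, dst="192.168.1.10", dport=80):
    """Build one constructed fast-format alert line (sample data, not real traffic)."""
    return (f"{ts}  [**] [1:{sid}:1] CONSTRUCTED rule {sid} [**] "
            f"[Classification: Attempted Information Leak] [Priority: 2] "
            f"{{TCP}} {src}:{40000 + sid % 1000} -> {dst}:{dport}")


# Constructed sample log: 10.0.0.66 fires 60 different signatures in about six
# seconds (decoy-flood pattern); 10.0.0.7 fires one signature three times over
# two hours (ordinary background noise).
SAMPLE_LINES = [
    _fast_line(f"01/25-10:00:{i // 10:02d}.{(i % 10) * 100000:06d}", 1000000 + i, "10.0.0.66")
    for i in range(60)
] + [
    _fast_line(f"01/25-{10 + i:02d}:15:00.000000", 2000001, "10.0.0.7")
    for i in range(3)
]

if __name__ == "__main__":
    for src, s in detect_alert_storms(SAMPLE_LINES).items():
        print(f"alert storm from {src}: {s['alerts']} alerts, {s['distinct_sids']} distinct SIDs "
              f"between {s['first'].time()} and {s['last'].time()}")
```

    On the sample data only 10.0.0.66 is reported. Treating such a burst as a single "decoy flood" event rather than sixty separate incidents keeps the analyst's attention on the alerts that arrive just before, during and after it, which is where the real activity would hide.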

  7. #7
    Senior Member
    Join Date
    Jun 2004
    Posts
    379
    OK, thank you for the information. I was just wondering about IDSes, and one more thing: what kind of places usually run IDSes?

  8. #8
    Any places that have smart IT staff.

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    How you secure your assets (specifically digital assets) is determined entirely by a risk assessment. The risk assessment places a "value" on your assets. From that value you determine the cost and the suitable tools you should use to defend those assets.

    Thus, if your risk assessment indicates that it would be of value to protect the assets an IDS is a very useful tool when you consider that, for the largest part, nothing is secure.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    AO übergeek (phishphreek)
    Join Date
    Jan 2002
    Posts
    4,325
    "for the largest part, nothing is secure"
    Especially when your security admins are away on vacation/holidays...
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
