Fingerprinting IDS sensors?


Fingerprinting IDS sensors?

by Chen, Hao

Hi,

I'm wondering if it is possible for an attacker to know/be aware that a
target site already has IDS products deployed? If yes, how? An
example would help. Thanks a lot!

Regards



Re: Fingerprinting IDS sensors?

by Jamie Riden

2009/6/8 Chen, Hao <chenhao927@...>:
> Hi,
>
> I'm wondering if it is possible for an attacker to know/be aware that a
> target site already has IDS products deployed? If yes, how? An
> example would help. Thanks a lot!
>
> Regards

Typically an IDS would be running in completely passive mode and thus
should be undetectable - at least it should properly be called an
Intrusion *Prevention* System if it's not.

I can't think of any way of fingerprinting the last snort IDS I
configured except by observing the actions of the analyst who checks
the alerts :)

It should be easy to fingerprint an IPS by seeing what kind of attacks
get blocked, e.g. sp_respond on snort can send some fake TCP RST
packets which you could check for. You could also potentially
fingerprint snort_inline by trying various attacks that should get
blocked using the default rulebase and then seeing if variations get
blocked. You may need access to a range of different IPS systems to
write your fingerprints with, though, and modification from the factory
settings might invalidate the fingerprinting technique.

cheers,
 Jamie
--
Jamie Riden / jamesr@... / jamie@...
http://www.ukhoneynet.org/members/jamie/



Re: Fingerprinting IDS sensors?

by Jeremy Bennett-2

It is always possible to determine if a site is protected by any kind
of active defense, whether it is human or electronic. You do so by
tickling it and eliciting a response. The nature of the response will
tell you the nature of the defenses.

Now, can you determine if a site has an IDS? That depends on whether the
IDS is monitored or not. If, like most IDS deployments, it is logging
and only analyzed on rare occasions then you probably won't be able to
tell. If it is monitored actively then you may be able to determine
based on tracking responses to probes over time.

If you mean IPS instead of IDS the answer is easier. An IPS will
actively interfere with traffic patterns and you can find it by
launching sample attacks at a target and watching for a response. An
IPS that is blocking an attack will often send a TCP RST to both the
attacker and the victim as part of blocking the traffic. Even if the
IPS does not send you a RST you can find it by the fact that you get
no response at all from the victim.

With sufficient profiles of a set of IPS it would be possible to craft
a tool that could identify which IPS is inline based on which attacks
are blocked and how.

-J

On Jun 8, 2009, at 7:15 AM, Chen, Hao wrote:

> Hi,
>
> I'm wondering if it is possible for an attacker to know/be aware that a
> target site already has IDS products deployed? If yes, how? An
> example would help. Thanks a lot!
>
> Regards
>
>



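The two replies above describe the same observable: Jamie's sp_respond sends a forged TCP RST that you could "check for", and Jeremy's IPS either resets both sides or leaves the attacker with no reply at all. The script below is an added example, not code from either poster, that turns those observations into a decision procedure. It assumes that the prober first makes a benign connection and records the TTL of the target's own SYN/ACK, then compares the TTL of any RST received for attack-pattern probes against that baseline (a device on a different hop leaves a different TTL, which the classic RST-injection checks rely on). The probe names, packet records and TTL values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# What the probing host records for each packet coming back from the
# target: the TCP flags and the IP TTL it arrived with. Constructed for
# the example, not real captures.
@dataclass(frozen=True)
class Pkt:
    flags: str   # "SA" = SYN/ACK, "RA" = RST/ACK, "R" = RST, "PA"/"A" = data or ack
    ttl: int

@dataclass
class Probe:
    name: str
    kind: str                        # "benign" (should be answered) or "attack"
    replies: List[Pkt] = field(default_factory=list)

def baseline_ttl(probes: List[Probe]) -> int:
    """TTL of a SYN/ACK the target host itself sent for a benign probe.
    Any later packet claiming to be the host is compared against it:
    a middlebox sits on a different hop, so its TTL differs."""
    for p in probes:
        if p.kind == "benign":
            for r in p.replies:
                if r.flags == "SA":
                    return r.ttl
    raise ValueError("no benign probe was answered; cannot set a baseline")

def classify(probe: Probe, ref_ttl: int) -> str:
    """Say what, if anything, interfered with one attack-pattern probe."""
    if not probe.replies:
        return "dropped: no reply although benign probes are answered (inline filter)"
    rst = next((r for r in probe.replies if "R" in r.flags), None)
    if rst is None:
        return "answered: nothing interfered"
    if rst.ttl == ref_ttl:
        return "reset by host: the RST carries the host's own TTL (inconclusive)"
    if any(r.flags in ("PA", "A") for r in probe.replies):
        return "reset by sensor: injected RST raced the host's real reply (passive sensor with active response)"
    return "reset inline: injected RST and nothing from the host (inline IPS)"

def fingerprint(probes: List[Probe]) -> Dict[str, str]:
    ref = baseline_ttl(probes)
    return {p.name: classify(p, ref) for p in probes if p.kind == "attack"}

def verdict(results: Dict[str, str]) -> str:
    kinds = {v.split(":")[0] for v in results.values()}
    if kinds & {"dropped", "reset inline"}:
        return "inline IPS likely"
    if "reset by sensor" in kinds:
        return "passive sensor with active response likely"
    return "no evidence of active defence"

# Constructed scenario: the target answers with TTL 52 (initial 64, twelve
# hops away); a device three hops closer to us injects RSTs with TTL 61.
SAMPLE = [
    Probe("GET /index.html",             "benign", [Pkt("SA", 52), Pkt("PA", 52)]),
    Probe("directory traversal pattern", "attack", [Pkt("RA", 61), Pkt("PA", 52)]),
    Probe("overlong URI",                "attack", [Pkt("RA", 61)]),
    Probe("shellcode-like payload",      "attack", []),
    Probe("SYN to closed port",          "attack", [Pkt("RA", 52)]),
]

if __name__ == "__main__":
    results = fingerprint(SAMPLE)
    for name, what in results.items():
        print(f"{name:28s} -> {what}")
    print("verdict:", verdict(results))
```

The TTL comparison is a heuristic: a device that copies the victim's TTL into its forged RST, or a target behind a load balancer whose members sit at different hop counts, will defeat it, which is one reason the thread suggests building per-product profiles rather than relying on a single signal.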

RE: Fingerprinting IDS sensors?

by Ondrej Krehel

Hi,

If the IDS interface is only listening and has no IP address, then most likely not. The NIC is still registered by its MAC address on a switch, but that would require having access to it.

An attacker could learn what IDS you run; let me give you some examples:

- the management interface is accessible from outside and shows the IDS vendor's logo (believe me, I've seen a few of them);
- the sensor has an IP address and its TTL is different from all other hosts (a Windows shop with one ping-able Linux machine in the DMZ);
- it has a DNS/host name with "IDS" in it (a reverse DNS sweep of the company can reveal it);
- the network admin posted on a few forums that he needs help with an IDS in the DMZ/Internet;
- someone called and offered a new IDS solution, but network security personnel told him that an IDS is already deployed, and how.

An attacker could get creative; the above are just a few examples. Good security practice should make this type of information hard to get.

Regards,

Ondrej Krehel, CISSP, CEH


-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Chen, Hao
Sent: Monday, June 08, 2009 10:16 AM
To: focus-ids@...
Subject: Fingerprinting IDS sensors?

Hi,

I'm wondering if it is possible for an attacker to know/be aware that a
target site already has IDS products deployed? If yes, how? An
example would help. Thanks a lot!

Regards
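Ondrej's TTL and hostname hints can be checked mechanically. The script below is an added example, not from the original post: it takes a list of hosts with the TTL seen in their ping replies and their reverse-DNS names, infers each host's initial TTL from the usual defaults (64, 128, 255), and flags the host whose operating-system class differs from the rest of the range or whose name advertises a sensor. The host list, names and TTL values are constructed; the hop count it prints is simply initial TTL minus observed TTL, so two hosts with the same hop count but different initial TTLs are at the same place in the network but run different operating systems, which is exactly the "one Linux box in a Windows DMZ" case.

```python
import re
from collections import Counter
from typing import List, Tuple

# Constructed reconnaissance data, not from a real network:
# (address, reverse-DNS name, TTL observed in the ICMP echo reply).
HOSTS = [
    ("203.0.113.10", "www.example.com",     115),
    ("203.0.113.11", "mail.example.com",    115),
    ("203.0.113.12", "vpn.example.com",     114),
    ("203.0.113.20", "ids-dmz.example.com",  51),
]

# Words that a careless naming scheme leaks into reverse DNS.
SENSOR_WORDS = re.compile(r"\b(ids|ips|nids|snort|sensor)\b", re.I)

# Typical initial TTLs; the observed value can only be at or below one of them.
OS_GUESS = {64: "Linux/Unix-like", 128: "Windows", 255: "network gear/Solaris"}

def initial_ttl(observed: int) -> int:
    """Smallest common initial TTL that the observed value fits under."""
    for base in (64, 128, 255):
        if observed <= base:
            return base
    return 255

def odd_ones_out(hosts) -> List[Tuple[str, List[str]]]:
    """Hosts whose TTL class differs from the majority, or whose name
    hints at a sensor, with the reasons for flagging each one."""
    classes = {ip: initial_ttl(ttl) for ip, _, ttl in hosts}
    majority = Counter(classes.values()).most_common(1)[0][0]
    findings = []
    for ip, name, ttl in hosts:
        cls = classes[ip]
        reasons = []
        if cls != majority:
            reasons.append(
                f"initial TTL {cls} ({OS_GUESS[cls]}) while most hosts use "
                f"{majority} ({OS_GUESS[majority]}); {cls - ttl} hops away")
        if SENSOR_WORDS.search(name):
            reasons.append(f"reverse DNS name '{name}' names a sensor")
        if reasons:
            findings.append((ip, reasons))
    return findings

if __name__ == "__main__":
    for ip, reasons in odd_ones_out(HOSTS):
        print(ip)
        for r in reasons:
            print("  -", r)
```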





Re: Fingerprinting IDS sensors?

by rgula@tenablesecurity.com

On 6/8/2009 10:15 AM, Chen, Hao wrote:
> Hi,
>
> I'm wondering if it is possible for an attacker to know/be aware that a
> target site already has IDS products deployed? If yes, how? An
> example would help. Thanks a lot!
>
> Regards
>  

We've had a few users ask for this feature in Nessus. There are a variety of
methods people can use:

- If you have access to sniff the traffic to/from the site, you can wait
to see if someone does a signature update. For example, our PVS product
identifies Snort sensors that emit SYSLOG alerts.
- You may be able to perform an active scan and see that some hosts are
sniffing. This won't tell you they are a NIDS, but it will tell you
someone is sniffing. A NIDS might be tapped and 100% out of band.
- If the IDS is actually in IPS mode, and you know what they are
blocking, you might be able to send a few attacks and based on what is
dropped fingerprint the IPS.
- If you do an active scan of the site, you might be able to fingerprint
the management console of the IDS (if there is one).
- Your target's logo might be on the home page of a major NIDS vendor.

I'm sure there are other methods.

Ron Gula, CTO
Tenable Network Security
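Ron's second bullet, an active scan that shows "some hosts are sniffing", is usually done with a deliberately misaddressed ARP request: the frame asks "who has <target IP>" but is sent to a layer-2 address that no NIC owns, so a NIC with its hardware filter on never sees it, while a NIC in promiscuous mode passes it up and the stack answers the ARP on the strength of the IP address alone. The code below is an added example, not Tenable's or the poster's code. It builds such a probe, parses the replies, and names the hosts that answered a frame they should not have heard. It assumes the classic ff:ff:ff:ff:ff:fe destination (which stacks answer which fake addresses varies by operating system, so treat the address choice as an assumption to verify in your own lab), and it only constructs and parses frames; sending them needs a raw socket and root. All MACs, addresses and reply frames are constructed for the example. As Ron says, a hit means someone is sniffing, not that the sniffer is a NIDS.

```python
import struct

# Destination MAC that no NIC owns and that is not the broadcast address.
# Assumption for the example: a non-promiscuous NIC filters it out in
# hardware, while a promiscuous one delivers it and the ARP code answers.
FAKE_DST = bytes.fromhex("fffffffffffe")
ETH_ARP = b"\x08\x06"
ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def build_probe(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP request for target_ip, addressed at
    layer 2 to FAKE_DST instead of the broadcast address."""
    eth = FAKE_DST + mac(src_mac) + ETH_ARP
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1,
                      mac(src_mac), ip(src_ip), b"\x00" * 6, ip(target_ip))
    return eth + arp

def parse_arp_reply(frame: bytes):
    """(sender_mac, sender_ip) for an Ethernet/ARP reply, else None."""
    if len(frame) < 14 + ARP_LEN or frame[12:14] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, frame[14:14 + ARP_LEN])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 2):
        return None
    return (":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa))

def promiscuous_hosts(probed_ips, frames) -> dict:
    """IP -> MAC of every probed host that answered the misaddressed probe."""
    hits = {}
    for f in frames:
        r = parse_arp_reply(f)
        if r and r[1] in probed_ips:
            hits[r[1]] = r[0]
    return hits

def make_reply(sender_mac: str, sender_ip: str, our_mac: str, our_ip: str) -> bytes:
    """Constructed ARP reply, as a host answering our probe would send it."""
    eth = mac(our_mac) + mac(sender_mac) + ETH_ARP
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2,
                             mac(sender_mac), ip(sender_ip), mac(our_mac), ip(our_ip))

OUR_MAC, OUR_IP = "02:00:00:00:00:01", "192.168.1.5"
PROBED = ["192.168.1.10", "192.168.1.20", "192.168.1.30"]

def demo():
    """Build probes for PROBED and evaluate a constructed set of replies."""
    probes = {t: build_probe(OUR_MAC, OUR_IP, t) for t in PROBED}
    received = [
        make_reply("aa:bb:cc:dd:ee:20", "192.168.1.20", OUR_MAC, OUR_IP),  # a sniffing host
        make_reply("aa:bb:cc:dd:ee:99", "192.168.1.99", OUR_MAC, OUR_IP),  # unrelated ARP traffic
        b"\x00" * 60,                                                      # not ARP at all
    ]
    return probes, promiscuous_hosts(set(PROBED), received)

if __name__ == "__main__":
    _, hits = demo()
    for host, hw in hits.items():
        print(f"{host} ({hw}) answered a frame not addressed to it: promiscuous")
```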







Re: Fingerprinting IDS sensors?

by Stephen Mullins

>>- Your target's logo might be on the home page of a major NIDS vendor.

I like that one the best.

From what I can tell the real answer is, it doesn't matter if they
have a NIDS or not.

Steve Mullins

On Mon, Jun 8, 2009 at 1:14 PM, Ron Gula<rgula@...> wrote:
