On 6/8/2009 10:15 AM, Chen, Hao wrote:
> Hi,
>
> I'm wondering if it is possible for an attacker to know/be aware that a
> target site has already had IDS products deployed? If yes, how? An
> example would help. Thanks a lot!
>
> Regards
We've had a few users ask for this feature in Nessus. There are a variety of methods people can use:

- If you have access to sniff the traffic to/from the site, you can wait to see if someone does a signature update. For example, our PVS product identifies Snort sensors that emit SYSLOG alerts.

- You may be able to perform an active scan and see that some hosts are sniffing. This won't tell you they are a NIDS, but it will tell you someone is sniffing. A NIDS might be tapped and 100% out of band.

- If the IDS is actually in IPS mode, and you know what they are blocking, you might be able to send a few attacks and, based on what is dropped, fingerprint the IPS.

- If you do an active scan of the site, you might be able to fingerprint the management console of the IDS (if there is one).

- Your target's logo might be on the home page of a major NIDS vendor.

I'm sure there are other methods.

Ron Gula, CTO
Tenable Network Security
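The second check in the reply above, an active scan that shows a host is sniffing, is usually done with a crafted ARP probe: an ARP request is wrapped in an Ethernet frame addressed to a bogus MAC that a NIC's hardware address filter drops in normal mode but passes up in promiscuous mode, where the kernel's ARP code answers it anyway. What follows is an added example of that probe (the technique described by Daiji Sanai in "Detection of Promiscuous Nodes Using ARP Packets"); it is not code from the thread, from Nessus or from PVS, and every function name, the probe names and the 192.0.2.x / 02:00:00:00:00:xx addresses are assumptions made for illustration. Only the frame building, parsing and classification run offline; the `probe_host` sender needs root on Linux.

```python
"""Added example: detect hosts in promiscuous mode with a crafted ARP probe.

A NIC in normal mode drops, in hardware, any frame whose destination MAC is
not its own unicast address, the broadcast address or a subscribed multicast
address. In promiscuous mode every frame is passed up, and the kernel's ARP
code answers an ARP "who-has" inside it regardless of the link-layer
destination. An ARP request sent to a bogus MAC therefore draws a reply only
from a sniffing host. Names and addresses below are hypothetical.
"""
import socket
import struct
import time

ETH_P_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

# Bogus destination MACs: rejected by a hardware address filter, accepted in
# promiscuous mode. Probe names follow Sanai's paper.
PROBES = {
    "B31": bytes.fromhex("fffffffffffe"),  # broadcast with the last bit cleared
    "B16": bytes.fromhex("ffff00000000"),  # only the first 16 bits set
    "Gr":  bytes.fromhex("010000000000"),  # group bit set, not a real multicast address
}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_probe(dst_mac, src_mac, src_ip, target_ip):
    """Ethernet II frame carrying an ARP request for target_ip, sent to dst_mac."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1,
                      src_mac, socket.inet_aton(src_ip),
                      b"\x00" * 6, socket.inet_aton(target_ip))
    return eth + arp


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """The frame a responding host sends back (used here to construct a sample)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2,
                      sender_mac, socket.inet_aton(sender_ip),
                      target_mac, socket.inet_aton(target_ip))
    return eth + arp


def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) if frame is an IPv4 ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, _, _, oper, sha, spa, _, _ = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, oper) != (1, 0x0800, 2):
        return None
    return mac_str(sha), socket.inet_ntoa(spa)


def classify(results):
    """results: {probe_name: replied?} -> (promiscuous, probes answered).

    Silence is not proof of a clean host: a sensor on a passive tap has no
    IP stack on the monitored segment to answer with, and some stacks check
    the link-layer destination before answering ARP."""
    hits = [name for name, replied in results.items() if replied]
    return bool(hits), hits


def probe_host(iface, src_mac, src_ip, target_ip, timeout=2.0):
    """Send each probe on iface and record which ones target_ip answers.
    Needs root and Linux (AF_PACKET); not exercised offline."""
    results = {}
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((iface, 0))
    try:
        for name, dst in PROBES.items():
            sock.send(build_arp_probe(dst, src_mac, src_ip, target_ip))
            results[name] = False
            deadline = time.monotonic() + timeout
            while time.monotonic() < deadline:
                sock.settimeout(max(deadline - time.monotonic(), 0.01))
                try:
                    parsed = parse_arp_reply(sock.recv(65535))
                except socket.timeout:
                    break
                if parsed and parsed[1] == target_ip:
                    results[name] = True
                    break
    finally:
        sock.close()
    return results


if __name__ == "__main__":
    # Offline walkthrough with a constructed reply, as if 192.0.2.20 answered B31.
    me, them = mac_bytes("02:00:00:00:00:01"), mac_bytes("02:00:00:00:00:02")
    probe = build_arp_probe(PROBES["B31"], me, "192.0.2.10", "192.0.2.20")
    reply = build_arp_reply(them, "192.0.2.20", me, "192.0.2.10")
    print(probe.hex(), parse_arp_reply(reply))
    print(classify({"B31": True, "B16": False, "Gr": False}))
```

A reply to any of the bogus-destination probes means the host accepted a frame its NIC should have filtered, which is exactly the "someone is sniffing" signal in the reply above and nothing more: it does not say the sniffer is an IDS, and a sensor hung off a tap or SPAN port with no address on the segment will never answer.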
