>>- You target logo might be on the home page of a major NIDS vendor.
I like that one the best. >From what I can tell the real answer is, it doesn't matter if they have a NIDS or not. Steve Mullins On Mon, Jun 8, 2009 at 1:14 PM, Ron Gula<[email protected]> wrote: > On 6/8/2009 10:15 AM, Chen, Hao wrote: >> Hi, >> >> I'm wondering if it is possible for an attacker to know/aware that a >> target site has already had IDS products deployed? If yes, how? An >> example would help, Thanks a lot! >> >> Regards >> > > We've had a few users ask for this feature in Nessus. There are a variety of > methods people can use: > > - If you have access to sniff the traffic to/from the site, you can wait > to see if someone does a signature update. For example, our PVS product > identifies Snort sensors that emit SYSLOG alerts. > - You may be able to perform an active scan and see that some hosts are > sniffing. This won't tell you they are a NIDS, but it will tell you > someone is sniffing. A NIDS might be tapped and 100% out of band. > - If the IDS is actually in IPS mode, and you know what they are > blocking, you might be able to send a few attacks and based on what is > dropped fingerprint the IPS. > - If you do an active scan of the site, you might be able to fingerprint > the management console of the IDS (if there is one). > - You target logo might be on the home page of a major NIDS vendor. > > I'm sure there are other methods. > > Ron Gula, CTO > Tenable Network Security > > > > > > >
