2009/6/8 Chen, Hao <[email protected]>:
> Hi,
>
> I'm wondering if it is possible for an attacker to know/be aware that a
> target site has already had IDS products deployed? If yes, how? An
> example would help. Thanks a lot!
>
> Regards
Typically an IDS would be running in completely passive mode and thus should be undetectable - at least it should properly be called an Intrusion *Prevention* System if it's not. I can't think of any way of fingerprinting the last snort IDS I configured except by observing the actions of the analyst who checks the alerts :)

It should be easy to fingerprint an IPS by seeing what kind of attacks get blocked, e.g. sp_respond on snort can send some fake TCP RST packets which you could check for. snort_inline you could also potentially fingerprint by trying various attacks that should get blocked using the default rulebase and then seeing if variations get blocked.

You may need access to a range of different IPS systems to write your fingerprints with though, and modification from the factory settings might invalidate the fingerprinting technique.

cheers,
Jamie

--
Jamie Riden / [email protected] / [email protected]
http://www.ukhoneynet.org/members/jamie/
