Thread: find if there is an IDS on the network

  1. #1
    Just burned his ISO (joined Feb 2006)

    find if there is an IDS on the network

    It can be in two situations:
    1. a real hack of a network
    2. a black-box pentest.

    How can we discover if there is any sort of IDS on the network?

  2. #2
    streaker69 (Senior Member, joined Jan 2010)

    A properly implemented IDS system means you'll never be able to detect it; the only way you'd know it's there is to physically see the box sitting there.

    Of course mine is even hidden from view.

    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    The_Denv (Member, joined Nov 2006)

    Quote Originally Posted by streaker69:
        A properly implemented IDS system means you'll never be able to detect it; the only way you'd know it's there is to physically see the box sitting there.

        Of course mine is even hidden from view.

    Yeah, that's very true. On the other hand, if the IDS was misconfigured or set up by an amateur you could use cindy [lol, been reading about BASE a lot recently]. Of course if I am wrong streaker69 will correct me as he knows far more about BASE than I do.

    That's just my $0.02

  4. #4
    streaker69 (Senior Member, joined Jan 2010)

    Quote Originally Posted by The_Denv:
        Yeah, that's very true. On the other hand, if the IDS was misconfigured or set up by an amateur you could use cindy [lol, been reading about BASE a lot recently]. Of course if I am wrong streaker69 will correct me as he knows far more about BASE than I do.

        That's just my $0.02

    The best way to do it is with a passive tap where the TX and RX lines are separated and sometimes run into different NICs. If all you're concerned about is monitoring inbound traffic, then you only monitor the RX lines, and don't even have the TX lines connected to your sensor NIC. If someone attempts to ARP the sensor NIC, it might try to reply, but it can't because it's not physically connected on the TX side to the network.

    I don't think there's really any way to detect an IDS that's installed in that manner.

    Of course, your IDS sensor NIC should never have IPv4 or IPv6 bound to it either.
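The sensor-NIC advice in the post above (no IPv4 or IPv6 bound, nothing answering ARP, only listening) as an added shell example; this is not code from the thread or from any IDS project. It prints the iproute2/sysctl commands for a Linux sensor interface, runs them only when RUN=1 as root, and audits `ip addr show` output to confirm the NIC is silent. The interface name eth1 and the sample outputs are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Makes a Linux IDS sensor NIC silent on the
# monitored segment: no IPv4/IPv6 address, no ARP, promiscuous receive only.
# Interface name (eth1) is an assumption; point it at the tap-facing NIC.

# Print the hardening commands for $1; execute them too when RUN=1 (needs root).
sensor_nic_harden() {
    nic="$1"
    set -- \
        "ip addr flush dev $nic" \
        "sysctl -w net.ipv6.conf.$nic.disable_ipv6=1" \
        "ip link set dev $nic arp off" \
        "ip link set dev $nic multicast off" \
        "ip link set dev $nic promisc on up"
    for cmd in "$@"; do
        echo "$cmd"
        if [ "${RUN:-0}" = 1 ]; then
            $cmd
        fi
    done
}

# Audit the text of `ip addr show <nic>`: succeed (0) only if the NIC carries no
# inet/inet6 address, has ARP disabled (NOARP flag) and is in promiscuous mode.
sensor_nic_check() {
    out="$1"
    echo "$out" | grep -Eq '^[[:space:]]*inet6? ' && return 1
    echo "$out" | grep -q 'NOARP' || return 1
    echo "$out" | grep -q 'PROMISC' || return 1
    return 0
}

# Constructed sample `ip addr show` outputs (not captured from a real host).
BAD_NIC='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1
    inet6 fe80::211:22ff:fe33:4455/64 scope link'
GOOD_NIC='3: eth1: <NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
```

Run `sensor_nic_check "$(ip addr show eth1)"` on the sensor itself to confirm the interface cannot answer probes; the TX side still has to be cut at the tap, which no host-side setting can verify.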

  5. #5
    windo (Just burned his ISO, joined Jan 2008)

    IMO there are two ways to discover an IDS: from documentation (network topology or policy requirements) or by seeing it logging. In either case you would need to have pretty good access to the network/org.

  6. #6
    streaker69 (Senior Member, joined Jan 2010)

    Quote Originally Posted by windo:
        IMO there are two ways to discover an IDS: from documentation (network topology or policy requirements) or by seeing it logging. In either case you would need to have pretty good access to the network/org.

    By "seeing it logging" do you mean sniffing the traffic and seeing it connect to a remote database?

    You'd never detect my IDS system by this method or by documentation, as I don't have mine technically documented. Its sensor NIC doesn't respond to probes; it logs all its information to itself.

    The only way to know it's there would be to physically sit at the box and look at the processes that are running.

    IMO, an IDS should be a self-contained system that can just be plugged in wherever it's needed. The general populace of the network should not even know it's there, as that prevents tampering by them. It should be placed in a secured location as well.