Page 2 of 2
Results 11 to 12 of 12

Thread: find if there is an IDS on the network

  1. #11
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    15


    I'm testing with Snort too. Are there any other open-source IDSs available?

    IMO I think it's possible to find an IDS, because if there's more network traffic it should work harder. Even if the IDS is writing to another system and it's hidden from the process list, the I/O should grow its CPU usage. If it doesn't write to a network block you can detect files that are growing fast, just as fast (or by a standard factor) as the network traffic you're generating.

    In both cases you should already have access to the network, but it looks possible to me.
    Two things are infinite: the universe and human stupidity;

  2. #12
    Just burned his ISO
    Join Date
    Apr 2007
    Posts
    16


    Quote Originally Posted by shad0w_crash
    I'm testing with Snort too. Are there any other open-source IDSs available?

    IMO I think it's possible to find an IDS, because if there's more network traffic it should work harder. Even if the IDS is writing to another system and it's hidden from the process list, the I/O should grow its CPU usage. If it doesn't write to a network block you can detect files that are growing fast, just as fast (or by a standard factor) as the network traffic you're generating.

    In both cases you should already have access to the network, but it looks possible to me.
    This statement is somewhat incorrect.

    Depending on the overall architecture of your network and how you have configured the IDS/IPS system, you will not be able to determine its presence based on performance degradation. Most systems are set up so that traffic is mirrored to the IDS/IPS port; the sensor does not sit in-line in the data flow between the client host and the service offered. Degradation of service due to a properly implemented IDS is highly unlikely.

    BUT there is one way to detect whether an IDS/IPS system is in place, if it has a specific feature... Run a sniffer trace alongside your scan and focus on one specific aspect of TCP: the window size. Once your scan is detected, certain IDS/IPS systems will negotiate a small window size to tarpit your session and render your scan useless. I have my IDS system set to negotiate a 1-byte window size.

    So... if you're scanning a network and evasion is your goal, you tailor the scan to come in below the suspected thresholds. You have time on your side, so why the rush?
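The window-size check described in the post above, written out as an added example (this is not code from the thread or from any IDS project). It walks a list of raw IPv4/TCP packets standing in for a sniffer trace taken alongside a scan, pulls the advertised receive window out of every SYN/ACK, and reports responders whose window is at or below a threshold. The sample trace is constructed inline (checksums left at zero), and the threshold `TINY_WINDOW` is an assumption: a 1-byte window like the one the poster configured is the unambiguous case, and a normal stack will open with something in the tens of kilobytes.

```python
"""Spot a TCP window-size tarpit in a sniffer trace captured alongside a scan.

Added example, not code from the original thread. Parses minimal IPv4 + TCP
headers from raw IP packets (what a raw socket or pcap reader would hand you,
Ethernet header already stripped) and flags SYN/ACK replies whose advertised
window is tiny. Only the fields needed for the check are decoded.
"""
import struct

# Assumption: a SYN/ACK advertising a window this small is a tarpit indicator,
# not a healthy stack. The poster's IDS negotiates a 1-byte window.
TINY_WINDOW = 64

TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def parse_ipv4_tcp(frame: bytes):
    """Decode src/dst, ports, flags and window from an IPv4/TCP packet.

    Returns a dict, or None if the packet is not IPv4 carrying TCP (or is truncated).
    """
    if len(frame) < 20:
        return None
    ver_ihl = frame[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4            # IPv4 header length in bytes (options included)
    if frame[9] != 6 or len(frame) < ihl + 20:
        return None                        # not TCP, or TCP header cut off
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    tcp = frame[ihl:ihl + 20]
    # sport, dport, seq, ack, data-offset/flags, window
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "flags": off_flags & 0x1FF,        # low 9 bits are the TCP flags
        "window": window,
    }


def is_syn_ack(pkt) -> bool:
    both = TCP_FLAG_SYN | TCP_FLAG_ACK
    return pkt["flags"] & both == both


def find_tarpit_replies(frames, threshold=TINY_WINDOW):
    """Return (responder_ip, port, window) for every SYN/ACK with window <= threshold."""
    hits = []
    for frame in frames:
        pkt = parse_ipv4_tcp(frame)
        if pkt is None or not is_syn_ack(pkt):
            continue
        if pkt["window"] <= threshold:
            hits.append((pkt["src"], pkt["sport"], pkt["window"]))
    return hits


def build_frame(src, dst, sport, dport, flags, window):
    """Build a minimal IPv4 + TCP packet for the constructed trace (checksums zero)."""
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


# Constructed trace: our SYN probes plus two replies. Port 22 answers with an
# ordinary window; port 8080 answers with a 1-byte window, the tarpit signature.
SAMPLE_TRACE = [
    build_frame("10.0.0.5", "10.0.0.20", 40000, 22, TCP_FLAG_SYN, 64240),
    build_frame("10.0.0.20", "10.0.0.5", 22, 40000, TCP_FLAG_SYN | TCP_FLAG_ACK, 29200),
    build_frame("10.0.0.5", "10.0.0.20", 40001, 8080, TCP_FLAG_SYN, 64240),
    build_frame("10.0.0.20", "10.0.0.5", 8080, 40001, TCP_FLAG_SYN | TCP_FLAG_ACK, 1),
]

if __name__ == "__main__":
    for ip, port, win in find_tarpit_replies(SAMPLE_TRACE):
        print(f"possible tarpit: {ip}:{port} advertised window {win}")
```

On a live engagement you would feed `find_tarpit_replies` the packets from a pcap taken while the scan runs; if only some of the probed ports come back with a tiny window, that is the signal the post describes, and the right response is to slow the scan down, not to push harder against the sensor.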

