
Thread: How to detect an IDS/IPS like Snort?

  1. #1
    Just burned his ISO
    Join Date
    Mar 2010
    Posts
    7

    Question How to detect an IDS/IPS like Snort?

    If someone were to install a Snort box on the network, how does one go about finding it? I'm sure someone knows a way to trip it up and, in the process, make it reveal itself.

    Thanks in advance for your help.

  2. #2
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Not really a simple task, you will probably need a lot of network reconnaissance experience to be able to do this effectively.

    If the IDS performs active response (where connections are reset in response to detected intrusions) you can identify the presence of the IDS by the packets it sends in order to terminate a session, which from memory are TCP RST packets for TCP connections and ICMP Error Port Unreachable for UDP connections.

    If the IDS is running inline in IPS mode, you can identify its presence by something like traceroute, if firewall rules cooperate and the IPS is routing the traffic as opposed to transparently bridging it. You probably won't be able to determine just from the appearance of the box in a traceroute that it is an IPS, however.

    Otherwise, you could identify the presence of a box running an IDS by standard discovery techniques (ping scans, port scans, etc. - again dependent on firewall rule configuration), although again you may not immediately be able to determine that the host is an IDS based on this information alone.

    Detecting a properly configured passive IDS sensor would be difficult, because they are generally set up to not have an IP address bound to the interface which is monitoring traffic. In this case, alerts and configuration changes would be sent via a separate interface, which might be connected to a separate network (perhaps to a network designated for monitoring only).

    Hope that helped.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  3. #3
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by lupin View Post
    Detecting a properly configured passive IDS sensor would be difficult, because they are generally set up to not have an IP address bound to the interface which is monitoring traffic. In this case, alerts and configuration changes would be sent via a separate interface, which might be connected to a separate network (perhaps to a network designated for monitoring only).

    Hope that helped.
    The Snort boxes I've built could only ever listen on the interface they were monitoring and never ever transmit, because I would only connect the receive lines to it. I was only concerned with inbound traffic at the time and not with outbound. If you really wanted to have fun, you could have three NICs in the machine: one for inbound traffic, one for outbound traffic, with the transmit wires disconnected on each one. The third, of course, is for looking at BASE.

    In that configuration, it should be impossible to detect it in IDS mode as it can never transmit in response to anything. I would also never bind IP to the monitored interfaces.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
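    The listen-only sensor interface described above (no IP bound, never transmits, as lupin and streaker69 both recommend) can be audited from the host itself. The following is an added example, not code from the thread; it reads the JSON produced by `ip -j addr show` (the sample below is constructed) and reports anything that would let the monitoring NIC answer traffic.

```python
import json

# Constructed sample of `ip -j addr show` output (not taken from the thread):
# eth0 is the management NIC, eth1 is a monitoring NIC configured the way the
# posts describe (no address bound, ARP off, promiscuous), eth2 is a monitoring
# NIC someone forgot to finish, so the kernel gave it an IPv6 link-local address.
SAMPLE_IP_JSON = json.dumps([
    {"ifname": "eth0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "192.0.2.10", "prefixlen": 24}]},
    {"ifname": "eth1", "flags": ["BROADCAST", "NOARP", "PROMISC", "UP", "LOWER_UP"],
     "addr_info": []},
    {"ifname": "eth2", "flags": ["BROADCAST", "MULTICAST", "PROMISC", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet6", "local": "fe80::1", "prefixlen": 64}]},
])


def audit_sniff_interface(ip_json, ifname):
    """Check that a monitoring interface is configured to listen only.

    Returns a list of findings; an empty list means the interface has no
    address (v4 or v6), does not answer ARP, and is in promiscuous mode.
    """
    for iface in json.loads(ip_json):
        if iface["ifname"] == ifname:
            break
    else:
        return [f"{ifname}: interface not found"]
    findings = []
    flags = set(iface.get("flags", []))
    for addr in iface.get("addr_info", []):
        # Any bound address (even a kernel-assigned fe80:: link-local) means the
        # sensor can answer traffic; net.ipv6.conf.<if>.disable_ipv6=1 stops the v6 case.
        findings.append(f"{ifname}: {addr['family']} address {addr['local']} bound")
    if "NOARP" not in flags:
        findings.append(f"{ifname}: ARP enabled (ip link set {ifname} arp off)")
    if "PROMISC" not in flags:
        findings.append(f"{ifname}: not promiscuous (ip link set {ifname} promisc on)")
    if "UP" not in flags:
        findings.append(f"{ifname}: link is down")
    return findings


def audit_all(ip_json, monitor_ifaces):
    """Map each monitoring interface name to its list of findings."""
    return {name: audit_sniff_interface(ip_json, name) for name in monitor_ifaces}


if __name__ == "__main__":
    for name, problems in audit_all(SAMPLE_IP_JSON, ["eth1", "eth2"]).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

On a real sensor, feed it the output of `ip -j addr show` in place of the constructed sample; the receive-only cabling streaker69 describes is still the only thing that makes transmission physically impossible.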

  4. #4
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Quote Originally Posted by streaker69 View Post
    The Snort boxes I've built could only ever listen on the interface they were monitoring and never ever transmit, because I would only connect the transmit lines to it. I was only concerned with inbound traffic at the time and not with outbound. If you really wanted to have fun, you could have three NICs in the machine: one for inbound traffic, one for outbound traffic, with the transmit wires disconnected on each one. The third, of course, is for looking at BASE.

    In that configuration, it should be impossible to detect it in IDS mode as it can never transmit in response to anything. I would also never bind IP to the monitored interfaces.
    See what you are up against when trying to detect an IDS OP?

    Some of these IDS deployers are downright paranoid

  5. #5
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by lupin View Post
    See what you are up against when trying to detect an IDS OP?

    Some of these IDS deployers are downright paranoid
    Not paranoid, just thorough.

  6. #6
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Quote Originally Posted by streaker69 View Post
    Not paranoid, just thorough.
    You say potato...

  7. #7
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    Quote Originally Posted by lupin View Post
    You say potato...
    And you say potato. So both of you are saying "potato".

    Hmm

    If the IDS has streaker at the helm, it's probably not detectable (unless you figure out there's a live switch port that doesn't have anything attached - but ACID will probably have picked you up well before this).

    There are some briefly interesting things to note though, in no particular order:
    • Snort has had some vulnerabilities that crash it which don't require interaction.
    • You can port-blast mirror ports to breakage and cause the host to start responding correctly.
    • It used to be possible to detect promiscuous packets on the network in certain conditions (probably still is).
    • A change in routing loops can cause the snort units to be bypassed.
    By no means is it easy, and you nearly need to know that the unit is there to figure it out, but there are some points.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  8. #8

    Default

    If the system installer did a poor job of setting up the IDS (as opposed to how streaker sets his up) and included a web interface such as ACID, BASE or Sguil that they could connect to, or if they have other sensors connecting to the main IDS, you could try a port scan for the known ports that are used for the sensor connections and the ACID, BASE or Sguil interfaces. I don't have a list of them handy; Google should answer that.

    There are some tools out there that may be able to detect promiscuous mode as has been pointed out in the thread.

    That being said, if the IDS is installed properly, the easiest way to find one is to gain access to the network admin's box and find their network drawings (assuming a legal pentest, of course).

    Good Luck...

    cybrsnpr

  9. #9
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by cybrsnpr View Post
    If the system installer did a poor job of setting up the IDS (as opposed to how streaker sets his up) and included a web interface such as ACID, BASE or Sguil that they could connect to, or if they have other sensors connecting to the main IDS, you could try a port scan for the known ports that are used for the sensor connections and the ACID, BASE or Sguil interfaces. I don't have a list of them handy; Google should answer that.
    Or the person could be really mean and have their BASE interface on yet another machine other than the one running Snort, and that machine could be heavily secured from curious eyes.

    You can really have some fun with multiple Snort sensors scattered throughout a LAN/WAN all connecting back to a central collection database.

  10. #10
    Just burned his ISO
    Join Date
    Mar 2010
    Posts
    7

    Default

    Wow... so many variables? I guess I will have to study up on Snort to get a solid understanding of how it works. So it would seem that if it is in passive mode it would be very difficult to detect, but if it is actively responding with resets and ICMP unreachables then I should be able to see that with a program like Wireshark.

    Thanks for all the info guys
