How to detect an IDS/IPS like Snort?

[t-alla]

If someone were to install an snort box on the network how does one go about finding it? I'm sure someone knows a way to trip it up and in the process reveal itself

Thanks in advance for your help.

[lupin]

Not really a simple task, you will probably need a lot of network reconnaissance experience to be able to do this effectively.

If the IDS performs active response (where connections are reset in response to detected intrusions) you can identify the presence of the IDS by the packets it sends in order to terminate a session, which from memory are TCP RST packets for TCP connections and ICMP Error Port Unreachable for UDP connections.

The the IDS is running inline in IPS mode, you can identify its presence by something like traceroute, if firewall rules cooperate and the IP is routing the traffic as opposed to transparently bridging it. You probably wont be able to determine just from the appearance of the box in a traceroute that it is a IPS however.

Otherwise, you could identify the presence of a box running an IDS by standard discovery techniques (ping scans, port scans, etc - again dependant on firewall rule configuration), although again you may not immediately be able to determine that the host is an IDS based on this information alone.

Detecting a properly configured passive IDS sensor would be difficult, because they are generally setup to not have an IP address bound to the interface which is monitoring traffic. In this case, alerts and configuration changes would be sent via a seperate interface, which might be connected to a seperate network (perhaps to a network designated for monitoring only).

Hope that helped.

[streaker69]

Detecting a properly configured passive IDS sensor would be difficult, because they are generally setup to not have an IP address bound to the interface which is monitoring traffic. In this case, alerts and configuration changes would be sent via a seperate interface, which might be connected to a seperate network (perhaps to a network designated for monitoring only).

Hope that helped.

The snort boxes I've built could only ever listen on the interface they were monitoring and never ever transmit because I would only connect the receive lines to it. I was only concerned with inbound traffic at the time and not with outbound. If you really wanted to have fun, you could have three nics in the machine. 1 for inbound traffic, one for outbound traffic with the transmit wires disconnected on each one. The third of course is for looking at BASE.

In that configuration, it should be impossible to detect it in IDS mode as it can never transmit in response to anything. I would also never bind IP to the monitored interfaces.

[lupin]

The snort boxes I've built could only ever listen on the interface they were monitoring and never ever transmit because I would only connect the transmit lines to it. I was only concerned with inbound traffic at the time and not with outbound. If you really wanted to have fun, you could have three nics in the machine. 1 for inbound traffic, one for outbound traffic with the transmit wires disconnected on each one. The third of course is for looking at BASE.

In that configuration, it should be impossible to detect it in IDS mode as it can never transmit in response to anything. I would also never bind IP to the monitored interfaces.

See what you are up against when trying to detect an IDS OP?

Some of these IDS deployers are downright paranoid

[streaker69]

See what you are up against when trying to detect an IDS OP?

Some of these IDS deployers are downright paranoid

Not paranoid, just thorough.

[lupin]

Not paranoid, just thorough.

You say potato...

[Gitsnik]

You say potato...

And you say potato. So both of you are saying "potato".

Hmm

If the IDS has streaker at the helm, it's probably not detectable (unless you figure out there's a live switch port that doesn't have anything attached - but ACID will probably have picked you up well before this).

There are some briefly interesting things to note though, in no particular order:

• Snort has had some vulnerabilities that crash it which don't require interaction.
• You can port-blast mirror ports to breakage and cause the host to start responding correctly.
• It used to be possible to detect promiscuous packets on the network in certain conditions (probably still is).
• A change in routing loops can cause the snort units to be bypassed.

By no means is it easy, and you nearly need to know that the unit is there to figure it out, but there are some points.

[imported_cybrsnpr]

If the system installer did a poor job of setting up the IDS (as opposed to how streaker sets his up) and included a web interface such as ACID, BASE or SQUIL that they could connect to or if they have other sensors connecting to the main IDS, you could try a port scan for the known ports that are used for the sensor connections, ACID, BASE or SQUIL interfaces. I don't have a list of them handy, google should answer that.

There are some tools out there that may be able to detect promiscuous mode as has been pointed out in the thread.

That being said, if the IDS is installed properly, the easiest way to find one, is to gain access to the Network admin's box and find their network drawings. (assuming a legal pentest of course).

Good Luck...

cybrsnpr

[streaker69]

If the system installer did a poor job of setting up the IDS (as opposed to how streaker sets his up) and included a web interface such as ACID, BASE or SQUIL that they could connect to or if they have other sensors connecting to the main IDS, you could try a port scan for the known ports that are used for the sensor connections, ACID, BASE or SQUIL interfaces. I don't have a list of them handy, google should answer that.

Or the person could be really mean and have their BASE interface on yet another machine other than the one running Snort, and that machine could be heavily secured from curious eyes.

You can really have some fun with multiple Snort sensors scattered throughout a LAN/WAN all connecting back to a central collection database.

[t-alla]

Wow...so many variables? I guess I will have to study up on snort to get a solid understanding of how it works. So it would seem that if it is in passive mode it would be very difficult to detect but if it is actively responding with resets and icmp unreachables then I should be able to see that with a program like wireshark

Thanks for all the info guys