On Fri, 2002-03-15 at 12:41, sekureat_private wrote: > I'm "walking" by the internet finding about paper/techniques that can be > used to detect systemn with IDS installed. Try to detect > snort/snort+aide/quinds/.../ somebody know something like it ?? There's only two ways of detecting an IDS that I know. 1) Look for the data stream from a remote sensor (sniffer) to wherever it's stored and/or analyzed, or look for the alerts generated by the IDS. This isn't very useful, since it presupposes some measure of access to the network in question. And if you've already got that, the IDS has probably already alerted on you unless you're very, very paranoid and very, very skilled. 2) Timing detection. AntiSniff from l0pht uses this method. The theory goes like this: a network card usually discards ethernet frames not destined for it, without passing those frames into software processing. A card in promiscuous mode will process and forward up the stack *all* frames. So, you spend time pinging all systems on a network and collect the average timing. Then you flood the network with garbage packets. NICs not in promiscuous mode will ignore the trash, but any operating sniffer will process them all, slowing the system some (hopefully) measurable mount. In the middle of the flood, you ping everything again. Any system that shows a statistically significant deviation from previous timings is likely running a sniffer. This also isn't very useful for remote sniffer detection. You need access to the local network to inject all the garbage packets, and it's noisy as hell. (Attempting to do this from *outside* the local segment fails because normal variation in RTTs in the wild internet makes the collected ping timing statistics useless to begin with.) Additionally, varying load on other non-sniffer systems can lead to false positives. This is primarily useful for a network admin to check a segment and see if any *un*authorized sniffers have been installed. Both methods are completely useless against sniffers that have no IP address, or have out-of-band monitoring/alerting. Which is how they all should be installed anyway. 8)
This archive was generated by hypermail 2b30 : Tue Mar 19 2002 - 15:59:04 PST