Re: Firewall and IDS, (the second way).

From: Timothy J. Miller (cerebusat_private)
Date: Sat Mar 16 2002 - 10:52:20 PST


On Fri, 2002-03-15 at 12:41, sekureat_private wrote:

> I'm "walking" by the internet finding about paper/techniques that can be
> used to detect system with IDS installed. Try to detect
> snort/snort+aide/quinds/.../ somebody know something like it?

There are only two ways of detecting an IDS that I know.

1) Look for the data stream from a remote sensor (sniffer) to wherever
it's stored and/or analyzed, or look for the alerts generated by the
IDS.

This isn't very useful, since it presupposes some measure of access to
the network in question.  And if you've already got that, the IDS has
probably already alerted on you unless you're very, very paranoid and
very, very skilled.

2) Timing detection.  AntiSniff from l0pht uses this method.

The theory goes like this:  a network card usually discards ethernet
frames not destined for it, without passing those frames into software
processing.  A card in promiscuous mode will process and forward up the
stack *all* frames.

So, you spend time pinging all systems on a network and collect the
average timing.  Then you flood the network with garbage packets.  NICs
not in promiscuous mode will ignore the trash, but any operating sniffer
will process them all, slowing the system some (hopefully) measurable
amount.  In the middle of the flood, you ping everything again.  Any
system that shows a statistically significant deviation from previous
timings is likely running a sniffer.

This also isn't very useful for remote sniffer detection.  You need
access to the local network to inject all the garbage packets, and it's
noisy as hell.  (Attempting to do this from *outside* the local segment
fails because normal variation in RTTs in the wild internet makes the
collected ping timing statistics useless to begin with.)  Additionally,
varying load on other non-sniffer systems can lead to false positives.
This is primarily useful for a network admin to check a segment and see
if any *un*authorized sniffers have been installed.

Both methods are completely useless against sniffers that have no IP
address, or have out-of-band monitoring/alerting.  Which is how they all
should be installed anyway.  8)
    
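The analysis half of the timing method described in the post above, as an added example that is not part of the original message or of AntiSniff: given per-host ping RTT samples collected before and during the flood, it decides which hosts slowed down by a statistically significant margin. It deliberately handles the false-positive caveat the post raises (a host that is merely busy and has noisy RTTs) by requiring both a large Welch t-statistic and a minimum ratio between the two means. The host names, RTT values and thresholds are constructed for illustration; the measurement and flood phases are assumed to have been done separately by an admin auditing their own segment.

```python
"""Timing-based promiscuous-mode detection: the statistics half.

Assumes an admin has already collected two ICMP RTT sample sets per host
on the local segment (baseline, then during a garbage-frame flood).
All sample values below are constructed, not real measurements.
"""
import math
import statistics
from dataclasses import dataclass

# Constructed RTT samples in milliseconds: (baseline, during_flood).
SAMPLES = {
    # Normal NIC: drops the garbage in hardware, RTT barely moves.
    "host-a": ([0.40, 0.42, 0.39, 0.41, 0.43, 0.40, 0.42, 0.41],
               [0.41, 0.43, 0.40, 0.42, 0.44, 0.41, 0.43, 0.42]),
    # Promiscuous NIC: every flood frame goes up the stack, RTT balloons.
    "host-b": ([0.38, 0.40, 0.39, 0.41, 0.40, 0.39, 0.41, 0.40],
               [1.90, 2.30, 2.10, 2.40, 2.00, 2.20, 2.30, 2.10]),
    # Busy server with noisy RTTs but no sniffer: the false-positive case.
    "host-c": ([0.50, 3.00, 0.60, 2.80, 0.70, 2.50, 0.90, 2.90],
               [0.80, 3.10, 0.60, 2.90, 1.00, 2.70, 0.70, 3.00]),
}


@dataclass
class HostVerdict:
    host: str
    baseline_mean: float
    flood_mean: float
    t_stat: float
    suspicious: bool


def welch_t(baseline, in_flood):
    """Welch's t-statistic for mean(in_flood) - mean(baseline).

    Positive values mean the host got slower under the flood. Welch's
    form is used because the two sample sets need not share a variance
    (a sniffing host typically becomes *both* slower and noisier).
    """
    n_b, n_f = len(baseline), len(in_flood)
    m_b, m_f = statistics.fmean(baseline), statistics.fmean(in_flood)
    v_b, v_f = statistics.variance(baseline), statistics.variance(in_flood)
    se = math.sqrt(v_b / n_b + v_f / n_f)
    if se == 0.0:
        return 0.0 if m_f == m_b else math.inf
    return (m_f - m_b) / se


def assess_host(host, baseline, in_flood, t_threshold=4.0, min_ratio=1.5):
    """Flag a host only if the slowdown is both statistically strong and
    large in absolute terms; the ratio test keeps a host whose RTT is
    already noisy (varying load, not a sniffer) from tripping the alarm."""
    m_b, m_f = statistics.fmean(baseline), statistics.fmean(in_flood)
    t = welch_t(baseline, in_flood)
    suspicious = t > t_threshold and m_f > min_ratio * m_b
    return HostVerdict(host, m_b, m_f, t, suspicious)


def flag_sniffers(samples, t_threshold=4.0, min_ratio=1.5):
    """Run the assessment over every host; returns {host: HostVerdict}."""
    return {
        host: assess_host(host, base, flood, t_threshold, min_ratio)
        for host, (base, flood) in samples.items()
    }


if __name__ == "__main__":
    for v in flag_sniffers(SAMPLES).values():
        tag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{v.host}: base={v.baseline_mean:.2f}ms flood={v.flood_mean:.2f}ms "
              f"t={v.t_stat:.1f} -> {tag}")
```

Only host-b is reported; host-c's flood mean rises slightly but its baseline is so noisy that neither the t-statistic nor the ratio clears the bar, which is exactly the variance problem the post warns about. Thresholds like 4.0 and 1.5 are starting points an admin would tune against their own segment's baseline, not universal constants.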



    This archive was generated by hypermail 2b30 : Tue Mar 19 2002 - 15:59:04 PST