Penetration Testing: Re: [PEN-TEST] IDS identification and a personal cry for help :)

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Penetration Testing mailing list archives

Re: [PEN-TEST] IDS identification and a personal cry for help :)

From: Pedro Quintanilha <quinta () CERTBR COM BR>
Date: Tue, 22 Aug 2000 23:41:10 -0300

There's a *lot* of reactions that can be much more efficient and much
more "obscure" (from the attacker point of view) than simply break a
connection via RST or hardening a fw rule... I think that the "market
contamination" over the admin's minds is the great guilty about this
lack of vision.

Some "stealth" reactions as bandwidth-reduction, attack re-routing,
deception, and so on, are simply rejected or interpreted as "legends"
when, on the real word, are very useful.

I think that the most sec-admins tend to only "accept" what the "market
culture" says, and forget what they really *can* do to react on attack
situations.

Well... I exceed on my opinions sometimes... so, what you think about
it??


[]'s

Pedro Quintanilha
quinta () certbr com br


Bill Pennington wrote:

Yes this is why I stated a "hyperactive" NID at work (or maybe a hyperactive
admin ). Unfortunately I have run into a lot more of these lately as people
seem to think it is a cool thing to do. Until I shun them from there next
hop :-)

----- Original Message -----
From: Talisker <Talisker () NETWORKINTRUSION CO UK>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Saturday, August 19, 2000 11:12 AM
Subject: Re: IDS identification and a personal cry for help :)

Bill  - Comment below

One way to detect a NIDS is to launch attacks and see if you are then
shunned from the network. This is a good indication that a hyperactive

NID

is at work. Also if your connection gets reset when you attempt an

exploit

that is another tip-off. As far as fingerprinting goes, if you where
knowledgeable about default rulesets you might be able to determine a

NID

by

its reactions, or lack of action, to certain attacks.


I think think you'll find that most IDS have the auto response facility
turned off

Andy
www.networkintrusion.co.uk
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo

By Date By Thread

Current thread:

Re: [PEN-TEST] IDS identification and a personal cry for help :) Domenico De Vitto (Aug 21)
- <Possible follow-ups>
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Dragos Ruiu (Aug 21)
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Dragos Ruiu (Aug 21)
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Talisker (Aug 21)
  - Re: [PEN-TEST] IDS identification and a personal cry for help :) Bill Pennington (Aug 22)
    - Re: [PEN-TEST] IDS identification and a personal cry for help :) Pedro Quintanilha (Aug 23)