find if there is an IDS on the network


guymi
06-20-2008, 11:52 PM
it can be in two situations:
1. real hack to a network
2. blackbox pentest.

How can we discover if there is any sort of IDS on the network?

streaker69
06-21-2008, 07:56 AM
A properly implemented IDS system means you'll never be able to detect it; the only way you'd know it's there is to physically see the box sitting there.

Of course mine is even hidden from view.

The_Denv
06-23-2008, 10:33 PM
A properly implemented IDS system means you'll never be able to detect it; the only way you'd know it's there is to physically see the box sitting there.

Of course mine is even hidden from view.

Yeah, that's very true. On the other hand, if the IDS was misconfigured or set up by an amateur you could use cindy [lol, been reading about BASE a lot recently]. Of course if I am wrong streaker69 will correct me as he knows far more about BASE than I do.

That's just my $0.02

streaker69
06-23-2008, 10:43 PM
Yeah, that's very true. On the other hand, if the IDS was misconfigured or set up by an amateur you could use cindy [lol, been reading about BASE a lot recently]. Of course if I am wrong streaker69 will correct me as he knows far more about BASE than I do.

That's just my $0.02

The best way to do it is with a passive tap where the TX and RX lines are separated and sometimes run into different NICs. If all you're concerned about is monitoring inbound traffic, then you only monitor the RX lines, and don't even have the TX lines connected to your sensor NIC. If someone attempts to ARP the sensor NIC, it might try to reply, but it can't because it's not physically connected on the TX to the network.

I don't think there's really any way to detect an IDS that's installed in that manner.

Of course, your IDS sensor NIC should never have IPv4 or IPv6 bound to it either.

windo
08-02-2008, 08:00 PM
imo there are 2 ways to discover an ids: from documentation (network topology or policy requirements) or by seeing it logging. In either case you would need to have pretty good access to the network/org.

streaker69
08-02-2008, 08:35 PM
imo there are 2 ways to discover an ids: from documentation (network topology or policy requirements) or by seeing it logging. In either case you would need to have pretty good access to the network/org.

"seeing it logging" you mean by sniffing the traffic and seeing it connecting to a remote database?

You'd never detect my IDS system by this method or by documentation as I don't have mine technically documented. Its sensor NIC doesn't respond to probes; it logs all its information to itself.

The only way to know it's there would be to physically sit on the box and look at the processes that are running.

IMO, an IDS should be a self-contained system that can just be plugged in wherever it's needed. The general populace of the network should not even know it's there as that prevents tampering by them. It should be placed in a secured location as well.

__CG__
08-02-2008, 10:33 PM
when your IP gets blocked because you were scanning or throwing exploits at a box you can, with a fair amount of certainty, conclude there is an IDS on the network ;-)

wyze
08-02-2008, 10:34 PM
I just recommissioned mine...

http://img514.imageshack.us/img514/4205/boxqf3.jpg

streaker69
08-02-2008, 10:39 PM
I did mine too. I took out the box I was using for it and installed Snort on my Cacti box which resides in my office. It's then linked into the DMZ via a direct CAT5 run and a passive tap between the Router and the Firewall.

wyze
08-02-2008, 10:56 PM
I did mine too. I took out the box I was using for it and installed Snort on my Cacti box which resides in my office. It's then linked into the DMZ via a direct CAT5 run and a passive tap between the Router and the Firewall.

Nice... I still owe you streak' originally for the tap work up - don't know where I'd be without it.

I don't have quite enough units for practical use of Cacti; I'm dying to check it out in depth. Can it work with VPNs?

shad0w_crash
09-22-2008, 06:20 AM
I'm testing with snort too. Are there any other open-source IDS available?

IMO I think it's possible to find an IDS because if there's more network traffic it should work harder. Even if the IDS is writing to another system and it's hidden from the process list, the IO should grow its CPU. If it doesn't write on a network block you can detect files that are fast growing, just as fast (or a standard factor) as the network traffic you're generating.

In both cases you already should have access to the network, but it looks possible to me.

Baraqel
10-06-2008, 11:07 PM
I'm testing with snort too. Are there any other open-source IDS available?

IMO I think it's possible to find an IDS because if there's more network traffic it should work harder. Even if the IDS is writing to another system and it's hidden from the process list, the IO should grow its CPU. If it doesn't write on a network block you can detect files that are fast growing, just as fast (or a standard factor) as the network traffic you're generating.

In both cases you already should have access to the network, but it looks possible to me.

This statement is somewhat incorrect.

Depending on the overall architecture of your network and how you have configured the IDS/IPS system you will not be able to determine the presence based on performance degradation. Most systems are set up so that traffic is mirrored to the IDS/IPS port and do not sit in-line of data flows between host client and service offered. Degradation of service due to a properly implemented IDS is highly unlikely.

BUT there is one way to detect whether an IDS/IPS system is in place if it contains a specific feature... :) Run a sniffer trace alongside your scan and focus on a specific aspect in TCP - window size. Once detected, certain IDS/IPS systems will negotiate a small window size to tar pit your session to render your scan useless. I have my IDS system set to negotiate a 1-byte window size :)

So... if you're scanning a network and evasion is your goal, you tailor the scan to come in below the suspected thresholds. You have time on your side, so why the rush :)
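The window-size tell Baraqel describes is also the easiest way for a defender to confirm that their own IPS tarpit is doing what it was configured to do: pull the SYN/ACK the sensor sends back out of a sniffer trace and read the advertised window. The parser below is an added example, not code from the thread or from any IDS product; the two TCP headers are constructed by hand, and the 64-byte threshold is an arbitrary assumption. Note that RFC 7323 forbids scaling the window field of a SYN or SYN/ACK, so a 1-byte window on the SYN/ACK really is 1 byte, whatever window-scale shift the sender also announces.

```python
import struct

TCP_SYN, TCP_ACK = 0x002, 0x010

# Constructed sample TCP headers (IP header stripped), as a sniffer would show
# them beside a scan. Both are SYN/ACKs from port 80 carrying a window-scale
# option; only the window field and the scale shift differ.
TARPIT_SYNACK = bytes.fromhex(
    "0050c350" "00000001" "00000002"   # ports 80 -> 50000, seq, ack
    "7012" "0001" "0000" "0000"        # offset 7 (28 B), SYN|ACK, window 1
    "0101" "030300" "000000")          # NOP NOP, wscale shift 0, EOL padding
NORMAL_SYNACK = bytes.fromhex(
    "0050c350" "00000001" "00000002"
    "7012" "ffff" "0000" "0000"        # window 65535
    "0101" "030307" "000000")          # wscale shift 7

def parse_tcp_header(raw):
    """Return ports, flags, the raw window field and the wscale shift, if any."""
    sport, dport, _seq, _ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", raw[:20])
    data_offset = (off_flags >> 12) * 4
    hdr = {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF,
           "window": window, "wscale": None}
    opts, i = raw[20:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # EOL: no more options
            break
        if kind == 1:                    # NOP: one byte, no length field
            i += 1
            continue
        length = opts[i + 1]
        if kind == 3 and length == 3:    # window scale option (RFC 7323)
            hdr["wscale"] = opts[i + 2]
        i += max(length, 2)              # never loop on a zero-length option

    return hdr

def effective_window(hdr, sender_shift=0):
    """Window in bytes. SYN segments are never scaled; later segments are
    shifted by the scale the sender announced in its own SYN."""
    if hdr["flags"] & TCP_SYN:
        return hdr["window"]
    return hdr["window"] << sender_shift

def is_tarpit_synack(raw, threshold=64):
    """True if raw is a SYN/ACK advertising fewer than threshold bytes."""
    hdr = parse_tcp_header(raw)
    synack = (hdr["flags"] & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)
    return synack and effective_window(hdr) < threshold

if __name__ == "__main__":
    for name, pkt in (("tarpit", TARPIT_SYNACK), ("normal", NORMAL_SYNACK)):
        h = parse_tcp_header(pkt)
        print(name, "window", effective_window(h), "wscale", h["wscale"],
              "tarpit?", is_tarpit_synack(pkt))
```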