Re: IDS: Passive Mapping: An Offensive Use of IDS
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
I'm not so sure I would call this "offensive use of an IDS". It's
really offensive use of a sniffer. There are a variety of protocols
such as SNMP and OSPF/RIP/BGP which can be used to figure out the
topology and services available on a target network. Even DNS and
"pings" from a network management system can also be used. One of
my all time favorites was to intercept an X session which contained
an HP Openview session with active network maps.
From a commercial IDS point of view, I think this information has
obvious security value. For example, in the Dragon IDS, you can
search through a complex ACL of SYN-ACKs from servers on your
network and also for responses from servers that your folks are
visiting. This means you can say neat things like "I have 5 DNS
servers so I will ignore port 53 SYN/ACK traffic from them,
but alert on port 53 SYN/ACKs from other servers that may be
unauthorized ports". The same thing goes for general rules which
say, show me a SYN/ACK for any of my machines above port 1024
which may indicate backdoor traffic. There will be some false
alarms from FTP transfers, but a consistent port such as a proxy
or IRC server will stand out.
Ron Gula, CTO
Network Security Wizards
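The two SYN/ACK rules described in the post, as an added example that is not part of the original message or of the Dragon IDS: the packets, the 10.0.0.0/24 "home" network and the authorized DNS server list are all constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port, tcp_flags).
# "SA" marks a SYN/ACK, i.e. a host on our side accepting a connection.
PACKETS = [
    ("10.0.0.5", 53, "192.0.2.10", 33001, "SA"),     # authorized DNS server
    ("10.0.0.77", 53, "192.0.2.11", 33002, "SA"),    # unknown host answering on 53
    ("10.0.0.20", 8080, "192.0.2.12", 40001, "SA"),  # consistent high-port listener
    ("10.0.0.20", 8080, "192.0.2.13", 40002, "SA"),
    ("10.0.0.20", 8080, "192.0.2.14", 40003, "SA"),
    ("10.0.0.30", 20000, "192.0.2.15", 40004, "SA"), # one-off, FTP-data-like
    ("10.0.0.5", 53, "192.0.2.10", 33001, "A"),      # plain ACK, not a handshake
]

LOCAL_NET = ip_network("10.0.0.0/24")   # assumed "my machines"
AUTHORIZED_DNS = {"10.0.0.5"}           # assumed list of sanctioned DNS servers


def syn_acks_from_local(packets):
    """Yield (src_ip, src_port) for SYN/ACKs sent by hosts on our network."""
    for src, sport, _dst, _dport, flags in packets:
        if flags == "SA" and ip_address(src) in LOCAL_NET:
            yield src, sport


def unauthorized_dns_responders(packets):
    """Rule 1: local hosts completing handshakes on port 53 that are not known DNS servers."""
    return sorted({src for src, sport in syn_acks_from_local(packets)
                   if sport == 53 and src not in AUTHORIZED_DNS})


def high_port_listeners(packets, min_hits=2):
    """Rule 2: local hosts accepting connections above port 1024.

    Counting per (host, port) lets a consistent listener (proxy, IRC, backdoor)
    stand out from one-off FTP data ports, which would otherwise be false alarms.
    """
    counts = Counter((src, sport) for src, sport in syn_acks_from_local(packets)
                     if sport > 1024)
    return {key: n for key, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    print("unauthorized DNS responders:", unauthorized_dns_responders(PACKETS))
    print("consistent high-port listeners:", high_port_listeners(PACKETS))
```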