Network Intrusion Prevention Systems (NIPS) have been plagued by "false positive" issues almost since their first deployment. A "false positive" can be described simply as incorrectly or mistakenly detecting a threat that is not real. A large amount of research has gone into using false positives as an attack vector, either to undermine the credibility of an IPS or to conduct forms of denial-of-service attack. However, the very reaction to a false positive may reveal more detailed information about a network's defences than you might think.
This talk looks at how it is possible to enumerate network defences such as an IPS by very simple and effective means. A detection system such as an IPS reacting to a set of conditions under the control of an attacker can let them learn which defences they need to overcome to be successful. A simple crafted email can reveal that ClamAV is running on a mail server, and a simple fake URL parameter can indicate that Snort is defending a web application. Armed with this type of information, an attacker can plan an attack that uses IPS evasion techniques. Although this talk uses some very well-known open-source security applications in its examples, the methodology can easily be applied to detect a whole host of commercial security products as well.
There is no hard and fast fix for the issues discussed in this talk; the aim is simple: to give attendees the ability to spot and assess potential "reaction leakages" from a detection system. You can only really defend against what you understand, and with this understanding a more fitting solution can be sought.