IPS evasion techniques
Inbound evasion takes advantage of the differences between how the IPS (which is Linux-based) interprets the malicious packets and data streams, and how the target interprets these packets. This is true of both traditional IPS systems and WAF systems.
Detecting a WAF
For a WAF, it's handy for an attacker to know that a WAF is in play, and what it's based on. Wafw00f is a good starting point here. Wafw00f is a free scanner that can detect over 150 different WAF systems, many of which are also load balancers. It is written in Python and is hosted at https://github.com/EnableSecurity/wafw00f, but is also packaged within Kali Linux.
By testing a few sites, we can see different WAF solutions being hosted by hosting providers:
└─$ wafw00f isc.sans.edu [*] Checking https://isc.sans.edu [+] The site https://isc.sans.edu is behind Cloudfront (Amazon) WAF. [~] Number of requests: 2 └─$ wafw00f www.coherentsecurity.com ...
