This isn't IDS evasion in the truest sense, however, more of a social engineering trick that dawned on me that relates to IDS. This would only work in a small number of cases, but worth noting nonetheless.
I run a few Snort
sensors, and like any "good IDS analyst" (tm), in addition to piping the packets through Snort, I also save the raw packet captures to disk. This is quite useful when trying to determine whether the alert is a false positive, giving the alert context, etc.
Now, as you can imagine, these files get large fast, and if I had to find three packets out of a 50GB packet capture, it would not be a quick endeavor. The typical solution is to rotate after a specified amount of time, and most docs give you examples rotating every 30 mins., depending on your average traffic, with a cron job.
Out of habit, most folks would use :00 and :30 as the times to rotate. Now, a clever individual might realize that this creates some opportunities:
- a brief period of time where packets aren't being captured (between shutdown and startup of the packet capture process)
- with proper timing of the attack, the packets would span 2 capture files. An analyst might not realize this, and thus not get the whole picture of the attack that generated the alert when plowing through raw packets.
The above opportunities could be used in combination with other tricks to further disguise an attack.
Some off the top of my head mitigations:
- run the cron job at unusual times (obscurity)
- create a script that randomizes the start/stop time (obscurity)
- start a new capture 1 min. before shutting down the old capture
Food for thought. Enjoy.