IDS mailing list archives

Re: wlan ids


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 24 Oct 2002 11:22:10 -0500

On Wed, 2002-10-23 at 01:50, Jérôme Tytgat wrote:
> Are you talking about WEP encryption?
>
> I think it should work as it does not need a lot of resources
> to be decrypted...
>
> The WLAN IDS will need to recognize your WLAN network (SSID / WEP
> passphrase, maybe MAC ACL), but in fact it's directly at the
> level of the network card these things are done, so I don't see why it
> should not work.
> The IDS will not even "know" that encryption is on...


That's the problem though. These things are done at the card level, so
your IDS won't know about them.

With wireless NICs you have three modes of operation. Normal (duh),
plain-old promiscuous mode which lets you sniff your traffic (but not
all), and monitor mode, which lets you see (and send) all wireless
packets. That's used for diagnosis, SID scanning, etc. Also, by
monkeying with the RTS/CTS handshaking, you can sniff all traffic on a
given WAP by having the WAP send you a copy of packets destined for
other WNICs.

I'm not aware of a WIDS that switches into monitor mode and could alert
if someone is actually messing around with the handshaking, or does some
other sophisticated prodding'n'probing. IDS' I've seen so far just watch
IP traffic, but they don't watch the WAP packets directly (again, to
make sure that the handshaking isn't tampered with).

If I just haven't come across such a product, please let me know
if/where such a thing exists.

Thanks,
Frank
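
An added example, not part of the original message: a sketch of the kind of check a monitor-mode WIDS could run and an IP-level IDS cannot, decoding raw 802.11 headers and flagging stations whose RTS frames are unusually frequent or reserve unusually long airtime. The function names, thresholds and sample frames are assumptions constructed for illustration.

```python
import struct
from collections import Counter

CONTROL, RTS, CTS = 1, 11, 12  # 802.11 type "control" and two of its subtypes

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_header(frame):
    """Decode a raw 802.11 MAC header (no radiotap header, FCS stripped)."""
    if len(frame) < 10:
        return None  # shorter than the smallest control frame (CTS/ACK)
    fc, duration = struct.unpack_from("<HH", frame, 0)
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "duration": duration,      # airtime reservation in microseconds
        "ra": mac(frame[4:10]),    # receiver address
        # RTS carries a transmitter address; CTS and ACK do not.
        "ta": mac(frame[10:16]) if len(frame) >= 16 else None,
    }

def rts_alerts(frames, max_rts=3, max_duration_us=5000):
    """Flag transmitters that send many RTS frames or reserve long airtime.
    Both thresholds are illustrative assumptions, not tuned values."""
    count, alerts = Counter(), []
    for raw in frames:
        h = parse_header(raw)
        if not h or h["type"] != CONTROL or h["subtype"] != RTS or not h["ta"]:
            continue
        count[h["ta"]] += 1
        if h["duration"] > max_duration_us:
            alerts.append((h["ta"], "long-duration", h["duration"]))
        if count[h["ta"]] == max_rts + 1:  # alert once, when the limit is passed
            alerts.append((h["ta"], "rts-rate", count[h["ta"]]))
    return alerts

def rts(ra, ta, dur):
    """Build a constructed RTS frame for the sample capture below."""
    fc = (RTS << 4) | (CONTROL << 2)
    return struct.pack("<HH", fc, dur) + bytes.fromhex(ra) + bytes.fromhex(ta)

# Constructed sample capture using locally administered MAC addresses.
AP, STA_A, STA_B = "020000000001", "020000000002", "020000000003"
SAMPLE = ([rts(AP, STA_A, 300)] + [rts(AP, STA_B, 300)] * 4
          + [rts(AP, STA_A, 30000)]
          + [struct.pack("<HH", (CTS << 4) | (CONTROL << 2), 200) + bytes.fromhex(STA_A)])

if __name__ == "__main__":
    for alert in rts_alerts(SAMPLE):
        print(alert)
```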
