IDS mailing list archives
Re: wlan ids
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 24 Oct 2002 11:22:10 -0500
On Wed, 2002-10-23 at 01:50, Jérôme Tytgat wrote:
Are you talking about WEP encryption? I think it should work as it does not need a lot of resources to be decrypted... The WLAN IDS will need to recognize your WLAN network (SSID / WEP passphrase, maybe MAC ACL), but in fact it's directly at the level of the network card these things are done, so I don't see why it should not work. The IDS will not even "know" that encryption is on...
That's the problem though. These things are done at the card level, so your IDS won't know about them.

With wireless NICs you have three modes of operation. Normal (duh), plain-old promiscuous mode which lets you sniff your traffic (but not all), and monitor mode, which lets you see (and send) all wireless packets. That's used for diagnosis, SID scanning, etc. Also, by monkeying with the RTS/CTS handshaking, you can sniff all traffic on a given WAP by having the WAP send you a copy of packets destined for other WNICs.

I'm not aware of a WIDS that switches into monitor mode and could alert if someone is actually messing around with the handshaking, or does some other sophisticated prodding'n'probing. IDSs I've seen so far just watch IP traffic, but they don't watch the WAP packets directly (again, to make sure that the handshaking isn't tampered with).

If I just haven't come across such a product, please let me know if/where such a thing exists.

Thanks,
Frank