Snort mailing list archives

Re: Snort on Wireless


From: Bennett Todd <bet () rahul net>
Date: Thu, 17 Apr 2003 12:20:07 -0400

I think it's helpful to distinguish between two very different and
separate sniffing functions.

Tools like AirSnort and Kismet throw the card into a physical
promiscuous mode, and thereby discover access points and ad hoc wlan
connections, learn their SSIDs, and with enough captured traffic
crack their WEP keys. This is all stuff that's exceedingly specific
to 802.11b; snort is not a tool in this space.

Then there's sniffing IP traffic visible on an IP LAN. For that,
snort running non-promisc can do part of the job. But it can't see
nearly as much traffic.

I don't know of an app that can do what snort does, over all the
traffic visible by running an 802.11b card in wireless promiscuous
mode. I _think_ that adapting snort to do that for non-WEP-encrypted
802.11b traffic would only require teaching it about the 802.11b
framing, then using one of the helper scripts that come with Kismet
to throw the card into promisc. But I don't know.

I think promiscuously snorting WEPed traffic would probably be most
easily done by hacking on a capture file stashed by Kismet, hacking
up webcrack software to turn that into decrypted pcap, then running
snort over that. That would be a pretty impressive tour de force of
technical prowess. Great for bragging rights. But useful?

802.11b is best treated as utterly untrusted media. I don't attach
anything to it that's breakable, I don't run anything over it that's
sniffable.

Given that, I feel little need for these sorts of hybrids. Kismet is
handy for discovering wlans, and I don't expect to see anything on
'em that snort would find interesting.

-Bennett
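The 802.11 framing the post says snort would have to be taught, as an added example that is not code from the post, from Snort or from Kismet: a minimal parser for bare 802.11 MAC frames (no radiotap/prism pseudo-header, no trailing FCS) that pulls out SA/DA/BSSID according to the To-DS/From-DS bits, reads the SSID IE out of a beacon, checks the Protected (WEP) flag, and re-wraps an unencrypted data frame as Ethernet II, the framing a wired-LAN IDS already decodes. The three sample frames and the helper names (`parse_80211`, `to_ethernet`, `beacon_ssid`) are constructed for this example, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Frame Control byte 0: bits 2-3 = type, bits 4-7 = subtype (IEEE 802.11 MAC header)
TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
SUBTYPE_BEACON = 8
# Frame Control byte 1 flag bits
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
LLC_SNAP_HDR = bytes.fromhex("aaaa03000000")  # LLC/SNAP prefix that precedes the 2-byte ethertype


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


@dataclass
class Frame:
    ftype: int
    subtype: int
    protected: bool            # WEP/WPA "Protected Frame" bit set
    src: Optional[str] = None
    dst: Optional[str] = None
    bssid: Optional[str] = None
    ethertype: Optional[int] = None
    payload: bytes = b""
    ssid: Optional[str] = None


def beacon_ssid(body: bytes) -> Optional[str]:
    """Skip the 12 fixed beacon bytes (timestamp, interval, capabilities), then walk IEs for tag 0."""
    i = 12
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        if tag == 0:
            return body[i + 2:i + 2 + ln].decode("ascii", "replace")
        i += 2 + ln
    return None


def parse_80211(raw: bytes) -> Frame:
    """Parse one bare 802.11 MAC frame (no radiotap/prism pseudo-header, no trailing FCS)."""
    if len(raw) < 24:
        raise ValueError("shorter than the 24-byte minimum 802.11 header")
    fc0, fc1 = raw[0], raw[1]
    fr = Frame((fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF, bool(fc1 & FLAG_PROTECTED))
    to_ds, from_ds = bool(fc1 & FLAG_TO_DS), bool(fc1 & FLAG_FROM_DS)
    a1, a2, a3 = mac(raw[4:10]), mac(raw[10:16]), mac(raw[16:22])
    hdr_len = 24
    if fr.ftype == TYPE_MGMT:
        fr.dst, fr.src, fr.bssid = a1, a2, a3
        if fr.subtype == SUBTYPE_BEACON:
            fr.ssid = beacon_ssid(raw[hdr_len:])
        return fr
    if fr.ftype != TYPE_DATA:
        return fr  # control frames (ACK, RTS/CTS) carry no payload an IDS would inspect
    # Which address is SA/DA/BSSID depends on the To-DS / From-DS bits
    if to_ds and from_ds:
        hdr_len += 6  # WDS frames carry a 4th address (SA) after the sequence control
        fr.dst, fr.src = a3, mac(raw[24:30])
    elif to_ds:
        fr.bssid, fr.src, fr.dst = a1, a2, a3
    elif from_ds:
        fr.dst, fr.bssid, fr.src = a1, a2, a3
    else:
        fr.dst, fr.src, fr.bssid = a1, a2, a3
    if fr.subtype & 0x8:
        hdr_len += 2  # QoS Data subtypes add a 2-byte QoS Control field
    body = raw[hdr_len:]
    if fr.protected:
        fr.payload = body  # IV/key-id plus ciphertext: nothing an IP decoder can use
        return fr
    if len(body) < 8 or body[:6] != LLC_SNAP_HDR:
        raise ValueError("data frame without LLC/SNAP encapsulation")
    fr.ethertype = struct.unpack("!H", body[6:8])[0]
    fr.payload = body[8:]
    return fr


def to_ethernet(fr: Frame) -> bytes:
    """Re-wrap a decoded, unprotected data frame as Ethernet II (DA, SA, ethertype, payload)."""
    if fr.ftype != TYPE_DATA or fr.protected or fr.ethertype is None:
        raise ValueError("only unprotected 802.11 data frames can be converted")
    dst, src = bytes.fromhex(fr.dst.replace(":", "")), bytes.fromhex(fr.src.replace(":", ""))
    return dst + src + struct.pack("!H", fr.ethertype) + fr.payload


# Constructed sample frames for this example (not real captures)
IPV4 = bytes.fromhex("45000014000100004011" "0000" "0a000002" "0a000001")  # 20-byte IPv4 hdr, 10.0.0.2 -> 10.0.0.1
ADDRS = bytes.fromhex("001122334455" "aabbccddeeff" "00deadbeef01" "1000")  # DA, BSSID, SA, sequence control
DATA_CLEAR = bytes.fromhex("0802" "0000") + ADDRS + LLC_SNAP_HDR + bytes.fromhex("0800") + IPV4   # data, From-DS
DATA_WEP = bytes.fromhex("0842" "0000") + ADDRS + bytes.fromhex("01020300") + bytes(24)          # data, From-DS, Protected
BEACON = (bytes.fromhex("8000" "0000") + bytes.fromhex("ffffffffffff" "aabbccddeeff" "aabbccddeeff" "0000")
          + bytes(8) + bytes.fromhex("6400" "0100") + bytes([0, 6]) + b"lab-ap")                 # beacon with SSID IE

if __name__ == "__main__":
    for name, frame in (("beacon", BEACON), ("clear data", DATA_CLEAR), ("WEP data", DATA_WEP)):
        print(name, parse_80211(frame))
```

The split the post draws falls out of the Protected bit: a beacon or an unencrypted data frame decodes all the way to an ethertype and IP payload, while a WEP data frame yields only IV plus ciphertext, so there is nothing to hand to an IP decoder until the key is recovered and the capture decrypted.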
