Snort mailing list archives
Re: Snort on Wireless
From: Bennett Todd <bet () rahul net>
Date: Thu, 17 Apr 2003 12:20:07 -0400
I think it's helpful to distinguish between two very different and separate sniffing functions. Tools like AirSnort and Kismet throw the card into a physical promiscuous mode, and thereby discover access points and adhoc wlan connections, learn their SSIDs, and with enough captured traffic crack their WEP keys. This is all stuff that's exceedingly specific to 802.11b; snort is not a tool in this space.

Then there's sniffing IP traffic visible on an IP LAN. For that, snort running non-promisc can do part of the job. But it can't see nearly as much traffic.

I don't know of an app that can do what snort does, over all the traffic visible by running an 802.11b card in wireless promiscuous mode. I _think_ that adapting snort to do that for non-WEP-encrypted 802.11b traffic would only require teaching it about the 802.11b framing, then using one of the helper scripts that come with Kismet to throw the card into promisc. But I don't know.

I think promiscuously snorting WEPed traffic would probably be most easily done by hacking on a capture file stashed by Kismet, hacking up webcrack software to turn that into decrypted pcap, then running snort over that. That would be a pretty impressive tour de force of technical prowess. Great for bragging rights. But useful?

802.11b is best treated as utterly untrusted media. I don't attach anything to it that's breakable, I don't run anything over it that's sniffable. Given that, I feel little need for these sorts of hybrids. Kismet is handy for discovering wlans, and I don't expect to see anything on 'em that snort would find interesting.

-Bennett
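The step the message calls "teaching it about the 802.11b framing", worked through for a single data frame: find where the IP packet starts, and refuse frames whose body is WEP ciphertext. This is an added example, not code from the post or from Snort; the function name, result codes and sample frame are constructed for illustration, and it assumes a raw 802.11 frame with no capture-driver header and no trailing FCS.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the decoder (hypothetical names, not Snort's). */
enum { DOT11_OK = 0, DOT11_NOT_DATA = -1, DOT11_PROTECTED = -2,
       DOT11_TRUNCATED = -3, DOT11_NOT_SNAP = -4 };

/* Constructed sample: unencrypted data frame, station to AP, carrying IPv4. */
static const uint8_t sample_frame[] = {
    0x08, 0x01, 0x00, 0x00,                   /* frame control (data, ToDS), duration */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,       /* address 1: BSSID */
    0x00, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE,       /* address 2: source station */
    0x00, 0x66, 0x77, 0x88, 0x99, 0x00,       /* address 3: destination */
    0x10, 0x00,                               /* sequence control */
    0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00, /* LLC/SNAP, EtherType IPv4 */
    0x45, 0x00, 0x00, 0x14                    /* first bytes of the IP header */
};

/* Locate the layer-3 payload of one 802.11 data frame. On success stores the
 * EtherType and the payload offset and returns DOT11_OK. */
int dot11_find_payload(const uint8_t *f, size_t len,
                       uint16_t *ethertype, size_t *offset)
{
    static const uint8_t snap[6] = { 0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00 };
    size_t hdr = 24;          /* frame control, duration, 3 addresses, seq ctl */

    if (len < hdr) return DOT11_TRUNCATED;
    if (((f[0] >> 2) & 0x3) != 2) return DOT11_NOT_DATA; /* management/control */
    if ((f[0] >> 4) > 3) return DOT11_NOT_DATA;  /* null and other subtypes skipped */
    if (f[1] & 0x40) return DOT11_PROTECTED;     /* WEP bit: body is ciphertext */
    if ((f[1] & 0x03) == 0x03) hdr += 6;         /* ToDS+FromDS adds address 4 */
    if (len < hdr + 8) return DOT11_TRUNCATED;
    if (memcmp(f + hdr, snap, 6) != 0) return DOT11_NOT_SNAP;
    *ethertype = (uint16_t)((f[hdr + 6] << 8) | f[hdr + 7]);
    *offset = hdr + 8;        /* an IP decoder would take over from here */
    return DOT11_OK;
}

int main(void)
{
    uint16_t et = 0; size_t off = 0;
    int rc = dot11_find_payload(sample_frame, sizeof sample_frame, &et, &off);
    printf("rc=%d ethertype=0x%04x payload_offset=%zu\n", rc, (unsigned)et, off);
    return rc == DOT11_OK ? 0 : 1;
}
```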
Current thread:
- Snort on Wireless Sadanapalli, Pradeep Kumar (MED, TCS) (Apr 17)
- Re: Snort on Wireless Jason (Apr 17)
- Re: Snort on Wireless Michael Santos (Apr 17)
- Re: Snort on Wireless Bennett Todd (Apr 17)
- Re: Snort on Wireless Chris Green (Apr 21)
- Re: Snort on Wireless Bennett Todd (Apr 21)
- <Possible follow-ups>
- RE: Snort on Wireless Philip Davidson (Apr 17)
- Re: Snort on Wireless Brent Wrisley (Apr 22)
- snort on wireless Vaidehi Kasarekar (May 31)