Snort mailing list archives
Re: Using Snort for Wireless
From: Mike Craik <bovine () btinternet com>
Date: Wed, 03 Apr 2002 18:04:06 +0100
Lists wrote:
Has anyone thought of using Snort specifically geared towards wireless? I would think that rules can be written specifically towards wireless use (like writing a rule to look for 'All your 802.11 belong to us' to look for Netstumblers?).
Hi,

Correct me if I am wrong (usually am :P), but Snort is designed to look at Layer 3 protocols & above. Snort doesn't currently understand or decode Layer 2 protocols such as 802.11/LLC etc. In order to detect Netstumbler (or any active 802.11b scanning tool) with Snort this would be required.

Kismet (an 802.11b sniffer) - http://www.kismetwireless.net - should have some sort of Netstumbler detection in the near future, hopefully. For those interested in this, see this thread on the Kismet mailing list:

http://www.kismetwireless.net/cgi-bin/ezmlm-cgi?mss:366:eafojgdoalggkiopbclf

Assuming you have an appropriate 802.11b card/driver configured, a quick 'n dirty way to detect Netstumbler using tethereal would be -

# tethereal -V -i wlan0 -R "llc.oui eq 0x00601d"
Capturing on wlan0
Frame 4 (90 on wire, 90 captured)
    Arrival Time: Apr 3, 2002 15:39:54.128849000
    Time delta from previous packet: 0.007636000 seconds
    Time relative to first packet: 0.212388000 seconds
    Frame Number: 4
    Packet Length: 90 bytes
    Capture Length: 90 bytes
IEEE 802.11
    Type/Subtype: Data (32)
    Frame Control: 0x0008
        Version: 0
        Type: Data frame (2)
        Subtype: 0
        Flags: 0x0
            DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
            .... .0.. = Fragments: No fragments
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = WEP flag: WEP is disabled
            0... .... = Order flag: Not strictly ordered
    Duration: 0
    Destination address: 01:60:1d:00:01:00 (01:60:1d:00:01:00)
    Source address: fe:ed:de:ad:be:ef (fe:ed:de:ad:be:ef)
    BSS Id: de:23:97:b4:fe:ed (de:23:97:b4:fe:ed)
    Fragment number: 0
    Sequence number: 3997
Logical-Link Control
    DSAP: SNAP (0xaa)
    IG Bit: Individual
    SSAP: SNAP (0xaa)
    CR Bit: Command
    Control field: U, func = UI (0x03)
        000. 00.. = Unnumbered Information
        .... ..11 = Unnumbered frame
    Organization Code: Unknown (0x00601d)
    Protocol ID: 0x0001
Data (58 bytes)

0000  00 00 00 00 41 6c 6c 20 79 6f 75 72 20 38 30 32   ....All your 802
0010  2e 31 31 62 20 61 72 65 20 62 65 6c 6f 6e 67 20   .11b are belong 
0020  74 6f 20 75 73 2e 20 20 20 20 20 20 fe ca ba ab   to us.      ....
0030  ad de 0f d0 07 10 60 fb 01 00                     ......`...

Or

# tethereal -i wlan0 -R "llc.oui eq 0x00601d"
Capturing on wlan0
  0.078748 fe:ed:de:ad:be:ef -> 01:60:1d:00:01:00 LLC U, func = UI; SNAP, OUI 0x00601D (Unknown), PID 0x0001
  1.087599 fe:ed:de:ad:be:ef -> 01:60:1d:00:01:00 LLC U, func = UI; SNAP, OUI 0x00601D (Unknown), PID 0x0001
(etc.)

It would be quite trivial to extend this via a simple script to email out/send an SNMP trap etc. upon receiving a "hit". By no means a perfect method though!

However, you won't see any of this traffic if your AP is configured NOT to respond to probe requests that use the Broadcast SSID. Netstumbler must find an AP using this method prior to sending any of the above probes.

Cheers,
Mike.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
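As an added example, not part of Mike's message and not code from Snort, Kismet or tethereal: the same match his filter makes, llc.oui eq 0x00601d, done in Python over frames held in memory, so that the SNAP OUI/PID check and the "All your 802.11b are belong to us" string can be scripted for the email/SNMP-trap idea he mentions. The sample frames are constructed: the MAC and LLC/SNAP headers are rebuilt from the decoded fields in the capture above, the 58 data bytes are copied from its hex dump, and the IP and WEP frames are made up for contrast. It assumes it is handed bare 802.11 frames, with any prism/radiotap pseudo-header already stripped.

```python
"""Added example (not from the original post): the tethereal filter
llc.oui eq 0x00601d recreated as a small 802.11 frame classifier.

Assumes bare 802.11 frames (prism/radiotap headers already stripped).
All sample frames below are constructed, see build_frame()."""
import struct

NETSTUMBLER_OUI = 0x00601D      # the OUI in the tethereal filter
NETSTUMBLER_PID = 0x0001        # SNAP Protocol ID seen in the capture
NETSTUMBLER_TAG = b"All your 802.11b are belong to us"   # text in the data bytes

# The 58 data bytes, copied from the hex dump in the post.
NETSTUMBLER_DATA = bytes.fromhex(
    "00000000416c6c20796f757220383032"
    "2e313162206172652062656c6f6e6720"
    "746f2075732e202020202020fecabaab"
    "adde0fd0071060fb0100"
)


def build_frame(fc: int, oui: bytes, pid: int, payload: bytes) -> bytes:
    """Constructed 802.11 data frame using the addresses and sequence number
    decoded from Frame 4, followed by an LLC/SNAP header and a payload."""
    hdr = struct.pack("<HH", fc, 0)                       # Frame Control, Duration 0
    hdr += bytes.fromhex("01601d000100")                  # Addr1: 01:60:1d:00:01:00
    hdr += bytes.fromhex("feeddeadbeef")                  # Addr2: fe:ed:de:ad:be:ef
    hdr += bytes.fromhex("de2397b4feed")                  # Addr3: de:23:97:b4:fe:ed
    hdr += struct.pack("<H", 3997 << 4)                   # sequence 3997, fragment 0
    return hdr + b"\xaa\xaa\x03" + oui + struct.pack(">H", pid) + payload


# Constructed sample frames: the real-looking hit, a plain IP-over-802.11 frame,
# and a WEP-protected frame whose LLC header a sniffer cannot read.
NETSTUMBLER_FRAME = build_frame(0x0008, b"\x00\x60\x1d", 0x0001, NETSTUMBLER_DATA)  # 90 bytes
IP_FRAME = build_frame(0x0008, b"\x00\x00\x00", 0x0800, b"\x45\x00\x00\x1c" + bytes(24))
WEP_FRAME = build_frame(0x4008, b"\x12\x34\x56", 0x0000, bytes(40))   # WEP flag set


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_80211_data(frame: bytes):
    """Return the LLC/SNAP fields of a cleartext 802.11 data frame, else None."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]            # Frame Control is little-endian
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    if ftype != 2:                                        # only data frames carry LLC
        return None
    if flags & 0x40:                                      # WEP flag: LLC is encrypted
        return None
    hdr_len = 24
    if (flags & 0x3) == 0x3:                              # To DS and From DS: 4th address
        hdr_len += 6
    if subtype & 0x8:                                     # QoS data: 2-byte QoS control
        hdr_len += 2
    if len(frame) < hdr_len + 8:                          # LLC (3) + SNAP (5)
        return None
    if frame[hdr_len:hdr_len + 3] != b"\xaa\xaa\x03":     # DSAP/SSAP SNAP, UI
        return None
    return {
        "addr2": mac(frame[10:16]),                       # transmitter in every DS mode
        "addr3": mac(frame[16:22]),                       # BSSID when To DS = From DS = 0
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
        "oui": int.from_bytes(frame[hdr_len + 3:hdr_len + 6], "big"),
        "pid": struct.unpack_from(">H", frame, hdr_len + 6)[0],
        "payload": frame[hdr_len + 8:],
    }


def classify(frame: bytes):
    """One alert line per Netstumbler hit (same condition as the -R filter,
    plus the payload string as a second indicator); None for everything else."""
    llc = parse_80211_data(frame)
    if llc is None or llc["oui"] != NETSTUMBLER_OUI or llc["pid"] != NETSTUMBLER_PID:
        return None
    reason = "snap-oui"
    if NETSTUMBLER_TAG in llc["payload"]:
        reason += "+payload"
    return (f"NETSTUMBLER {reason} src={llc['addr2']} "
            f"bssid={llc['addr3']} seq={llc['seq']}")


def scan(frames):
    """Hits only, ready to hand to whatever sends the mail or the SNMP trap."""
    return [hit for hit in map(classify, frames) if hit]


if __name__ == "__main__":
    for line in scan([IP_FRAME, NETSTUMBLER_FRAME, WEP_FRAME]):
        print(line)
```

In practice the frames would come from a monitor-mode interface through a pcap library rather than from the constructed constants; the AP caveat above still applies, since nothing here makes Netstumbler send the frame in the first place, and the WEP case shows why a protected network hides the LLC header from this check entirely.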
Current thread:
- Using Snort for Wireless Lists (Apr 03)
- Re: Using Snort for Wireless Mike Craik (Apr 03)
- Re: Using Snort for Wireless james (Apr 03)
- Re: Using Snort for Wireless Skip Carter (Apr 03)
- Re: Using Snort for Wireless Erek Adams (Apr 03)
- Re: Using Snort for Wireless Aaron Richard Walters (Apr 04)
- Re: Using Snort for Wireless Mike Craik (Apr 04)
- Re: Using Snort for Wireless Nick Petroni (Apr 04)
- what would be the appropriate thing to do? Onie Camara (Apr 04)