Snort mailing list archives

Re: Using Snort for Wireless


From: Mike Craik <bovine () btinternet com>
Date: Wed, 03 Apr 2002 18:04:06 +0100

Lists wrote:

Has anyone thought of using Snort specifically geared towards wireless? I
would think that rules can be written specifically towards wireless use
(like writing a rule to look for 'All your 802.11 belong to us' to look for
Netstumblers?).

Hi,
   Correct me if I am wrong (usually am :P), but Snort is designed to
look at Layer 3 protocols & above. Snort doesn't currently understand or
decode Layer 2 protocols such as 802.11/LLC etc. In order to detect
Netstumbler (or any active 802.11b scanning tool) with Snort this would
be required.

Kismet (an 802.11b sniffer) - http://www.kismetwireless.net - should
have some sort of Netstumbler detection in the near future, hopefully.

For those interested in this, see this thread on the Kismet mailing
list:
http://www.kismetwireless.net/cgi-bin/ezmlm-cgi?mss:366:eafojgdoalggkiopbclf.

Assuming you have an appropriate 802.11b card/driver configured, a quick
'n dirty way to detect Netstumbler using tethereal would be -

# tethereal -V -i wlan0 -R "llc.oui eq 0x00601d"
Capturing on wlan0
Frame 4 (90 on wire, 90 captured)
    Arrival Time: Apr  3, 2002 15:39:54.128849000
    Time delta from previous packet: 0.007636000 seconds
    Time relative to first packet: 0.212388000 seconds
    Frame Number: 4
    Packet Length: 90 bytes
    Capture Length: 90 bytes
IEEE 802.11
    Type/Subtype: Data (32)
    Frame Control: 0x0008
        Version: 0
        Type: Data frame (2)
        Subtype: 0
        Flags: 0x0
            DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0  From DS: 0) (0x00)
            .... .0.. = Fragments: No fragments
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = WEP flag: WEP is disabled
            0... .... = Order flag: Not strictly ordered
    Duration: 0
    Destination address: 01:60:1d:00:01:00 (01:60:1d:00:01:00)
    Source address: fe:ed:de:ad:be:ef (fe:ed:de:ad:be:ef)
    BSS Id: de:23:97:b4:fe:ed (de:23:97:b4:fe:ed)
    Fragment number: 0
    Sequence number: 3997
Logical-Link Control
    DSAP: SNAP (0xaa)
    IG Bit: Individual
    SSAP: SNAP (0xaa)
    CR Bit: Command
    Control field: U, func = UI (0x03)
        000. 00.. = Unnumbered Information
        .... ..11 = Unnumbered frame
    Organization Code: Unknown (0x00601d)
    Protocol ID: 0x0001
Data (58 bytes)

0000  00 00 00 00 41 6c 6c 20 79 6f 75 72 20 38 30 32   ....All your 802
0010  2e 31 31 62 20 61 72 65 20 62 65 6c 6f 6e 67 20   .11b are belong 
0020  74 6f 20 75 73 2e 20 20 20 20 20 20 fe ca ba ab   to us.      ....
0030  ad de 0f d0 07 10 60 fb 01 00                     ......`...      

Or

# tethereal -i wlan0 -R "llc.oui eq 0x00601d"
Capturing on wlan0
  0.078748 fe:ed:de:ad:be:ef -> 01:60:1d:00:01:00 LLC U, func = UI; SNAP, OUI 0x00601D (Unknown), PID 0x0001
  1.087599 fe:ed:de:ad:be:ef -> 01:60:1d:00:01:00 LLC U, func = UI; SNAP, OUI 0x00601D (Unknown), PID 0x0001

(etc.)

It would be quite trivial to extend this via a simple script to email
out/send an SNMP trap etc. upon receiving a "hit". By no means a perfect
method though!

However, you won't see any of this traffic if your AP is configured NOT
to respond to probe requests that use the Broadcast SSID. Netstumbler
must find an AP using this method prior to sending any of the above
probes.

Cheers,
Mike.
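An added example, not part of Mike's post: the decoding his tethereal filter ("llc.oui eq 0x00601d") does, written out in Python so the layer-2 point of the thread is visible. It parses the 24-byte 802.11 MAC header of a plain data frame, then the 8-byte LLC/SNAP header, and flags frames whose SNAP OUI and protocol ID match the values in the dump. The sample frame is a reconstruction assembled from the field values shown in the -V output plus the 58-byte payload hex dump (it comes to the 90 bytes the dump reports), not a frame captured from a card; the second, benign frame is constructed purely for contrast. The WEP check reflects the same caveat the dump's flag line implies: once the frame body is encrypted there is no LLC header to match on.

```python
"""Decode 802.11 data frames far enough to apply an LLC/SNAP OUI match.

Added example for this archive page; the sample frames are constructed
(reconstructed from the posted dump), not captured traffic.
"""
import struct

# OUI and protocol ID shown in the posted tethereal dump.
SNAP_OUI_NETSTUMBLER = 0x00601D   # "llc.oui eq 0x00601d"
SNAP_PID_NETSTUMBLER = 0x0001     # "Protocol ID: 0x0001"

# Reconstructed from the -V dump: MAC header fields + LLC/SNAP + 58-byte payload.
SAMPLE_FRAME = bytes.fromhex(
    "0800"              # Frame Control 0x0008 (LE): version 0, data frame, subtype 0, no flags
    "0000"              # Duration 0
    "01601d000100"      # Address 1 = destination 01:60:1d:00:01:00
    "feeddeadbeef"      # Address 2 = source fe:ed:de:ad:be:ef
    "de2397b4feed"      # Address 3 = BSS Id de:23:97:b4:fe:ed
    "d0f9"              # Sequence control (LE): fragment 0, sequence 3997
    "aaaa03"            # LLC: DSAP SNAP, SSAP SNAP, control UI
    "00601d" "0001"     # SNAP: OUI 0x00601d, PID 0x0001
    "00000000416c6c20796f757220383032"   # payload, as in the hex dump
    "2e313162206172652062656c6f6e6720"
    "746f2075732e202020202020fecabaab"
    "adde0fd0071060fb0100"
)

# Constructed contrast case: broadcast SNAP frame carrying IPv4 (OUI 0, PID 0x0800).
BENIGN_FRAME = bytes.fromhex(
    "0800" "0000" "ffffffffffff" "feeddeadbeef" "de2397b4feed" "e0f9"
    "aaaa03" "000000" "0800"
    "4500001400000000400100000a0000010a000002"
)


def mac_str(raw: bytes) -> str:
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_data_frame(frame: bytes) -> dict:
    """Decode an 802.11 MAC header and, for unencrypted data frames, the LLC/SNAP header."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    flags = fc >> 8
    info = {
        "version": fc & 0x3, "type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
        "wep": bool(flags & 0x40), "duration": duration,
        "snap": False, "oui": None, "pid": None, "payload": b"",
    }
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if info["to_ds"] and info["from_ds"]:
        raise NotImplementedError("4-address (WDS) frames are not handled here")
    if info["to_ds"]:          # station -> AP
        info["bssid"], info["src"], info["dst"] = mac_str(a1), mac_str(a2), mac_str(a3)
    elif info["from_ds"]:      # AP -> station
        info["dst"], info["bssid"], info["src"] = mac_str(a1), mac_str(a2), mac_str(a3)
    else:                      # ad-hoc / neither, as in the dump
        info["dst"], info["src"], info["bssid"] = mac_str(a1), mac_str(a2), mac_str(a3)
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    info["frag"], info["seq"] = seq_ctrl & 0xF, seq_ctrl >> 4
    hdr = 24 + (2 if info["subtype"] & 0x8 else 0)   # QoS data subtypes carry 2 extra bytes
    # Only unencrypted data frames expose an LLC header to match on.
    if info["type"] != 2 or info["wep"]:
        return info
    llc = frame[hdr:hdr + 8]
    if len(llc) == 8 and llc[0] == 0xAA and llc[1] == 0xAA and llc[2] == 0x03:
        info["snap"] = True
        info["oui"] = int.from_bytes(llc[3:6], "big")
        info["pid"] = int.from_bytes(llc[6:8], "big")
        info["payload"] = frame[hdr + 8:]
    return info


def matches_filter(info: dict) -> bool:
    """Equivalent of the posted display filter: llc.oui eq 0x00601d."""
    return info["snap"] and info["oui"] == SNAP_OUI_NETSTUMBLER


def is_netstumbler_probe(info: dict) -> bool:
    """Tighter check: OUI and the protocol ID both as shown in the dump."""
    return matches_filter(info) and info["pid"] == SNAP_PID_NETSTUMBLER


def printable_runs(data: bytes, min_len: int = 8) -> list:
    """Return stripped runs of printable ASCII (the right-hand column of a hex dump)."""
    runs, cur = [], []
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(chr(b))
            continue
        if len(cur) >= min_len:
            runs.append("".join(cur).strip())
        cur = []
    if len(cur) >= min_len:
        runs.append("".join(cur).strip())
    return runs


def summary_line(ts: float, info: dict) -> str:
    """One-line summary in the shape of tethereal's non-verbose output."""
    return (f"{ts:10.6f} {info['src']} -> {info['dst']} LLC U, func = UI; "
            f"SNAP, OUI 0x{info['oui']:06X} (Unknown), PID 0x{info['pid']:04X}")


def scan(frames) -> list:
    """frames: iterable of (timestamp, raw_frame); returns summary lines for hits."""
    hits = []
    for ts, raw in frames:
        info = parse_data_frame(raw)
        if is_netstumbler_probe(info):
            hits.append(summary_line(ts, info))
    return hits


if __name__ == "__main__":
    for line in scan([(0.078748, SAMPLE_FRAME), (0.5, BENIGN_FRAME)]):
        print(line)
    print(printable_runs(parse_data_frame(SAMPLE_FRAME)["payload"]))
```

Feeding `scan()` frames read from a monitor-mode capture (via a pcap library) would give the same hit lines as the second tethereal invocation above; the hits list is what a wrapper script would hand to its mail or SNMP step.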
