Snort mailing list archives

RE: Wireless IDS setup experience


From: "William Fitzgerald" <wfitzgerald () tssg org>
Date: Fri, 18 Feb 2005 09:48:18 -0000

I am not sure either, but when I was asking about it no one responded
saying that snort has integrated it.
Also the front ends such as BASE and ACID don't show wireless graphs in a
percentage bar graph like they do for UDP and TCP traffic.

So I am not sure

Regards,
Will.

Mr. William M. Fitzgerald (MSc, BSc),
Applied Researcher,
Telecommunications Software & Systems Group,
Waterford Institute of Technology,
Cork Rd.
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org/



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of sam wun
Sent: 18 February 2005 09:48
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Wireless IDS setup experience


Hi, I got snort 2.30, which mentioned it supports wireless IDS:

# grep -r wireless *
pkg-plist:%%PORTDOCS%%%%DOCSDIR%%/README.wireless
work/snort-2.3.0/ChangeLog:      - wireless arp printing fix
work/snort-2.3.0/src/decode.c: * Purpose: Decode those fun loving wireless LAN packets, one at a time!
work/snort-2.3.0/src/decode.c:    /* lay the wireless structure over the packet data */
work/snort-2.3.0/src/decode.h:    WifiHdr *wifih;         /* wireless LAN header */
work/snort-2.3.0/src/log.c:             * wireless protocol */
work/snort-2.3.0/src/snort.h:  /* wireless statistics */
work/snort-2.3.0/src/win32/WIN32-Includes/NET/Bpf.h:#define DLT_IEEE802_11      105     /* IEEE 802.11 wireless */
work/snort-2.3.0/doc/Makefile.am:README.wireless PROBLEMS RULES.todo WISHLIST faq.pdf faq.tex
work/snort-2.3.0/doc/Makefile.in:README.wireless PROBLEMS RULES.todo WISHLIST faq.pdf faq.tex
work/snort-2.3.0/doc/signatures/1966.txt:This event is generated when an attempt is made to discover sensitive information associated with a Global Sun Technology wireless access point.

And the README.wireless said that:
Regular Snort, wireless interface:
---------------------------------
To use Snort over a wireless interface in RFMON mode, simply set the
card to that mode and start snort with the usual -i <interface> flag.
How is sniffing in RFMON mode different from sniffing in Ethernet
emulation mode (that is, the mode the card is usually in when you are
operating on your own network)? In RFMON mode the card is associated
with no particular network, rather it listens to all traffic it can see
from any device using 802.11 within range. Similar to using different
Virtual LANs on the same piece of wire, many 802.11 networks operate in
the same area. For those interested in monitoring only their own
network, it is recommended that they leave their wireless card in
Ethernet emulation mode. This is no different than snort in the wired
environment (and, in fact snort won't even know the difference). For
those interested in monitoring all wireless networks within range, RFMON
mode should be used.

...

I'm not sure if snort-wireless has already been integrated into snort 2.30.

Sam

sam wun wrote:

Thanks for a quick reply.
Which Wireless server PCI cards can be used?

Thanks
Sam

William Fitzgerald wrote:

I have just set one up.
Yes, it can detect rogue AP and AntiStumbler traffic along with auth and
deauth flood attacks.

Grab a copy of snort-2.1.1, then go to snort-wireless.org and grab
both the snort-2.1.1 wireless patch and the snort-2.1.1 database
patch.

Below is the list of software I needed:
MySQL: mysql-standard-4.1.9-pc-linux-gnu-i686
Automake: automake-1.6.1
Snort: snort-2.1.1
Snort-Wireless patches: Snort-2.1.1-wireless
Zlib: zlib-1.2.1
JPEG: jpeg-6b
Libpng: libpng-1.2.8
GD: gd-2.0.33
Apache: httpd-2.0.52
PHP: php-4.3.10
ADODB: adodb460
ACID: acid-0.9.6b23
PHPLOT: phplot-5.0rc2
JPGRAPH: jpgraph-1.17
BASE: base-1.0.1
Linux: Debian Linux

Regards,
Will.

Mr. William M. Fitzgerald (MSc, BSc),
Applied Researcher,
Telecommunications Software & Systems Group,
Waterford Institute of Technology,
Cork Rd.
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org/


Hi,

Does anyone have experience in setting up snort as a wireless IDS? I'm
wondering whether snort can be used to monitor for rogue AP access.

What can be used as a wireless monitoring console? Is there any
documentation I can read?

Thanks
Sam

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

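As an added example (not code from Snort, snort-wireless, or anyone in this thread) of what a sensor on an RFMON-mode interface is actually handed, and why the auth/deauth flood detection mentioned above is feasible at all: on an interface in monitor mode the capture link type is DLT_IEEE802_11 (the value 105 in the grep output), so the sensor receives raw 802.11 MAC headers rather than Ethernet frames, from every network in range. The script below decodes the frame-control field of those headers, classifies management frames (beacon, auth, deauth), and counts deauthentication frames per transmitter over a constructed sample capture. The addresses, the frames and the threshold of 10 are all assumed values for illustration, not anything taken from Snort or snort-wireless.

```python
"""Minimal 802.11 management-frame decoder with a deauth-flood check.

Added example for this thread; it is not Snort or snort-wireless code.
It models what a sensor sees on an RFMON-mode interface (DLT_IEEE802_11
link type: raw 802.11 MAC headers, no radiotap header, no FCS) and flags
one of the behaviours the thread mentions, a deauthentication flood.
All frames below are constructed, and the flood threshold is assumed.
"""
import struct
from collections import Counter

MGMT = 0                 # frame-control "type" value for management frames
SUBTYPE_BEACON = 8
SUBTYPE_AUTH = 11
SUBTYPE_DEAUTH = 12
SUBTYPE_NAMES = {SUBTYPE_BEACON: "beacon", SUBTYPE_AUTH: "auth", SUBTYPE_DEAUTH: "deauth"}
MAC_HDR_LEN = 24         # FC(2) + duration(2) + addr1/2/3 (18) + seq ctrl(2)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211(frame: bytes) -> dict:
    """Decode the fixed MAC header of an 802.11 frame."""
    if len(frame) < MAC_HDR_LEN:
        raise ValueError("frame shorter than 802.11 MAC header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)   # little-endian fields
    ftype = (fc >> 2) & 0x3        # bits 2-3: type (0 = management)
    subtype = (fc >> 4) & 0xF      # bits 4-7: subtype
    info = {
        "type": ftype,
        "subtype": subtype,
        "name": SUBTYPE_NAMES.get(subtype, "other") if ftype == MGMT else "non-mgmt",
        "dst": mac_str(frame[4:10]),     # addr1: receiver
        "src": mac_str(frame[10:16]),    # addr2: transmitter
        "bssid": mac_str(frame[16:22]),  # addr3: BSSID for management frames
        "body": frame[MAC_HDR_LEN:],
    }
    if ftype == MGMT and subtype == SUBTYPE_DEAUTH and len(info["body"]) >= 2:
        info["reason"] = struct.unpack_from("<H", info["body"], 0)[0]  # reason code
    return info


def build_mgmt(subtype: int, dst: bytes, src: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    """Construct a management frame; used here only to make sample input."""
    fc = (subtype << 4) | (MGMT << 2)          # protocol version 0, flags 0
    return struct.pack("<HH", fc, 0) + dst + src + bssid + struct.pack("<H", 0) + body


def deauth_flood_sources(frames, threshold: int) -> dict:
    """Return {transmitter: count} for sources that sent more than `threshold` deauths."""
    counts = Counter()
    for raw in frames:
        f = parse_80211(raw)
        if f["type"] == MGMT and f["subtype"] == SUBTYPE_DEAUTH:
            counts[f["src"]] += 1
    return {src: n for src, n in counts.items() if n > threshold}


# --- constructed sample capture (all addresses are made up) ----------------
AP = bytes.fromhex("0211223344aa")          # constructed AP / BSSID address
CLIENT = bytes.fromhex("0255667788bb")      # constructed client address
FLOOD_SRC = bytes.fromhex("02deadbeef01")   # constructed address emitting the burst
BROADCAST = b"\xff" * 6

SAMPLE_FRAMES = (
    [build_mgmt(SUBTYPE_BEACON, BROADCAST, AP, AP)] * 3
    + [build_mgmt(SUBTYPE_AUTH, AP, CLIENT, AP)]
    + [build_mgmt(SUBTYPE_DEAUTH, CLIENT, AP, AP, struct.pack("<H", 3))]   # one ordinary deauth
    + [build_mgmt(SUBTYPE_DEAUTH, BROADCAST, FLOOD_SRC, AP, struct.pack("<H", 7))] * 40
)
DEAUTH_THRESHOLD = 10   # assumed per-capture threshold, not a Snort value

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES[:5]:
        f = parse_80211(raw)
        print(f"{f['name']:7s} src={f['src']} dst={f['dst']} bssid={f['bssid']}")
    for src, n in deauth_flood_sources(SAMPLE_FRAMES, DEAUTH_THRESHOLD).items():
        print(f"possible deauth flood: {n} frames from {src}")
```

The count is keyed on addr2 (the transmitter) rather than the BSSID because a single legitimate deauth from the access point is normal; it is the rate from one transmitter that matters, and a real sensor would apply the threshold per time window rather than per capture.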