Re: Snort on Wireless

[Bennett Todd <bet () rahul net>]

2003-04-21T11:05:21 Chris Green:
> Lots of wireless cards have issues with being in promiscous mode.

Ayup. More than that, promiscuous mode really means more, means
different things, on 802.11 than it does on 802.3 ethernets. On
the latter, it just means getting the same sort o' network frames
you'd be getting anyway, just dropping the usual MAC-addr-checking
filter implemented by hardware. In 802.11, it means seeing traffic
that creates the layer-2 network associations, which come in
two radically different sorts (adhoc -vs- infrastructure mode,
the latter implemented by access points) and any number of odd
variations (beacon packets on/off, wep enabled/disabled, and many
more vendor-specific and non-interoperable perversions than there
are distinct vendors).

> Try a different card, talk to the driver author, or run 2 wireless
> cards in your box, one for sniffing, one for using.

If you want to snort at all on 802.11 nets, two cards is a good
starting point, and the promisc enable/disable scripts that come
with Kismet are liable to be helpful. I still think snorting on
promisc 802.11 is not a really attractive goal; leave the 802.11
promisc sniffing to media-specific apps like Kismet, worrying only
about the layer-2 802.11-specific weirdness, and let snort look at
the normal traffic you see after you've configured your card to its
adhoc or infrastructure mode, with snort -p to avoid snort trying to
set the interface promisc.

Run a snort on every machine that does wireless associations, and on
the wired 802.3 side (if any) of the access point.

-Bennett

Attachment: _bin
Description: