[Snort-sigs] Problem to configure IDS with snort-wireless

Piergiorgio Venuti piergiorgiovenuti at ...902...
Fri Apr 30 02:59:26 EDT 2004


Hi all,
I have installed snort-2.1.1 with wireless exstention and I'am trying some wireless
attack(deauthentication, authentication flood,etc..) on my server but snort isn't able to detect that, may be it isn't
configurated very good?
My wireless card is in promiscus mode.I attach my snort.conf and my ../etc/wifi.rules
 
Could you give me some help?
Thank you.

My snort.conf is:

#--------------------------------------------------
#   http://www.snort.org     Snort 2.0.0 Ruleset
#     Contact: snort-sigs at lists.sourceforge.net
#--------------------------------------------------
# $Id: snort.conf,v 1.124 2003/05/16 02:52:41 cazz Exp $
#
###################################################
# This file contains a sample snort configuration. 
# You can take the following steps to create your 
# own custom configuration:
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
# your local network. The variable is currently 
# setup for an RFC 1918 address space.
#
# You can specify it explicitly as: 
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS 
# which will be always initialized to IP address and 
# netmask of the network interface which you run
# snort at.  Under Windows, this must be specified
# as $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:

var HOME_NET 10.0.1.0/24
#var HOME_NET any
#var HOME_NET $wlan0_ADDRESS

# Set up the external network addresses as well.  
# A good start may be "any"

var EXTERNAL_NET any
#var HOME_NET $eth0_ADDRESS
#var EXTERNAL_NET $eth0_ADDRESS

# Configure your wireless AP lists.  This allows snort to look for attacks
# against your wireless network, such as rogue access points or adhoc wireless

# networks. Also specify what channels your access points are setup on.
#
# Ex:
#
# var ACCESS_POINTS XX:XX:XX:XX:XX:XX
# var CHANNELS X
#                OR
#
# var ACCESS_POINTS [XX:XX:XX:XX:XX:XX, YY:YY:YY:YY:YY:YY, ....]
# var CHANNELS [X, Y, ....]

var ACCESS_POINTS 00:09:3B:17:21:AA
var CHANNELS 6

# Configure your server lists.  This allows snort to only look for attacks
# to systems that have a service up.  Why look for HTTP attacks if you are
# not running a web server?  This allows quick filtering based on IP addresses
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.  

# List of DNS servers on your network 
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network 
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# Configure your service ports.  This allows snort to look for attacks 
# destined to a specific application only on the ports that application
# runs on.  For example, if you run a web server on port 8081, set your
# HTTP_PORTS variable like this:
#
# var HTTP_PORTS 8081
#
# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
# We will adding support for a real list of ports in the future.

# Ports you run web servers on
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

# other variables
# 
# AIM servers.  AOL has a habit of adding new AIM servers, so instead of 
# modifying the signatures when they do, we add them to this list of 
# servers.
var AIM_SERVERS
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files (this can be a relative path)
var RULE_PATH ../rules

# Configure the snort decoder:
# ============================
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
#
# Stop Alerts on T/TCP alerts
#
# config disable_ttcp_alerts
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts


# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a machine with very
# limited resources:
#

config detection: search-method lowmem


###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of 
# the form
# preprocessor <name_of_processor>: <configuration_options>

# frag2: IP defragmentation support
# -------------------------------
# This preprocessor performs IP defragmentation.  This plugin will also detect
# people launching fragmentation attacks (usually DoS) against hosts.  No
# arguments loads the default configuration of the preprocessor, which is a 
# 60 second timeout and a 4MB fragment buffer. 

# The following (comma delimited) options are available for frag2
#    timeout [seconds] - sets the number of [seconds] than an unfinished 
#                        fragment will be kept around waiting for completion,
#                        if this time expires the fragment will be flushed
#    memcap [bytes] - limit frag2 memory usage to [number] bytes
#                      (default:  4194304)
#
#    min_ttl [number] - minimum ttl to accept
# 
#    ttl_limit [number] - difference of ttl to accept without alerting
#                         will cause false positves with router flap
# 
# Frag2 uses Generator ID 113 and uses the following SIDS 
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Oversized fragment (reassembled frag > 64k bytes)
#   2       Teardrop-type attack

preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat 
# stick/snot against TCP rules.  Also performs full TCP stream 
# reassembly, stateful inspection of TCP streams, etc.  Can statefully
# detect various portscan types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
#   detect_scans - stream4 will detect stealth portscans and generate alerts
#                  when it sees them when this option is set
#   detect_state_problems - detect TCP state problems, this tends to be very
#                           noisy because there are a lot of crappy ip stack
#                           implementations out there
#
#   disable_evasion_alerts - turn off the possibly noisy mitigation of
#                            overlapping sequences.
#
#
#   min_ttl [number]       - set a minium ttl that snort will accept to
#                            stream reassembly
#
#   ttl_limit [number]     - differential of the initial ttl on a session versus
#                             the normal that someone may be playing games.
#                             Routing flap may cause lots of false positives.
# 
#   keepstats [machine|binary] - keep session statistics, add "machine" to 
#                         get them in a flat format for machine reading, add
#                         "binary" to get them in a unified binary output 
#                         format
#   noinspect - turn off stateful inspection only
#   timeout [number] - set the session timeout counter to [number] seconds,
#                      default is 30 seconds
#   memcap [number] - limit stream4 memory usage to [number] bytes
#   log_flushed_streams - if an event is detected on a stream this option will
#                         cause all packets that are stored in the stream4
#                         packet buffers to be flushed to disk.  This only 
#                         works when logging in pcap mode!
#
# Stream4 uses Generator ID 111 and uses the following SIDS 
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Stealth activity
#   2       Evasive RST packet
#   3       Evasive TCP packet retransmission
#   4       TCP Window violation
#   5       Data on SYN packet
#   6       Stealth scan: full XMAS
#   7       Stealth scan: SYN-ACK-PSH-URG
#   8       Stealth scan: FIN scan
#   9       Stealth scan: NULL scan
#   10      Stealth scan: NMAP XMAS scan
#   11      Stealth scan: Vecna scan
#   12      Stealth scan: NMAP fingerprint scan stateful detect
#   13      Stealth scan: SYN-FIN scan
#   14      TCP forward overlap

#preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4: detect_scans, detect_state_problems, keepstats,
log_flushed_streams

# tcp stream reassembly directive
# no arguments loads the default configuration 
#   Only reassemble the client,
#   Only reassemble the default list of ports (See below),  
#   Give alerts for "bad" streams
#
# Available options (comma delimited):
#   clientonly - reassemble traffic for the client side of a connection only
#   serveronly - reassemble traffic for the server side of a connection only
#   both - reassemble both sides of a session
#   noalerts - turn off alerts from the stream reassembly stage of stream4
#   ports [list] - use the space separated list of ports in [list], "all" 
#                  will turn on reassembly for all ports, "default" will turn
#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
#                  and 513

preprocessor stream4_reassemble

# http_decode: normalize HTTP requests
# ------------------------------------
# http_decode normalizes HTTP requests from remote 
# machines by converting any %XX character 
# substitutions to their ASCII equivalent. This is
# very useful for doing things like defeating hostile
# attackers trying to stealth themselves from IDSs by
# mixing these substitutions in with the request. 
# Specify the port numbers you want it to analyze as arguments.
#
# Major code cleanups thanks to rfp
#
# unicode          - normalize unicode
# iis_alt_unicode  - %u encoding from iis 
# double_encode    - alert on possible double encodings
# iis_flip_slash   - normalize \ as /
# full_whitespace  - treat \t as whitespace ( for apache )
#
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       UNICODE attack
#   2       NULL byte attack

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
iis_flip_slash full_whitespace

# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual
# 4-byte encoding that is used by default.  This preprocessor
# normalized RPC traffic in much the same way as the http_decode
# preprocessor.  This plugin takes the ports numbers that RPC 
# services are running on as arguments.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
#                            sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
#                       exceeds the current packet size

preprocessor rpc_decode: 111 32771
#preprocessor alert_fragments

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network.  Takes no arguments in 2.0.
# 
# The Back Orifice detector uses Generator ID 105 and uses the 
# following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Back Orifice traffic detected

preprocessor bo

# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from
# telnet and ftp traffic.  It works in much the same way as the 
# http_decode preprocessor, searching for traffic that breaks up
# the normal data stream of a protocol and replacing it with 
# a normalized representation of that traffic so that the "content"
# pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.
# Portscan uses Generator ID 109 and does not generate any SID currently.

preprocessor telnet_decode

# Portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen at ...849...>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings.
# Portscan uses Generator ID 100 and uses the following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Portscan detect
#   2       Inter-scan info
#   3       Portscan End

preprocessor portscan: $HOME_NET 4 3 portscan.log

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can all multiple hosts/networks
# in a whitespace-delimited list.
#
#preprocessor portscan-ignorehosts: 0.0.0.0

# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks, 
# unicast ARP requests, and specific ARP mapping monitoring.  To make use
# of this preprocessor you must specify the IP and hardware address of hosts on 
# the same layer 2 segment as you.  Specify one host IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast ARP request detection. 
# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Unicast ARP request
#   2       Etherframe ARP mismatch (src)
#   3       Etherframe ARP mismatch (dst)
#   4       ARP cache overwrite attack

preprocessor arpspoof
preprocessor arpspoof_detect_host: 10.0.1.3 00:0C:F1:OA:16:A9

# Conversation
#------------------------------------------
# This preprocessor tracks conversations for tcp, udp and icmp traffic.  It
# is a prerequisite for running portscan2.
#
# allowed_ip_protcols 1 6 17
#      list of allowed ip protcols ( defaults to any )
#
# timeout [num]
#      conversation timeout ( defaults to 60 )
#
#
# max_conversations [num] 
#      number of conversations to support at once (defaults to 65335)
#
#
# alert_odd_protocols
#      alert on protocols not listed in allowed_ip_protocols
#
preprocessor conversation: allowed_ip_protocols all, timeout 60,
max_conversations 3000
#
# Portscan2
#-------------------------------------------
# Portscan 2, detect portscans in a new and exciting way.  You must enable
# spp_conversation in order to use this preprocessor.
#
# Available options:
#       scanners_max [num] 
#       targets_max [num]
#       target_limit [num]
#       port_limit [num]
#       timeout [num]
#       log [logdir]
#
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5,
port_limit 20, timeout 60

# Too many false alerts from portscan2? Tone it down with
# portscan2-ignorehosts!
#
# A space delimited list of addresses in CIDR notation to ignore
#
# preprocessor portscan2-ignorehosts: 10.0.0.0/8 192.168.24.0/24
#

# Experimental Perf stats
# -----------------------
# No docs. Highly subject to change.
# 
# preprocessor perfmonitor: console flow events time 10


# RogueAP
#---------------------------------------------
# RogueAP detects rogue APs and AdHoc networks
# 
# Arguments:
#
# scan_flag [0 | 1]    => toggles scanning of multiple channels *NOT IMPLEMENTED*
# scan_timeout [num]   => time in seconds between channel scans *NOT IMPLEMENTED*
# expire_timeout [num] => time in seconds before a BSSID is removed from the
rogue list
#
preprocessor rogue_ap: $ACCESS_POINTS, $CHANNELS, scan_flag 1, scan_timeout
1800, expire_timeout 3600

# AntiStumbler
#---------------------------------------------
# AntiStumbler detects possible Netstumbler activity
#
# Arguments:
# 
# probe_reqs [num]     => number of probe requests that triggers an alert 
# probe_period [num]   => time period in seconds that NULL SSID probe requests
are counted
# expire_timeout [num] => time in seconds before a STA is removed from the
stumbler list
#

preprocessor antistumbler: probe_reqs 90, probe_period 30, expire_timeout 3600

####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
output alert_fast: /home/piergiorgio/snort-wireless-2.0.1-current/var/log/alert

# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments.  Win32 can also
# optionally specify a particular hostname/port.  Under Win32, the
# default hostname is '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
# output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
#output alert_syslog: LOG_AUTH LOG_ALERT
#output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
#output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
output log_tcpdump: tcpdump.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
#output database: log, mysql, user=root password=test dbname=db host=localhost
#output database: alert, postgresql, user=snort dbname=snort
#output database: log, unixodbc, user=snort dbname=snort
#output database: log, mssql, dbname=snort user=snort password=test

# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging
# and generating alerts from Snort, the "unified" format.  The
# unified format is a straight binary format for logging data 
# out of Snort that is designed to be fast and efficient.  Used
# with barnyard (the new alert/log processor), most of the overhead
# for logging and alerting to various slow storage mechanisms
# such as databases or the network can now be avoided.  
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
#    filename - base filename to write to (current time_t is appended)
#    limit    - maximum size of spool file in MB (default: 128)
#
#output alert_unified: filename snort.alert, limit 128
#output log_unified: filename snort.log, limit 128

# You can optionally define new rule types and associate one or 
# more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog
# and a mysql database.
# ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE
# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
#   (msg:"Someone is being LEET"; flags:A+;)

#
# Include classification & priority settings
#

include classification.config

#
# Include reference systems
#

include reference.config

####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own 
# custom snort rules.
#
# The rules included with this distribution generate alerts based on
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives ore may be detecting
# activity you consider to be acceptable; therefore, you are
# encouraged to comment out rules that are not applicable in your
# environment.
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply. 
#
# The following individuals contributed many of rules in this
# distribution.
#
# Credits:
#   Ron Gula <rgula at ...2357...> of Network Security Wizards
#   Max Vision <vision at ...1729...>
#   Martin Markgraf <martin at ...2358...>
#   Fyodor Yarochkin <fygrave at ...1...>
#   Nick Rogness <nick at ...11...>
#   Jim Forster <jforster at ...11...>
#   Scott McIntyre <scott at ...2359...>
#   Tom Vandepoel <Tom.Vandepoel at ...2360...>
#   Brian Caswell <bmc at ...95...>
#   Zeno <admin at ...355...>
#   Ryan Russell <ryan at ...113...>
# 
#=========================================
# Include all relevant rulesets here 
# 
# shellcode, policy, info, backdoor, and virus rulesets are 
# disabled by default.  These require tuning and maintance.  
# Please read the included specific file for more information.
#=========================================

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

include $RULE_PATH/wifi.rules











and my wifi.rules is:

# these are just for testing right now

# *NOTE* MAC addresses can be substituted for "any"


# Frame types
# ! may proceed any type argument to perform a logical NOT operation

alert wifi any -> any (msg:"Mangement Frame"; type:TYPE_MANAGEMENT;)
alert wifi any -> any (msg:"Control Frame"; type:TYPE_CONTROL;)
alert wifi any -> any (msg:"Data Frame"; type:TYPE_DATA;)


# Frame subtypes (These implicitly check the frame's type)
# ! may proceed any stype argument to perform a logical NOT operation

alert wifi any -> any (msg:"Association Request"; stype:STYPE_ASSOCREQ;)
alert wifi any -> any (msg:"Association Response"; stype:STYPE_ASSOCRESP;)
alert wifi any -> any (msg:"Reassociation Request"; stype:STYPE_REASSOC_REQ;)
alert wifi any -> any (msg:"Reassociation Response"; stype:STYPE_REASSOC_RESP;)
alert wifi any -> any (msg:"Probe Request"; stype:STYPE_PROBEREQ;)
alert wifi any -> any (msg:"Probe Response"; stype:STYPE_PROBERESP;)
alert wifi any -> any (msg:"Beacon"; stype:STYPE_BEACON;)
alert wifi any -> any (msg:"ATIM"; stype:STYPE_ATIM;)
alert wifi any -> any (msg:"Disassociation"; stype:STYPE_DISASSOC;)
alert wifi any -> any (msg:"Authentication"; stype:STYPE_AUTH;)
alert wifi any -> any (msg:"Deauthentication"; stype:STYPE_DEAUTH;)

alert wifi any -> any (msg:"Power-Save Poll"; stype:STYPE_PSPOLL;)
alert wifi any -> any (msg:"RTS"; stype:STYPE_RTS;)
alert wifi any -> any (msg:"CTS"; stype:STYPE_CTS;)
alert wifi any -> any (msg:"Ack"; stype:STYPE_ACK;)
alert wifi any -> any (msg:"CF-End"; stype:STYPE_CFEND;)
alert wifi any -> any (msg:"CF-End+CF-Ack"; stype:STYPE_CFEND_CFACK;)

alert wifi any -> any (msg:"Data"; stype:STYPE_DATA;)
alert wifi any -> any (msg:"CF-Ack"; stype:STYPE_CFACK;)
alert wifi any -> any (msg:"CF-Poll"; stype:STYPE_CFPOLL;)
alert wifi any -> any (msg:"CF-Ack+CF-Poll"; stype:STYPE_CFACK_CFPOLL;)
alert wifi any -> any (msg:"NULL Function"; stype:STYPE_NULLFUNC;)
alert wifi any -> any (msg:"CF-Ack+NULL Function"; stype:STYPE_CFACK_NULLFUNC;)
alert wifi any -> any (msg:"CF-Poll+NULL Function"; stype:STYPE_CFPOLL_NULLFUNC;)
alert wifi any -> any (msg:"CF-Ack+CF-Poll-NULL Function";
stype:STYPE_CFACK_CFPOLL_NULLFUNC;)

# Check for a match of the entire frame control field against a hex or decimal value
# ! may proceed the argument to perform a logical NOT operation

alert wifi any -> any (msg:"WEP encrypted Data frame with from_ds set";
frame_control:0x4208;)
alert wifi any -> any (msg:"WEP encrypted Data frame with from_ds set";
frame_control:16904;)


# Frame control flags
# ON, OFF, TRUE, or FALSE may be used. '!' may proceed any of these.

alert wifi any -> any (msg:"from_ds flag set"; from_ds:TRUE;)
alert wifi any -> any (msg:"to_ds flag set"; to_ds:ON;)
alert wifi any -> any (msg:"more_frags flag set"; more_frags:!FALSE;)
alert wifi any -> any (msg:"retry flag set"; retry:!OFF;)
alert wifi any -> any (msg:"pwr_mgmt flag not set"; pwr_mgmt:FALSE;)
alert wifi any -> any (msg:"more_data flag not set"; more_data:OFF;)
alert wifi any -> any (msg:"wep flag set"; wep:TRUE;)
alert wifi any -> any (msg:"order flag set"; order:TRUE;)


# These plugins will detect on frames that contain the respective field
# '!' may proceed any of these plugin arguments to perform a logical NOT operation

alert wifi any -> any (msg:"Duration/ID is 0xFF"; duration_id:0xFF;)
alert wifi any -> any (msg:"BSSID is not 00\:DE\:AD\:C0\:DE\:00";
bssid:!0x00DEADC0DE00;)

alert wifi any -> any (msg:"Sequence Number is 2345"; seqnum:2345;)


alert wifi any -> any (msg:"Sequence Number is 0xFF"; seqnum:0x00FF;)


alert wifi any -> any (msg:"Fragment Number is 12"; fragnum:12;)


alert wifi any -> any (msg:"Fragment Number is 15"; fragnum:0xF;)

alert wifi any -> any (msg:"Address 4 Field is D1\:ED\:1E\:D1\:ED\:1E";
addr4:0xD1ED1ED1ED1E;)

alert wifi any -> any (msg:"SSID is linksys"; ssid:boellahostap;)








-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6063 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20040430/028b310a/attachment.bin>


More information about the Snort-sigs mailing list