[Snort-users] Wireless IDS setup experience

sam wun sam.wun at ...12784...
Fri Feb 18 01:47:53 EST 2005

Hi, I got snort 2.30, which mentioned it supports wirelesss IDS:
# grep -r wireless *
work/snort-2.3.0/ChangeLog:      - wireless arp printing fix
work/snort-2.3.0/src/decode.c: * Purpose: Decode those fun loving 
wireless LAN packets, one at a time!
work/snort-2.3.0/src/decode.c:    /* lay the wireless structure over the 
packet data */
work/snort-2.3.0/src/decode.h:    WifiHdr *wifih;         /* wireless 
LAN header */
work/snort-2.3.0/src/log.c:             * wireless protocol */
work/snort-2.3.0/src/snort.h:  /* wireless statistics */
DLT_IEEE802_11      105     /* IEEE 802.11 wireless */
work/snort-2.3.0/doc/Makefile.am:README.wireless PROBLEMS RULES.todo 
WISHLIST faq.pdf faq.tex
work/snort-2.3.0/doc/Makefile.in:README.wireless PROBLEMS RULES.todo 
WISHLIST faq.pdf faq.tex
work/snort-2.3.0/doc/signatures/1966.txt:This event is generated when an 
attempt is made to discover sensitive information associated with a 
Global Sun Technology wireless access point.

And the README.wireless said that:
Regular Snort, wireless interface:
To use Snort over a wireless interface in RFMON mode, simply set the
card to that mode and start snort with the usual -i <interface>
flag. How is sniffing in RFMON mode different from sniffing in
Ethernet emulation mode (that is, the mode the card is usually in when
you are operating on your own network)? In RFMON mode the card is
associated with no particular network, rather it listens to all
traffic it can see from any device using 802.11 within range. Similar
to using different Virtual LANs on the same piece of wire, many 802.11
networks operate in the same area. For those interested in
monitoring only their own network, it is recommended that they leave
their wireless card in Ethernet emulation mode. This is no different
than snort in the wired environment (and, in fact snort won't even
know the difference). For those interested in monitoring all wireless
networks within range, RFMON mode should be used.


I m not sure if snort-wireless had already integrated into snort.2.30.


sam wun wrote:

> Thanks for a quick reply.
> Which Wireless server PCI cards can be used?
> Thanks
> Sam
> William Fitzgerald wrote:
>> I have just set one up.
>> Yes it can detect RougueAP, Antistumbler traffic along with auth and
>> deauth flood attacks.
>> Grab a copy of snort-2.1.1 then got to snort-wireless.org and grap both
>> the snort-2.1.1 wirless patch and the snort-2.1.1 database patch.
>> Below is the list of software I needed:
>> MySQL: mysql-standard-4.1.9-pc-linux-gnu-i686
>> Automake: automake-1.6.1 Snort: snort-2.1.1 Snort-Wireless patches: 
>> Snort-2.1.1-wireless Zlib: zlib-1.2.1 [7]    JPEG: jpeg-6b Libpng: 
>> libpng-1.2.8 GD: gd-2.0.33 Apache: httpd-2.0.52
>> PHP: php-4.3.10
>> ADODB: adodb460 ACID: acid-0.9.6b23 PHPLOT: phplot-5.0rc2 JPGRAPH: 
>> jpgraph-1.17 BASE: base-1.0.1 Linux: Debian Linux
>> Regards,
>> Will.
>> Mr.William M. Fitzgerald (MSc,BSc),
>> Applied Researcher,
>> Telecommunications Software & Systems Group,
>> Waterford Institute of Technology,
>> Cork Rd.
>> Waterford.
>> Office Ph: +353 51 302937
>> Mobile Ph: +353 87 9527083
>> Web: www.williamfitzgerald.org/
>> Hi,
>> Does anyone have experience in setting up snort as a wireless IDS? I m
>> wondering whether snort can be used to monitor for rogus AP access. What
>> can be used as a wireless monitoring console? Is there any documentation
>> I can read on?
>> Thanks
>> Sam

More information about the Snort-users mailing list