This blog has several entries about security in 802.11 networks. Moreover, one of the projects we are working on covers this very topic. You can check the whole list in this blog. For the mentioned project, a WIFI IDS has been developed and is now publicly released.

The software gathers from an 802.11 wireless interface that is able to sniff frames and add radiotap headers to them. This traffic is processed by the IDS. There is a brief explanation on how to set up an Atheros wireless card (the ones we used) properly. In this screenshot, Wireshark shows an interface ready to sniff traffic.

This is a rules based IDS written in Python. There is a document enclosed with the code that describes its capabilities and how it works.

Configuration is made by a single XML file that holds the rules. Generally speaking a rule is a boolean expression that includes fields read from the 802.11 and physical headers. It is esasier to understand with an example:

dot11.type=0 and (dot11.subtype=10 or dot11.subtype=12) and dot11.destination_addr=ff:ff:ff:ff:ff:ff

This expression checks if the captured frame is a management one (dot11.type=0), it is a deauthentication or desassociation frame (dot11.subtype=10 or dot11.subtype=12) and it was sent to the broadcast address (dot11.destination_addr=ff:ff:ff:ff:ff:ff). Whenever this kind of traffic is seen, the IDS generates an alert.

Instead of checking a single boolean expression, complex rules can check a series of them. This way, attacks that need different consecutive actions to be performed can be detected. Other kind of complex rules determines how many times per second an specific kind of frames (defined by a boolean expression) is seen. Depending on that rate, alerts are issued. It makes detecting DOS and systematic reinjection easy.

An alert can have different meanings, depending on the configuration. An alert can be shown on the screen, written in a file, sent thorough the network, stored in a database, kept in a log using syslog or any combination of these actions.

This IDS an also be used to keep an eye on our access points. Some parameters are automatically checked and serious security issues are alerted as soon as they happen.

There are more features that you can check. If you are familiar with the 802.11 protocol, you can easily write your own rules and s long as you respect the license, you are completely free to use and modify the source code. We would really like you to download the software and comment any suggestion, doubt or idea in this blog or by sending us an e-mail.

Patxi Astiz
S21sec labs

Deja un comentario