Snort-Wireless
Anyone have any experience with snort-wireless they want to share...
I have this thing set up and running with MySQL and syslog, and it does log normal alerts fine when it is running on my Ethernet card!!! But when I set it to work on my wireless card I don't get any alerts. I turn on rogue access points and such and I get nothing!!! I have all of the preprocessors uncommented in the snort.conf. I also uncommented all the rules in the WiFi rules file. I have made no changes to these rules, so they should be set so that everything triggers an alert. The wireless card I set to (iwconfig wifi0 mode Master). I didn't do anything else to the card, and that may be the problem; I am not sure if I need to do more... I have tried a Cisco Aironet card and an Intel PRO/Wireless so far. I have access to Atheros and Orinoco cards as well, but the Cisco should definitely work. Current OS: Slackware 10.2. snort-wireless: newest version, http://snort-wireless.org/ |
I *think* your card needs to be in monitor mode. Try
iwpriv $DEVICE
(where $DEVICE is your wireless card, i.e. eth1 or eth0, etc.). If you don't see a line like
monitor (8BE8) : set 2 int & get 0
(it has to feature "monitor"; the specifics can vary), your wireless NIC driver is incapable of monitor mode. If you do see a monitor mode, these two commands:
/sbin/iwpriv $DEVICE monitor 1 $CHANNEL
/sbin/ifconfig $DEVICE promisc up
should enable monitoring. |
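The check and the two enabling commands from the reply above, as an added example that is not part of the original thread or of snort-wireless: a small POSIX sh script that inspects an `iwpriv` listing for a private "monitor" ioctl and, only if one is advertised, prints the commands that would put the card into monitor mode on a given channel. The two `iwpriv` listings embedded in the script are constructed samples (the hex ioctl numbers and neighbouring entries differ between drivers); the function names are this example's own, and nothing is executed against a real card unless you pass a device and channel on the command line.

```shell
#!/bin/sh
# Added example, not code from the thread or from snort-wireless.
# Checks an `iwpriv $DEVICE` listing for a "monitor" private ioctl and
# prints the commands that would enable monitor mode on a channel.

# Constructed sample of `iwpriv eth1` output for a driver that exposes
# a monitor ioctl (the 8BE8 number and other entries vary by driver).
SAMPLE_WITH_MONITOR='eth1      Available private ioctls :
          monitor          (8BE8) : set   2 int   & get   0
          get_rid          (8BE9) : set   1 int   & get  32 byte'

# Constructed sample for a driver that exposes no monitor ioctl.
SAMPLE_WITHOUT_MONITOR='eth1      Available private ioctls :
          set_rts          (8BE2) : set   1 int   & get   0'

# has_monitor_ioctl LISTING
# Returns 0 (true) when LISTING contains a private ioctl named "monitor"
# that takes integer arguments, 1 otherwise.
has_monitor_ioctl() {
    printf '%s\n' "$1" | grep -Eq \
      '^[[:space:]]*monitor[[:space:]]+\([0-9A-Fa-f]+\)[[:space:]]*:[[:space:]]*set[[:space:]]+[0-9]+[[:space:]]+int'
}

# monitor_commands DEVICE CHANNEL
# Prints, one per line, the two commands from the reply that switch DEVICE
# into monitor mode on CHANNEL. Nothing is executed, so you can review first.
monitor_commands() {
    dev=$1
    chan=$2
    case $chan in
        ''|*[!0-9]*)
            echo "channel must be a positive integer, got '$chan'" >&2
            return 2 ;;
    esac
    printf '/sbin/iwpriv %s monitor 1 %s\n' "$dev" "$chan"
    printf '/sbin/ifconfig %s promisc up\n' "$dev"
}

# prepare_monitor DEVICE CHANNEL LISTING
# Prints the enabling commands only when the driver advertises monitor
# mode; returns 1 (and explains on stderr) when it does not.
prepare_monitor() {
    if has_monitor_ioctl "$3"; then
        monitor_commands "$1" "$2"
    else
        echo "$1: no 'monitor' private ioctl listed; monitor mode unavailable" >&2
        return 1
    fi
}

# Stand-alone use: `sh this.sh eth1 6` queries the live driver (needs iwpriv
# and usually root); with no arguments it runs against the two samples.
if [ $# -eq 2 ] && command -v iwpriv >/dev/null 2>&1; then
    prepare_monitor "$1" "$2" "$(iwpriv "$1" 2>&1)"
else
    prepare_monitor eth1 6 "$SAMPLE_WITH_MONITOR"
    prepare_monitor eth1 6 "$SAMPLE_WITHOUT_MONITOR" || true
fi
```

Pipe the printed commands into `sh` only after confirming the channel matches the AP you want snort-wireless to watch; a card in monitor mode on the wrong channel sees nothing, which looks exactly like the "no alerts" symptom in the original post.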
Thanks, the iwconfig eth1 m monitor and the ifconfig promisc did the trick!!!!!!!!!! Now I just need to find a patch for MySQL support for wireless alerts on the newest release; I haven't seen one yet. |