How To: Sniffing the Air

Setting up

Before you begin, you need a system that is capable of not only running Snort, but also acting as a wireless access point. The cheapest way to do this is with the venerable Linksys WRT54G wireless router [reviewed here]. The WRT54G runs open source firmware that can be replaced with many alternative distros that offer enhanced capabilities - including running Snort. Alternatively, if you have a spare machine, a wireless card, a normal Ethernet adaptor, and a lot of spare time, you can set it up as an access point.

Figure 3: Linksys WRT54G

This article will use examples using a WRT54G router running OpenWRT RC 2 (codenamed 'White Russian'). There are many Linux distributions for wireless routers available (something I hope to cover in a future article), but I chose OpenWRT because it is simple, lightweight, and comes with a package system similar to Debian Linux.

Figure 4: OpenWRT in action

Disclaimer: Loading OpenWRT, Snort Wireless or other alternative firmware onto your WRT54G will void your warranty.

TomsNetworking, Tom's Guides Publishing and I are not responsible for any damage that the information in this article may cause to your WRT54G.

So download a copy of the current firmware before you start, and don't go trying to get help from Linksys if you break it.

I won't go into the details of installing OpenWRT, since there is very good installation documentation on the OpenWRT website. Once the install is complete, you can Telnet into the router [instructions here] and poke around.

Once OpenWRT has been set up on the router, the Snort Wireless program may be downloaded and installed. This can be done through OpenWRT's aforementioned package manager system, ipkg, with the following command:

ipkg install http://nthill.free.fr/openwrt/ipkg/testing/20041204/snort-wireless_2.1.1-1_mipsel.ipk

Note that this package is nearly a year out of date. This is all right, as all of the basic functionality that we want in an IDS is still there, and all of the latest Snort rulesets may be downloaded with ipkg (see the OpenWRT tracker page for details on the latest packages). For those of you running a dedicated machine as an access point, you can get a copy of the Snort Wireless source and compile that on the machine. Take special care to add the --enable-wireless flag when you configure, otherwise the Wi-Fi-specific preprocessors will not function.

Snort Wireless works in a similar way to Snort itself, but is intended to be deployed on a wireless access point to defend against wireless attacks. In particular, it contains a new rule protocol (named wifi) that lets the IDS properly identify traffic associated with common wireless attacks, such as Netstumbler traffic or WEP cracking attempts. Writing rules with the wifi protocol follows the same pattern as writing normal Snort rules, with one notable exception: instead of specifying the IP addresses and ports of the source and destination hosts, their MAC addresses are used.
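As an added illustration (not code from the article or from the Snort Wireless project), the small Python parser below applies the header difference just described: an ordinary Snort rule header carries addresses and ports, while a wifi rule header carries MAC addresses (or any) and no ports. The two sample rules are constructed for this example, and no wifi rule option keywords beyond msg are assumed.

```python
import re

# Assumed header shapes, based on the article's description:
#   IP rule:   action proto src sport -> dst dport (options)
#   wifi rule: action wifi  <mac|any>  -> <mac|any>  (options)
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
ACTIONS = {"alert", "log", "pass"}

# Constructed sample rules (not taken from any Snort Wireless ruleset).
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"web request";)',
    'alert wifi 00:DE:AD:BE:EF:00 -> any (msg:"frames from a flagged client";)',
]


def parse_endpoint(field, proto):
    """Validate one endpoint; wifi endpoints must be a MAC address or 'any'."""
    if field == "any":
        return {"addr": "any"}
    if proto == "wifi":
        if not MAC_RE.match(field):
            raise ValueError(f"wifi rule needs a MAC address, got {field!r}")
        return {"addr": field.lower()}
    return {"addr": field}  # IP rules may use variables such as $HOME_NET


def parse_header(rule):
    """Split a rule into its header fields; wifi headers carry no ports."""
    header, _, options = rule.partition("(")
    parts = header.split()
    if len(parts) < 2 or parts[0] not in ACTIONS:
        raise ValueError("bad or missing rule action")
    action, proto = parts[0], parts[1]
    if proto == "wifi":
        if len(parts) != 5 or parts[3] not in ("->", "<>"):
            raise ValueError("wifi header must be: action wifi <mac|any> -> <mac|any>")
        result = {"action": action, "proto": proto,
                  "src": parse_endpoint(parts[2], proto), "dir": parts[3],
                  "dst": parse_endpoint(parts[4], proto)}
    else:
        if len(parts) != 7 or parts[4] not in ("->", "<>"):
            raise ValueError("IP header must be: action proto src sport -> dst dport")
        result = {"action": action, "proto": proto,
                  "src": parse_endpoint(parts[2], proto), "sport": parts[3],
                  "dir": parts[4],
                  "dst": parse_endpoint(parts[5], proto), "dport": parts[6]}
    msg = re.search(r'msg:\s*"([^"]*)"', options)
    result["msg"] = msg.group(1) if msg else None
    return result


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(parse_header(rule))
```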