
Snort Wireless Rules

Status
Not open for further replies.

molecul3

Technical User
Apr 17, 2003
HK
Hi Guys,

Does anyone here know how to configure Snort/Snort Wireless rules? I need some help as I have just started using Snort Wireless.

I want to know how to use the '!'/not operation.
I tried various methods of writing the rule down but none seems to work...
I want to display the application to check the user's MAC address with a list of MAC addresses that I have specified and trigger the alert if the connecting user does not have his MAC address listed. I would also like to display that user's MAC address.

Can anyone help me out or tell me where I can go to for help? Thanks guys

 
Go over to and to the snort project.


You can subscribe to the snort-users list and post your questions there. VERY active list, should be helpful. Unless airsnort has its own list? Anyway you can check the airsnort project page when you're over at sourceforge.

Hope that helps...
 
Post an example of the rule you are attempting to compose -

'not' in re is ! (I thought) so I'm not sure what you are looking for...

 
Hi,

I checked out SourceForge and tried posting the question there as well...but did not get any replies :p

Basically I got the rule to work but am trying to display the MAC addresses of the unauthorised users...

My current rule looks something like this

e.g.

alert wifi ![MAC Address list of authorised users] -> any (msg: "Association request from unauthorised user"; stype: STYPE_ASSOCREQ;)

The rule above triggers the alert but does not allow me to view the MAC address of that particular "unauthorised" user.

Another forum I visited told me to put the "- e" statement when executing the Snort Wireless application to enable the viewing of MAC addresses but that doesn't seem to work.

Can anyone tell me how I can log or bring up the MAC addresses of these users along with the alert message?

Thanks guys

Cheers
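
Added example, not part of the thread and not Snort Wireless code: the same check the rule above expresses (an association request whose source MAC is not on the allowlist), done directly on raw 802.11 frames so the offending MAC appears in the alert text. The allowlist, the sample frames and the function names are constructed for illustration, and each frame is assumed to start at the 802.11 header with no radiotap or Prism header in front.

```python
# Added example: the rule's logic (association request from a source MAC that
# is not on the allowlist) applied to raw 802.11 frames, reporting the MAC.
# Assumption: each frame starts at the 802.11 header (no radiotap/Prism header).

AUTHORISED = {"00:11:22:33:44:55", "00:11:22:33:44:66"}  # constructed allowlist


def norm_mac(text):
    """Normalise 00-11-22.., 0011.2233.., 00:11:22.. to lower-case colon form."""
    digits = "".join(c for c in text.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_frame(frame, allowlist=AUTHORISED):
    """Return an alert line naming the offending MAC, or None if no alert."""
    if len(frame) < 24:                      # shorter than a management header
        return None
    fc0 = frame[0]                           # first Frame Control byte
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, fc0 >> 4
    if (version, ftype, subtype) != (0, 0, 0):   # management / association request
        return None
    src = norm_mac(frame[10:16].hex())       # Address 2 = transmitter (the client)
    bssid = norm_mac(frame[16:22].hex())     # Address 3 = BSSID
    if src in {norm_mac(m) for m in allowlist}:
        return None
    return f"Association request from unauthorised user src={src} bssid={bssid}"


def build_mgmt(subtype, dst, src, bssid):
    """Build a constructed 24-byte management header for the sample input."""
    addrs = b"".join(bytes.fromhex(norm_mac(m).replace(":", "")) for m in (dst, src, bssid))
    return bytes([subtype << 4, 0]) + b"\x00\x00" + addrs + b"\x00\x00"


AP = "00:aa:bb:cc:dd:01"                     # constructed access point address
SAMPLES = [                                  # constructed frames
    build_mgmt(0, AP, "00:11:22:33:44:55", AP),   # authorised association request
    build_mgmt(0, AP, "DE-AD-BE-EF-00-01", AP),   # unknown client
    build_mgmt(8, "ff:ff:ff:ff:ff:ff", AP, AP),   # beacon, ignored
]

if __name__ == "__main__":
    for frame in SAMPLES:
        alert = check_frame(frame)
        if alert:
            print(alert)
```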
 