
Wednesday, March 25, 2015

OSSIM WIDS howto

So, it took me a while to find this, and lo and behold, it's on github.  Props to the maintainer, linked below.  That said: I am reposting the how-to page because you never know when things get deleted...

alienvault-ossim/HOWTO at master · jpalanco/alienvault-ossim:

If you want to talk about what this looks like in a fully functional environment, give me a shout.  You would be surprised to know what people are trying to do to your wifi.







CONFIGURATION PROCEDURE



WIDS

----



* Introduction



  Organizations that require Payment Card Industry Data Security Standard (PCI DSS) compliance need to follow a set of procedures when deploying 802.11 Wireless Local Area Networks (WLAN).

  AlienVault includes a Wireless Compliance module that helps organizations that require PCI DSS compliance.

  This module was developed using the information provided by Kismet, an Open Source wireless network detector, sniffer, and intrusion detection system.

  The PCI DSS module includes reports and statistics needed to perform a PCI DSS audit successfully.

  To run this module you must have Kismet installed on the wireless sensors that feed the system with information about the wireless networks in the environment being monitored.



  - Kismet:



    Kismet is an 802.11 wireless network detector, sniffer, and intrusion detection system.

    Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic (devices and drivers permitting).

    Kismet also sports a plugin architecture allowing for additional non-802.11 protocols to be decoded.

    Kismet identifies networks by passively collecting packets and detecting networks, which allows it to detect (and given time, expose the names of) hidden networks and the presence of non-beaconing networks via data traffic.

    Kismet will work with any distribution of Linux. Currently, Linux is the recommended platform for running Kismet because it has the largest selection of rfmon capable drivers.

    Kismet is distributed under the GNU General Public License.





* Requirements



  In order to install Kismet on your Sensors you will need a wireless card which supports raw monitoring mode.

  Kismet Documentation includes a list of known supported wireless cards:

 

        Atmel_USB, ACX100, ADMTek, Atheros, Cisco, Prism2,  Orinoco, WSP100, Drone, wtapfile, pcapfile, wrt54g, ipw2100,

        rt2400, rt2500, rt73, rt8180, ipw2200, ipw2915, ipw3945, iwl3945, iwl4965, iwl5000, iwlagn, iwl5100, iwl5300, Broadcom 43xx

   

    This tutorial was written using a wireless card with the RT8718 chipset. An Internet connection is required when installing Kismet on the AlienVault Sensor.

    This tutorial explains how to setup a remote host running Kismet (REMOTE_WIDS).

    An AlienVault Sensor will collect the WIDS events from the remote Wireless Sensor.



  - Location of the wireless Sensor:



When installing the wireless card you need to make sure that the Wireless Sensor will be deployed in a location from which the wireless networks of interest can actually be monitored.

It makes no sense to monitor wireless networks from a basement, a parking garage or a closed rack cabinet.





* Installation



  To install Kismet execute the following commands in the Linux Terminal:

 

    # apt-get update

    # apt-get install kismet firmware-*

 

  Kismet will be installed as well as some other libraries required to run Kismet.

 

    av-wireless-sensor# apt-get install kismet

    Reading package lists... Done

    Building dependency tree      

    Reading state information... Done

    The following extra packages will be installed:

      libc-ares2 libcap2-bin libsmi2ldbl wireshark wireshark-common

    Suggested packages:

      sox festival gpsd libcap-dev snmp-mibs-downloader

    The following NEW packages will be installed:

      kismet libc-ares2 libcap2-bin libsmi2ldbl wireshark wireshark-common

    0 upgraded, 6 newly installed, 0 to remove and 316 not upgraded.

    Need to get 15.9MB of archives.

    After this operation, 64.0MB of additional disk space will be used.

    Do you want to continue [Y/n]? y





* Configuration



  Once Kismet has been installed you will need to set the Kismet configuration based on the chipset of the wireless network card being used.

  You will also need to enable the Kismet plugin in the AlienVault Sensor so that AlienVault can start collecting events generated by Kismet.

 

  - Kismet Configuration

 

    Kismet configuration is stored in the following file:

 

      /etc/kismet/kismet.conf

 

    To start configuring Kismet you will need to find out which network interface Kismet will use. To do that execute the following command:

   

      # iwconfig

   

    The output of the command shows all the network cards, indicating whether each one has been recognized as a wireless card or not. In this case our wireless card is the interface named "wlan0".

   

      av-wireless-sensor# iwconfig

      lo        no wireless extensions.



      eth0      no wireless extensions.



      wlan0     IEEE 802.11bg  ESSID:off/any

                Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm  

                Retry  long limit:7   RTS thr:off   Fragment thr:off

                Encryption key:off

                Power Management:off

   

    To configure your wireless card in the Kismet main configuration file (/etc/kismet/kismet.conf) find the following line:

   

      source=none,none,addme

     

    and replace it based on the chipset of your wireless card and the interface name that the system has assigned to it:

   

      source=rt8180,wlan0,wlan0-av1

     

    Sources are defined as:

   

      source=sourcetype,interface,name

     

      1. sourcetype: the capture source type. The source types that can be used in this setting are listed in the Capture Sources section of /usr/share/doc/kismet/README.gz.

      2. interface: the name given by the operating system to the wireless card (wlan0 in the example)

      3. name: a descriptive name to identify this source

     

    In this case the wireless card used for this tutorial (the RT8718 chipset named above) uses the source type rt8180.

    Now it is time to configure the Kismet logging template. To do this find this line in /etc/kismet/kismet.conf:

   

      logdefault=Kismet

     

    and replace Kismet with the IP address of your Wireless Sensor (e.g. 192.168.1.133). This IP address will be used later when inserting the Wireless Sensor in the AlienVault Asset inventory, and it also becomes the %n part of the log file names defined below:

   

      logdefault=192.168.1.133

     

    To configure the name of the files that Kismet will be creating find the following line in /etc/kismet/kismet.conf:

   

      logtemplate=/var/log/kismet/%n-%d-%i.%l

     

    and replace it using the following line:

   

      logtemplate=/var/log/kismet/%n_%D-%i.%l

     

    Make sure the following parameters have these values:

   

      configdir=/var/lib/kismet/

      logexpiry=3600

     

    To make sure that the new configuration does not break Kismet, start Kismet by executing the following command in a Linux terminal:

   

      # kismet

     

    If the configuration loads successfully Kismet will start and display a Welcome message.

    Configure Rsyslog in the remote host running the WIDS to forward the events to the AlienVault Sensor:

    Create the following file under /etc/rsyslog.d/

   

      /etc/rsyslog.d/wids_alienvault.conf

   

    with the following content:

   

      *.*                             @ALIENVAULT_SENSOR_IP

    A single @ forwards over UDP, so the events leave the host unencrypted and unacknowledged. Note also that the selector *.* forwards every syslog message generated on the WIDS host, not only the Kismet output; the kismet_server command below logs with the facility local7, so the selector can be narrowed to that facility if only the WIDS events should be forwarded to the AlienVault Sensor.

     

    and reload Rsyslog configuration in the remote host using the following command:

   

      /etc/init.d/rsyslog reload

     

    Finally, start Kismet in the remote host running the WIDS using the following command:

   

      # /usr/bin/kismet_server -l xml -t REMOTE_WIDS_IP -f /etc/kismet/kismet.conf 2>&1 | logger -t REMOTE_WIDS_IP  -p local7.1
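    The steps above (kismet.conf edits, rsyslog forwarding rule, kismet_server started with its output tagged local7) are easy to get subtly wrong, and a wrong logdefault or logtemplate only shows up later as missing XML files on the AlienVault side. The following pre-flight script is an added example written for this page; it is not part of the original HOWTO, AlienVault or Kismet. It checks a kismet.conf for the exact values the HOWTO requires and checks that the rsyslog fragment forwards the local7 facility (or everything) to the sensor IP over UDP (@) or TCP (@@), warning about the catch-all selector. The config paths, the interface name and the sensor IP are passed in by the caller (assumed, not from the page), and the sample configs at the bottom are constructed so the checks can be exercised offline.

```sh
#!/bin/sh
# Added example, not part of the original HOWTO, AlienVault or Kismet:
# pre-flight checks for the remote WIDS host before kismet_server is started.
# Assumptions (mine, not the page's): the caller passes the config paths, the
# wireless interface name and the AlienVault Sensor IP; exit status 0 = all good.

# check_kismet_conf CONF IFACE
# Verifies the edits the HOWTO asks for in /etc/kismet/kismet.conf.
check_kismet_conf() {
    conf="$1"
    iface="$2"
    rc=0
    # The shipped placeholder "source=none,none,addme" means no capture source.
    if grep -q '^source=none,none,addme' "$conf"; then
        echo "FAIL: $conf still contains the placeholder capture source"
        rc=1
    fi
    # Exactly one "source=type,iface,name" line for our interface.
    n=$(grep -Ec "^source=[A-Za-z0-9_]+,${iface},[A-Za-z0-9_-]+\$" "$conf" || true)
    if [ "$n" -ne 1 ]; then
        echo "FAIL: expected one source line for $iface, found $n"
        rc=1
    fi
    # logdefault becomes %n in the log file names and must match the IP entered
    # for this sensor in the AlienVault asset inventory.
    if ! grep -Eq '^logdefault=([0-9]{1,3}\.){3}[0-9]{1,3}$' "$conf"; then
        echo "FAIL: logdefault is not an IPv4 address"
        rc=1
    fi
    # Literal settings the HOWTO requires, matched as whole lines.
    for want in 'logtemplate=/var/log/kismet/%n_%D-%i.%l' \
                'configdir=/var/lib/kismet/' \
                'logexpiry=3600'; do
        if ! grep -qxF "$want" "$conf"; then
            echo "FAIL: missing line: $want"
            rc=1
        fi
    done
    return $rc
}

# check_rsyslog_forward CONF SENSOR_IP
# The HOWTO's "*.*  @SENSOR" rule forwards every syslog message over UDP.
# Accept a rule that sends the local7 facility (what "logger -p local7.1" uses)
# or everything to the sensor over UDP (@) or TCP (@@); warn on the catch-all.
check_rsyslog_forward() {
    conf="$1"
    sensor_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    rc=0
    if grep -Eq "^\*\.\*[[:space:]]+@{1,2}${sensor_re}" "$conf"; then
        echo "WARN: catch-all *.* rule ships every local log line to $2"
    fi
    if ! grep -Eq "^(\*|local7)\.\*[[:space:]]+@{1,2}${sensor_re}(:[0-9]+)?[[:space:]]*\$" "$conf"; then
        echo "FAIL: no rule forwarding local7 (or *.*) to $2"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not captured from a real host) so the checks
# can be exercised offline; the "good" ones mirror the values in the HOWTO.
write_samples() {
    dir="$1"
    cat > "$dir/kismet.good.conf" <<'EOF'
source=rt8180,wlan0,wlan0-av1
logdefault=192.168.1.133
logtemplate=/var/log/kismet/%n_%D-%i.%l
configdir=/var/lib/kismet/
logexpiry=3600
EOF
    cat > "$dir/kismet.bad.conf" <<'EOF'
source=none,none,addme
logdefault=Kismet
logtemplate=/var/log/kismet/%n-%d-%i.%l
configdir=/var/lib/kismet/
logexpiry=3600
EOF
    printf 'local7.*    @@192.168.1.10:514\n' > "$dir/rsyslog.good.conf"
    printf '*.*    @192.168.1.99\n' > "$dir/rsyslog.bad.conf"
}

# Usage on a real WIDS host (paths are the ones the HOWTO uses):
#   sh wids_preflight.sh /etc/kismet/kismet.conf wlan0 \
#       /etc/rsyslog.d/wids_alienvault.conf ALIENVAULT_SENSOR_IP
if [ "$#" -eq 4 ]; then
    check_kismet_conf "$1" "$2" && check_rsyslog_forward "$3" "$4" \
        && echo "OK: ready to start kismet_server"
fi
```

    Run it before starting kismet_server; a FAIL line names the setting to fix, and a WARN only flags the catch-all selector, which still works but forwards more than the WIDS events.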

   

 

  - AlienVault Configuration



    In the AlienVault host create a file under /etc/cron.hourly/ called kismet:

   

      /etc/cron.hourly/kismet

   

    with the following content (and make the file executable, otherwise run-parts will skip it):

 

      #!/bin/bash

      /usr/bin/perl /usr/share/ossim/www/wireless/fetch_kismet.pl



    Copy kismet_sites.pl to a new location (create the /var/ossim/kismet directory first if it does not exist):



      cp /usr/share/ossim/www/wireless/kismet_sites.pl /var/ossim/kismet



    Edit /var/ossim/kismet/kismet_sites.pl and edit the %sites hash to include the remote WIDS sensor:



      $sites{'REMOTE_WIDS_IP'}='/var/log/kismet';



    where you will have to replace REMOTE_WIDS_IP with the IP address of your remote WIDS Sensor. In case you are running multiple WIDS sensors just copy and paste that line as many times as required, one per sensor.



   

    The AlienVault Sensor will need SSH access to the remote host to retrieve the XML files generated by Kismet. The AlienVault Sensor's SSH public key must be installed in the authorized keys of the account it logs in with on the remote WIDS host (the HOWTO uses root; a dedicated account with read access to /var/log/kismet is the least-privilege alternative).



    To do this execute the following command in the AlienVault Sensor:

   

      # ssh-copy-id root@REMOTE_WIDS_IP

   

   

    To finish this configuration, you will need to setup your Wireless Sensors in the AlienVault Web Interface. Please refer to the User guide to learn how to setup your Wireless Sensors and locations.





Done.