So, it took me a while to find this, and low and behold, it's on github. Props to the maintainer, linked below. That said: I am reposting the how to page because you never know when things get deleted...
alienvault-ossim/HOWTO at master · jpalanco/alienvault-ossim:
If you want to talk about what this looks like in a fully functional environment, give me a shout. You would be surprised to know what people are trying to do to your wifi.
CONFIGURATION PROCEDURE
WIDS
----
* Introduction
Organizations that require Payment Card Industry's Data Security Standard (PCI DSS) compliance need to follow a set of procedures when deploying 802.11 Wireless Local Area Networks (WLAN).
AlienVault includes a Wireless Compliance module that helps organizations that require PCI DSS compliance.
This module was developed using the information provided by Kismet, an Open Source wireless network detector, sniffer, and intrusion detection system.
The PCI DSS module includes reports and statistics needed to perform a PCI DSS audit successfully.
To run this module you must have kismet installed in your wireless sensors that feed the system with information about wireless networks in the environment that it is being monitored.
- Kismet:
Kismet is an 802.11 wireless network detector, sniffer, and intrusion detection system.
Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic (devices and drivers permitting).
Kismet also sports a plugin architecture allowing for additional non-802.11 protocols to be decoded.
Kismet identifies networks by passively collecting packets and detecting networks, which allows it to detect (and given time, expose the names of) hidden networks and the presence of non-beaconing networks via data traffic.
Kismet will work with any distribution of Linux. Currently, Linux is the recommended platform for running Kismet because it has the largest selection of rfmon capable drivers.
Kismet is distributed under the GNU General Public License.
* Requirements
In order to install Kismet in your Sensors you will need a wireless card which supports raw monitoring mode.
Kismet Documentation includes a list of known supported wireless cards:
Atmel_USB, ACX100, ADMTek, Atheros, Cisco, Prism2, Orinoco, WSP100, Drone, wtapfile, pcapfile, wrt54g, ipw2100,
rt2400, rt2500, rt73, rt8180, ipw2200, ipw2915, ipw3945, iwl3945, iwl4965, iwl5000, iwlagn, iwl5100, iwl5300, Broadcom 43xx
This tutorial was written using a Wireless Card with the RT8718 chipset. Internet connection is required when installing Kismet in the AlienVault Sensor.
This tutorial explains how to setup a remote host running Kismet (REMOTE_WIDS).
An AlienVault Sensor will collect the WIDS events from the remote Wireless Sensor.
- Location of the wireless Sensor:
When installing the wireless card you need to make sure that the Wireless Sensor will be deployed in a location in which wireless networks can be monitored.
It doesn't make sense monitoring the wireless networks in a basement, parking or from a closed rack cabinet.
* Installation
To install Kismet execute the following commands in the Linux Terminal:
# apt-get update
# apt-get install kismet firmware-*
Kismet will be installed as well as some other libraries required to run Kismet.
av-wireless-sensor# apt-get install kismet
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
libc-ares2 libcap2-bin libsmi2ldbl wireshark wireshark-common
Suggested packages:
sox festival gpsd libcap-dev snmp-mibs-downloader
The following NEW packages will be installed:
kismet libc-ares2 libcap2-bin libsmi2ldbl wireshark wireshark-common
0 upgraded, 6 newly installed, 0 to remove and 316 not upgraded.
Need to get 15.9MB of archives.
After this operation, 64.0MB of additional disk space will be used.
Do you want to continue [Y/n]? y
* Configuration
Once Kismet has been installed you will need to set the Kismet configuration based on the Chipset of the Wireless Network card being used.
You will also need to enable the Kismet plugin in the AlienVault Sensor so that AlienVault can start collecting events generated by Kismet.
- Kismet Configuration
Kismet configuration is stored in the following file:
/etc/kismet/kismet.conf
To start configuring Kismet you will need to find out which is the network interface that is being used by Kismet. To do that execute the following command:
# iwconfig
The output of the command shows all the network cards indicating wether it has been recognized as a wireless card or not. In this case our wireless card can be identified by the tag "wlan0"
av-wireless-sensor# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
wlan0 IEEE 802.11bg ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
To configure your wireless card in the Kismet main configuration file (/etc/kismet/kismet/conf) find the following line:
source=none,none,addme
and replace it based on the chipset your wireless card runs and the tag that the system has assigned to your wireless card:
source=rt8180,wlan0,wlan0-av1
Sources are defined as:
source=sourcetype,interface,name
1. sourcetype: Source types that can be used to se this configuration can be found in a README file at /usr/share/doc/kismet/README.gz (Capture Sources section).
2. interface: This is the name given by the operating system to the Wireles card (In the example wlan0)
3. name: Descriptive name to identify this source
In this case the Wireless card with the chipset RT8717 uses the source type rt8180.
Now it is time to configure the Kismet logging template. To do this find this line in /etc/kismet/kismet.conf:
logdefault=Kismet
and replace Kismet by the IP address of your Wireless Sensor (E.g: 192.168.1.133). This IP address will be used later when inserting the Wireless Sensor in the AlienVault Asset inventory:
logdefault=192.168.1.133
To configure the name of the files that Kismet will be creating find the following line in /etc/kismet/kismet.conf:
logtemplate=/var/log/kismet/%n-%d-%i.%l
and replace it using the following line:
logtemplate=/var/log/kismet/%n_%D-%i.%l
Make sure the following parameters have this values:
configdir=/var/lib/kismet/
logexpiry=3600
Make sure that the new configuration does not break Kismet, start Kismet by executing the following command in a linux terminal:
# kismet
If the configuration loads successfully Kismet will start and display a Welcome message.
Configure Rsyslog in the remote host running the WIDS to forward the events to the AlienVault Sensor:
Create the following file under /etc/rsyslog.d/
/etc/rsyslog.d/wids_alienvault.conf
with the following content:
*.* @ALIENVAULT_SENSOR_IP
and reload Rsyslog configuration in the remote host using the following command:
/etc/init.d/rsyslog reload
Finally, start Kismet in the remote host running the WIDS using the following command:
# /usr/bin/kismet_server -l xml -t REMOTE_WIDS_IP -f /etc/kismet/kismet.conf 2>&1 | logger -t REMOTE_WIDS_IP -p local7.1
- AlienVault Configuration
In the AlienVault host create a file under /etc/cron.hourly/ called kismet:
/etc/cron.hourly/kismet
with the following content:
#!/bin/bash
/usr/bin/perl /usr/share/ossim/www/wireless/fetch_kismet.pl
Copy kismet_sites.pl to a new location:
cp /usr/share/ossim/www/wireless/kismet_sites.pl /var/ossim/kismet
Edit /var/ossim/kismet/kismet_sites.pl and edit %site hash to include the Remote WIDS sensor:
$sites{'REMOTE_WIDS_IP'}='/var/log/kismet';
where you will have to replace REMOTE_IP by the IP Address of your remote WIDS Sensor. In case you are running multiple WIDS sensor just copy and paste that line as many times as required.
The AlienVault Sensor will need to have SSH access to retrieve the XML files generated by Kismet. You will need to exchange the SSH public keys between the AlienVault Sensor and the remote host running the WIDS Sensor.
To do this execute the following command in the AlienVault Sensor:
# ssh-copy-id root@REMOTE_WIDS_IP
To finish this configuration, you will need to setup your Wireless Sensors in the AlienVault Web Interface. Please refer to the User guide to learn how to setup your Wireless Sensors and locations.
Done.
No comments:
Post a Comment