Snort-Wireless
==============

Copyright (c) 2003 Andrew Lockhart

Any feedback, bug reports, feature requests, etc. are welcome at
andrew@snort-wireless.org. If you'd like to help in any way, feel free to
contact me. I'll try to respond ASAP.

"wifi" Protocol Rules
=====================

Snort at present does not contain direct support for rule-based detection of
anything below the IP layer. It is possible in Snort 2.0.x to match byte
patterns in a packet, but it is not very straightforward, and writing
detection rules this way is very time-consuming.

Rules for detecting particular 802.11 frames are specified using the
following syntax:

    wifi -> ()

The 802.11 plugins are in src/detection-plugins and their filenames begin
with sp_wifi_. Each plugin should have documentation for it in the comments
at the top of its source file. A complete set of example rules is being
prepared for the next release.

-Bugs-

 * Only the alert and log actions have been tested
 * Only the first matching rule triggers an alert
 * Alerts logged to a database do not show up in ACID - this is because they
   lack an IP header

RogueAP Preprocessor
====================

The RogueAP preprocessor detects both rogue APs and AdHoc networks. To
configure it, you'll need to first specify your APs' BSSIDs and the channels
they operate on in your snort.conf file using the ACCESS_POINTS and CHANNELS
variables.

    # Single AP
    var ACCESS_POINTS XX:XX:XX:XX:XX:XX

    # Multiple APs
    var ACCESS_POINTS [XX:XX:XX:XX:XX:XX, YY:YY:YY:YY:YY:YY, ....]

    # Single channel
    var CHANNELS X

    # Multiple channels
    var CHANNELS [X, Y, ...]
The preprocessor is activated by specifying the following in your snort.conf:

    preprocessor rogue_ap: $ACCESS_POINTS, $CHANNELS, scan_flag [0 | 1], \
                           scan_timeout [num], expire_timeout [num]

 * scan_flag - toggles scanning of multiple channels *NOT IMPLEMENTED*
 * scan_timeout - time in seconds between channel scans *NOT IMPLEMENTED*
 * expire_timeout - time in seconds before a BSSID is removed from the rogue
   list

AntiStumbler Preprocessor
=========================

The AntiStumbler preprocessor attempts to detect Netstumbler-like traffic. It
does this by keeping track of probe request frames sent with NULL SSID fields.

The preprocessor is activated by specifying the following in your snort.conf:

    preprocessor antistumbler: probe_reqs [num], probe_period [num], \
                               expire_timeout [num]

 * probe_reqs - number of probe requests that triggers an alert
 * probe_period - time period in seconds over which the NULL SSID probe
   request count is maintained
 * expire_timeout - time in seconds before a STA is removed from the stumbler
   list
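To make the two preprocessors' detection logic concrete, here is an added example (it is not part of Snort-Wireless, and is in Python rather than the plugins' C) that runs a model of rogue_ap and antistumbler over a constructed capture. The frame tuple layout, the sample addresses and SSIDs, and the assumption that an authorised BSSID beaconing on an unlisted channel also counts as rogue are mine, not the README's.

```python
from collections import defaultdict, deque

# Authorised APs (constructed), as the ACCESS_POINTS / CHANNELS variables in snort.conf list them.
ACCESS_POINTS = {"00:11:22:33:44:55"}
CHANNELS = {1, 6, 11}
# Constructed capture: (timestamp, frame type, source/BSSID, channel, SSID, IBSS flag).
FRAMES = [
    (0.0, "beacon", "00:11:22:33:44:55", 6, "corp", False),      # authorised AP
    (0.1, "beacon", "de:ad:be:ef:00:01", 6, "linksys", False),   # unknown BSSID
    (0.2, "beacon", "de:ad:be:ef:00:01", 6, "linksys", False),   # same rogue, still listed
    (0.3, "beacon", "02:aa:bb:cc:dd:ee", 11, "adhoc", True),     # AdHoc (IBSS) network
    (1.0, "probe_req", "00:0c:29:11:22:33", 6, "", False),       # NULL-SSID probes ...
    (1.5, "probe_req", "00:0c:29:11:22:33", 6, "", False),
    (2.0, "probe_req", "00:0c:29:11:22:33", 6, "", False),       # ... third one within period
    (2.5, "probe_req", "00:0c:29:44:55:66", 6, "corp", False),   # directed probe, benign
    (61.0, "beacon", "de:ad:be:ef:00:01", 6, "linksys", False),  # expire_timeout has passed
]

def rogue_ap(frames, expire_timeout):
    """Model of rogue_ap: a beacon from an unlisted BSSID or channel, or from an AdHoc
    network, is rogue; the BSSID stays on the rogue list for expire_timeout seconds."""
    rogues, alerts = {}, []
    for ts, ftype, bssid, channel, _ssid, ibss in frames:
        if ftype != "beacon":
            continue
        reason = ("adhoc network" if ibss else
                  "unknown bssid" if bssid not in ACCESS_POINTS else
                  "unexpected channel" if channel not in CHANNELS else None)
        if reason and not (bssid in rogues and ts - rogues[bssid] < expire_timeout):
            rogues[bssid] = ts  # (re)list it; repeats within expire_timeout are suppressed
            alerts.append(f"{ts}: ROGUE_AP {bssid} ch{channel}: {reason}")
    return alerts

def antistumbler(frames, probe_reqs, probe_period, expire_timeout):
    """Model of antistumbler: alert when one STA sends probe_reqs NULL-SSID probe requests
    within probe_period seconds, then hold it on the stumbler list for expire_timeout."""
    window, stumblers, alerts = defaultdict(deque), {}, []
    for ts, ftype, sta, _channel, ssid, _ibss in frames:
        listed = sta in stumblers and ts - stumblers[sta] < expire_timeout
        if ftype != "probe_req" or ssid != "" or listed:
            continue  # named-SSID probes are normal; listed STAs were already reported
        q = window[sta]
        q.append(ts)
        while ts - q[0] > probe_period:
            q.popleft()  # forget probes older than probe_period
        if len(q) >= probe_reqs:
            stumblers[sta] = ts
            q.clear()
            alerts.append(f"{ts}: ANTISTUMBLER {sta}: {probe_reqs} NULL-SSID probes in {probe_period}s")
    return alerts
```

Running `rogue_ap(FRAMES, 60)` reports the unknown BSSID once, the AdHoc network, and the unknown BSSID again only after it has expired from the list; `antistumbler(FRAMES, 3, 10, 600)` fires once for the STA that sent three NULL-SSID probes, and lowering probe_period below the probe spacing makes the window evict them and suppresses the alert.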