From: Mike.Ruscher@cse-cst.gc.ca
Date: Wed Jan 10 2001 - 13:34:25 CST

    Archive: http://msgs.securepoint.com/ids
    FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
    FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
    IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
    HELP: Having problems... email questions to ids-owner@uow.edu.au
    NOTE: Remove this section from reply msgs otherwise the msg will bounce.
    SPAM: DO NOT send unsolicited mail to this list.
    UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
    -----------------------------------------------------------------------------
    This post from last week didn't get through it seems. I have included some
    responses from another IDS forum which only some may monitor.
    ----------------------------------------------------

    Has anyone done any IDS work in regard to collecting wireless protocol or
    server activity and are there any other useful tools for this type of
    monitoring work that you might recommend?

    Mike Ruscher, ITS Specialist
    Communications Security Establishment
    mgruscher@cse-cst.gc.ca
    -----------------------------------------------------

    > From: Scott C. Kennedy [mailto:scks4r.com]
    > Sent: Saturday, December 09, 2000 5:00 AM
    > To: Mike.Ruscher@CSE-CST.GC.CA
    > Cc: nfr-users@nfr.net
    > Subject: Re: [nfr-users] Wireless protocol sniffing
    >
    >
    > Do you mean WAP (aka Web Enabled Devices) or do you mean Wireless
    > Ethernet (802.11) or something else?
    >
    > The regular HTTP n-code from Anzen and NFR both can capture WAP
    > connections from the WAP gateway to the server, but not from the WAP
    > enabled phone to the WAP gateway.
    >
    > Scott

    Well I suppose one could use RF equipment to capture the 802.11 traffic and
    replay it past an IDS (e.g., NFR) in pseudo real time, or am I all wet here? It
    would seem that targeting a particular 'network' from the airwaves could be
    complex. Likely most, if not all, of this traffic would be encrypted, leaving
    only some form of traffic analysis as a possibility. Monitoring a server
    makes more sense, along the same lines as monitoring behind a VPN, say. Does
    all wireless protocol traffic take the HTTP route?

    > I plan on doing it in about three weeks, with Lucent gold cards and the
    > bridge, to verify WEP. It shouldn't work because the cards should disallow
    > sniffer operations such as going into promiscuous mode.

    > Christopher A. Martin
    > DA Secure Networks

    If I understand this technology correctly, it would appear that ID
    monitoring would have to be done higher up the stack than the NIC. This
    could present a few issues. Certainly these types of cards (not the Gold
    Card per se) can be PM enabled for IDS capability I should think.

    > Hi Mike,
    > If you can list the items you want to monitor we can develop it; I think if
    > we take any protocol dump and start "intelligent" parsing, we will have a
    > monitoring tool ... isn't it ..

    Yes I agree. I don't understand the last bit though.
     
    > Can you specify what you want in wireless protocol,
    >
    > mail me and/or in list, with detail prototype if any ..
    > <saugataraj@bigfoot.com>
    > <scapcal2.vsnl.net.in>
    >
    > From
    > Saugata Chakrabarti
    > <an approach: developer to developer>
    >
    > ps: > Has anyone done any backend work ................ ?? ??

    Thanks for the offer. I'm not really at a stage of awareness to make any
    specific proposals, just curious about other NFR users' work with wireless
    and any tools (e.g., collected WAP traffic?! etc) which might be lying
    around for educational purposes.
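
    Mike's point above that WEP-encrypted 802.11 traffic leaves only traffic
    analysis, and the thread's question of what an IDS could do with frames
    collected from the air, can be shown concretely. What follows is an added
    example, not code from this thread, from NFR or from Anzen. It assumes raw
    802.11 frames have already been captured (the capture step itself is what
    the thread leaves open) and constructs a handful of such frames in the file;
    every MAC address, SSID, IV and key index in it is a made-up value. It parses
    only the cleartext MAC header, so with WEP on it still recovers the SSID and
    Privacy bit from beacons, which stations talk through which AP, how many
    data frames were protected and under which key index, and whether the same
    key/IV pair appears twice, which means the RC4 keystream was reused.

```python
"""Traffic analysis of raw 802.11 frames whose payload is WEP-encrypted.

Added example, not code from the thread, NFR or Anzen. The frames are
constructed below (no capture needed); all MACs, SSIDs, IVs and key
indices are made-up values."""
import struct
from collections import Counter, defaultdict

TYPE_MGMT, TYPE_DATA, SUBTYPE_BEACON = 0, 2, 8
CAP_PRIVACY = 0x0010  # beacon capability bit: WEP required on this BSS

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_ssid(ies):
    """Walk tagged information elements; element ID 0 carries the SSID."""
    off = 0
    while off + 2 <= len(ies):
        eid, elen = ies[off], ies[off + 1]
        if off + 2 + elen > len(ies):
            return None  # truncated element: stop rather than over-read
        if eid == 0:
            return ies[off + 2:off + 2 + elen].decode("ascii", "replace")
        off += 2 + elen
    return None

def parse_frame(raw):
    """Decode the cleartext MAC header; with WEP on, only the IV/key ID past it is readable."""
    if len(raw) < 24:
        raise ValueError("shorter than a minimal 802.11 header")
    fc0, fc1 = raw[0], raw[1]
    f = {"type": (fc0 >> 2) & 3, "subtype": (fc0 >> 4) & 0xF,
         "to_ds": bool(fc1 & 1), "from_ds": bool(fc1 & 2), "protected": bool(fc1 & 0x40)}
    a1, a2, a3 = (mac_str(raw[i:i + 6]) for i in (4, 10, 16))
    body = raw[30:] if f["to_ds"] and f["from_ds"] else raw[24:]
    if f["type"] == TYPE_DATA:  # address roles follow the DS bits (802.11-1999, 7.2.2)
        if f["to_ds"] and not f["from_ds"]:
            f["bssid"], f["src"], f["dst"] = a1, a2, a3
        elif f["from_ds"] and not f["to_ds"]:
            f["dst"], f["bssid"], f["src"] = a1, a2, a3
        elif not f["to_ds"]:
            f["dst"], f["src"], f["bssid"] = a1, a2, a3
        else:  # WDS frame: addr4 is the source, no single BSSID
            f["dst"], f["src"], f["bssid"] = a3, mac_str(raw[24:30]), None
        if f["protected"] and len(body) >= 4:
            f["iv"], f["key_id"] = body[:3].hex(), body[3] >> 6
    elif f["type"] == TYPE_MGMT:
        f["dst"], f["src"], f["bssid"] = a1, a2, a3
        if f["subtype"] == SUBTYPE_BEACON and len(body) >= 12:
            cap = struct.unpack_from("<H", body, 10)[0]  # after timestamp(8)+interval(2)
            f["privacy"], f["ssid"] = bool(cap & CAP_PRIVACY), parse_ssid(body[12:])
    return f

def analyse(frames):
    """What the air gives away without the key: SSIDs, station/AP pairs, volumes, IV reuse."""
    stations, seen_iv = defaultdict(set), Counter()
    rep = {"ssids": {}, "privacy": {}, "protected_data": 0, "clear_data": 0,
           "key_ids": Counter(), "iv_reuse": []}
    for f in map(parse_frame, frames):
        if f["type"] == TYPE_MGMT and "ssid" in f:  # beacons are never encrypted
            rep["ssids"][f["bssid"]], rep["privacy"][f["bssid"]] = f["ssid"], f["privacy"]
        elif f["type"] == TYPE_DATA and f["bssid"] is not None:
            for a in (f["src"], f["dst"]):
                if a != f["bssid"] and not int(a[:2], 16) & 1:  # skip AP and group addresses
                    stations[f["bssid"]].add(a)
            if "iv" in f:
                rep["protected_data"] += 1
                rep["key_ids"][f["key_id"]] += 1
                k = (f["bssid"], f["key_id"], f["iv"])
                seen_iv[k] += 1
                if seen_iv[k] == 2:  # same key and IV twice: RC4 keystream reused
                    rep["iv_reuse"].append(k)
            elif not f["protected"]:
                rep["clear_data"] += 1
    rep["stations"] = {b: sorted(s) for b, s in stations.items()}
    return rep

def build_beacon(bssid, ssid, privacy=True):
    """Constructed beacon (mgmt subtype 8) to broadcast, carrying an SSID element."""
    hdr = (bytes([SUBTYPE_BEACON << 4, 0]) + b"\x00\x00" + mac("ff:ff:ff:ff:ff:ff")
           + mac(bssid) + mac(bssid) + b"\x00\x00")
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)  # ESS, optionally Privacy
    return hdr + struct.pack("<QHH", 0, 100, cap) + bytes([0, len(ssid)]) + ssid.encode()

def build_wep_data(src, dst, bssid, to_ds, iv, key_id, seq):
    """Constructed WEP data frame: header, 3-byte IV, key-ID byte, dummy ciphertext, ICV."""
    fc1 = 0x40 | (1 if to_ds else 2)  # Protected bit plus one DS bit
    a1, a2, a3 = (mac(bssid), mac(src), mac(dst)) if to_ds else (mac(dst), mac(bssid), mac(src))
    hdr = bytes([TYPE_DATA << 2, fc1]) + b"\x00\x00" + a1 + a2 + a3 + struct.pack("<H", seq << 4)
    return hdr + iv + bytes([key_id << 6]) + bytes(range(20)) + b"\x00" * 4

AP, STA, HOST = "00:02:2d:aa:bb:cc", "00:02:2d:11:22:33", "00:50:56:de:ad:01"  # made up
SAMPLE_FRAMES = [  # constructed: one beacon, two uplink and one downlink WEP frame
    build_beacon(AP, "lab-wlan"),
    build_wep_data(STA, HOST, AP, True, b"\x00\x00\x01", 0, 1),
    build_wep_data(STA, HOST, AP, True, b"\x00\x00\x02", 0, 2),
    build_wep_data(HOST, STA, AP, False, b"\x00\x00\x01", 0, 1),  # AP reuses IV 000001
]

if __name__ == "__main__":
    print(analyse(SAMPLE_FRAMES))
```

    Run it with python3 to print the report for the constructed frames. It
    expects frames starting at the 802.11 MAC header; any capture-tool header
    prepended in front of that would have to be stripped first, and control
    frames are simply ignored.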