Kismet Wireless

Kismet Forums


Posted by: securez
Subject: Emit unified2 alerts
Date: 11:35:28 07/08/2013

> > Hi,
> >
> > I'm a newbie with IDS. I used Kismet in the past, but only to scan perimeter WLANs and get info about them.
> >
> > Now I want to create a WIDS that will get security alerts. I see that there is a tap interface that Snort can consume, but Snort only gets layer 3-7 attacks, so I see that Kismet can detect some layer 2 activity that can be suspicious.
> >
> > My problem now is that alert files are not rotated. I can make a script that stops Kismet and rotates logs, but I try to find some more elegant solution.
> >
> > I get all the alerts and send them to a central database: barnyard2 will collect Snort unified2 files and send them to the DB, and Kismet on the other end emits the alerts in a custom format. So I can parse the custom format and create unified2 files, but this leads me to the same no-rotation log problem.
> >
> > Is it possible, or does some project exist that I can contribute to, that will emit the Kismet alerts in unified2 format with a limit as Snort does?
> >
> > Regards.
>
> Have you tried using the virtual tap interface yet by adding "forcevap=true" to your Kismet config? Dragorn may have a more elegant solution but I have gotten results obtaining alerts by using this one line in the past.

I'm using the latest Kismet version. I see in the documentation that this is the default value. If I understand this correctly, the TAP interface will have all WLAN traffic that is around, including drones; it is useful to use Snort on this interface.

The problem that I have is that if Kismet creates alerts, they go to the file Kismet-*.alert; this file increases in size, and the only solution that I found is stop/rotate/start Kismet.

I love difficult things, so I will spend more time trying to find a more elegant solution. Is anybody using Kismet as an IDS, or is it preferable to use Snort / Suricata or any of their friends?

Thanks for your fast reply.

Regards.
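A sketch of the converter the thread is asking for, added here as an example and not code from Kismet, Snort or barnyard2: it parses a Kismet alert line (the line layout is an assumption for this example; check it against the Kismet-*.alert file your version writes), packs it into a unified2 IDS event record, and appends it to a size-capped file that is rotated the way Snort's unified2 output is, so barnyard2 can consume the files and Kismet itself never has to be stopped. The alert-name-to-signature-id map, the generator id and the file naming are constructed values.

```python
import os
import struct
import tempfile

# Unified2 framing (big-endian): 4-byte record type, 4-byte body length, then the body.
UNIFIED2_IDS_EVENT = 7      # legacy IPv4 IDS event record, 52-byte body
GENERATOR_ID = 1001         # constructed, keeps Kismet events apart from Snort's generators
SIG_IDS = {"DEAUTHFLOOD": 1, "APSPOOF": 2, "CHANCHANGE": 3}  # constructed name -> sig id map

def parse_alert(line):
    # Assumed layout (check it against your version's Kismet-*.alert file):
    #   <epoch-seconds> <ALERTNAME> <src-mac> <dst-mac> <free text>
    parts = line.split(None, 4)
    if len(parts) < 4 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[2], parts[3], parts[4] if len(parts) > 4 else ""

def pack_event(epoch, name, event_id, sensor_id=1):
    # Layer-2 alerts carry no IPs or ports, so those fields stay 0; an alert name
    # missing from SIG_IDS gets signature id 0 rather than being dropped.
    body = struct.pack("!9I2I2H4B",
                       sensor_id, event_id, epoch, 0,                 # ids, seconds, usec
                       SIG_IDS.get(name, 0), GENERATOR_ID, 1, 0, 3,   # sig, gen, rev, class, prio
                       0, 0, 0, 0,                                    # ip src/dst, sport, dport
                       0, 0, 0, 0)                                    # proto, impact flag, impact, blocked
    return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body

class RotatingUnified2Writer:
    # Appends to <directory>/<base>.<epoch>.<event id>, opening a fresh file once the size
    # limit would be exceeded, the rotation barnyard2 already expects from Snort's output.
    def __init__(self, directory=None, base="kismet.u2", limit=4096):
        self.directory = directory or tempfile.mkdtemp(prefix="kismet-u2-")
        self.base, self.limit = base, limit
        self.path, self.size, self.event_id = None, 0, 0

    def emit(self, line):
        parsed = parse_alert(line)
        if parsed is None:          # unparsable line: skip it and say so
            return None
        epoch, name = parsed[0], parsed[1]
        self.event_id += 1          # strictly increasing, so rotated names never clash
        record = pack_event(epoch, name, self.event_id)
        if self.path is None or self.size + len(record) > self.limit:
            self.path = os.path.join(self.directory, f"{self.base}.{epoch}.{self.event_id}")
            self.size = 0
        with open(self.path, "ab") as fh:
            fh.write(record)
        self.size += len(record)
        return self.path
```

Tailing the live alert file and feeding each new line to `emit()` keeps Kismet running while the unified2 side gets the size-limited files; the free-text part of the alert is not carried over here, which would need a unified2 extra-data record.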
