Alerts

Kismet uses alerts to communicate wireless intrusion events and critical Kismet server events.

Alerts are generated both as text messages on the messagebus and as dedicated alert records.

For real-time monitoring of alerts, see the eventbus API.

Alert severities

Alert severities are categorized by numeric value; a higher number is more severe.

Severity  Definition  Use
0         INFO        Informational alerts, such as datasource errors, Kismet state changes, etc.
5         LOW         Low-risk events such as probe fingerprints
10        MEDIUM      Medium-risk events such as denial of service attempts
15        HIGH        High-risk events such as fingerprinted watched devices, denial of service attacks, and similar
20        CRITICAL    Critical errors such as fingerprinted known exploits

Alert types

Alerts are categorized by type; alert types are free-form strings, but include:

Type     Use
DENIAL   Possible denial of service attack
EXPLOIT  Known fingerprinted exploit attempt against a vulnerability
OTHER    General category for alerts which don't fit in any existing bucket
PROBE    Probe by known tools
SPOOF    Attempt to spoof an existing device
SYSTEM   System events, such as log changes, datasource errors, etc.

Alert configuration

DESC
Kismet exposes the full alert system configuration, including the currently supported alert types, descriptions of alert content, severity of alerts, and time and burst-rate delivery limiting.
ROLES
readonly
URI
/alerts/definitions.json
/alerts/definitions.ekjson
/alerts/definitions.prettyjson
METHODS
GET
RETURN
JSON list of all alert definition and configuration records.

All alerts

DESC

Kismet retains the past N alerts, as defined by alertbacklog in kismet_memory.conf.

By default, Kismet retains 50 alert records.

ROLES
readonly
URI
/alerts/all_alerts.json
/alerts/all_alerts.ekjson
/alerts/all_alerts.prettyjson
METHODS
GET
RETURN
JSON list of all currently stored alerts.

Recent alerts

DESC

This endpoint returns alerts since the exact timestamp of seconds and milliseconds.

A more efficient and reliable method is to use the eventbus websocket.

ROLES
readonly
URI
/alerts/last-time/{TIMESTAMP}/alerts.json
/alerts/last-time/{TIMESTAMP}/alerts.ekjson
/alerts/last-time/{TIMESTAMP}/alerts.prettyjson
METHODS
GET
URI PARAMETERS
TIMESTAMP number (double) REQUIRED
A double-precision timestamp of the Unix epoch second *and* a microsecond-precision sub-second fraction (such as 1234567.12345)
RETURN
JSON list of alerts since TIMESTAMP.UTIMESTAMP

Recent alerts (wrapped)

DESC

This endpoint functions identically to the recent alerts endpoint, but wraps the return in a JSON object including the timestamp when the server generated the report.

This can be used by polling UI implementations to know the exact time to pass in the next alert query.

A more efficient and reliable method is to use the eventbus websocket.

ROLES
readonly
URI
/alerts/wrapped/last-time/{TIMESTAMP}/alerts.json
/alerts/wrapped/last-time/{TIMESTAMP}/alerts.ekjson
/alerts/wrapped/last-time/{TIMESTAMP}/alerts.prettyjson
METHODS
GET
URI PARAMETERS
TIMESTAMP number (double) REQUIRED
A double-precision timestamp of the Unix epoch second *and* a microsecond-precision sub-second fraction (such as 1234567.12345)
RETURN
JSON object containing a list of alerts since TIMESTAMP.UTIMESTAMP and the exact timestamp of the return generation.
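The following is an added example, not code from the Kismet project or this documentation, showing how a polling client would use the wrapped last-time endpoint together with the severity table above: it builds the `/alerts/wrapped/last-time/{TIMESTAMP}/alerts.json` URI from a seconds-and-microseconds double, feeds the server-generated timestamp from each wrapped reply into the next query, and drops alerts below a chosen severity band. The field names of the wrapped object (`timestamp`, `alerts`) and of each alert record (`severity`, `type`, `ts`, `text`) are assumptions for this example and are not taken from the page; the fake server, its alert records and the timestamps are constructed so the code runs offline. A real client would also have to authenticate with a readonly-role session, which the example omits.

```python
import json

# Severity bands from the page's severity table (higher number is more severe).
SEVERITY_BANDS = [(20, "CRITICAL"), (15, "HIGH"), (10, "MEDIUM"), (5, "LOW"), (0, "INFO")]


def severity_name(severity):
    """Name the band a numeric severity falls into.

    A value between two table entries is reported as the lower band,
    so a severity of 12 is MEDIUM.
    """
    for threshold, name in SEVERITY_BANDS:
        if severity >= threshold:
            return name
    return "INFO"  # values below 0 are not expected; report as informational


def wrapped_alert_uri(timestamp, fmt="json"):
    """Build the wrapped last-time URI from a seconds.microseconds double."""
    return f"/alerts/wrapped/last-time/{timestamp:.6f}/alerts.{fmt}"


def poll_alerts(fetch, since, min_severity=0, list_key="alerts", ts_key="timestamp"):
    """One polling step against the wrapped endpoint.

    `fetch(uri)` returns the response body as a string; `since` is the
    timestamp taken from the previous wrapped reply (0.0 on the first call).
    The wrapped object's field names (list_key, ts_key) and the per-alert
    'severity' key are ASSUMED for this example; confirm them against a live
    reply and /alerts/definitions.prettyjson before relying on them.
    """
    body = json.loads(fetch(wrapped_alert_uri(since)))
    kept = [a for a in body[list_key] if a.get("severity", 0) >= min_severity]
    return kept, float(body[ts_key])


# --- Constructed stand-in for the Kismet server so the example runs offline ---
FAKE_ALERTS = [
    {"ts": 1234567.100000, "type": "SYSTEM", "severity": 0, "text": "datasource reopened"},
    {"ts": 1234567.250000, "type": "PROBE", "severity": 5, "text": "scanner fingerprint"},
    {"ts": 1234568.000000, "type": "DENIAL", "severity": 10, "text": "deauth flood"},
    {"ts": 1234569.500000, "type": "EXPLOIT", "severity": 20, "text": "known exploit fingerprint"},
]


def make_fake_fetch(clock):
    """Return a fetch() that answers wrapped last-time queries from FAKE_ALERTS.

    `clock` is a one-element list holding the fake server's 'now', so a caller
    can advance time between polls.
    """
    def fetch(uri):
        # Path layout: /alerts/wrapped/last-time/{TIMESTAMP}/alerts.json
        since = float(uri.split("/")[4])
        now = clock[0]
        fresh = [a for a in FAKE_ALERTS if since < a["ts"] <= now]
        return json.dumps({"timestamp": now, "alerts": fresh})
    return fetch


def run_two_polls():
    """Poll once, advance the fake clock, then poll again using the returned timestamp."""
    clock = [1234568.000000]
    fetch = make_fake_fetch(clock)
    first, ts1 = poll_alerts(fetch, 0.0)
    clock[0] = 1234570.000000
    second, ts2 = poll_alerts(fetch, ts1)
    return first, second, ts2


if __name__ == "__main__":
    first, second, last_ts = run_two_polls()
    for alert in first + second:
        print(f"{alert['ts']:.6f} {severity_name(alert['severity']):8s} {alert['type']:8s} {alert['text']}")
    print("next query would use", wrapped_alert_uri(last_ts))
```

The point of carrying the server's own timestamp forward, rather than the client's clock, is that clock skew or a slow request would otherwise make the next query either repeat alerts or miss the ones generated while the previous reply was in flight.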