WIDZ - The Wireless Intrusion Detection System by FATBLOKE


This is only a proof of concept - it is not up to the standard of great software packages like Snort etc. that
you might find on sourceforge.  Its development has been bogged down by a series of trials,
some technical, some managerial.


The WIDZ package contains a number of very simple programs.  They are designed to cover three of the
major 802.11 risks:

- Unauthorised APs (widz_apmon.c)
                    Bogus APs designed to steal the association and login credentials.

                    Unauthorised APs, you know the ones that are installed by the marketing dept
                    after they have visited the local PC superstore, which allow all and sundry
                    access to the corporate LAN without a password.


- War Driving (widz_probemon.c)
                    Picks up probe requests which don't have the ESSID field set in the probe
                    (broadcast probe requests, the signature of active scanners).

                    It is envisaged that this will be processed by Snort and used in an activate
                    or tag rule to look for DHCP requests etc.

- Flooding (widz_probemon.c)
                    Picks up attempts to flood the AP with associations.

DISCLAIMER
==========


This software is provided as is.  It is a "proof of concept" and as such is not intended to be
run, except under lab conditions that you deem adequate and secure.  The AUTHOR cannot take
or be held responsible for its use, experimental or otherwise.  If it is compiled and run it
is done at your own risk.



Testing 
========

This has been minimal.  With many drivers/builds we found that *apmon would not
co-exist with *probemon, hence we developed the process of getting *apmon to call the
*probemon invocation script.

We found that with standard wavelan drivers we could drive a DWL650 or ZoomAir 4100;
we could run both concurrently but it was unreliable (should I say more unreliable).

Despite rave reviews, rlmod did not work on my Mandrake system and supposedly compatible
card - no problem, I gave it to the wife.

Some success with wlan-ng drivers, but not as good as the first.

Host_ap gave us the best results.


However, as my company suddenly found it had a surplus of around 600-700 Compaq M300 or M700
laptops, most testing was done with *apmon running on one box and *probemon running on another.

Leaving over 598 spare, and they still complained.



 widz_apmon.c 
==============
This sad little program monitors an area for Access Points.
If it finds an AP it compares it to a list of authorised APs in a config file;
if the AP isn't in the list it calls a program called Alert with an appropriate message.

The example Alert script will send a syslog message, which in our example will be picked up by Snort,
but it could equally send an SNMP trap or run a command.

running:

  $ widz_apmon sleep_time Interface generate|monitor

Sleep_time is the time between scans in seconds

Interface is the WLAN interface say wlan0 or eth1

Generate produces the widz_apmon.conf file (the authorised-AP list that monitor mode compares
against) in the current directory; review it before running in monitor mode.


Monitor - puts it into IDS mode

example

   $ widz_apmon 1 wlan0 generate


   $ widz_apmon 1 wlan0 monitor


Debugging
     export DEBUG will cause the program to print debug info to stdout


Function

 widz_apmon.c assumes your driver is in auto-associate mode.  The interface should be up,
otherwise the program returns odd results.  It does the appropriate IOCTL call to
 read the ASSOCIATED ESSID from the interface, then gets the MAC of that AP.

It then does the alerting processing described above, then it resets the ESSID to force the card to search
for another AP.  When all done it waits a couple of seconds then calls the Controlexit routine, which can in turn
be used to call widz_probemon.c, which checks for probe frames.

Note that each pass only ever sees the one AP the card happens to associate with, so a rogue AP
the card never associates with is not reported (see the improvements below).
 

  widz_apmon.c improvements
                            We had a lot of problems with drivers on this project.
                            The major problem with the program, apart from the bad coding,
                            is the scanning technique: it only sees whichever AP the card
                            associates with.  It would be better to use the SIOCGIWAPLIST
                            ioctl call or the scan function (SIOCSIWSCAN/SIOCGIWSCAN).

                            It should also not alert on the same AP more than once.
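The check cycle described above, written out as an added example in shell around the wireless-tools commands (iwgetid, iwconfig).  This is not widz_apmon.c itself (which is C and not reproduced here) and makes the following assumptions, none of which the README documents: widz_apmon.conf holds one authorised AP per line as "MAC ESSID" with '#' starting a comment; the script is called apmon.sh; Alert and Controlexit are executables in the current directory; and the alert-once bookkeeping (a file of already-reported MACs) is this example's own addition, addressing the improvement noted above.

```sh
#!/bin/sh
# Added example, not WIDZ's own code: the widz_apmon check cycle written as a
# shell script around the wireless-tools commands iwgetid and iwconfig.
# ASSUMPTIONS (the README does not document them): widz_apmon.conf holds one
# authorised AP per line as "MAC ESSID", with '#' starting a comment; the
# alert-once bookkeeping (a file of already-reported MACs) is this example's own.

# normalise_mac MAC: lower-case, zero-padded octets, so "0:A:B:C:D:E" and
# "00:0a:0b:0c:0d:0e" compare equal whichever form the driver or config used.
normalise_mac() {
    out=""
    old_ifs=$IFS
    IFS=:
    for octet in $1; do
        out="${out}${out:+:}$(printf '%02x' "0x$octet")"
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# is_authorised CONF ESSID MAC: status 0 if the (MAC, ESSID) pair is listed.
# Both columns must match, so an AP that clones the corporate ESSID on a
# different BSSID is still treated as unauthorised.
is_authorised() {
    conf=$1
    essid=$2
    mac=$(normalise_mac "$3")
    grep -v '^[[:space:]]*#' "$conf" | (
        while read -r cmac cessid; do
            [ -z "$cmac" ] && continue
            if [ "$(normalise_mac "$cmac")" = "$mac" ] && [ "$cessid" = "$essid" ]; then
                exit 0
            fi
        done
        exit 1
    )
}

# check_ap CONF ESSID MAC SEEN ALERT: status 0 = authorised, 1 = unauthorised
# and ALERT was called, 2 = unauthorised but already reported.  SEEN records
# reported MACs so a rogue AP is alerted once rather than on every scan.
check_ap() {
    conf=$1
    essid=$2
    mac=$(normalise_mac "$3")
    seen=$4
    alert=$5
    if is_authorised "$conf" "$essid" "$mac"; then
        return 0
    fi
    if grep -qxF "$mac" "$seen" 2>/dev/null; then
        return 2
    fi
    printf '%s\n' "$mac" >> "$seen"
    "$alert" "unauthorised AP essid=\"$essid\" mac=$mac"
    return 1
}

# Live mode, the cycle described above: read the ESSID the card has associated
# with and that AP's MAC, check them, reset the ESSID so the card searches
# again, sleep, then hand over to Controlexit.  Only runs when an interface is
# given, so the functions above can be sourced and exercised without a card.
#   usage: ./apmon.sh SLEEP_TIME INTERFACE [CONF]
if [ $# -ge 2 ]; then
    sleep_time=$1
    iface=$2
    conf=${3:-widz_apmon.conf}
    seen=$(mktemp)
    while :; do
        essid=$(iwgetid -r "$iface")       # associated ESSID
        mac=$(iwgetid -a -r "$iface")      # BSSID of that AP
        # an unassociated card reports no BSSID or an all-zero one (driver dependent)
        if [ -n "$mac" ] && [ "$mac" != "00:00:00:00:00:00" ]; then
            check_ap "$conf" "$essid" "$mac" "$seen" ./Alert || :
        fi
        iwconfig "$iface" essid any        # force a fresh association search
        sleep "$sleep_time"
        [ -x ./Controlexit ] && ./Controlexit
    done
fi
```

The MAC normalisation matters in practice: drivers and hand-edited config files disagree on case and zero padding, and a naive string compare would report an authorised AP as rogue on every pass.  Matching on the (MAC, ESSID) pair rather than the ESSID alone is what catches the "bogus AP" case from the risk list, where the attacker's AP advertises your ESSID.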




 widz_probemon.c 
==============
See the separate file.


Alert 
===== 

This example script is suitably commented and shows how to
 - send a syslog message
 - write to the console or current terminal
 - send an SNMP trap
 - send an email
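An Alert script covering those four channels, as an added example (it is not the Alert script shipped with WIDZ).  Assumptions of this example: widz_apmon calls it as `Alert "message"`; the channels are selected by environment variables of this example's own naming (WIDZ_CONSOLE, WIDZ_SNMP_HOST, WIDZ_SNMP_COMMUNITY, WIDZ_MAILTO, WIDZ_DRYRUN); the syslog tag "widz" and the trap and object OIDs (placeholders taken from net-snmp's NET-SNMP-EXAMPLES-MIB) are also assumptions to be replaced with your own.

```sh
#!/bin/sh
# Added example Alert script, not the one shipped with WIDZ.  widz_apmon calls
# it as:  Alert "message".  Channels are enabled by environment variables so
# the same script can be tried one channel at a time.
# ASSUMPTIONS: the variable names, the "widz" syslog tag and the OIDs below are
# this example's own; the OIDs are placeholders from net-snmp's example MIB.
WIDZ_TRAP_OID=${WIDZ_TRAP_OID:-1.3.6.1.4.1.8072.2.3.0.1}
WIDZ_TRAP_VARBIND=${WIDZ_TRAP_VARBIND:-1.3.6.1.4.1.8072.2.1.3}

# build_message MSG: the single-line, fixed-prefix form every channel sends.
# A fixed prefix is what a Snort rule watching the syslog feed keys on.
build_message() {
    printf 'WIDZ ALERT host=%s %s\n' "$(uname -n)" "$1"
}

# run CMD...: execute the command, or with WIDZ_DRYRUN set just print the
# command line, so the dispatch can be checked on a box with no snmptrap or
# mailer installed.
run() {
    if [ -n "${WIDZ_DRYRUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# send_alert MSG: fan the message out to every enabled channel.
send_alert() {
    msg=$(build_message "$1")

    # 1. syslog, facility auth, tagged "widz": the line Snort picks up.
    run logger -p auth.warning -t widz "$msg"

    # 2. console or current terminal: WIDZ_CONSOLE is the device to write to,
    #    e.g. /dev/console (needs root) or "$(tty)" for the current terminal.
    if [ -n "${WIDZ_CONSOLE:-}" ]; then
        run sh -c 'printf "%s\n" "$1" > "$2"' _ "$msg" "$WIDZ_CONSOLE"
    fi

    # 3. SNMP v2c trap to a manager; '' means "use the agent's current uptime".
    if [ -n "${WIDZ_SNMP_HOST:-}" ]; then
        run snmptrap -v 2c -c "${WIDZ_SNMP_COMMUNITY:-public}" "$WIDZ_SNMP_HOST" '' \
            "$WIDZ_TRAP_OID" "$WIDZ_TRAP_VARBIND" s "$msg"
    fi

    # 4. email via the system mailer.
    if [ -n "${WIDZ_MAILTO:-}" ]; then
        run sh -c 'printf "%s\n" "$1" | mail -s "WIDZ alert" "$2"' _ "$msg" "$WIDZ_MAILTO"
    fi
}

# When invoked as ./Alert "message" (not when sourced for testing).
if [ $# -ge 1 ]; then
    send_alert "$1"
fi
```

Try it first with `WIDZ_DRYRUN=1 ./Alert "test"` to see exactly which commands would run, then enable channels one at a time; syslog is the only channel that needs nothing installed beyond `logger`, which is why the README pairs it with Snort.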


Controlexit 
===========
Called by widz_apmon at the end of each scan cycle.  As shipped it does nothing; it is the hook
from which widz_probemon can be started (see Testing).
