Chapter 2 - 802.11 Detection Rules
2.1 Overview
Writing custom rules for detecting 802.11 frames that match your specific criteria
is just as easy as writing any other type of custom Snort rule. The 802.11 rule
engine of Snort-Wireless is built upon the rule engine of the standard Snort
distribution and for the most part shares the same syntax. The only difference
between the two is that instead of specifying source and destination IP addresses
and ports, you specify source and destination MAC addresses.
Format
<action> wifi <mac> <direction> <mac> (<rule options>)
2.2 Rule Actions
The rule header contains the information that defines the who,
where, and what of a packet, as well as what to do in the
event that a packet with all the attributes indicated in the rule
shows up. The first item in a rule is the rule action. The rule
action tells Snort what to do when it finds a packet that matches
the rule criteria. There are five default actions in Snort:
alert, log, pass, activate, and dynamic.
- alert - generate an alert using the selected alert method, and then
log the packet
- log - log the packet
- pass - ignore the packet
- activate - alert and then turn on another dynamic rule
- dynamic - remain idle until activated by an activate rule, then act
as a log rule
2.3 MAC Addresses
Source and destination MAC addresses may be specified in much the same way that IP addresses
are specified in Snort rules. A single MAC address is written as a colon-separated list of six
hexadecimal octets; a list of addresses is written as comma-separated addresses enclosed in
square brackets. In addition, the '!' character may prefix a MAC address to perform a logical
NOT operation, so that the rule matches any address other than the one given.
Format
# Single MAC Address
00:DE:AD:BE:EF:00
# MAC Address List
[00:DE:AD:BE:EF:00, 00:DE:AD:C0:DE:00, ....]
2.4 The Direction Operator
Snort contains two operators for specifying the direction of the traffic that a rule applies
to. The unidirectional operator -> translates to "source to destination." The
bidirectional operator <> translates to "source to destination or
destination to source."
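As an added example (not code from the Snort-Wireless project), the following Python implements the MAC address specifier and direction operator semantics described in sections 2.3 and 2.4: single addresses, bracketed lists, '!' negation, and the -> and <> operators. The rule strings and MAC addresses are constructed for the example; the header regular expression, the action names accepted, and the treatment of a '!' in front of a bracketed list as negating the whole list are this example's assumptions.

```python
"""Added example, not Snort-Wireless code: matching a 'wifi' rule header
   <action> wifi <mac> <direction> <mac>
against a frame's source and destination MAC addresses."""
import re

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

# Assumption: the header grammar is the one shown in 2.1; a list
# alternative is tried first so the spaces inside [a, b] are allowed.
_HEADER_RE = re.compile(
    r"^\s*(alert|log|pass|activate|dynamic)\s+wifi\s+"
    r"(\[[^\]]*\]|\S+)\s+(->|<>)\s+(\[[^\]]*\]|\S+)\s*$")


def parse_mac(text):
    """Validate one colon-separated MAC and return it in canonical lowercase."""
    text = text.strip()
    if not _MAC_RE.match(text):
        raise ValueError("bad MAC address: %r" % text)
    return text.lower()


def parse_mac_spec(spec):
    """Parse a MAC specifier into (negated, frozenset of addresses).

    Accepts '00:DE:AD:BE:EF:00', '[a, b, ...]' and a leading '!' on either
    (assumption: '!' before a list negates the whole list)."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec.startswith("[") and spec.endswith("]"):
        macs = {parse_mac(m) for m in spec[1:-1].split(",") if m.strip()}
    else:
        macs = {parse_mac(spec)}
    return negated, frozenset(macs)


def spec_matches(spec, mac):
    """True when the address satisfies the specifier, honouring '!'."""
    negated, macs = spec
    return (parse_mac(mac) in macs) != negated


def parse_header(header):
    """Parse a rule header into action, source/destination specs and direction."""
    m = _HEADER_RE.match(header)
    if not m:
        raise ValueError("not a wifi rule header: %r" % header)
    action, src, direction, dst = m.groups()
    return {"action": action, "src": parse_mac_spec(src),
            "direction": direction, "dst": parse_mac_spec(dst)}


def header_matches(rule, src_mac, dst_mac):
    """Apply a parsed header to a frame's source and destination MACs.
    '->' checks src/dst as given; '<>' also accepts the swapped pair."""
    forward = (spec_matches(rule["src"], src_mac)
               and spec_matches(rule["dst"], dst_mac))
    if rule["direction"] == "->":
        return forward
    reverse = (spec_matches(rule["src"], dst_mac)
               and spec_matches(rule["dst"], src_mac))
    return forward or reverse


# Constructed sample rules: frames sent to either access point by anyone
# other than the first AP, and all traffic between one AP and one client.
EXAMPLE_RULE = parse_header(
    "alert wifi !00:DE:AD:BE:EF:00 -> [00:DE:AD:BE:EF:00, 00:DE:AD:C0:DE:00]")
EXAMPLE_BIDIR = parse_header("log wifi 00:DE:AD:BE:EF:00 <> 00:11:22:33:44:55")

if __name__ == "__main__":
    print(header_matches(EXAMPLE_RULE, "00:11:22:33:44:55", "00:DE:AD:C0:DE:00"))
    print(header_matches(EXAMPLE_RULE, "00:DE:AD:BE:EF:00", "00:DE:AD:C0:DE:00"))
    print(header_matches(EXAMPLE_BIDIR, "00:11:22:33:44:55", "00:DE:AD:BE:EF:00"))
```

Addresses are compared case-insensitively after normalisation, which matters because captured frames and hand-written rules rarely agree on letter case.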
2.5 Rule Options
Snort-Wireless has many 802.11-specific rule options available when creating rules that use
the "wifi" protocol. Additionally, many of Snort's standard rule options are available for
"wifi" protocol rules.
Snort-Wireless Specific Keywords
- frame_control - tests the entire frame control field
- type - tests the 802.11 frame's type
- stype - tests the 802.11 frame's subtype
- from_ds - tests the from distribution system frame control flag
- to_ds - tests the to distribution system frame control flag
- more_frags - tests the more fragments frame control flag
- retry - tests the retry frame control flag
- pwr_mgmt - tests the power management frame control flag
- more_data - tests the more data frame control flag
- wep - tests the wep frame control flag
- order - tests the order frame control flag
- duration_id - tests the frame's duration/id field
- bssid - tests the frame's BSSID
- seqnum - tests the frame's sequence number
- fragnum - tests the frame's fragment number
- addr4 - tests the frame's 4th address field
- ssid - tests the frame's SSID
2.5.1 frame_control
The frame_control option allows you to check whether or not the entire frame control field
equals a specific value. Values may be specified in either hexadecimal or
decimal notation. An 802.11 frame's control field is 16 bits wide, thus the minimum value
allowed is 0 and the maximum is 65535. In addition, '!' may precede the argument to specify a
logical NOT operation on the comparison. Because the whole field is compared, the value must
also account for the flag bits (to_ds, from_ds, retry, wep and so on); when only the frame
type or subtype matters, the type and stype options are the more robust choice.
Format
frame_control:[!]<number>;
2.5.2 type
The type option allows you to specify the 802.11 frame type (management, control or data) that
a rule applies to. '!' may precede the argument to specify a logical NOT operation on the
comparison.
Format
type:[!]<wifi type>;
Valid Types
STYPE_MANAGMENT
STYPE_CONTROL
STYPE_DATA
2.5.3 stype
The stype option allows you to specify the 802.11 frame subtype that a given rule applies to.
When using this rule option the frame's type is implicitly checked, since each subtype belongs
to exactly one type. In addition, '!' may precede the argument to specify a logical NOT
operation on the comparison.
Format
stype:[!]<wifi subtype>;
Valid Management Frame Subtypes
STYPE_ASSOCREQ
STYPE_ASSOCRESP
STYPE_REASSOC_REQ
STYPE_REASSOC_RESP
STYPE_PROBEREQ
STYPE_PROBERESP
STYPE_BEACON
STYPE_ATIM
STYPE_DISASSOC
STYPE_AUTH
STYPE_DEAUTH
Valid Control Frame Subtypes
STYPE_PS
STYPE_RTS
STYPE_CTS
STYPE_ACK
STYPE_CFEND
STYPE_CFEND_CFACK
Valid Data Frame Subtypes
STYPE_DATA
STYPE_CFACK
STYPE_CFPOLL
STYPE_CFACK_CFPOLL
STYPE_NULL
STYPE_CFACK_NULL
STYPE_CFPOLL_NULL
STYPE_CFACK_CFPOLL_NULL
2.5.4 from_ds
The from_ds option allows you to specify whether the rule applies to 802.11 frames leaving
the distribution system (i.e., the frame is travelling from an access point to a station). Valid
arguments are ON, OFF, TRUE, or FALSE. For consistency, '!' may precede the argument to
perform a logical NOT operation on the comparison.
Format
from_ds:[!] TRUE | FALSE | ON | OFF ;
2.5.5 to_ds
The to_ds option allows you to specify whether the rule applies to 802.11 frames entering
the distribution system (i.e., the frame is travelling from a station to an access point).
Valid arguments are ON, OFF, TRUE, or FALSE. For consistency, '!' may precede the argument
to perform a logical NOT operation on the comparison.
Format
to_ds:[!] TRUE | FALSE | ON | OFF ;
2.5.6 more_frags
The more_frags option allows you to specify whether the rule applies to 802.11 frames that
have more fragments following them. Valid arguments are ON, OFF,
TRUE, or FALSE. For consistency, '!' may precede the
argument to perform a logical NOT operation on the comparison.
Format
more_frags:[!] TRUE | FALSE | ON | OFF ;
2.5.7 retry
The retry option allows you to specify whether the rule applies to 802.11 frames that have
been retransmitted. Valid arguments are ON, OFF,
TRUE, or FALSE. For consistency, '!' may precede the
argument to perform a logical NOT operation on the comparison.
Format
retry:[!] TRUE | FALSE | ON | OFF ;
2.5.8 pwr_mgmt
The pwr_mgmt option allows you to specify whether the rule applies to 802.11 frames whose
power management flag is set, i.e., the transmitting station is announcing that it is in
(or is entering) power-save mode.
Valid arguments are ON, OFF, TRUE, or FALSE. For
consistency, '!' may precede the argument to perform a logical NOT operation on
the comparison.
Format
pwr_mgmt:[!] TRUE | FALSE | ON | OFF ;
2.5.9 more_data
The more_data option allows you to specify whether the rule applies to 802.11 frames that
have their more data control flag set (an access point sets it to tell a power-saving station
that further buffered frames are waiting for it).
Valid arguments are ON, OFF, TRUE, or FALSE. For
consistency, '!' may precede the argument to perform a logical NOT operation on
the comparison.
Format
more_data:[!] TRUE | FALSE | ON | OFF ;
2.5.10 wep
The wep option allows you to specify whether the rule applies to 802.11 frames that have
been processed by the WEP algorithm. Note that later revisions of the standard rename this
bit "Protected Frame" and set it for any encrypted data frame (WEP, TKIP or CCMP), so
wep:TRUE matches all encrypted data frames, not only WEP-encrypted ones.
Valid arguments are ON, OFF, TRUE, or FALSE. For
consistency, '!' may precede the argument to perform a logical NOT operation on
the comparison.
Format
wep:[!] TRUE | FALSE | ON | OFF ;
2.5.11 order
The order option allows you to specify whether the rule applies to 802.11 frames that are
being transmitted using the strictly-ordered service class.
Valid arguments are ON, OFF, TRUE, or FALSE. For
consistency, '!' may precede the argument to perform a logical NOT operation on
the comparison.
Format
order:[!] TRUE | FALSE | ON | OFF ;
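To make the relationship between the frame_control value and the type, stype and flag options concrete, here is an added Python example (not Snort-Wireless code) that decodes and encodes the 16-bit Frame Control field and evaluates those options, including the '!' negation, against a few constructed frames. Bit positions and subtype codes are those of IEEE 802.11; the keyword names are the ones listed above. It assumes that Snort-Wireless compares the frame_control number against the field read as a little-endian 16-bit integer (first octet as the low byte); the sample frames and the BY_SUBTYPE and BY_VALUE option sets are constructed for this example.

```python
"""Added example, not Snort-Wireless code: the 802.11 Frame Control field
that frame_control, type, stype and the flag options inspect.
IEEE 802.11 layout: octet 0 = protocol version (bits 0-1), type (bits 2-3),
subtype (bits 4-7); octet 1 = the flags, to_ds in bit 0 up to order in bit 7.
Assumption: frame_control compares against the field as a little-endian int."""

# type keywords as listed in the text above
TYPES = {"STYPE_MANAGMENT": 0, "STYPE_CONTROL": 1, "STYPE_DATA": 2}

# subtype keyword -> (type code, subtype code), per IEEE 802.11
SUBTYPES = {
    "STYPE_ASSOCREQ": (0, 0), "STYPE_ASSOCRESP": (0, 1),
    "STYPE_REASSOC_REQ": (0, 2), "STYPE_REASSOC_RESP": (0, 3),
    "STYPE_PROBEREQ": (0, 4), "STYPE_PROBERESP": (0, 5),
    "STYPE_BEACON": (0, 8), "STYPE_ATIM": (0, 9), "STYPE_DISASSOC": (0, 10),
    "STYPE_AUTH": (0, 11), "STYPE_DEAUTH": (0, 12),
    "STYPE_PS": (1, 10), "STYPE_RTS": (1, 11), "STYPE_CTS": (1, 12),
    "STYPE_ACK": (1, 13), "STYPE_CFEND": (1, 14), "STYPE_CFEND_CFACK": (1, 15),
    "STYPE_DATA": (2, 0), "STYPE_CFACK": (2, 1), "STYPE_CFPOLL": (2, 2),
    "STYPE_CFACK_CFPOLL": (2, 3), "STYPE_NULL": (2, 4), "STYPE_CFACK_NULL": (2, 5),
    "STYPE_CFPOLL_NULL": (2, 6), "STYPE_CFACK_CFPOLL_NULL": (2, 7),
}

# flag options in octet-1 bit order (bit 0 .. bit 7)
FLAGS = ["to_ds", "from_ds", "more_frags", "retry",
         "pwr_mgmt", "more_data", "wep", "order"]

BOOL_ARGS = {"TRUE": True, "ON": True, "FALSE": False, "OFF": False}


def decode_frame_control(raw):
    """Split the first two octets of a frame into the fields the options test."""
    fc = int.from_bytes(raw[:2], "little")
    fields = {"frame_control": fc, "version": fc & 0x3,
              "type": (fc >> 2) & 0x3, "stype": (fc >> 4) & 0xF}
    for bit, name in enumerate(FLAGS):
        fields[name] = bool((fc >> (8 + bit)) & 1)
    return fields


def encode_frame_control(subtype, **flags):
    """Numeric frame_control value for a subtype plus optional flags,
    e.g. encode_frame_control("STYPE_DEAUTH", retry=True) -> 0x08C0."""
    ftype, sub = SUBTYPES[subtype]
    fc = (ftype << 2) | (sub << 4)
    for name, on in flags.items():
        if on:
            fc |= 1 << (8 + FLAGS.index(name))
    return fc


def option_matches(fields, option, arg):
    """Evaluate one option against decoded fields, honouring a leading '!'."""
    negate = arg.startswith("!")
    arg = arg.lstrip("!").strip()
    if option == "frame_control":
        result = fields["frame_control"] == int(arg, 0)   # decimal or 0x.. hex
    elif option == "type":
        result = fields["type"] == TYPES[arg]
    elif option == "stype":                                # type is implied
        result = (fields["type"], fields["stype"]) == SUBTYPES[arg]
    elif option in FLAGS:
        result = fields[option] == BOOL_ARGS[arg.upper()]
    else:
        raise ValueError("unknown option %r" % option)
    return result != negate


def rule_matches(raw, options):
    """All options of a rule must hold (rule options are ANDed)."""
    fields = decode_frame_control(raw)
    return all(option_matches(fields, k, v) for k, v in options.items())


# Constructed sample frame-control octets
DEAUTH = b"\xc0\x00"        # management / deauthentication, no flags
DEAUTH_RETRY = b"\xc0\x08"  # the same frame retransmitted (retry set)
DATA_FROM_AP = b"\x08\x42"  # data frame, from_ds and wep (protected) set

# Matching by subtype survives the retry bit; matching the whole field does not.
BY_SUBTYPE = {"stype": "STYPE_DEAUTH", "to_ds": "OFF"}
BY_VALUE = {"frame_control": "0x00C0"}

if __name__ == "__main__":
    for name, raw in (("DEAUTH", DEAUTH), ("DEAUTH_RETRY", DEAUTH_RETRY),
                      ("DATA_FROM_AP", DATA_FROM_AP)):
        print(name, hex(decode_frame_control(raw)["frame_control"]),
              rule_matches(raw, BY_SUBTYPE), rule_matches(raw, BY_VALUE))
```

The practical point is the last two lines: the retransmitted deauthentication frame still matches the stype rule, but frame_control:0x00C0 misses it because the retry flag lives in the same 16-bit field being compared.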
2.5.12 duration_id
The duration_id option allows you to specify whether the rule applies to 802.11 frames that
either do or do not have a specific value in their Duration/ID field (the NAV reservation in
microseconds for most frames, or the association ID in PS-Poll frames).
Values may be specified in either hexadecimal or
decimal notation. An 802.11 frame's Duration/ID field is 16 bits wide, thus the minimum
value allowed is 0 and the maximum is 65535.
In addition, '!' may precede the argument to specify a
logical NOT operation on the comparison.
Format
duration_id:[!]<number>;
2.5.13 bssid
The bssid option allows you to specify whether the rule applies to 802.11 frames
that either do or do not have a specific BSSID. BSSIDs are specified as a 48-bit hexadecimal
number (i.e., 0x000000000000 to 0xFFFFFFFFFFFF). Which of the frame's address fields carries
the BSSID depends on the frame's To DS and From DS flags. In addition, '!' may precede the
argument to specify a logical NOT operation on the comparison.
Format
bssid:[!]0x00DEADBEEF00;
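The bssid and duration_id options compare against fields whose position in the frame is not obvious from the rule syntax. The following added Python example (not Snort-Wireless code) parses the fixed 802.11 MAC header of two constructed frames, locates the BSSID from the To DS / From DS flags according to the standard's address-field table, and applies the bssid:[!]0x... and duration_id:[!]<number> comparisons; it also exposes the sequence number, fragment number and fourth address that the seqnum, fragnum and addr4 keywords test. The AP and station addresses, the frames, and the helper names are this example's assumptions, and it is limited to management and data frames.

```python
"""Added example, not Snort-Wireless code: locating the fields tested by
duration_id, bssid, seqnum, fragnum and addr4 in a raw 802.11 MAC header.
Which address is the BSSID depends on To DS / From DS (IEEE 802.11):
    to_ds=0 from_ds=0  Addr1=DA     Addr2=SA     Addr3=BSSID
    to_ds=0 from_ds=1  Addr1=DA     Addr2=BSSID  Addr3=SA
    to_ds=1 from_ds=0  Addr1=BSSID  Addr2=SA     Addr3=DA
    to_ds=1 from_ds=1  Addr1=RA     Addr2=TA     Addr3=DA  Addr4=SA (no BSSID)
Control frames (RTS/CTS/ACK) have shorter headers and are not handled."""
import struct

AP = bytes.fromhex("00DEADBEEF00")       # the BSSID used in the text above
STA = bytes.fromhex("001122334455")      # a client station (constructed)
BROADCAST = bytes.fromhex("FFFFFFFFFFFF")


def mac_str(b):
    return ":".join("%02X" % x for x in b)


def parse_header(raw):
    """Decode the fixed MAC header fields of a management or data frame."""
    fc, duration = struct.unpack_from("<HH", raw, 0)
    to_ds, from_ds = bool((fc >> 8) & 1), bool((fc >> 9) & 1)
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    (seq_ctl,) = struct.unpack_from("<H", raw, 22)
    hdr = {"duration_id": duration, "to_ds": to_ds, "from_ds": from_ds,
           "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3),
           "fragnum": seq_ctl & 0xF, "seqnum": seq_ctl >> 4, "addr4": None}
    if to_ds and from_ds:                  # WDS frame carries a 4th address
        hdr["addr4"] = mac_str(raw[24:30])
    bssid = {(False, False): a3, (False, True): a2,
             (True, False): a1, (True, True): None}[(to_ds, from_ds)]
    hdr["bssid"] = mac_str(bssid) if bssid else None
    return hdr


def bssid_matches(hdr, arg):
    """bssid:[!]0x<48-bit hex>; compared against the BSSID located above."""
    negate = arg.startswith("!")
    want = int(arg.lstrip("!"), 16)
    have = int(hdr["bssid"].replace(":", ""), 16) if hdr["bssid"] else None
    return (have == want) != negate


def duration_id_matches(hdr, arg):
    """duration_id:[!]<number>; decimal or 0x-prefixed hexadecimal."""
    negate = arg.startswith("!")
    return (hdr["duration_id"] == int(arg.lstrip("!"), 0)) != negate


# Constructed deauthentication from the AP to the STA (to_ds=0, from_ds=0),
# so Addr3 is the BSSID; duration 314 us, seqnum 7, fragnum 0, reason code 7.
DEAUTH = (b"\xc0\x00" + struct.pack("<H", 314) + STA + AP + AP
          + struct.pack("<H", 7 << 4) + struct.pack("<H", 7))

# Constructed data frame from the STA towards the DS (to_ds=1): Addr1 is the
# BSSID, Addr2 the SA, Addr3 the DA; duration 44 us, seqnum 12, fragnum 1.
DATA_TO_DS = (b"\x08\x01" + struct.pack("<H", 44) + AP + STA + BROADCAST
              + struct.pack("<H", (12 << 4) | 1))

if __name__ == "__main__":
    for raw in (DEAUTH, DATA_TO_DS):
        h = parse_header(raw)
        print(h["bssid"], h["duration_id"], h["seqnum"], h["fragnum"],
              bssid_matches(h, "0x00DEADBEEF00"))
```

Note that a BSSID rule cannot match a four-address (WDS) frame at all, since that header carries no BSSID; a rule meant to cover bridged traffic needs addr4 or the plain address fields instead.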