Connecting to wifi networks


Brian Stoiber

Mar 29, 2017, 8:52:40 AM3/29/17
to security-onion
I am a student currently taking an intrusion detection class. Our class project is to build an IDS using Wireshark and SNORT (Sguil) on any version of Linux. Our professor said that if you want to push yourself, use Security Onion to do the project.

So far I have been able to dual boot my laptop, partition a drive, install SO and run Wireshark on ethernet. I am unable to connect to any wi-fi networks though. When I go to the Network Connections, I can add a wi-fi connection, but everything is grayed out. I know I am doing something wrong but not sure what.

Any help someone could offer would be greatly appreciated.

Shane Castle

Mar 29, 2017, 11:42:33 AM3/29/17
to securit...@googlegroups.com
Hi Brian,

Security Onion (SO) does not support direct sniffing on a wireless interface.
There are several reasons for this, and I won't go into those. But using VMware
or some other virtual host software, it's possible for SO to see the traffic
that is destined for or that is from the wireless interface.

Here is a link to the VMware walkthrough:
https://github.com/Security-Onion-Solutions/security-onion/wiki/VMWare-Walkthrough

My first exposure to IDS was building Snort and the various components to
support the old ACID alert display interface, which was replaced by BASE, and
then by SO. As you may be aware, SO is not just an IDS - it is a full network
security monitor (NSM), and when configured correctly can capture all of the
traffic it sees for review and analysis later. For your project, I recommend
staying with installing Snort, Mysql, and Sguil - you will learn a lot more
about how an IDS works that way, and it will look less like a black box that
spits out alerts.

OTOH, SO has lots of really cool tools for digging into network traffic, and the
Bro component is worth deep study all by itself. SO is really the "deep end" of
the IDS pool.

There is a package named Kismet that can sniff wireless traffic, and Wireshark
can do it as well. Kismet does not necessarily need your wireless interface to
be a client to an AP, but I'm pretty sure that, ordinarily, Wireshark does,
unless you have one of the special USB radios (Airshark, I think).

If you examine the various things that Kismet has to do you may see why SO does
not support wireless radios.

--
Best regards
Shane Castle

Brian Stoiber

Mar 29, 2017, 3:22:10 PM3/29/17
to security-onion
Thank you for the information. I think what you are referring to is an Alfa Wireless card. Right?

https://www.amazon.com/Alfa-Network-Wireless-802-11g-AWUS036H/dp/B000WXSO76

Kris Springer

Aug 1, 2017, 4:03:07 PM8/1/17
to security-onion
I know this post is a few months old, but I was looking for the same info recently, so I thought I'd add my results for others. Here's how I was able to get my wifi working.

------------------
Make sure the physical wifi switch is enabled, if there is one, such as on a laptop.

Make sure wifi isn't blocked in the system.
~$ sudo rfkill unblock all

Show the list of wifi devices and their connection status. Make a note of the wifi device name; it's probably wlan0.
~$ iwconfig

Edit the network config, then save it.
~$ sudo pico /etc/network/interfaces

[For dhcp]
auto wlan0
iface wlan0 inet dhcp
wpa-ssid blahblahname
wpa-psk blahblahkey

[For static]
auto wlan0
iface wlan0 inet static
wpa-ssid blahblahname
wpa-psk blahblahkey
address 192.168.1.234
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 192.168.1.1 8.8.8.8 8.8.4.4
dns-domain yourdomain.com

Reboot. Could just restart the network service, but rebooting proves it will work.
~$ sudo reboot

Check the connection status after the reboot.
~$ iwconfig

Test successful communication with a browser.
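The stanza Kris edits into /etc/network/interfaces stores the network's WPA key, so it is worth treating it like any other credential file. The script below is an added example and not part of the thread or of Security Onion: it writes a dhcp or static stanza of the same shape to a file you name, then audits that file for two things a defender cares about, a wpa-psk line that holds the raw passphrase rather than the 64-hex key `wpa_passphrase` derives from it (ifupdown accepts either), and a file mode that lets other local accounts read the key. The interface name, SSID, key and addresses are constructed sample values; the demo only touches a temporary directory, never /etc.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an ifupdown wifi stanza of
# the shape posted above and audits it before it is copied into
# /etc/network/interfaces. All names, keys and addresses are constructed samples.

# write_wifi_stanza IFACE SSID PSK OUTFILE [ADDRESS NETMASK GATEWAY]
# Writes a dhcp stanza, or a static one when address, netmask and gateway follow.
write_wifi_stanza() {
    iface="$1" ssid="$2" psk="$3" out="$4"
    if [ -n "$5" ]; then
        mode=static
    else
        mode=dhcp
    fi
    {
        printf 'auto %s\n' "$iface"
        printf 'iface %s inet %s\n' "$iface" "$mode"
        printf '    wpa-ssid %s\n' "$ssid"
        printf '    wpa-psk %s\n' "$psk"
        if [ "$mode" = static ]; then
            printf '    address %s\n    netmask %s\n    gateway %s\n' "$5" "$6" "$7"
        fi
    } > "$out"
    # The stanza carries the network secret, so keep it root-only from the start.
    chmod 600 "$out"
}

# audit_wifi_stanza FILE
# Prints each finding and returns their count (0 means clean).
#  - wpa-psk holds a raw passphrase instead of the 64-hex key that
#    `wpa_passphrase SSID PASSPHRASE` derives from it. The hex key still grants
#    access to that network, but it hides a human passphrase that may be reused.
#  - the file is readable by group or others, which hands the key to any local
#    account; this is the check that matters most.
audit_wifi_stanza() {
    f="$1" n=0
    psk=$(awk '$1 == "wpa-psk" { print $2 }' "$f")
    if ! printf '%s\n' "$psk" | grep -Eq '^[0-9a-fA-F]{64}$'; then
        echo "$f: wpa-psk is a plaintext passphrase; store the wpa_passphrase output instead"
        n=$((n + 1))
    fi
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "$f: readable by group/others; chmod 600 it"
        n=$((n + 1))
    fi
    return "$n"
}

# Demonstration on a temporary directory (nothing here touches /etc).
demo_dir=$(mktemp -d)
write_wifi_stanza wlan0 blahblahname blahblahkey "$demo_dir/dhcp.plain"
hex_key=$(printf '%064d' 0 | tr 0 a)   # stands in for wpa_passphrase output
write_wifi_stanza wlan0 blahblahname "$hex_key" "$demo_dir/static.hex" \
    192.168.1.234 255.255.255.0 192.168.1.1
for f in "$demo_dir"/*; do
    if audit_wifi_stanza "$f"; then echo "$f: clean"; fi
done
rm -rf "$demo_dir"
```

Run it as an ordinary user to see the plaintext stanza flagged and the hex one pass; when you are satisfied with a generated file, copy it into place as root and rerun `audit_wifi_stanza /etc/network/interfaces` after the reboot to confirm the mode survived.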