OSSIM Kismet Plugin
by nate on Jun.22, 2009, under OSSIM, Open Source Linux
by nate@bedkings.com and internet-goods.com
GNU GENERAL PUBLIC LICENSE
First release 0.1
6.22.2009
This plugin watches /var/log/kismet/kismet.log
It reports the four kismet ALERTs I have seen so far in the wild.
When it detects one it creates an OSSIM event.
Installing On Debian:
1) Load the kismet.sql files into your ossim database.
2) copy kismet.cfg to Agent Plugins Directory
3) edit kismet init file to work with your network card
4) edit kismet agent config.cfg to enable kismet plugin
add this to its own line:
kismet=/etc/ossim/agent/plugins/kismet.cfg
5) restart the ossim agent. Kismet should come online.
TODO:
The rest of the kismet ALERT types I haven't seen yet need to be codified into OSSIM events.
Someone send me logs of other kismet alerts than the four I've done so far.
Some sort of Network Access Point detection/storage.
A page to configure the kismet settings with php/form/dropdowns creating the configs for kismet wouldn't be bad either.
Code snippets:
/etc/ossim/agent/plugins# cat kismet.cfg
#http://www.ossim.net/dokuwiki/doku.php?id=documentation:agent
[DEFAULT]
plugin_id=9000
[config]
type=detector
enable=yes
process=kismet_server
start=yes ; launch plugin process when agent starts
stop=yes ; shutdown plugin process when agent stops
startup=/etc/init.d/kismet start
shutdown=/etc/init.d/kismet stop
source=log
location=/var/log/kismet/kismet.log
# create log file if it does not exist,
# otherwise stop processing this plugin
create_file=true
[Suspicious Client]
event_type=event
regexp='^ALERT\s+\S+\s+(?P
date={normalize_date($date)}
plugin_sid=1
[Out-of-sequence BSS timestamp]
event_type=event
regexp='^ALERT\s+\S+\s+(?P
date={normalize_date($date)}
plugin_sid=2
[Channel Change possible AP spoofing]
event_type=event
regexp='^ALERT\s+\S+\s+(?P
date={normalize_date($date)}
plugin_sid=3
[Data within seconds of disassociate]
event_type=event
regexp='^ALERT\s+\S+\s+(?P
date={normalize_date($date)}
plugin_sid=4
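To show what the four kismet.cfg sections above actually do when the agent tails kismet.log, here is an added example in Python; it is not the plugin's own code nor the OSSIM agent's. It mirrors the cfg's structure (one rule per section, the shared '^ALERT\s+\S+\s+(?P<date>...' prefix, a normalize_date step, plugin_id 9000 and plugin_sid 1 to 4) and, in addition, collects the ALERT lines no rule matched, which is exactly what the TODO list needs: the alert types still to be codified. The log layout ("ALERT <type> <ctime timestamp> <message>"), the alert type tokens, the message wording and the MAC field are all assumptions made for the constructed sample and may differ from real Kismet output.

```python
import re
from datetime import datetime

PLUGIN_ID = 9000  # plugin id used in kismet.cfg and the plugin table row

# Constructed sample of /var/log/kismet/kismet.log. The "ALERT <type> <ctime
# timestamp> <message>" layout, the alert type tokens and the message wording
# are assumptions for this example; real Kismet output may differ.
SAMPLE_LOG = """\
ALERT SUSPCLIENT Mon Jun 22 14:03:11 2009 Suspicious client 00:11:22:33:44:55 probing but never joining
ALERT BSSTIMESTAMP Mon Jun 22 14:05:40 2009 Out-of-sequence BSS timestamp on 00:AA:BB:CC:DD:EE
NETWORK Mon Jun 22 14:06:00 2009 00:AA:BB:CC:DD:EE HomeNet channel 6
ALERT CHANCHANGE Mon Jun 22 14:07:02 2009 Channel change possible AP spoofing 00:AA:BB:CC:DD:EE moved 6 to 11
ALERT NETSTUMBLER Mon Jun 22 14:08:15 2009 Netstumbler probe from 00:DE:AD:BE:EF:01
ALERT DISASSOCTRAFFIC Mon Jun 22 14:09:30 2009 Data within seconds of disassociate from 00:11:22:33:44:55
"""

# Shared prefix in the shape of the cfg rules: ALERT, one token, then the date group.
DATE_RE = r"(?P<date>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
MAC_RE = r"(?P<src_mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
PREFIX = r"^ALERT\s+\S+\s+" + DATE_RE + r"\s+"

# One rule per kismet.cfg section: (plugin_sid, section name, message pattern).
# The message patterns are assumptions matching the constructed sample above.
RULES = [
    (1, "Suspicious Client", r"Suspicious client\s+" + MAC_RE),
    (2, "Out-of-sequence BSS timestamp", r"Out-of-sequence BSS timestamp on\s+" + MAC_RE),
    (3, "Channel Change possible AP spoofing", r"Channel change possible AP spoofing\s+" + MAC_RE),
    (4, "Data within seconds of disassociate", r"Data within seconds of disassociate from\s+" + MAC_RE),
]
COMPILED = [(sid, name, re.compile(PREFIX + msg)) for sid, name, msg in RULES]


def normalize_date(raw):
    """Stand-in for the agent's normalize_date(): ctime-style stamp -> ISO text."""
    return datetime.strptime(raw, "%a %b %d %H:%M:%S %Y").strftime("%Y-%m-%d %H:%M:%S")


def parse_kismet_log(text):
    """Return (events, unmatched_alerts).

    events: one OSSIM-style event dict per ALERT line that a rule recognises.
    unmatched_alerts: ALERT lines no rule matched, i.e. the alert types that
    still need a cfg section and a plugin_sid row; review these to extend RULES.
    """
    events, unmatched = [], []
    for line in text.splitlines():
        if not line.startswith("ALERT"):
            continue  # NETWORK/CLIENT records are not alerts, skip them
        for sid, name, pattern in COMPILED:
            m = pattern.match(line)
            if m:
                events.append({
                    "plugin_id": PLUGIN_ID,
                    "plugin_sid": sid,
                    "name": name,
                    "date": normalize_date(m.group("date")),
                    "src_mac": m.group("src_mac").lower(),
                })
                break
        else:  # no rule matched this ALERT line
            unmatched.append(line)
    return events, unmatched


if __name__ == "__main__":
    evs, left = parse_kismet_log(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    for line in left:
        print("UNHANDLED:", line)
```

Running it against the sample yields four events with plugin_sid 1, 2, 3, 4 and one unhandled line (the constructed NETSTUMBLER alert); keeping that unhandled list visible is the cheapest way to discover which alert types your own deployment produces before writing the next cfg section.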
For now I have put together a quick /etc/init.d/kismet script for the plugin to use, something like this:
#!/bin/sh
# /etc/init.d/kismet: minimal start/stop wrapper the OSSIM agent calls via the
# startup= and shutdown= lines in kismet.cfg.
LOG=/var/log/kismet/kismet.log

# Function that starts the daemon/service.
d_start() {
##$DAEMON $OPTS
# Adjust the source (driver,interface,name) to your card (step 3 above).
# POSIX redirection of stdout and stderr; "&>" only works under bash.
/usr/bin/kismet_server -c rt2500,wlan0,pciwifi > "$LOG" 2>&1 &
}

# Function that stops the daemon/service.
d_stop() {
killall kismet_server
}

case "$1" in
start) d_start ;;
stop) d_stop ;;
restart) d_stop; sleep 1; d_start ;;
*) echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
Then, when ossim starts, so does the kismet plugin.
SQL for the plugins tables in OSSIM:
INSERT INTO plugin (id, type, name, description) VALUES (9000, 1, 'kismet', 'Kismet IDS');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9000, 2, NULL, NULL, 'Out-of-sequence BSS timestamp', 0, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9000, 1, NULL, NULL, 'Suspicious client', 0, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9000, 4, NULL, NULL, 'Data within seconds of disassociate', 0, 3);
-- sid 3 is the "Channel Change possible AP spoofing" section of kismet.cfg; without this row
-- events with plugin_sid=3 have no name in OSSIM. Priority/reliability mirror the other alerts.
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9000, 3, NULL, NULL, 'Channel Change possible AP spoofing', 0, 3);
add this line to /etc/ossim/agent/config.cfg
kismet=/etc/ossim/agent/plugins/kismet.cfg

