The Snort-Wireless project is an attempt to make a scalable (and free!) 802.11 intrusion detection system that is easily integratable into an IDS infrastructure. It is completely backwards compatible with Snort 2.0.x and adds several additional features. Currently it allows for 802.11 specific detection rules through the new "wifi" rule protocol, as well as rogue AP, AdHoc network, and Netstumbler detection. Many more new features are planned for future releases. Read on for more info.


11.07.2005 After receiving an email from a user asking about where wifi.rules went I figured out that I it got left out accidentally due to SourceFire removing rules from their distribution of Snort. I merged in their changes, so the for the rules dir ended up getting removed. Anyway, it's all fixed in the latest release now. The alpha04 files for Snort 2.4.3 have been updated.
10.25.2005 I just found a pretty good article on using Snort/Snort-Wireless with OpenWRT on Linksys APs called How To: Sniffing the Air over at Toms Networking by Derek Boiko-Weyrauch. I'm up past my bedtime :) so I've only skimmed it, but it looks like it provides a good overview of Snort and what Snort-Wireless adds, setting up OpenWRT, and attacks that Snort-Wireless can detect. Thanks for the article Derek!
10.21.2005 Well, it's been a while, but I've managed to merge all of the features in Sebastien's branch into the main one. Additionally I've updated the code to patch with Snort 2.4.3. In light of the recent announcement of the vulnerability in the "bo" preprocessor everyone should upgrade to the newest version.
05.13.2005 I've finished merging all changes from Snort 2.x to Snort 2.3.3 into Snort-Wireless. Surprised? I've even added another branch for Sebastien's patch since he added so many features. I'm going to work on merging those back into my main CVS branch, but for the time being I'll have both branches available for download. In addition I'll be merging in some of the database output patches that have been sent in.
Older news....


These patches are copyright © 2003-2005 Andrew Lockhart and others.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. See COPYING for more details.

If you're building from your own patched source you will need to run automake from the top-level of your source tree.

snort-wireless-2.4.3-alpha04.tar.gz (.sig) Snort 2.4.3 source tree pre-patched with Snort-Wireless alpha04 release (NOTE: no need to use --enable-wireless anymore)
snort-2.4.3-wireless-alpha04.patch.gz (.sig) Snort-Wireless alpha04 patch for Snort 2.4.3
snort-wireless-2.3.3-sgracia.tar.gz Snort 2.3.3 source tree pre-patched with code from Sebastien's branch (NOTE: run ./configure with the --enable-wireless switch)
snort-2.3.3-wireless-sgracia.patch.gz Patch against Snort 2.3.3 derived from Sebastien's patch for v2.1.1
snort-wireless-2.3.3-alpha03.tar.gz Snort 2.3.3 source tree pre-patched with main branch (NOTE: You should use Sebastien's branch for now)
snort-2.3.3-wireless-alpha03.patch.gz Alpha 03 patch against Snort 2.3.3 (NOTE: You should use Sebastien's branch for now)
snort-2.1.1-wireless-db-dwalther.patch.gz Patch against Sebastien's 2.1.1 patch to add DB output support by (©) Daniel Walther (See Daniel's tutorial)
snort-2.1.1-wireless-sgracia.patch.gz Patch against Snort 2.1.1 by (©) Sebastien Gracia (See README file) Win32 binary with Alpha01 patch and TZSP support provided by Network Chemistry for use with their Neutrino Sensor or WSP100 (See this for more info)


Snort-Wireless User's Guide Comprehensive documentation for Snort-Wireless features (Currently under Development)
README.snort-wirelessTentative documentation on added features

Test Configurations

Snort-Wireless should work on any platform that provides a compiler that supports anonymous structs/unions (gcc does and anything that conforms to C99 should as well) and should work with any wireless card/driver that supports DLT_IEEE802_11 or DLT_PRISM_HEADER. It's currently been tested on x86 Linux with the HostAP, AirJack, and MadWifi drivers. In addition it also works on the Linksys WRT54G access point.

Future Development

In the future expect to see these features:

  • More plugins for management frame bodies
  • Channel scanning for rogue APs and AdHocs
  • DoS attack detection (Auth flood to AP, Deauth flood to STA, etc...) - DONE
  • Sequence number based MAC spoof detection - DONE
  • Flexible response mechanisms (i.e., DoS netstumblers with thousands of fake APs, etc..)
  • WEP preprocessor - decrypted data frame bodies fed back into detection engine for layer 3 analysis
  • Better ACID support
  • Comments, Questions, etc.

    If you have any comments, bug reports, questions, or feature requests drop me a line and I'll try to get back to you ASAP. Also if you're interested in helping feel free to contact me.

    Copyright © 2003 - 2005 Andrew Lockhart
    Last modified: Mon Nov 7 23:20:30 MST 2005