OSSEC Kismet Rules
As part of a project I was asked to write some rules to allow OSSEC to monitor Kismet alerts. This is my first attempt at writing OSSEC rules and it is based heavily on this article I found from Mad Irish.
Please give feedback on these rules; this is my first attempt and I am happy to take comments on how I can improve them.
To go with these rules I also developed a script to convert a CSV file to a rule file. This makes it much easier to manage the rules, as they can be done in a spreadsheet and then converted to the XML file. Visit my OSSEC Rule Converter project for more information.
Download the rules and config files
Explanations
Add these lines to your ossec.conf file:
<!-- Monitor Kismet Alerts -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/kismet.alerts</location>
</localfile>
Here is the decoder. I would have preferred to use a more elegant regex, but with the limited regex support in OSSEC this is the best I could come up with that worked.
<!-- Custom decoder for Kismet -->
<decoder name="kismet">
  <prematch>^\w+\s+\w+\s+\d+\s+\d\d:\d\d:\d\d \d\d\d\d </prematch>
</decoder>
<decoder name="kismet-alert">
  <parent>kismet</parent>
  <regex offset="after_parent">(\w+) (\d+) (\.+) (\.+) (\.+) (\.+) (\.+)</regex>
  <order>action,data,data,data,data,data,data</order>
</decoder>
I won't include the full rule set here, but here is a sample. All the alerts in my file have alert level 10 because I currently don't know how the client wants to rate the different types of alerts, so I've just cranked everything up full and they can turn it down as they see fit. The descriptions are based on the descriptions found in the Kismet README file.
<group name="syslog,kismet,">
  <rule id="110000" level="0">
    <decoded_as>kismet</decoded_as>
    <description>Kismet Alerts.</description>
  </rule>
  <rule id="110001" level="10">
    <if_sid>110000</if_sid>
    <action>ADHOCCONFLICT</action>
    <description>Possible AP spoofing/impersonation</description>
  </rule>
  <rule id="110002" level="10">
    <if_sid>110000</if_sid>
    <action>AIRJACKSSID</action>
    <description>Airjack attack</description>
  </rule>
  <rule id="110003" level="10">
    <if_sid>110000</if_sid>
    <action>APSPOOF</action>
    <description>ARP Spoofing or conflicting APs</description>
  </rule>
</group>
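The spreadsheet-to-rule-file workflow mentioned earlier can be sketched as below. This is an added example, not the OSSEC Rule Converter project's code: the CSV column names (id, level, action, description) and the EXAMPLEALERT row are assumptions made for illustration, and the output follows the rule layout of the sample above.

```python
import csv
import io
from xml.sax.saxutils import escape

PARENT_SID = 110000  # parent rule id used in the sample rules on this page

# Constructed sample export; column names and the last row are assumptions.
SAMPLE_CSV = """id,level,action,description
110001,10,ADHOCCONFLICT,Possible AP spoofing/impersonation
110002,10,AIRJACKSSID,Airjack attack
110004,10,EXAMPLEALERT,Placeholder row with <markup> & ampersand
"""


def csv_to_rules(csv_text, parent_sid=PARENT_SID):
    """Return an OSSEC <group> of Kismet child rules built from CSV rows."""
    seen = set()
    out = ['<group name="syslog,kismet,">',
           f'  <rule id="{parent_sid}" level="0">',
           '    <decoded_as>kismet</decoded_as>',
           '    <description>Kismet Alerts.</description>',
           '  </rule>']
    # Data rows start on line 2 of the file; line 1 is the header.
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        rule_id, level = int(row["id"]), int(row["level"])
        action = row["action"].strip()
        if rule_id in seen or rule_id == parent_sid:
            raise ValueError(f"line {n}: duplicate rule id {rule_id}")
        if not 0 <= level <= 16:  # OSSEC alert levels run from 0 to 16
            raise ValueError(f"line {n}: level {level} out of range")
        if not (action.isascii() and action.isalnum()):
            # The alert name must be one token with no spaces or markup.
            raise ValueError(f"line {n}: bad alert name {action!r}")
        seen.add(rule_id)
        out += [f'  <rule id="{rule_id}" level="{level}">',
                f'    <if_sid>{parent_sid}</if_sid>',
                f'    <action>{action}</action>',
                # Escape &, < and > so a description cannot break the XML.
                f'    <description>{escape(row["description"])}</description>',
                '  </rule>']
    out.append('</group>')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(csv_to_rules(SAMPLE_CSV), end="")
```

Rejecting duplicate ids and out-of-range levels at conversion time catches spreadsheet mistakes before the file is loaded into OSSEC.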