Suricata Rule Request: Alert when a Wi-Fi Client enables Monitor / Promiscuous Mode
-
I am looking for a Suricata rule that would detect when a random Wi-Fi client connects to my AP and enables Monitor / Promiscuous Mode on their Wi-Fi card.
Assume I have a SPAN port with a copy of all my traffic being pumped to a 3rd NIC on pfSense.
Is this type of rule technically possible?
Thanks.
-
@ngr2001 And how do you think that would be detected? It's in listening mode. It doesn't send out traffic saying "hey, I am in monitor mode". When you're in monitor mode it's not even authed to your Wi-Fi.
It would be like trying to detect when someone turned on a radio. Does the radio station know when people are listening?
-
The rogue laptop would be connected / authenticated to the AP SSID; once connected, that same laptop would enable monitor mode to sniff traffic. I know we had a Snort rule for this at NJIT 25 years ago but I forget how we did it.
To your point, I don't care about the scenario where a Wi-Fi card is in monitor mode and not connected to the SSID.
-
Detecting a rogue device on your network is a bit different than detecting that they are in monitor mode or sniffing traffic.
You can set up all kinds of ways to get alerted when something auths to your network, or fails to auth, etc. But detecting that they went into monitor mode? Or other Wi-Fi devices in the area that some AP sees, etc., via the beacons an AP sends out or probe requests a client might send out.
Sounds like you don't actually understand what monitor mode is used for. Normally a client that is in monitor mode cannot auth to the Wi-Fi anyway while they are listening; multiple cards would be needed, etc. And if they put the card into promiscuous mode, again, how do you think you would detect that? They just pass all packets they see up the stack, vs. the ones with its own MAC on it. They don't send out info saying "hey, I am doing that".
You could detect beacons a Wi-Fi AP sends out, or a probe request a client sends out. This is how you would detect other Wi-Fi devices in your area. But I don't see how you would expect to know if some device that is authed to your network changed to promiscuous or that some device in your area is in monitor mode.
-
I'm looking for creative ideas here, for example the below was AI generated.
Alert: Detects excessive ARP activity (common in sniffing):
alert udp any any -> any any (msg:"Possible promiscuous mode sniffing";
content:"\x08\x06"; depth:2; sid:100003; rev:1;)
-
@ngr2001 said in Suricata Rule Request: Alert when a Wi-Fi Client enables Monitor / Promiscuous Mode:
Alert: Detects excessive ARP activity (common in sniffing):
And that is some AI hallucination - sniffing or doing packet captures does not send out any ARPs. Passively listening to traffic, especially in monitor mode and not on the Wi-Fi network anyway - how would it send out ARPs?
Why would a device need to ARP if it was just listening to traffic? It can see the MACs, it can see the IPs; there is little reason to ARP to find out what MAC belongs to what IP.
-
Assume the malicious actor is connected to the access point, i.e. they have the password already.
-
@ngr2001 again, that would be trying to detect malicious behavior - that would not be detecting someone in monitor mode or promiscuous mode.
If they are on your network, there are much easier ways to detect malicious behavior than listening for ARPs. You understand there are lots of ARPs going on all the time on every network. What level of ARP traffic would be considered malicious? 1 ARP a second, 10 ARPs a second, 100 ARPs a minute? 100 ARPs from the same device?
I would look for traffic to your specific services that is unexpected. Why is device A trying to SSH to my PC, or my router/switch? Why is it port scanning for anything listening on SQL, etc.?
-
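Added example (editor's note, not from any post in this thread): the kind of Suricata rules the advice above points at, watching for unexpected access to internal services and SYN bursts from a LAN host rather than trying to infer monitor or promiscuous mode from traffic. $HOME_NET is the standard Suricata address variable; $ADMIN_HOSTS is an assumed address group that would have to be defined in suricata.yaml under vars.address-groups; the sids, thresholds and message text are placeholder choices to tune for your own network.

```suricata
# Added example rules, not from the thread. Assumptions: $HOME_NET is your LAN
# (standard Suricata variable); $ADMIN_HOSTS is an address group you define in
# suricata.yaml (vars.address-groups) listing hosts allowed to administer things.
# sids in the 1000000+ range are the conventional local-rule range; thresholds
# are starting points to tune against your own baseline.

# 1. Any source that is not an admin workstation starts an SSH connection to
#    something inside. flags:S,12 matches a SYN while ignoring the two ECN bits,
#    so the rule fires on the attempt, not only on a completed session.
alert tcp !$ADMIN_HOSTS any -> $HOME_NET 22 (msg:"LOCAL SSH attempt to internal host from non-admin source"; flags:S,12; threshold:type limit, track by_src, count 1, seconds 300; classtype:attempted-admin; sid:1000001; rev:1;)

# 2. A LAN host probes common SQL service ports. Three SYNs to these ports from
#    one source within a minute is a recon pattern, not normal client behaviour.
alert tcp $HOME_NET any -> $HOME_NET [1433,3306,5432] (msg:"LOCAL internal host probing SQL service ports"; flags:S,12; threshold:type threshold, track by_src, count 3, seconds 60; classtype:attempted-recon; sid:1000002; rev:1;)

# 3. Generic internal port sweep: many SYNs from one LAN host in a short window.
#    Busy legitimate clients can trip this, so raise the count (or exclude
#    known chatty hosts) after watching a few days of normal traffic.
alert tcp $HOME_NET any -> $HOME_NET any (msg:"LOCAL possible internal port scan, SYN burst from one host"; flags:S,12; threshold:type threshold, track by_src, count 50, seconds 10; classtype:attempted-recon; sid:1000003; rev:1;)
```

One caveat for the SPAN setup described in the question: these rules only see what the switch copies to the monitoring NIC. Traffic between two wireless clients that the AP forwards locally over the radio never reaches the wired port, so a sniffer talking only to other Wi-Fi clients would not show up here; scans or service access aimed at wired hosts or the firewall will.
-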
I hear ya, and I do have that working already. I was just very curious if there were any creative ways to catch someone casually sniffing with Wireshark in promiscuous mode. To your point, as soon as they start ARP poisoning or scanning internal hosts I am going to catch them in seconds with my current setup and ruleset.