OSSEC Kismet Rules
As part of a project I was asked to write some rules to allow OSSEC to monitor Kismet alerts. This is my first attempt at writing OSSEC rules and it is based heavily on this article I found from Mad Irish.
Please give feedback on these rules, this is my first attempt and am happy to take comments on how I can improve them.
To go with these rules I also developed a script to convert a CSV file to a rule file, this makes it much easier to manage the rules as they can be done in a spreadsheet and then converted to the XML file. Visit my OSSEC Rule Converter project for more information.
Add this line to your ossec.conf file:
<!-- Monitor Kismet Alerts --> <localfile> <log_format>syslog</log_format> <location>/var/log/kismet.alerts</location> </localfile>
Here is the decoder, I would have preferred to use a more elegant regex but with the limited regex support in OSSEC this is the best I could come up with that worked.
<!-- Custom decoder for Kismet --> <decoder name="kismet"> <prematch>^\w+\s+\w+\s+\d+\s+\d\d:\d\d:\d\d \d\d\d\d </prematch> </decoder> <decoder name="kismet-alert"> <parent>kismet</parent> <regex offset="after_parent">(\w+) (\d+) (\.+) (\.+) (\.+) (\.+) (\.+)</regex> <order>action,data,data,data,data,data,data</order> </decoder>
And I won't include the full rule set here but here is a sample. All the alerts in my file have alert level 10, that is because I currently don't know how the client wants to rate the different types of alerts so I've just cranked everything up full and they can turn it down as they see fit. The descriptions are based on the descriptions found in the Kismet README file.
<group name="syslog,kismet,"> <rule id="110000" level="0"> <decoded_as>kismet</decoded_as> <description>Kismet Alerts.</description> </rule> <rule id="110001" level="10"> <if_sid>110000</if_sid> <action>ADHOCCONFLICT</action> <description>Possible AP spoofing/impersonation</description> </rule> <rule id="110002" level="10"> <if_sid>110000</if_sid> <action>AIRJACKSSID</action> <description>Airjack attack</description> </rule> <rule id="110003" level="10"> <if_sid>110000</if_sid> <action>APSPOOF</action> <description>ARP Spoofing or conflicting APs</description> </rule>