NetStumbler.org Forums

Old 09-07-2002   #1 (permalink)
DigitalMDX
Digital Stumbler
 
 
Join Date: Jul 2002
Location: Pacific Northwest
Posts: 236
AirSnare v. 0.5.7 is out.

Hi all...
Some people have been waiting for AirSnare... well, I can say it is out. I still think it's too early to release it, but hopefully by releasing it I will get some good feedback and suggestions.
AirSnare is an intrusion detection program for Windows.
You can read about it at:
The AirSnare Web Page

Install it, then edit the "trustedMAC.txt" file and enter all the MAC addresses of the devices on your network along with a short description of them, start AirSnare and have fun.
Go easy on me, like I said, I still think it's a bit early to release, but I've been stuck in a rut in developing this so I'm open to suggestions.
Thanks,
Jay
Old 09-07-2002   #2 (permalink)
blackwave
Do I look like I'm joking
 
 
Join Date: Apr 2002
Location: SoCal, OC
Posts: 4,507
Re: AirSnare v. 0.5.7 is out.

Quote:
Originally posted by DigitalMDX
Some people have been waiting for AirSnare... well, I can say it is out.
Thank you DigitalMDX! Too much super software, too little time!
__________________
-=BW=-
Old 09-07-2002   #3 (permalink)
Grey Wolf
Registered Member
 
 
Join Date: Apr 2002
Location: Cincinnati, Ohio
Posts: 345
Jay once again thanks for a great program!

1) Can I add or edit MAC address on the fly? Without stopping and restarting the program?

2) Would be great if the program could work with lowercase MAC addresses.

Grey
__________________
~the packets are out there~
waiting....
Old 09-07-2002   #4 (permalink)
DigitalMDX
Digital Stumbler
 
 
Join Date: Jul 2002
Location: Pacific Northwest
Posts: 236
Quote:
Originally posted by Grey Wolf
Jay once again thanks for a great program!
1) Can I add or edit MAC address on the fly? Without stopping and restarting the program?
2) Would be great if the program could work with lowercase MAC addresses.
Grey
1) No. You'll need to quit the program and restart. I might be able to have it reload by the Start/Stop button... I'll look into this.

2) What do you mean by lowercase MAC addresses? The ability to type lowercase into the trustedMAC.txt file or the ability to display lowercase MAC addresses in the Trusted MAC list?

Thanks,
Jay
Old 09-07-2002   #5 (permalink)
TheWatcher
Yep ...
 
 
Join Date: Jun 2002
Location: Wardriving.INFO
Posts: 344
Quote:
Originally posted by DigitalMDX


1) No. You'll need to quit the program and restart. I might be able to have it reload by the Start/Stop button... I'll look into this.

2) What do you mean by lowercase MAC addresses? The ability to type lowercase into the trustedMAC.txt file or the ability to display lowercase MAC addresses in the Trusted MAC list?

Thanks,
Jay
Jay,

you are superb ...
__________________
Wardriving.INFO - "wireless web portal"
Wireless Sniffers - we got them, let me know if I missed your tools.
Old 09-07-2002   #6 (permalink)
Grey Wolf
Registered Member
 
 
Join Date: Apr 2002
Location: Cincinnati, Ohio
Posts: 345
The ability to enter lowercase into the Trusted MAC list.

Also I have another question that you might know the answer to: in the Adapters list I have 1 network adapter that I actually have listed, and about 7 NdisWan Adapters listed. The NdisWan Adapters only seem to appear in your programs (or I don't know where to find them) and they don't seem to do anything.

There doesn't seem to be a way to copy info from the watch list to a text file. Any chance that you could copy this to a log file? And add a time stamp to it?

Thanks
Grey
__________________
~the packets are out there~
waiting....
Old 09-07-2002   #7 (permalink)
DigitalMDX
Digital Stumbler
 
 
Join Date: Jul 2002
Location: Pacific Northwest
Posts: 236
AirSnare v.0.5.8 is available

Quote:
Originally posted by Grey Wolf
The ability to enter lowercase into the Trusted MAC list.
... There doesn't seem to be a way to copy info from the watch list to a text file. Any chance that you could copy this to a log file? And add a time stamp to it? Thanks Grey
I don't know why all those show up... I know one of my laptops has about 6 or more, and that's about the number of different cards I've tried in it over time... but not sure why they show up or why they don't go away. But... someone must know...

version 0.5.8 is posted.
1) Allows lowercase MAC addresses
2) Timestamps entries in the Watch List
3) Has a button to write watch list to a text file
4) Pressing the Stop button then Start again, loads the TrustedMAC.txt file "on the fly"
... I think that's everything...
Thanks,
Jay
Old 09-07-2002   #8 (permalink)
blackwave
Do I look like I'm joking
 
 
Join Date: Apr 2002
Location: SoCal, OC
Posts: 4,507
Re: AirSnare v.0.5.8 is available

Quote:
Originally posted by DigitalMDX
version 0.5.8 is posted.
Thanks for the quick turnaround! Thanks for the suggestions Grey Wolf, I wish I had time to play with it. *blackwave quickly tries to finish off a few things in other projects...
__________________
-=BW=-
Old 09-08-2002   #9 (permalink)
Grey Wolf
Registered Member
 
 
Join Date: Apr 2002
Location: Cincinnati, Ohio
Posts: 345
Differences in AirSnare and NSSpyglass

Ok perhaps I'm missing something here, but I think I like NSSpyGlass best.

If I have a MAC address set up to watch, I seem to see all activity from the address, but nothing to it.

Any chance you could add a feature to watch an address, or better yet, an option to watch all activity between two addresses? Thanks for giving us the logging feature, but I was thinking of the program automatically writing to the log file. Kind of where I could give it a list of addresses to watch, and it would auto log to a file on each event. Also would be great if I could select where it wrote to. From a security standpoint, I like to be able to install AirSnare in whatever directory I wanted using whatever name I want, and not have a log file in the same location. For that matter, I'd just as soon not have an ini file with it either. No point in making things easy for the kids. Also this seems like a great program to set up to call another like you did for NSSpyglass. Perhaps I would like to be paged on an event, and have my X-10 light come on.

Also I miss the DHCP feature from NSSpyglass. Where it would show all DHCP requests. Perhaps that will be a third program, but for me, I find the DHCP requests the most useful of it all. I guess I'm looking for a utility that will let me look into the *Normal* background activity that is always going on in my network. My guess is I'm more likely to be hit with a trojan or a backdoor than an unauthorized machine on my network.

As to the trusted list, any way that it could be modified so that it included a time period, So that Machine 1 was trusted between 8:00 am to 12:01PM but not from 12:02 to 12:58pm and was trusted again from 1:00pm till 6:00pm then untrusted 6:01 pm till 8:00 am? I think that kind of trusting would be way more useful. Where you could say on this day from this point to that point it will be trusted, but not on the weekend, or perhaps on this day.

Great Job!
Grey
__________________
~the packets are out there~
waiting....
Old 09-08-2002   #10 (permalink)
DigitalMDX
Digital Stumbler
 
 
Join Date: Jul 2002
Location: Pacific Northwest
Posts: 236
Re: Differences in AirSnare and NSSpyglass

Quote:
Originally posted by Grey Wolf
If I have a MAC address set up to watch, I seem to see all activity from the address, but nothing to it.
Yes, this is true... This is an intrusion detection program, not a machine monitor program. We are concerned with where the unfriendly MAC address is going and what he is up to, not really with what his buddy is replying back to him with AOL instant messenger. This could change, however it would be more burden on the program to track this also.
Quote:
Any chance you could add a feature to watch an address, or better yet, an option to watch all activity between two addresses?
hmmm... would you accept putting AirSnare into one of two modes? like, AirSnare mode... would work the way it does now, watches for ALL unfriendly MAC addresses and AirMonitor Mode, where it would watch the activity to and from a SINGLE MAC address? I might be able to do something like that...
Quote:
Thanks for giving us the logging feature, but I was thinking of the program automatically writing to the log file.
OK, I can do this but if you're not around and this thing is running over the weekend it could fill up fast, do you want a limit on the log size also? Also, I will consider the ability to save the log to a different directory.
Quote:
Also this seems like a great program to set up to call another like you did for NSSpyglass...<edited> like an X-10 light
That could be done, but the problem is *what* do you trigger the event on? This isn't looking for a specific packet (like the NetStumbler detection), it's looking at everything within a TCP and UDP packet, the event would be firing constantly.
Quote:
Also I miss the DHCP feature from NSSpyglass...
It shows DHCP requests for all unfriendly MAC addresses... do you want 1) to show ALL DHCP requests from both friendly and unfriendly? or 2) option to sound a WAV file on a DHCP request and if so from who? Friendly or unfriendly?
Quote:
I'm looking for a utility that will let me look into the *Normal* background activity that is always going on... ... ... My guess is I'm more likely to be hit with a trojan or a backdoor than an unauthorized machine on my network.
Any good antivirus program will protect you from this, just make sure the autoupdate is working and you should be fine.
Quote:
As to the trusted list, any way that it could be modified so that it included a time period, So that Machine 1 was trusted between 8:00 am to 12:01PM but not from 12:02 to 12:58pm and was again trusted from 1:00<snip>
Wow... could you explain why? Even if nobody is on that machine and it is just sitting there without ANY visible programs running there will still be network traffic to and from that machine, this is normal. This would also trigger an alert if it was 'untrusted'.
Wow... this was long... let me know what you think and I'll see what I can do...
Thanks,
Jay

Last edited by DigitalMDX : 09-08-2002 at 02:33 PM.
Old 09-08-2002   #11 (permalink)
WitchDr
Registered Member
 
Join Date: Apr 2002
Posts: 46
This is cool!

Now I just need to find a place to set this up to capture some activity. My neighborhood just isn't that active. However my jobsite is right downtown....How does one convince the VP to allow an access point to be installed?
Old 09-08-2002   #12 (permalink)
blackwave
Do I look like I'm joking
 
 
Join Date: Apr 2002
Location: SoCal, OC
Posts: 4,507
Re: This is cool!

Quote:
Originally posted by WitchDr
How does one convince the VP to allow an access point to be installed?
... actually most ppl don't even ask, and most of the time it is the vp installing out of the box aps anyhow... you could just be another statistic
__________________
-=BW=-
Old 09-08-2002   #13 (permalink)
Grey Wolf
Registered Member
 
 
Join Date: Apr 2002
Location: Cincinnati, Ohio
Posts: 345
Re: Re: Differences in AirSnare and NSSpyglass

Quote:
Originally posted by DigitalMDX

Yes, this is true... This is an intrusion detection program, not a machine monitor program. We are concerned with where the unfriendly MAC address is going and what he is up to, not really with what his buddy is replying back to him with AOL instant messenger. This could change, however it would be more burden on the program to track this also.
Hmmm... I think knowing who or what is on the other end might be useful, in evaluating what is happening, the degree of threat it poses.

Quote:
hmmm... would you accept putting AirSnare into one of two modes? like, AirSnare mode... would work the way it does now, watches for ALL unfriendly MAC addresses and AirMonitor Mode, where it would watch the activity to and from a SINGLE MAC address? I might be able to do something like that...
I don't think I would want to give up the AirSnare mode. Is it really that hard to watch traffic in both directions?

Quote:
OK, I can do this but if you're not around and this thing is running over the weekend it could fill up fast, do you want a limit on the log size also? Also, I will consider the ability to save the log to a different directory.
That could be done, but the problem is *what* do you trigger the event on? This isn't looking for a specific packet (like the NetStumbler detection), it's looking at everything within a TCP and UDP packet, the event would be firing constantly.
If you could limit the log size that would be good, would it be possible to set it up so that it is saving the most recent, and trashing the oldest?

As to what should trigger it, I was thinking, when the screen turns red, it triggers, and doesn't go off again until the screen is reset.

Quote:
It shows DHCP requests for all unfriendly MAC addresses... do you want 1) to show ALL DHCP requests from both friendly and unfriendly? or 2) option to sound a WAV file on a DHCP request and if so from who? Friendly or unfriendly?
I would like to see as an option for all DHCP requests from both friendly and unfriendly MAC addresses. With the option to play a sound file on friendly DHCP requests, and a different sound file on unfriendly requests. So we could see unfriendly requests only, and play a warning. Or unfriendly & friendly with two different sound files.

Quote:
Wow... could you explain why? Even if nobody is on that machine and it is just sitting there without ANY visible programs running there will still be network traffic to and from that machine, this is normal. This would also trigger an alert if it was 'untrusted'.
Perhaps this is due to the corporation where I worked and how I was brought up. But I'm of the old school where if you're not using the PC, turn it off. So after hours it should not be on, and not be generating traffic. If it is, something is wrong. In the home environment, perhaps the kids are allowed to use the computer till 9 or 10 pm, after that it should be off.

As always thanks for the great program.
Grey
__________________
~the packets are out there~
waiting....
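An added sketch of the behaviour discussed in the thread up to this point: case-insensitive matching against the trusted MAC list, trust limited to time windows, and an alert that fires once and stays quiet until reset. It is not AirSnare's code; the trusted-list line layout, the function and class names, and the sample addresses and timestamps are constructed for this example.

```python
import re
from datetime import datetime, time

# Constructed trusted list. The "MAC  description  [HH:MM-HH:MM,...]" layout is an
# assumption for this example; the thread does not show trustedMAC.txt's format.
TRUSTED_TXT = """\
02:aa:bb:cc:00:01  office-desktop  08:00-12:01,13:00-18:00
02-AA-BB-CC-00-02  file-server
"""

def normalize_mac(raw):
    """Canonical form: 12 uppercase hex digits, separators removed."""
    digits = re.sub(r"[-:.]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits.upper()

def parse_trusted(text):
    """Return {mac: (description, windows)}; no windows means always trusted."""
    trusted = {}
    for fields in filter(None, map(str.split, text.splitlines())):
        windows = []
        for span in fields[2].split(",") if len(fields) > 2 else []:
            start, end = span.split("-")
            windows.append((time.fromisoformat(start), time.fromisoformat(end)))
        trusted[normalize_mac(fields[0])] = (" ".join(fields[1:2]), windows)
    return trusted

def is_trusted(trusted, mac, when):
    entry = trusted.get(normalize_mac(mac))
    if entry is None:
        return False  # not on the list at all
    return not entry[1] or any(s <= when.time() <= e for s, e in entry[1])

class Monitor:
    """Alert once per offending MAC, then stay latched until reset()."""
    def __init__(self, trusted):
        self.trusted, self.latched = trusted, set()
    def observe(self, when, src_mac):
        mac = normalize_mac(src_mac)
        if mac in self.latched or is_trusted(self.trusted, mac, when):
            return None
        self.latched.add(mac)
        return f"{when.isoformat()} ALERT untrusted source {mac}"
    def reset(self):
        self.latched.clear()

# Constructed observations: (timestamp, source MAC as captured).
FRAMES = [
    ("2002-09-09T09:15:00", "02:AA:BB:CC:00:01"),  # inside first window
    ("2002-09-09T12:30:00", "02:aa:bb:cc:00:01"),  # in the midday gap: alert
    ("2002-09-09T12:31:00", "02:AA:BB:CC:00:01"),  # latched, no repeat alert
    ("2002-09-09T23:00:00", "02:aa:bb:cc:00:02"),  # no windows: always trusted
    ("2002-09-09T23:05:00", "02:de:ad:00:00:99"),  # not listed: alert
]

def run(frames=FRAMES):
    mon = Monitor(parse_trusted(TRUSTED_TXT))
    return [m for ts, mac in frames if (m := mon.observe(datetime.fromisoformat(ts), mac))]
```

Because every address is normalized before comparison, the case and separator style used in the list file and on the wire never affect the match.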
Old 09-09-2002   #14 (permalink)
WitchDr
Registered Member
 
Join Date: Apr 2002
Posts: 46
We're getting audited continually so I can imagine he's going to be a bit nervous. All we need is some asswipe auditor saying he found a wide open AP.....of course it'd be nice to say "Yeah, and here is your MAC address and where you went"
Old 09-09-2002   #15 (permalink)
Grey Wolf
Registered Member
 
 
Join Date: Apr 2002
Location: Cincinnati, Ohio
Posts: 345
Re: This is cool!

Quote:
Originally posted by WitchDr
Now I just need to find a place to set this up to capture some activity. My neighborhood just isn't that active. However my jobsite is right downtown....How does one convince the VP to allow an access point to be installed?
WitchDr. AirSnare doesn't need an AP it will work with a wired LAN. And NSSpyglass doesn't need an AP that is part of the LAN. Does that help? Granted you'll get more interesting results if it is, but they both will work the other way too.

You want to play with NSSpyglass? Set up an AP, give it the name of your company or another close by. Set it up to pass out DHCP addresses, and sit back and wait. Someone will be by sooner or later. If he is like me, all he will want to know is that you exist, and where you are. If he's not happy with that, well it will take him a bit to find out your AP doesn't connect to anything.

Want to run NSSpyglass in just DHCP mode, seems like you don't really need an AP, I can set it up to run off of my Cisco router. Ok I will not detect stumbler that way, but I can see DHCP requests that way. Which will get me a list of MAC addresses.

Hmm Jay it seems to me, that it would be nice to start up AirSnare, and have the ability to add the MAC addresses it finds to the friendly list. With a count option. So that I know my approved list has 5 devices or 17, or a 100 devices. That could save a lot of time. I would bet that a lot of shops will not have a list of MAC addresses. They might know that all of their NICs are 3Com, or some other brand. But I would bet that people running in DHCP server mode know a lot less about their equipment, than say people running in static mode.

Grey
__________________
~the packets are out there~
waiting....