Version: 1.1.x

Network Monitoring

To monitor your networks for common attacks, nzyme has to understand the expected state of your networks. The 802_11_networks section in your nzyme configuration file configures it.

Adding monitored networks

The example configuration file of nzyme comes with an 802_11_networks section that looks like this:

    802_11_networks: [
      {
        ssid: mywifinetwork
        channels: [1,2,3,4,5,6,7,8,9,10,11,12,13]
        security: [WPA2-PSK-CCMP]
        beacon_rate: 40
        bssids: [
          {
            address: "f0:9f:c2:dd:18:f6"
            fingerprints: [ 8ba95bfb6207749c01479235017a76b15ad63c387fd0bcc74593388f81326ca0 ]
          }
        ]
      }
    ]

Note that it is an array. You can configure as many monitored networks as you wish.

To understand the configuration, let's take a look at every available variable:

ssid

The name of the network.

channels

A list of channels that your network operates on. If you don't know, run nzyme for a while and use the networks list to see which channels are in use. Note that some access points switch between channels dynamically, based on channel utilization: they try to use a channel with less traffic to optimize performance.

If you enabled the UNEXPECTED_CHANNEL alert, nzyme will trigger an alert when this network is advertised on a channel not included in this list.

See also Channel Hopping.

security

The expected security settings of this network. You can copy and paste the security string displayed on the networks page if you are unsure what exact security settings your network is using.

Examples:

  • NONE (does not require a password to join, open network)
  • WPA2-PSK-CCMP (by far the most common)
  • WPA1-EAM-TKIP

It's absolutely OK to simply copy the security string from the networks page but if you want to learn more about what it means, here is a short explanation:

It is split up into three parts, separated by a dash. The first part is the mode and describes whether WPA1 or WPA2 is in use.

The second part is the key management mode and describes how the key (password) is distributed. It can be either PSK (pre-shared key, also called WPA-Personal) or EAM (extensible authentication protocol, also called WPA-Enterprise, and often used with RADIUS servers for authentication).

The third part is the encryption protocol and can be set to either TKIP (used by WPA1) or CCMP (based on AES and significantly stronger than TKIP).

If you enabled the CRYPTO_CHANGE alert, nzyme will trigger an alert when this network is advertised with different security settings.

beacon_rate

Access points advertise their networks using beacon frames. Many attacks on your wireless infrastructure increase that beacon rate, even when they perfectly spoof other aspects of the network.

In many environments, the beacon rate will be fairly steady. Configure this setting to a value just above the maximum beacon rate you see on the details page of your network. An alert will be triggered by nzyme if the BEACON_RATE_ANOMALY alert is enabled and the recorded beacon rate exceeds the configured beacon rate threshold.

It is a good idea to let nzyme run for a while to see a longer history of the beacon rate on your network detail page. This way you get a good feeling for what the threshold should be set to.

If you have a network that dynamically adapts beacon rate, it is a good idea to disable the BEACON_RATE_ANOMALY alert to avoid false positives.

bssids

A list of access points serving this network. An access point definition looks like this:

    {
      address: "f0:9f:c2:dd:18:f6"
      fingerprints: [ 8ba95bfb6207749c01479235017a76b15ad63c387fd0bcc74593388f81326ca0 ]
    }

The address is the BSSID (think of it as the MAC address) of the access point. The list of fingerprints must contain every fingerprint this access point will create.

Some access points might create multiple fingerprints in nzyme. You can find the fingerprints of your access points on the network detail page. Learn more about it in the fingerprinting documentation.

The fingerprints configuration is an array (it uses the [ ] brackets). Multiple fingerprints can be configured like this:

    {
      address: "f0:9f:c2:dd:18:f6"
      fingerprints: [
        8ba95bfb6207749c01479235017a76b15ad63c387fd0bcc74593388f81326ca0
        a965d037684c9c47dfe17a6051d52059a2ac0e3c0991ff8b1e49e2892a63d4c6
      ]
    }
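As an added example (not nzyme's own code), here is the comparison described on this page written out in Python: an observed beacon is checked against a constructed mirror of the page's 802_11_networks entry, and the security string is split into the three parts explained above. The observation record format and the alert names UNEXPECTED_BSSID and UNEXPECTED_FINGERPRINT are assumptions; the other alert names are the ones used on this page.

```python
import re

# The three-part security string explained on this page (or NONE for open networks).
SECURITY_RE = re.compile(r"^(?:NONE|(WPA1|WPA2)-(PSK|EAM)-(TKIP|CCMP))$")

# Constructed mirror of the page's example configuration (values taken from the
# page's 802_11_networks snippet; not parsed from the HOCON file).
FP = "8ba95bfb6207749c01479235017a76b15ad63c387fd0bcc74593388f81326ca0"
EXPECTED = {"mywifinetwork": {
    "channels": set(range(1, 14)), "security": {"WPA2-PSK-CCMP"},
    "beacon_rate": 40, "bssids": {"f0:9f:c2:dd:18:f6": {FP}}}}

# Constructed beacon observations: one legitimate, one from a rogue AP that
# copies SSID and BSSID but not the fingerprint, crypto settings or beacon rate.
OBSERVATIONS = [
    {"ssid": "mywifinetwork", "bssid": "f0:9f:c2:dd:18:f6", "channel": 6,
     "security": "WPA2-PSK-CCMP", "beacon_rate": 35, "fingerprint": FP},
    {"ssid": "mywifinetwork", "bssid": "f0:9f:c2:dd:18:f6", "channel": 6,
     "security": "NONE", "beacon_rate": 120, "fingerprint": "00" * 32},
]

def parse_security(s):
    """Split a security string into mode, key management and cipher; None if malformed."""
    m = SECURITY_RE.match(s)
    if m is None:
        return None
    return {"mode": m.group(1), "key_mgmt": m.group(2), "cipher": m.group(3)}

def check_observation(expected, obs):
    """Alert names for one observed beacon (UNEXPECTED_BSSID and
    UNEXPECTED_FINGERPRINT are assumed names for the bssids-based alerts)."""
    net = expected.get(obs["ssid"])
    if net is None:
        return []  # not a monitored network, nothing to compare against
    alerts = []
    if obs["channel"] not in net["channels"]:
        alerts.append("UNEXPECTED_CHANNEL")
    if obs["security"] not in net["security"]:
        alerts.append("CRYPTO_CHANGE")
    if obs["beacon_rate"] > net["beacon_rate"]:
        alerts.append("BEACON_RATE_ANOMALY")
    fps = net["bssids"].get(obs["bssid"])
    if fps is None:
        alerts.append("UNEXPECTED_BSSID")
    elif obs["fingerprint"] not in fps:
        alerts.append("UNEXPECTED_FINGERPRINT")
    return alerts

def run(expected=EXPECTED, observations=OBSERVATIONS):
    return [check_observation(expected, o) for o in observations]
```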

Nzyme will trigger the following alerts based on this list of access points: