WIDS Fundamentals

A Wireless Intrusion Detection System (WIDS) monitors the RF spectrum for unauthorized access points and wireless attack signatures. Unlike a standard WiFi access point, a WIDS sensor is in monitor mode — listening to all WiFi traffic in the area, not just traffic addressed to it.

Signature vs Behavioral Detection

Signature-Based Detection

WIDS maintains a database of known attack signatures — specific frame patterns, SSIDs, and device fingerprints. When it sees a match, it alerts. This is fast and accurate for known attacks but cannot detect novel attack patterns.

Signature examples:

- SSID: "Free_WiFi" (known honeypot SSID)

- BSSID: DE:AD:BE:EF:00:01 not in approved AP list

- Frame: Deauth flood (>10 deauth/second from same source)

- Frame: Auth flood (>5 auth requests/second)

Behavioral Detection

Behavioral detection looks for anomalies relative to a baseline. It doesn't know what attacks look like — it knows what normal looks like and alerts when behavior deviates.

Behavioral anomalies:

- AP appears with same SSID as authorized AP but different BSSID

- AP broadcasts on channel used by legitimate AP (possible channel overlap attack)

- Client connects to AP that is not the nearest authorized AP (suspicious RSSI)

- Sudden spike in probe requests (KARMA attack in progress)

The best WIDS solutions use both signature and behavioral detection. Signature detection catches known attacks quickly with low false positive rates. Behavioral detection catches novel attacks that signatures haven't seen yet.
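As an added example (not code from the page or from any WIDS product), the signature and behavioral rules above expressed as a small Python detector over already-parsed frame records. The approved-AP inventory, MAC addresses and frame records are constructed; the capture and 802.11 parsing step is assumed to be done by a monitor-mode tool upstream.

```python
from collections import defaultdict, deque

# Constructed approved-AP inventory (example values): SSID -> authorized BSSIDs.
APPROVED_APS = {"ACME_Corporate_WiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"}}
APPROVED_BSSIDS = set().union(*APPROVED_APS.values())
# Signature thresholds from the text: >10 deauth/s from one source, >5 auth requests/s.
FLOOD_LIMITS = {"deauth": 10, "auth": 5}

def detect(frames):
    """Apply the page's rules to parsed frame dicts (t, subtype, src, ssid, bssid).
    Returns (rule, subject, detail) tuples, at most one per offending AP or source."""
    alerts, flagged = [], set()
    windows = defaultdict(deque)  # (subtype, src) -> timestamps within the last second
    for f in frames:
        if f["subtype"] == "beacon":
            key = ("ap", f["bssid"])
            if key in flagged or f["bssid"] in APPROVED_BSSIDS:
                continue
            flagged.add(key)
            if f["ssid"] in APPROVED_APS:
                # Behavioral rule: our SSID from a BSSID we do not own (evil twin).
                alerts.append(("evil_twin", f["ssid"], f["bssid"]))
            else:
                # Signature rule: BSSID not in the approved AP list.
                alerts.append(("unapproved_bssid", f["ssid"], f["bssid"]))
        elif f["subtype"] in FLOOD_LIMITS:
            key = (f["subtype"], f["src"])
            w = windows[key]
            w.append(f["t"])
            while f["t"] - w[0] > 1.0:  # slide the 1-second window forward
                w.popleft()
            if len(w) > FLOOD_LIMITS[f["subtype"]] and key not in flagged:
                flagged.add(key)
                alerts.append((f["subtype"] + "_flood", f["src"], len(w)))
    return alerts

def beacon(t, ssid, bssid):
    return {"t": t, "subtype": "beacon", "src": bssid, "ssid": ssid, "bssid": bssid}

def sample_frames():
    """Constructed capture: good beacon, evil twin, stray AP, 12 deauth in 0.55 s, 4 auth in 0.8 s."""
    frames = [beacon(0.0, "ACME_Corporate_WiFi", "00:11:22:33:44:55"),
              beacon(0.1, "ACME_Corporate_WiFi", "AA:BB:CC:DD:EE:FF"),
              beacon(0.2, "Free_WiFi", "DE:AD:BE:EF:00:01")]
    frames += [{"t": 1.0 + 0.05 * i, "subtype": "deauth", "src": "AA:BB:CC:DD:EE:FF"}
               for i in range(12)]
    frames += [{"t": 2.0 + 0.2 * i, "subtype": "auth", "src": "C0:FF:EE:00:00:01"}
               for i in range(4)]
    return frames
```

Running `detect(sample_frames())` yields one evil-twin alert, one unapproved-BSSID alert and one deauth-flood alert; the four auth requests stay under the threshold and produce nothing.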

Commercial Solutions

| Product | Vendor | Type | Notes |
|---|---|---|---|
| AirMagnet Enterprise | NetAlly | Dedicated WIDS | Industry standard, dedicated sensors + controller |
| Wireless IPS (WIPS) | Cisco Meraki | Cloud-managed WIDS | Integrated into Meraki APs, no extra hardware |
| Aruba ClearPass | HP Aruba | WIDS + NAC | Combines wireless detection with network access control |
| Extreme AirDefense | Extreme Networks | Dedicated WIDS | Strong in large campus deployments |
| Watcher | Ladybug | IDS/IPS | Software-based, Linux, lower cost |

Open Source: Kismet

Kismet is the most powerful open-source wireless detector and intrusion detection system. It runs on Linux with monitor-mode adapters and can:

- Detect access points, clients, and attacks passively
- Classify devices and SSIDs
- Alert on known rogue AP patterns
- Log all packets for forensic analysis
- Integrate with SIEM systems via syslog

$ sudo kismet -i wlan1mon

[Kismet 2024-04-R1]
[Log file: /var/log/kismet/Kismet-20260407-14-00-00-1.log]
[Connected to Kismet server]

[ALERT] Rogue AP Detected:
  SSID: "ACME_Corporate_WiFi"
  BSSID: AA:BB:CC:DD:EE:FF
  Channel: 6
  Encryption: WPA2
  GPS: 25.2048, 55.2708 (Dubai, UAE)
  Signal: -42 dBm
  NOTE: This SSID is NOT in the approved AP list!

[Investigate immediately — potential Evil Twin]