Snorting the WRT54G

Snort on the WRT54G

When I heard that the Linksys WRT54G was running Linux, and that people on Seattle Wireless had figured out how to upload software to it, I had to give it a try. So I went out and bought one. The WRT54G is one of those inexpensive combination 802.11 access point, router and switch boxes that they sell by the pallet at CompUSA and Best Buy. What makes this device more interesting than the rest is that it runs Linux. For around $100 it makes an interesting little device to experiment with. It has a 125 MHz MIPS processor and 16 MB of RAM, and it runs kernel version 2.4.5. A powerful little box.

I followed the steps on Seattle Wireless and was able to get a shell with basic tools, but I was looking for more. A friend suggested that Snort might be an interesting addition to the box. Running Snort on the box would allow some level of intrusion detection and alerting inside the access point itself, which seemed like a useful addition to the stock capabilities. I'm still experimenting with what makes sense to do in a device like this, and I'm a Snort novice. This page lists the steps I took to make Snort run, in the hope that someone else will find it helpful.

My system is running firmware version 1.30.7, dated July 8, 2003. The ability to upload software to the box relies on a Linksys bug in the firmware's ping utility that lets you run commands on the box. Newer firmware versions may fix this bug and prevent uploading new software.

Note that the modifications I've made to my box are not persistent. Although people have figured out how to upload new firmware, there are still issues that can turn the box into a $100 doorstop. Therefore I chose to make my changes only on the RAM disk. If I screw anything up, I just hit the reset button and the box is back to normal. The downside is that I lose my changes on a power cycle.

The WRT54G appears to be based on a Broadcom reference design. Several other access points from different manufacturers also appear to be based on this design, so the steps listed here may be relevant on other boxes. Your mileage may vary...

The first step in getting new software on the box is to set up a build environment. The processor on the box is a MIPS, so I needed to build a cross-compiler. I found a nice script that automated a gcc build on my Mandrake system. I configured the script for MIPS, fired it up, and several hours later I had a toolchain. While experimenting with it, I found that for some packages I needed to set the CC environment variable, for others aliasing gcc to the cross-compiler worked, and sometimes I needed to modify Makefiles by hand. But one way or another, I always got it to work.

Next I downloaded version 2.0.1 of Snort and version 0.7.2 of libpcap, which Snort needs. I configured libpcap like so: "./configure --host=mips --with-pcap=linux" (configure also accepts the single-dash spelling -host). I modified the Makefile to point to my new compiler and did a simple "make".

Then I configured Snort like so: "./configure --host=mips --with-libpcap-libraries=$PCAP --with-libpcap-includes=$PCAP", where PCAP pointed to the directory where I built libpcap. I futzed with the Makefile a bit to make sure it pointed to the correct cross-compilation tools and to do a static link, so the binary would not depend on whatever libraries the router happens to have. Once I got it set, it built without problem and I had a statically linked Snort binary. I stripped the result using the strip from my cross-compilation tree to cut the size down, and I was ready to go.

Using the tools and methods available here, I moved the binary over to the system, telnetted in and fired it up. Success! My tests show that Snort runs fine and it doesn't seem to consume much CPU. My main limitation seems to be RAM: I can't load too many rules without exhausting the available memory. In addition, since I've been logging alerts to the box's own RAM disk, each log entry consumes a bit more memory.
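As an added example (not code from the original page), here is a shell script that does the libpcap and Snort cross-builds described above by setting the tools in the environment rather than editing Makefiles, and then reads the ELF header of the result to confirm it really is a big-endian MIPS binary before it gets copied to the router. That check matters because a Makefile that ignores $CC silently produces a host binary, and the failure only shows up after the upload. The toolchain prefix mips-linux-, its location /opt/mips-linux, the source tree locations, and the use of LDFLAGS=-static to get the static link are assumptions, not details from the page. The fake_elf_header function writes constructed 20-byte ELF headers as test data so the check can be exercised without a toolchain.

```shell
#!/bin/sh
# Added example, not from the original page. Cross-build libpcap and Snort
# for the WRT54G, then verify the output is a big-endian MIPS ELF.
# Assumed (not on the page): mips-linux- prefixed tools under $CROSS_ROOT,
# source trees under $PCAP and $SNORT, LDFLAGS=-static for the static link.
set -e

CROSS_ROOT=${CROSS_ROOT:-/opt/mips-linux}   # assumed toolchain location
CROSS=${CROSS:-mips-linux-}                 # assumed tool name prefix
PCAP=${PCAP:-$PWD/libpcap-0.7.2}
SNORT=${SNORT:-$PWD/snort-2.0.1}

# Hand the cross tools to configure/make through the environment.
export PATH="$CROSS_ROOT/bin:$PATH"
export CC="${CROSS}gcc" AR="${CROSS}ar" RANLIB="${CROSS}ranlib" STRIP="${CROSS}strip"

build_pcap() {
    ( cd "$PCAP" && ./configure --host=mips --with-pcap=linux && make )
}

build_snort() {
    ( cd "$SNORT" && LDFLAGS=-static ./configure --host=mips \
          --with-libpcap-libraries="$PCAP" --with-libpcap-includes="$PCAP" \
      && make && "$STRIP" src/snort )    # snort's build puts the binary in src/
}

# Print the ELF e_machine value of FILE in decimal (8 = MIPS, 3 = x86),
# honouring the byte order declared in e_ident[EI_DATA] (offset 5).
# Prints -1 if FILE does not start with the ELF magic.
elf_machine() {
    f=$1
    set -- $(od -An -tu1 -N4 "$f")
    if [ "$1$2$3$4" != "127697670" ]; then echo -1; return 0; fi
    data=$(od -An -tu1 -j5 -N1 "$f" | tr -d ' ')
    set -- $(od -An -tu1 -j18 -N2 "$f")
    if [ "$data" = 2 ]; then echo $(( $1 * 256 + $2 )); else echo $(( $2 * 256 + $1 )); fi
}

# The WRT54G's Broadcom SoC is big-endian MIPS; succeed only for that.
check_mips_be() {
    f=$1
    [ "$(elf_machine "$f")" = 8 ] || { echo "$f: not a MIPS binary" >&2; return 1; }
    [ "$(od -An -tu1 -j5 -N1 "$f" | tr -d ' ')" = 2 ] \
        || { echo "$f: little-endian MIPS, the router is big-endian" >&2; return 1; }
    echo "$f: big-endian MIPS, OK"
}

# Emit one raw byte from its decimal value.
byte() { printf "\\$(printf '%03o' "$1")"; }

# Constructed test data: a minimal 20-byte ELF header (ident, e_type, e_machine)
# written to $1, with EI_DATA=$2 (1 little-endian, 2 big-endian) and e_machine=$3.
fake_elf_header() {
    {
        printf '\177ELF\001'; byte "$2"; printf '\001'
        i=0; while [ $i -lt 9 ]; do byte 0; i=$((i+1)); done   # pad ident to 16 bytes
        if [ "$2" = 2 ]; then
            byte 0; byte 2; byte $(( $3 / 256 )); byte $(( $3 % 256 ))
        else
            byte 2; byte 0; byte $(( $3 % 256 )); byte $(( $3 / 256 ))
        fi
    } > "$1"
}

# Self-contained demonstration on constructed headers: one accepted, one rejected.
demo() {
    d=${TMPDIR:-/tmp}
    fake_elf_header "$d/fake-mips-be.$$" 2 8
    fake_elf_header "$d/fake-x86.$$" 1 3
    check_mips_be "$d/fake-mips-be.$$"
    check_mips_be "$d/fake-x86.$$" || echo "rejected as expected"
    rm -f "$d/fake-mips-be.$$" "$d/fake-x86.$$"
}

case "${1:-demo}" in
    build) build_pcap && build_snort && check_mips_be "$SNORT/src/snort" ;;
    demo)  demo ;;
esac
```

Run it with no arguments to see the check work on the constructed headers, and with `build` (after adjusting the assumed paths and prefix) to do the real cross-build and check the stripped src/snort before copying it to the router. The check reads only the ELF identification bytes and e_machine, so it works on a host without `file` or a cross readelf.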

Update: 09/21/2003. I've been experimenting a bit more, with some success. I've been able to run with a number of intrusion detection rules and log to an NFS-mounted drive. I now have a remote-logging capable syslog daemon on the box, so I really should be using that for logging instead. I've also found that the UPnP daemon on the box generates false alarms, so I've turned off that rule.

At this point, I'm still not sure what it makes sense to do on the box, but I'll continue to experiment. If anyone has any suggestions or comments contact me, Jim Buzbee, at jbuzbee@nyx.net

If you'd like to try out my version of Snort on your WRT54G, it's available here.
If you would like more, try my wrt54g linux distribution

Other ideas for the box:
  • A VPN end-point. Forget about WEP, make your wireless connections really secure. There's been some progress with VPN. My distribution now has a VPN daemon included.
  • A NoCatNet wireless portal. It's been done
  • ???


Check out my wrt54g linux distribution


Jim Buzbee, September 21 2003