Fingerprint is not recognized #534

Closed
crs369 opened this issue Sep 19, 2021 · 8 comments
Comments

crs369 commented Sep 19, 2021

Hello,

I'm getting the following alert:


SSID [myipng] was advertised by a device with unexpected fingerprint [278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff]
First seen: 2021-09-19T13:25:48+02:00 (32 minutes ago)
Last seen: 2021-09-19T13:27:29+02:00 (31 minutes ago)

Meta Information
bssid: fc:ec:da:4f:81:01
ssid: myipng
bandit_fingerprint: 278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
channel: 44
frequency: 5220
antenna_signal: -62

Frames: 2
Subsystem: DOT_11
Alert Type ID: UNEXPECTED_FINGERPRINT_BEACON

The nzyme.conf looks like this:

802_11_networks: [
  {
    ssid: myipng
    channels: [1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128]
    security: [WPA2-PSK-CCMP]
    beacon_rate: 40
    bssids: [
      {
        address: "fc:ec:da:4f:f1:12"
        fingerprints: [
          0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
          1ca4cbab1ed76b3d19065ba8776fa98c5f436f2ad8b9d804d17b59bdd95db22b
          278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
          3d16696d1adb775745422a7d63f2a847d6599d3605c3af3d022d4ba09b0c8c3d
          4db22a8f5b77336956b8af0fccd30b72cf660904d3ef058d0691bea3dda06b60
          633c97332d33c7d3c8e4ed59d628f8a95364c8482ca651174849cbc159935657
          6dd6b742ebb05073b5ec6f04d763e28b14d1fa2f62198a802d209bdac84d1367
          74f990206b3b3e39622947c5a4b24ed2406061e3e2d85f211ddce3a47c294c51
          90b303404d1bb7dfcc73095655f6f9822dcbc2ac04eb61004c41d660ac838cf4
          a9916fe621b95ef512c75884ee1f0714de39f52ac8e54abd0c397c344d071e1d
          aac6df6031b4318dc091184362af6e04865009ccdffd85b1d92db3ce56f6a6a6
          c3e7bb86fdafcf0c3856f6bf7450a1c86cebca227f9507a243db03155f11c8b8
          e4691ca420980a11d10c3d25f40dcecb1a99519a5e45c7ff83bb2daccc8d7c4d
          faf5c66307132df81ef3b5568161d7250d2baee004297e03d3c1d351d89211c9
        ]
      }
      {
        address: "fc:ec:da:4f:f1:13"
        fingerprints: [
          0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
          1ca4cbab1ed76b3d19065ba8776fa98c5f436f2ad8b9d804d17b59bdd95db22b
          278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
          3d16696d1adb775745422a7d63f2a847d6599d3605c3af3d022d4ba09b0c8c3d
          4db22a8f5b77336956b8af0fccd30b72cf660904d3ef058d0691bea3dda06b60
          633c97332d33c7d3c8e4ed59d628f8a95364c8482ca651174849cbc159935657
          6dd6b742ebb05073b5ec6f04d763e28b14d1fa2f62198a802d209bdac84d1367
          74f990206b3b3e39622947c5a4b24ed2406061e3e2d85f211ddce3a47c294c51
          90b303404d1bb7dfcc73095655f6f9822dcbc2ac04eb61004c41d660ac838cf4
          a9916fe621b95ef512c75884ee1f0714de39f52ac8e54abd0c397c344d071e1d
          aac6df6031b4318dc091184362af6e04865009ccdffd85b1d92db3ce56f6a6a6
          c3e7bb86fdafcf0c3856f6bf7450a1c86cebca227f9507a243db03155f11c8b8
          e4691ca420980a11d10c3d25f40dcecb1a99519a5e45c7ff83bb2daccc8d7c4d
          faf5c66307132df81ef3b5568161d7250d2baee004297e03d3c1d351d89211c9
        ]
      }
      {
        address: "fc:ec:da:4f:81:00"
        fingerprints: [
          0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
          1ca4cbab1ed76b3d19065ba8776fa98c5f436f2ad8b9d804d17b59bdd95db22b
          278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
          3d16696d1adb775745422a7d63f2a847d6599d3605c3af3d022d4ba09b0c8c3d
          4db22a8f5b77336956b8af0fccd30b72cf660904d3ef058d0691bea3dda06b60
          633c97332d33c7d3c8e4ed59d628f8a95364c8482ca651174849cbc159935657
          6dd6b742ebb05073b5ec6f04d763e28b14d1fa2f62198a802d209bdac84d1367
          74f990206b3b3e39622947c5a4b24ed2406061e3e2d85f211ddce3a47c294c51
          90b303404d1bb7dfcc73095655f6f9822dcbc2ac04eb61004c41d660ac838cf4
          a9916fe621b95ef512c75884ee1f0714de39f52ac8e54abd0c397c344d071e1d
          aac6df6031b4318dc091184362af6e04865009ccdffd85b1d92db3ce56f6a6a6
          c3e7bb86fdafcf0c3856f6bf7450a1c86cebca227f9507a243db03155f11c8b8
          e4691ca420980a11d10c3d25f40dcecb1a99519a5e45c7ff83bb2daccc8d7c4d
          faf5c66307132df81ef3b5568161d7250d2baee004297e03d3c1d351d89211c9
        ]
      }
      {
        address: "fc:ec:da:4f:81:01"
        fingerprints: [
          0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
          1ca4cbab1ed76b3d19065ba8776fa98c5f436f2ad8b9d804d17b59bdd95db22b
          278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
          3d16696d1adb775745422a7d63f2a847d6599d3605c3af3d022d4ba09b0c8c3d
          4db22a8f5b77336956b8af0fccd30b72cf660904d3ef058d0691bea3dda06b60
          633c97332d33c7d3c8e4ed59d628f8a95364c8482ca651174849cbc159935657
          6dd6b742ebb05073b5ec6f04d763e28b14d1fa2f62198a802d209bdac84d1367
          74f990206b3b3e39622947c5a4b24ed2406061e3e2d85f211ddce3a47c294c51
          90b303404d1bb7dfcc73095655f6f9822dcbc2ac04eb61004c41d660ac838cf4
          a9916fe621b95ef512c75884ee1f0714de39f52ac8e54abd0c397c344d071e1d
          aac6df6031b4318dc091184362af6e04865009ccdffd85b1d92db3ce56f6a6a6
          c3e7bb86fdafcf0c3856f6bf7450a1c86cebca227f9507a243db03155f11c8b8
          e4691ca420980a11d10c3d25f40dcecb1a99519a5e45c7ff83bb2daccc8d7c4d
          faf5c66307132df81ef3b5568161d7250d2baee004297e03d3c1d351d89211c9
        ]
      }
    ]
  }
  {
    ssid: myipng_guest
    channels: [1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128]
    security: [WPA2-PSK-CCMP]
    beacon_rate: 40
    bssids: [
      {
        address: "fe:ec:da:1f:f1:12"
        fingerprints: [
          0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
          1ca4cbab1ed76b3d19065ba8776fa98c5f436f2ad8b9d804d17b59bdd95db22b
          278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
          3d16696d1adb775745422a7d63f2a847d6599d3605c3af3d022d4ba09b0c8c3d
          4db22a8f5b77336956b8af0fccd30b72cf660904d3ef058d0691bea3dda06b60
          633c97332d33c7d3c8e4ed59d628f8a95364c8482ca651174849cbc159935657
          6dd6b742ebb05073b5ec6f04d763e28b14d1fa2f62198a802d209bdac84d1367
          74f990206b3b3e39622947c5a4b24ed2406061e3e2d85f211ddce3a47c294c51
          90b303404d1bb7dfcc73095655f6f9822dcbc2ac04eb61004c41d660ac838cf4
          a9916fe621b95ef512c75884ee1f0714de39f52ac8e54abd0c397c344d071e1d
          aac6df6031b4318dc091184362af6e04865009ccdffd85b1d92db3ce56f6a6a6
          c3e7bb86fdafcf0c3856f6bf7450a1c86cebca227f9507a243db03155f11c8b8
          e4691ca420980a11d10c3d25f40dcecb1a99519a5e45c7ff83bb2daccc8d7c4d
          faf5c66307132df81ef3b5568161d7250d2baee004297e03d3c1d351d89211c9
        ]
      }
      {
        address: "fc:ec:da:1f:f1:13"
        fingerprints: [
          0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
          1ca4cbab1ed76b3d19065ba8776fa98c5f436f2ad8b9d804d17b59bdd95db22b
          278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
          3d16696d1adb775745422a7d63f2a847d6599d3605c3af3d022d4ba09b0c8c3d
          4db22a8f5b77336956b8af0fccd30b72cf660904d3ef058d0691bea3dda06b60
          633c97332d33c7d3c8e4ed59d628f8a95364c8482ca651174849cbc159935657
          6dd6b742ebb05073b5ec6f04d763e28b14d1fa2f62198a802d209bdac84d1367
          74f990206b3b3e39622947c5a4b24ed2406061e3e2d85f211ddce3a47c294c51
          90b303404d1bb7dfcc73095655f6f9822dcbc2ac04eb61004c41d660ac838cf4
          a9916fe621b95ef512c75884ee1f0714de39f52ac8e54abd0c397c344d071e1d
          aac6df6031b4318dc091184362af6e04865009ccdffd85b1d92db3ce56f6a6a6
          c3e7bb86fdafcf0c3856f6bf7450a1c86cebca227f9507a243db03155f11c8b8
          e4691ca420980a11d10c3d25f40dcecb1a99519a5e45c7ff83bb2daccc8d7c4d
          faf5c66307132df81ef3b5568161d7250d2baee004297e03d3c1d351d89211c9
        ]
      }
      {
        address: "fe:ec:da:1f:81:00"
        fingerprints: [
          0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
          1ca4cbab1ed76b3d19065ba8776fa98c5f436f2ad8b9d804d17b59bdd95db22b
          278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
          3d16696d1adb775745422a7d63f2a847d6599d3605c3af3d022d4ba09b0c8c3d
          4db22a8f5b77336956b8af0fccd30b72cf660904d3ef058d0691bea3dda06b60
          633c97332d33c7d3c8e4ed59d628f8a95364c8482ca651174849cbc159935657
          6dd6b742ebb05073b5ec6f04d763e28b14d1fa2f62198a802d209bdac84d1367
          74f990206b3b3e39622947c5a4b24ed2406061e3e2d85f211ddce3a47c294c51
          90b303404d1bb7dfcc73095655f6f9822dcbc2ac04eb61004c41d660ac838cf4
          a9916fe621b95ef512c75884ee1f0714de39f52ac8e54abd0c397c344d071e1d
          aac6df6031b4318dc091184362af6e04865009ccdffd85b1d92db3ce56f6a6a6
          c3e7bb86fdafcf0c3856f6bf7450a1c86cebca227f9507a243db03155f11c8b8
          e4691ca420980a11d10c3d25f40dcecb1a99519a5e45c7ff83bb2daccc8d7c4d
          faf5c66307132df81ef3b5568161d7250d2baee004297e03d3c1d351d89211c9
        ]
      }
      {
        address: "fe:ec:da:1f:81:01"
        fingerprints: [
          0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
          1ca4cbab1ed76b3d19065ba8776fa98c5f436f2ad8b9d804d17b59bdd95db22b
          278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
          3d16696d1adb775745422a7d63f2a847d6599d3605c3af3d022d4ba09b0c8c3d
          4db22a8f5b77336956b8af0fccd30b72cf660904d3ef058d0691bea3dda06b60
          633c97332d33c7d3c8e4ed59d628f8a95364c8482ca651174849cbc159935657
          6dd6b742ebb05073b5ec6f04d763e28b14d1fa2f62198a802d209bdac84d1367
          74f990206b3b3e39622947c5a4b24ed2406061e3e2d85f211ddce3a47c294c51
          90b303404d1bb7dfcc73095655f6f9822dcbc2ac04eb61004c41d660ac838cf4
          a9916fe621b95ef512c75884ee1f0714de39f52ac8e54abd0c397c344d071e1d
          aac6df6031b4318dc091184362af6e04865009ccdffd85b1d92db3ce56f6a6a6
          c3e7bb86fdafcf0c3856f6bf7450a1c86cebca227f9507a243db03155f11c8b8
          e4691ca420980a11d10c3d25f40dcecb1a99519a5e45c7ff83bb2daccc8d7c4d
          faf5c66307132df81ef3b5568161d7250d2baee004297e03d3c1d351d89211c9
        ]
      }
    ]
  }
]

The fingerprint "278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff" on myipng with fc:ec:da:4f:81:01 is correctly (?) defined.

Does somebody see the problem, or is something wrong with the parsing of the nzyme.conf?

Something else that I see: when I click on the link for the BSSID in Alerts, I see only 1 or 2 fingerprints and not all 14?!

Thanks
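
A way to answer the question in the post above mechanically, as an added example that is not part of the original post and not nzyme's own code: it reads the `802_11_networks` block and classifies an alert's (ssid, bssid, bandit_fingerprint) tuple against it. The function names and result labels are hypothetical, and the parser handles only the layout shown in the posted config, not full HOCON.

```python
import re

# Constructed sample in the layout shown in the issue (one BSSID, two
# fingerprints taken from the posted config); not the reporter's full file.
SAMPLE_CONF = '''
802_11_networks: [
  {
    ssid: myipng
    bssids: [
      {
        address: "fc:ec:da:4f:81:01"
        fingerprints: [
          0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
          278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
        ]
      }
    ]
  }
]
'''

BSSID_RE = re.compile(r'address:\s*"?([0-9A-Fa-f:]{17})"?\s*fingerprints:\s*\[([^\]]*)\]')

def load_allowlist(conf_text):
    """Return {ssid: {bssid: set(fingerprints)}} for the layout above (not full HOCON)."""
    nets = {}
    for chunk in re.split(r'\bssid:\s*', conf_text)[1:]:
        ssid = chunk.split()[0].strip('"')
        entry = nets.setdefault(ssid, {})
        for mac, body in BSSID_RE.findall(chunk):
            entry.setdefault(mac.lower(), set()).update(
                fp.lower() for fp in re.findall(r'\b[0-9A-Fa-f]{64}\b', body))
    return nets

def triage(nets, ssid, bssid, fingerprint):
    """Classify one alert's (ssid, bssid, bandit_fingerprint) against the config."""
    bssid, fingerprint = bssid.lower(), fingerprint.lower()
    if ssid not in nets:
        return "ssid-not-monitored"
    if bssid not in nets[ssid]:
        return "bssid-not-listed"
    if fingerprint not in nets[ssid][bssid]:
        return "fingerprint-not-listed"
    # The file on disk already allows this tuple: compare the alert's age with
    # the config change and check that the running process loaded this file.
    return "allowed-by-config"
```

Run against the real file with `load_allowlist(open(path).read())`, where `path` is wherever your nzyme.conf lives.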

prasket commented Sep 29, 2021

I am also getting this issue after a recent update. Out of all of my SSIDs and fingerprints, 2 are throwing alerts even though I have the correct info in the nzyme.conf file.

@lennartkoopmann
Member

Did you add the fingerprint after the alert was triggered? Alerts do not "clean up" after a configuration change.

Author

crs369 commented Oct 10, 2021

I'm not sure in what direction your answer goes.

I'm using the above configuration and enable it with "sudo systemctl restart nzyme", and after that the alerts trigger. And I think that must not happen because the fingerprint is correctly defined.

@lennartkoopmann
Member

That's weird. It appears like you are doing everything right. I'll look into it.

Quas7 commented Oct 20, 2021

Not sure if this helps, but I switched to "systemctl stop nzyme" and "systemctl start nzyme" to get new fingerprints in. A "restart" did not do the update for me at least once.

Author

crs369 commented Oct 22, 2021

I gave it a try, but it makes no sense. The command "systemctl restart nzyme" starts and stops the service. I checked it in the process list. After the command the "nzyme-Process" has a new PID.

At least I don't get any message with the fingerprint already defined until now, but I don't think the problem is gone.

Because of problem #510 it is very hard to track down. I have 80 alerts in two days that I must check.

Sorry, nzyme is not usable for me at the moment. I have read in the forum that you want to modify the calculation of the fingerprint - possibly that solves the problem for me. I am also getting a lot of messages in the log with "Malformed 802.11 tagged parameters"

If there were a possibility to see in the log which parameters are used for the fingerprint, I could check more.

Quas7 commented Oct 23, 2021

I have the same issue with growing fingerprints on my Fritz AP + repeater network.
Over 30 fingerprints per network (main and guest wifi) and AP+Repeater (4x ~30 fingerprints) and it is still growing fast. Would be great to have a click+collect interface instead of copy&paste to the config. ;D

I deactivated the fingerprint and crypto_change alerts for now, but as I also see unexpected SSID beacons with random single-character names ("j", "^", "L", ...), I am assuming there might be just incomplete frames or noise involved, as I have ~16 wifi networks channel hopping around me here.
Or I am under attack? ;)

EDIT: just noticed that all new fingerprints are 1 Frame events as well.

@lennartkoopmann
Member

This will be improved with the new v2.0.0 architecture.
