Inspiration

Rogue access point attacks require nothing more than a $5 device and basic knowledge, yet most organizations have no detection in place. We wanted to make the threat tangible and prove that detection doesn't have to be expensive.

What it does

REEF simulates and detects evil twin rogue AP attacks in real time. An ESP32 honeypot spoofs a trusted WiFi network and captures victim metadata through a convincing captive portal. That data streams through a Python bridge into Snort IDS and a Splunk SIEM dashboard, alerting security teams the moment an attack is detected.

How we built it

We built a full hardware-to-SIEM pipeline. The ESP32 runs custom captive portal firmware that broadcasts a spoofed SSID. A Python serial bridge reads JSON telemetry from the ESP32 over USB and appends it to a log file, which Snort monitors for rule-based detection and Splunk ingests for real-time visualization.
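The serial bridge is the stage that turns raw device output into something Snort rules and Splunk can consume. The following is an added illustration of that stage, not REEF's own code: it assumes the ESP32 emits one JSON object per line with event, client and ssid fields (field names are assumptions), validates each line before logging it, and uses a constructed list of lines in place of a pyserial handle so it runs offline.

```python
import json
import time

# Assumed schema (an assumption, not from the project page): one JSON object per serial line.
REQUIRED_FIELDS = {"event", "client", "ssid"}
MAX_LINE_BYTES = 512  # drop oversized lines so a misbehaving device cannot bloat the log

def normalize(raw_line, now=None):
    """Validate one serial line; return a SIEM-ready dict, or None if it is unusable."""
    if len(raw_line) > MAX_LINE_BYTES:
        return None
    try:
        msg = json.loads(raw_line)
    except ValueError:  # JSONDecodeError, e.g. framing garbage after a device reset
        return None
    if not isinstance(msg, dict) or not REQUIRED_FIELDS.issubset(msg):
        return None
    return {
        "ts": now if now is not None else time.time(),
        "source": "esp32-honeypot",
        "event": str(msg["event"]),
        "client_mac": str(msg["client"]).lower(),  # consistent case for rule matching
        "ssid": str(msg["ssid"]),
        "rssi": msg.get("rssi"),
    }

def build_records(lines, now=None):
    """Return one JSON string per valid line (newline-delimited JSON for SIEM ingestion)."""
    records = []
    for line in lines:
        rec = normalize(line.strip(), now)
        if rec is not None:
            records.append(json.dumps(rec, sort_keys=True))
    return records

def bridge(lines, log_path, now=None):
    """Append records to the log file Snort and Splunk watch; return (kept, dropped)."""
    lines = list(lines)
    records = build_records(lines, now)
    with open(log_path, "a", encoding="utf-8") as log:
        log.writelines(r + "\n" for r in records)
    return len(records), len(lines) - len(records)

# Constructed sample input standing in for serial.Serial(...).readline() output.
SAMPLE_LINES = [
    '{"event":"probe","client":"AA:BB:CC:DD:EE:01","ssid":"CorpWiFi","rssi":-48}',
    '{"event":"assoc","client":"AA:BB:CC:DD:EE:01","ssid":"CorpWiFi","rssi":-47}',
    "garbage from a reset ESP32\x00",
    '{"event":"portal_hit","client":"AA:BB:CC:DD:EE:02"}',  # no ssid: dropped
]
```

Running `bridge(SAMPLE_LINES, "reef_telemetry.log")` keeps the two well-formed events and drops the reset garbage and the incomplete record, so downstream rules only ever see complete, consistently cased fields.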

What we learned

We learned how rogue AP attacks actually work at the hardware level, how to write Snort detection rules, and how to structure log data for SIEM ingestion.
