Another interesting observation regarding Disassociation flood wireless IDS alarms:
When a wireless client goes out of range of an AP, is that it is not uncommon for a burst of 64 disassociation frames to be sent in order to ensure that the client/AP are no longer associated.
However, the threshold in the WLC's IDS signature file is 50. It is unclear why this value was chosen by the developers. However, at Cisco's recommendation, we have adjusted the signature file to a value of FREQ=80 (instead of 50) for the following alarms:
Disassociation, Deauth Flood, and Bcast Deauth
This has resulted in fewer false alarms (except for Bcast deaut which is the result of the WLC alarming on its own containment messages - see previous thread!).
Additional Note: When making changes to the IDS signature file, it would appear that a REBOOT ended up being necessary in our case in order to get the WLCs to recognize the changes to the IDS signature file. When we merely upgraded the signature file, it did not make a difference.
Also, it would appear that the name of the signature file is important (since the parsing of the file does not take place unless a specific file name is given).