Disassoc flood - false alarms - IDS signature file needs adjustment

Unanswered Question

Another interesting observation regarding Disassociation flood wireless IDS alarms:

When a wireless client goes out of range of an AP, it is not uncommon for a burst of 64 disassociation frames to be sent in order to ensure that the client/AP are no longer associated.

However, the threshold in the WLC's IDS signature file is 50. It is unclear why this value was chosen by the developers. However, at Cisco's recommendation, we have adjusted the signature file to a value of FREQ=80 (instead of 50) for the following alarms:

Disassociation, Deauth Flood, and Bcast Deauth

This has resulted in fewer false alarms (except for Bcast deauth, which is the result of the WLC alarming on its own containment messages - see previous thread!).

Additional Note: When making changes to the IDS signature file, it would appear that a REBOOT ended up being necessary in our case in order to get the WLCs to recognize the changes to the IDS signature file. When we merely upgraded the signature file, it did not make a difference.

Also, it would appear that the name of the signature file is important (since the parsing of the file does not take place unless a specific file name is given).

- John
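An added worked example (not from this thread, and not Cisco's code) of why the FREQ threshold matters: it parses constructed signature lines carrying only the FREQ field the post discusses (the other fields and the 1-second counting window are assumptions, not the real WLC file format) and counts how many alarms a 64-frame roaming burst raises at FREQ=50 versus FREQ=80.

```python
import re
from collections import deque

# Constructed signature lines modelled on the FREQ= parameter the thread
# discusses; the surrounding fields are an assumption, not the real file.
SIGNATURES = """
Name="Disassoc flood", FrmType=mgmt, Freq=50, Action=report
Name="Deauth flood", FrmType=mgmt, Freq=50, Action=report
"""

def parse_signatures(text):
    """Return {name: freq_threshold} from comma-separated Key=Value lines."""
    sigs = {}
    for line in text.strip().splitlines():
        fields = dict(re.findall(r'(\w+)\s*=\s*"?([^",]+)"?', line))
        sigs[fields["Name"]] = int(fields["Freq"])
    return sigs

def count_alarms(frame_times, freq, window=1.0):
    """Count sliding-window threshold crossings.

    frame_times: sorted timestamps (seconds) of frames matching the signature.
    freq: FREQ threshold; an alarm fires when more than `freq` frames fall in
    any `window`-second span (the window length is an assumption; the thread
    does not state it). After an alarm the counter is reset so one burst is
    reported once.
    """
    alarms = 0
    recent = deque()
    for t in frame_times:
        recent.append(t)
        while recent and t - recent[0] > window:
            recent.popleft()
        if len(recent) > freq:
            alarms += 1
            recent.clear()
    return alarms

def roaming_burst(start=0.0, n=64, spacing=0.002):
    """Constructed: the 64-frame disassociation burst sent when a client
    leaves range, spaced 2 ms apart."""
    return [start + i * spacing for i in range(n)]

def evaluate(freq, bursts):
    """Total alarms raised over several independent bursts at a given FREQ."""
    return sum(count_alarms(b, freq) for b in bursts)
```

Two clients roaming away produce two false alarms at FREQ=50 and none at FREQ=80, while a sustained 200-frame flood still trips FREQ=80.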

Anonymous (not verified) Fri, 08/10/2007 - 10:54

After adjusting the signature file to a value of FREQ=80 (instead of 50), are the alarms generating the correct burst?

ericgarnel Fri, 08/17/2007 - 08:49

Where in the controller menu did you adjust the freq? (FREQ=80)

I dug around a bit and did not find the command to change the freq from 50 to 80

scottwilliamson Fri, 08/17/2007 - 04:39

Hi,

I'm getting a lot of false positive rogue APs (I've checked the MAC addresses and they are definitely ours), is it possible that a similar problem with signatures is causing this?

Scott
