Apologies if this has been asked already. There seem to be many posts with people getting critical alarms, and they are due to Cisco bugs?
Couple of points.
I am running the above version and I am getting lots of IDS Deauth, Auth and Assoc alarms on the WLCs/WCS.
How do I know if these are bug related or not?
Also, does anyone know how these three and the other signature attacks work? I.e., a deauth is a number of deauth messages sent to an AP, but how many get sent before the WLC reports on them? I.e., what is the criteria to generate IDS alarms? Also for the other signature attacks?
There does not seem to be much documentation on this on the web.
Many thx and kind regards,
I believe that MacFreq has to do with how many packets per time interval have come from the SAME mac address vs. Freq which would be ANY mac address within the specified timeframe.
That's my take at least.
This is an area that has been a bit murky in terms of documentation. There have been a number of requests for better documentation, but we are still waiting to see it.
Surprisingly, one of the best forms of "documentation" is by reviewing the Wireless IDS signature file, which has some comments and explains how the parameters work. You may find that a bit enlightening.
Also, when it comes to false alarms, we have seen quite a number of them in various flavors. Here are a couple of thoughts:
If you are performing "containment" of rogue APs, the Wireless IDS system currently interprets its own containment messages as a false-positive/attack. This is a known bug (CSCsj06015) that says it is fixed, but to my knowledge continues to be a problem.
Here is a link to the bug:
Also, when certain brands of clients go out of range, a string of disassociation messages is sent over the RF to ensure that the RF connection is broken. However, the number of these legitimate sign-offs sometimes exceeds the permitted value in Cisco's Wireless IDS signature file, and the WLC erroneously interprets these as a false-positive / attack, when in fact it is a normal sign-off. The value of the number of detections per second can be adjusted (in fact, TAC suggested making some changes there, but this really needs to be tuned better at the factory to prevent these from occurring). One of the links below discusses the methodology for changing the Wireless IDS. Newer versions of the WCS/WLC are supposed to allow a parameter/GUI based edit of these parameters vs. exporting/editing/uploading the Wireless IDS signature file out of/into each WLC.
For your reading pleasure, here are some links that you might find helpful which discuss various wrinkles in the wireless IDS:
(Please remember to rate helpful posts)
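To make the Freq vs. MacFreq distinction from the earlier reply concrete, and to show how a legitimate burst of disassociation frames can cross a per-interval threshold as described above, here is an added Python example. It is not Cisco's signature engine and not code from this thread; it assumes a simplified model in which frames of one subtype are counted in fixed-length time buckets, with "Freq" meaning the count from any source in a bucket and "MacFreq" the count from a single source MAC. The sample capture, MAC addresses, interval and threshold values are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample capture: (time_seconds, source_mac, subtype). Not real data.
SAMPLE_FRAMES = [
    # one client signing off with a burst of 12 disassociation frames in one second
    *[(10.0 + i * 0.05, "aa:bb:cc:00:00:01", "disassoc") for i in range(12)],
    # background: three other clients each send a single disassoc in the next second
    (11.2, "aa:bb:cc:00:00:02", "disassoc"),
    (11.5, "aa:bb:cc:00:00:03", "disassoc"),
    (11.9, "aa:bb:cc:00:00:04", "disassoc"),
    # a burst of 40 deauth frames from one source within a single second
    *[(20.0 + i * 0.02, "de:ad:be:ef:00:00", "deauth") for i in range(40)],
]


def bucket(frames, subtype, interval_s):
    """Group frames of one subtype into fixed-length time buckets.

    Returns {bucket_index: {source_mac: count}} (assumed model, see lead-in).
    """
    buckets = defaultdict(lambda: defaultdict(int))
    for t, mac, st in frames:
        if st == subtype:
            buckets[int(t // interval_s)][mac] += 1
    return buckets


def evaluate(frames, subtype, interval_s, freq, mac_freq):
    """Apply a Freq (any-source) and a MacFreq (same-source) threshold per bucket.

    Returns a list of (bucket_start_seconds, rule_name, source) alarms, in
    bucket order, with the Freq alarm before any MacFreq alarms for that bucket.
    """
    alarms = []
    for b, per_mac in sorted(bucket(frames, subtype, interval_s).items()):
        start = b * interval_s
        total = sum(per_mac.values())          # frames from ANY source in this bucket
        if total >= freq:
            alarms.append((start, "Freq", "any"))
        for mac, n in per_mac.items():         # frames from the SAME source
            if n >= mac_freq:
                alarms.append((start, "MacFreq", mac))
    return alarms


if __name__ == "__main__":
    # Hypothetical "factory" thresholds: the single client's sign-off burst trips both rules.
    print("disassoc, thresholds 10/10:", evaluate(SAMPLE_FRAMES, "disassoc", 1.0, 10, 10))
    # Raising the thresholds for disassoc removes that false positive...
    print("disassoc, thresholds 20/20:", evaluate(SAMPLE_FRAMES, "disassoc", 1.0, 20, 20))
    # ...while a much larger deauth burst still alarms at the raised thresholds.
    print("deauth,   thresholds 20/20:", evaluate(SAMPLE_FRAMES, "deauth", 1.0, 20, 20))
```

Running it shows the point of the tuning advice above: the 12-frame sign-off burst from one client alarms on both rules at thresholds of 10, stops alarming once the disassoc thresholds are raised to 20, while the 40-frame deauth burst still alarms at 20. When tuning, compare the per-bucket counts your own clients produce during normal roaming against the burst sizes you actually want flagged, rather than raising thresholds until the alarms go quiet.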