IDS Signature Attacks - OVERLOAD

Unanswered Question
Jun 16th, 2008

Guys,

I know that this has been talked about many times, but wanted to ask a couple of points.

Question 1. On the WCS, on some days we are receiving up to 70+ critical alarms for signature attacks. These are all Deauth, Auth Flood attacks. (There are a couple of Assoc floods).

Pls see similar post on open forum

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc0798a

Now, in the signature file we have the following profiles set. (Pls note Deauth flood and Assoc Flood, BUT NO AUTH FLOOD)

Name = "Deauth flood", Ver = 0, Preced= 8, FrmType = mgmt, Pattern = 0:0:0x00C0:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Deauthentication flood", Track=signature_n_mac, MacFreq=30

Name = "Assoc flood", Ver = 0, Preced= 4, FrmType = mgmt, Pattern = 0:0:0x0000:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Association Request flood", Track=signature_n_mac, MacFreq=30

Can you guys or Cisco TAC advise us on whether we need to change these values, and are there any rules? And where is the signature pattern for an "Auth flood"? Don't see it in the file?

Question 2. The WCS only appears to report these critical signature alarms (and other alarms) for the last 7 days. I have tried to read through the WCS documentation and cannot find what happens to the alarms after 7 days and if this 7 day period is configurable?

Once again, many thx guys for all the help,

Ken ( all IDS'd out )
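To make the two signature lines quoted in the question concrete, here is a small parser for that `Name = ..., Pattern = ..., Freq=...` format plus a frame-rate check driven by its fields. This is an added example, not code from the post or from Cisco's WLC; the field semantics it applies (Freq as matching frames per second across all sources, MacFreq as frames per second from one source MAC, Quiet as the re-alarm suppression window in seconds, Pattern read as offset:sub:value:mask and tested against the 802.11 Frame Control byte) and the sample capture are my assumptions.

```python
# Added example: parse WLC-style IDS signature lines and apply their rate
# thresholds to a constructed frame list. Field meanings are assumptions,
# not documented Cisco behaviour (see lead-in).
import re
from collections import defaultdict

# The two entries quoted in the question, verbatim.
SIGNATURE_FILE = '''
Name = "Deauth flood", Ver = 0, Preced= 8, FrmType = mgmt, Pattern = 0:0:0x00C0:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Deauthentication flood", Track=signature_n_mac, MacFreq=30
Name = "Assoc flood", Ver = 0, Preced= 4, FrmType = mgmt, Pattern = 0:0:0x0000:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Association Request flood", Track=signature_n_mac, MacFreq=30
'''

FIELD = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^,]+)')  # key = "quoted" | bare value

def parse_signatures(text):
    sigs = []
    for line in text.strip().splitlines():
        f = {k: v.strip().strip('"') for k, v in FIELD.findall(line)}
        off, _sub, val, mask = f["Pattern"].split(":")   # assumed offset:sub:value:mask
        sigs.append({"name": f["Name"], "offset": int(off, 0), "value": int(val, 0),
                     "mask": int(mask, 0), "freq": int(f["Freq"]),
                     "mac_freq": int(f["MacFreq"]), "quiet": int(f["Quiet"])})
    return sigs

def matches(sig, frame):
    # 0xC0 = mgmt/deauthentication, 0x00 = mgmt/association request (Frame Control byte 0)
    return (frame[sig["offset"]] & sig["mask"]) == sig["value"]

def detect(sigs, frames):
    """frames: iterable of (timestamp_sec, src_mac, raw_bytes). Returns alarms fired."""
    alarms, last_alarm = [], {}
    per_sec = defaultdict(lambda: defaultdict(int))    # (sig, second) -> mac -> count
    for ts, mac, raw in frames:
        for s in sigs:
            if not matches(s, raw):
                continue
            bucket = per_sec[(s["name"], int(ts))]
            bucket[mac] += 1
            if sum(bucket.values()) >= s["freq"] or bucket[mac] >= s["mac_freq"]:
                prev = last_alarm.get(s["name"])
                if prev is None or ts - prev >= s["quiet"]:   # honour Quiet period
                    last_alarm[s["name"]] = ts
                    alarms.append((s["name"], mac, int(ts)))
    return alarms

def sample_frames():
    """Constructed capture: one source MAC sending 35 deauth frames within one second."""
    deauth = bytes([0xC0, 0x00]) + bytes(22)   # Frame Control + zeroed header remainder
    return [(100.0 + i / 100, "00:11:22:33:44:55", deauth) for i in range(35)]
```

With the quoted values, the per-MAC threshold (MacFreq=30) fires first and the Quiet period then suppresses the remaining frames in that burst, which is the behaviour to keep in mind when deciding whether raising Freq alone would reduce the alarm count.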


I hadn't noticed before that the AUTH FLOOD has no corresponding IDS signature file entry - bizarre!

Attempts to get TAC to come up with any recommended changes for the signature file (at least in my experience going all the way to 3rd level TAC) resulted in an awkward silence the other end of the line. I hope that your experience is better.

Each version of WLC software appears to fix some false alarms, but sometimes generates new ones. It is unclear if this is due to differing values in the signature file or (more likely) due to new code anomalies.

If you do run across better documentation on the Wireless IDS signature file, please feed it back into the forum.

As regular forum readers can attest, the Wireless IDS system false alarms, lack of explanation of the threat posture of these alarms, as well as the lack of documentation for tuning the signature file values without completely disabling the alarms, have been a sore spot with me.

I would even submit that it would be more helpful if Cisco would add a mechanism that would automatically forward these WIDS alarms (on a voluntary basis) back to Cisco. This would help Cisco developers to get a better idea of the numerous false positives we are seeing out here in the field and enable them to provide a better-tuned signature file in the first place!

You may find the following post of interest:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc08c87

As far as question 2 goes, when I tested this on our WCS 5.0, I am showing critical level security "WPA MIC" errors that go back to 5/19/08 (almost a month old).

Please remember to rate helpful posts.

John
