The wireless system has detected a possible intrusion attack by signature..

Unanswered Question
Sep 11th, 2009

We are getting the following "critical" alert with the following:

Description

NULL Probe Response - Zero length SSID element

Message

{controller} IDS 'NULL probe resp 1' Signature attack detected on AP 'AP Name' protocol '802.11b/g' on Controller 'x.x.x.x'. The Signature description is 'NULL Probe Response - Zero length SSID element', with precedence '2'. The attacker's mac address is 'xx:xx:xx:xx:xx:xx', channel number is '6', and the number of detections is '1'.

Help

The wireless system has detected a possible intrusion attack by signature detection for a specific attacker. Immediate attention is required.

I'm trying to find more information on this and am wondering if this is a false positive.

Thanks for help in advance.

Lucien Avramov Fri, 09/11/2009 - 11:54

I would point more towards a false positive alert here.

NULL Probe Response - Zero length SSID element:

Some frames are permitted to carry a null (zero length) SSID, called a broadcast SSID. For example, a station can send a probe request that carries a broadcast SSID; the AP must return its actual SSID in the probe response. Some APs can be configured to send a zero-length broadcast SSID in beacon frames instead of sending their actual SSID. However, it is not possible to keep an SSID value secret, because the actual SSID (ESS name) is carried in several frames.

As for how to modify the IDS sensor in the WLC:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008063e5d0.shtml

HTH
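To make the signature condition concrete, here is an added example (not from this thread and not Cisco's IDS code) that parses an 802.11 management frame and flags only a zero-length SSID element in a probe response, while leaving the legitimate wildcard SSID in a probe request alone. It assumes frames are handed in without a radiotap header or FCS; the sample frames and the MAC address in them are constructed for the test.

```python
import struct

SUBTYPE_PROBE_REQ = 4
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
ELEM_SSID = 0
FIXED_FIELDS_LEN = 12  # timestamp(8) + beacon interval(2) + capability(2)

def parse_mgmt_frame(frame: bytes) -> dict:
    """Parse an 802.11 management frame (no radiotap header, no FCS)."""
    if len(frame) < 24:
        raise ValueError("frame too short for a management header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    src = frame[10:16].hex(":")          # Address 2 = transmitter
    body = frame[24:]
    # Beacons and probe responses carry fixed fields before the tagged IEs;
    # probe requests start directly with the SSID element.
    if subtype in (SUBTYPE_PROBE_RESP, SUBTYPE_BEACON):
        body = body[FIXED_FIELDS_LEN:]
    ies, off = [], 0
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        ies.append((eid, body[off + 2:off + 2 + ln]))
        off += 2 + ln
    return {"subtype": subtype, "src": src, "ies": ies}

def null_probe_response(frame: bytes) -> bool:
    """Signature condition: a probe *response* whose SSID element is empty.
    A wildcard (zero-length) SSID in a probe *request* is normal and is ignored."""
    f = parse_mgmt_frame(frame)
    if f["subtype"] != SUBTYPE_PROBE_RESP:
        return False
    return any(eid == ELEM_SSID and len(val) == 0 for eid, val in f["ies"])

def build_frame(subtype: int, src: bytes, ssid: bytes) -> bytes:
    """Constructed minimal frame for testing: broadcast DA, src as SA/BSSID."""
    hdr = struct.pack("<H", subtype << 4) + b"\x00\x00" + b"\xff" * 6 + src + src + b"\x00\x00"
    fixed = bytes(FIXED_FIELDS_LEN) if subtype in (SUBTYPE_PROBE_RESP, SUBTYPE_BEACON) else b""
    return hdr + fixed + bytes([ELEM_SSID, len(ssid)]) + ssid

# Constructed sample frames (locally administered MAC, not a real device).
SRC = bytes.fromhex("020000000001")
RESP_NULL = build_frame(SUBTYPE_PROBE_RESP, SRC, b"")         # triggers the signature
RESP_OK = build_frame(SUBTYPE_PROBE_RESP, SRC, b"CorpWiFi")   # normal response
REQ_WILDCARD = build_frame(SUBTYPE_PROBE_REQ, SRC, b"")       # legitimate broadcast probe
```

Run against a sniffer capture of the flagged channel, this is the check that tells you whether the WLC alert came from a probe response (the signature's real condition) or from harmless broadcast probe requests.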

djgizmo250 Fri, 09/11/2009 - 12:45

In reference to the link, the document indicates "These IDS signatures ship with the controller as “standard IDS signatures”."

With this statement, does this imply that the critical alert on the controller is in fact a false positive?

Thank you for your response.

Lucien Avramov Fri, 09/11/2009 - 14:56

I'm not sure enough to provide you a firm answer on that question.

However, the explanation I have for the SSID message does not seem to be alarming.

From experience, the IDS sensor in the WLC is very sensitive; the default values usually generate a lot of alarms in a real-world production environment, and tweaking those settings can reduce the number of alarms you will get. You can always put a wireless sniffer in place to find out if it really is undergoing an attack.

I would be more worried about an auth/deauth flood than a broadcast SSID. It's possible that some frames have a zero-length SSID value; it does not mean that the AP and network are undergoing an attack.

micheajp Sun, 01/31/2010 - 19:56

Is there a way to exclude a MAC from being reported on? Support told me to disable the reporting... I'd rather not.
