The wireless system has detected a possible intrusion attack by signature..

Unanswered Question
Sep 11th, 2009

We are getting the following "critical" alert with the following:


NULL Probe Response - Zero length SSID element


{controller} IDS 'NULL probe resp 1' Signature attack detected on AP 'AP Name' protocol '802.11b/g' on Controller 'x.x.x.x'. The Signature description is 'NULL Probe Response - Zero length SSID element', with precedence '2'. The attacker's mac address is 'xx:xx:xx:xx:xx:xx', channel number is '6', and the number of detections is '1'.


The wireless system has detected a possible intrusion attack by signature detection for a specific attacker. Immediate attention is required.

I'm trying to find more information on this and am wondering if this is a false positive.

Thanks for help in advance.

Lucien Avramov Fri, 09/11/2009 - 11:54

I would point more towards a false positive alert here.

NULL Probe Response - Zero length SSID element:

Some frames are permitted to carry a null (zero length) SSID, called a broadcast SSID. For example, a station can send a probe request that carries a broadcast SSID; the AP must return its actual SSID in the probe response. Some APs can be configured to send a zero-length broadcast SSID in beacon frames instead of sending their actual SSID. However, it is not possible to keep an SSID value secret, because the actual SSID (ESS name) is carried in several frames.

As far as how to modify the IDS sensor in the WLC:


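To make the explanation above concrete, here is an added example (not code from the thread, from Cisco, or from the WLC) that parses a constructed 802.11 probe request and probe response and applies the same rule the signature describes: an empty SSID element is the normal wildcard in a probe request, but a probe response is expected to carry the AP's real SSID, so only a zero-length SSID in a probe response is flagged. The frame layout follows the 802.11 management frame format; the helper names, the MAC addresses and the sample frames are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 802.11 management frame layout: 24-byte MAC header, and for a probe response
# 12 bytes of fixed fields (timestamp, beacon interval, capability) before the
# information elements. Element layout is (id, length, data).
MGMT_HDR_LEN = 24
PROBE_RESP_FIXED_LEN = 12
SUBTYPE_PROBE_REQ = 4
SUBTYPE_PROBE_RESP = 5
EID_SSID = 0


@dataclass
class Finding:
    subtype: int
    src_mac: str
    ssid: Optional[bytes]      # None when no SSID element is present at all
    zero_length_ssid: bool     # True only for a probe response with an empty SSID


def parse_ies(body: bytes) -> List[Tuple[int, bytes]]:
    """Walk the (element id, length, data) triples; reject truncated elements."""
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated information element")
        ies.append((eid, data))
        i += 2 + length
    return ies


def inspect_frame(frame: bytes) -> Optional[Finding]:
    """Return a Finding for probe requests/responses, None for any other frame."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:          # type bits: 0 = management frame
        return None
    subtype = fc0 >> 4
    if subtype not in (SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP):
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[10:16])   # Address 2 = transmitter
    body = frame[MGMT_HDR_LEN:]
    if subtype == SUBTYPE_PROBE_RESP:
        body = body[PROBE_RESP_FIXED_LEN:]
    ssids = [data for eid, data in parse_ies(body) if eid == EID_SSID]
    ssid = ssids[0] if ssids else None
    # Wildcard SSID in a probe request is legitimate; an empty SSID in a probe
    # response is what the "NULL Probe Response" signature keys on.
    flagged = subtype == SUBTYPE_PROBE_RESP and ssid is not None and len(ssid) == 0
    return Finding(subtype, src_mac, ssid, flagged)


def build_frame(subtype: int, src_mac: str, ies: List[Tuple[int, bytes]]) -> bytes:
    """Construct a minimal management frame for the example (not a real capture)."""
    header = (bytes([subtype << 4, 0x00])                 # frame control
              + b"\x00\x00"                               # duration
              + b"\xff" * 6                               # addr1: broadcast
              + bytes.fromhex(src_mac.replace(":", ""))   # addr2: transmitter
              + b"\xff" * 6                               # addr3
              + b"\x00\x00")                              # sequence control
    body = b""
    if subtype == SUBTYPE_PROBE_RESP:
        body += struct.pack("<QHH", 0, 100, 0x0411)       # timestamp, interval, capability
    for eid, data in ies:
        body += bytes([eid, len(data)]) + data
    return header + body


# Constructed sample frames; the MAC addresses are placeholders.
SAMPLE_PROBE_REQ = build_frame(SUBTYPE_PROBE_REQ, "02:00:00:00:00:01", [(EID_SSID, b"")])
SAMPLE_PROBE_RESP_OK = build_frame(SUBTYPE_PROBE_RESP, "02:00:00:00:00:02", [(EID_SSID, b"corp-wifi")])
SAMPLE_PROBE_RESP_NULL = build_frame(SUBTYPE_PROBE_RESP, "02:00:00:00:00:03",
                                     [(EID_SSID, b""), (1, b"\x82\x84")])

if __name__ == "__main__":
    for frame in (SAMPLE_PROBE_REQ, SAMPLE_PROBE_RESP_OK, SAMPLE_PROBE_RESP_NULL):
        print(inspect_frame(frame))
```

Run against a real capture taken near the AP named in the alert, the same check tells you whether the flagged transmitter is actually answering probes with an empty SSID, which is the kind of confirmation a wireless sniffer gives before deciding whether the signature needs tuning.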
djgizmo250 Fri, 09/11/2009 - 12:45

In reference to the link, the document indicates "These IDS signatures ship with the controller as “standard IDS signatures”."

With this statement, does this imply that the critical alert on the controller is in fact a false positive?

Thank you for your response.

Lucien Avramov Fri, 09/11/2009 - 14:56

I'm not sure enough to provide you a firm answer on that question.

However, the explanation I have for the SSID message does not seem to be alarming.

From experience, the IDS sensor in the WLC is very sensitive, and the default values usually generate a lot of alarms in a real-world production environment; tweaking those settings can reduce the number of alarms you will get. You can always put up a wireless sniffer to find out if it is really under attack.

I would be more worried about an auth/deauth flood than a broadcast SSID. It's possible that some frames have a zero-length SSID value; it does not mean that the AP and network are under attack.

micheajp Sun, 01/31/2010 - 19:56

Is there a way to exclude a mac from being reported on? Support told me to disable the reporting.... I'd rather not.
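One way to keep the signature enabled on the controller while still excluding a known address from what gets reported is to parse the alert text downstream, in whatever collects the controller's syslog or trap messages, and drop matching entries there. The following is an added example (not code from the thread, from Cisco, or a WLC feature) that parses the message format quoted at the top of the thread into fields, applies a MAC exclusion list, a per-signature suppression list and a minimum detection count, and totals detections per attacker and signature so the noisiest sources are visible. The syslog prefixes, MAC addresses, controller IP, AP names and the 'Deauth flood' line are constructed sample data; only the message layout comes from the thread.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# Field layout taken from the IDS signature message quoted in the thread.
ALERT_RE = re.compile(
    r"IDS '(?P<signature>[^']+)' Signature attack detected on AP '(?P<ap>[^']+)' "
    r"protocol '(?P<protocol>[^']+)' on Controller '(?P<controller>[^']+)'\. "
    r"The Signature description is '(?P<description>[^']+)', with precedence "
    r"'(?P<precedence>\d+)'\. The attacker's mac address is "
    r"'(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})', channel number is "
    r"'(?P<channel>\d+)', and the number of detections is '(?P<detections>\d+)'\."
)


def parse_alert(line: str) -> Optional[Dict]:
    """Extract the alert fields from one log line; None if it is not an IDS alert."""
    m = ALERT_RE.search(line)          # search, so any syslog prefix is tolerated
    if not m:
        return None
    alert = m.groupdict()
    alert["mac"] = alert["mac"].lower()
    for key in ("precedence", "channel", "detections"):
        alert[key] = int(alert[key])
    return alert


def triage(lines: Iterable[str],
           excluded_macs: Set[str] = frozenset(),
           suppressed_signatures: Set[str] = frozenset(),
           min_detections: int = 1) -> List[Dict]:
    """Return the alerts that survive the exclusion and threshold rules."""
    excluded = {m.lower() for m in excluded_macs}
    kept = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        if alert["mac"] in excluded:                      # known, vetted device
            continue
        if alert["signature"] in suppressed_signatures:   # tuned-out signature
            continue
        if alert["detections"] < min_detections:          # below noise floor
            continue
        kept.append(alert)
    return kept


def summarize(alerts: Iterable[Dict]) -> Counter:
    """Total detections per (attacker MAC, signature), to spot the noisiest sources."""
    totals: Counter = Counter()
    for a in alerts:
        totals[(a["mac"], a["signature"])] += a["detections"]
    return totals


# Constructed sample log lines in the format quoted in the thread.
SAMPLE_LOG = [
    "Jan 31 19:56:01 wlc1: IDS 'NULL probe resp 1' Signature attack detected on AP 'AP-Lobby' "
    "protocol '802.11b/g' on Controller '10.0.0.1'. The Signature description is "
    "'NULL Probe Response - Zero length SSID element', with precedence '2'. The attacker's "
    "mac address is '02:00:00:00:00:01', channel number is '6', and the number of detections is '1'.",
    "Jan 31 19:56:30 wlc1: IDS 'NULL probe resp 1' Signature attack detected on AP 'AP-Floor2' "
    "protocol '802.11b/g' on Controller '10.0.0.1'. The Signature description is "
    "'NULL Probe Response - Zero length SSID element', with precedence '2'. The attacker's "
    "mac address is '02:00:00:00:00:02', channel number is '11', and the number of detections is '4'.",
    "Jan 31 19:57:02 wlc1: IDS 'Deauth flood' Signature attack detected on AP 'AP-Lobby' "
    "protocol '802.11b/g' on Controller '10.0.0.1'. The Signature description is "
    "'Deauthentication flood', with precedence '1'. The attacker's "
    "mac address is '02:00:00:00:00:03', channel number is '1', and the number of detections is '50'.",
    "Jan 31 19:57:10 wlc1: Link up on interface management",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, excluded_macs={"02:00:00:00:00:01"}):
        print(alert["signature"], alert["mac"], alert["detections"])
    print(summarize(triage(SAMPLE_LOG)))
```

Suppressing by MAC in the collector rather than disabling the signature keeps the controller's detection intact, so a flood from a new address still surfaces; the exclusion list should stay short and be reviewed, since a MAC is trivially spoofable and an excluded address is by definition no longer watched.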
