WCS IDS False Alarms - NetStumbler Generic Attack


We have a particular installation where we are seeing four (4) types of IDS errors constantly reappearing:


"IDS Signature attack detected. Signature Type: Standard"


"Disassoc flood, Description: Disassociation flood"


"AP impersonation"


"NetStumbler Generic Attack"


In the first three alarms, Cisco has acknowledged that there are known issues with false IDS alarms that are supposed to be fixed in an upcoming "BE-MR2" in mid-December, and a new IDS signature in January.


Is anyone else experiencing the NetStumbler Generic IDS alarm? We see them on a regular basis.


If so, please reply - as I would like to forward this on to TAC to make sure they get this fixed in the next release.


We are using WLC-4.x and WCS 4.x with LAP-1131AG access points.


- John

tmoffett Sat, 11/18/2006 - 04:52

I have been seeing Disassociation attack alarms from one particular site where the attacker's address is the MAC address of one of the APs in the building.


I would almost consider the fact that someone could be impersonating the AP, but it has been the base radio MAC of many APs. This is a mixture of 1131 and 1231 APs...



The Disassociation attack is a known bug acknowledged by Cisco TAC. (That is not a guarantee that it is a false alarm - that is what has been especially frustrating in troubleshooting these).


Specifically, though, I am trying to confirm that others are experiencing the NetStumbler attack as we suspect this is another false alarm since it came from the MAC address of a trusted laptop that was confirmed to not be running NetStumbler - and, yes, I realize that the MAC address can be spoofed, but with the high number of false positives on the other types of alarms mentioned earlier, it would seem more likely that the WLC's IDS subsystem needs tweaking.


I would really like to get this fixed within the next release, and am hoping that additional confirmation may help get Cisco to resolve it more quickly.


- John


wdmiller3 Mon, 04/23/2007 - 08:02

We are running WCS version 4.0.96.0 and we are seeing the NetStumbler generic signature attacks. We are also seeing the Disassociation Flood attacks, which I am looking into to try and verify if this is a false alarm.


Have you been able to get anywhere with Cisco on the NetStumbler signatures?


jcmartin Mon, 04/23/2007 - 10:31

So version 4.0.217.0 is now out. Has anyone tried this yet, and is it considered stable?

sonjam Tue, 04/24/2007 - 06:27

I have 4 WLCs running 4.0.217.0 with no issues.

wdmiller3 Tue, 04/24/2007 - 06:31

Do you have a WCS also? If so, which version? I am getting a few signature messages that might be false alarms, and would save troubleshooting time if I could verify that against what others are seeing.


Signatures like the NetStumbler and the disassociation flood.
