WCS IDS False Alarms - NetStumbler Generic Attack

johnruffing
Level 4

We have a particular installation where we are seeing four (4) types of IDS errors constantly reappearing:

"IDS Signature attack detected. Signature Type: Standard"

"Disassoc flood, Description: Disassociation flood"

"AP impersonation"

"NetStumbler Generic Attack"

In the first three alarms, Cisco has acknowledged that there are known issues with false IDS alarms that are supposed to be fixed in an upcoming "BE-MR2" in mid-December, and a new IDS signature in January.

Is anyone else experiencing the NetStumbler Generic IDS alarm? We see them on a regular basis.

If so, please reply - as I would like to forward this on to TAC to make sure they get this fixed in the next release.

We are using WLC-4.x and WCS 4.x with LAP-1131AG access points.

- John

7 Replies

tmoffett
Cisco Employee

I have been seeing Disassociation attack alarms from one particular site where the attacker's address is the MAC address of one of the APs in the building.

I would almost consider the fact that someone could be impersonating the AP, but it has been the base radio MAC of many APs. This is a mixture of 1131 and 1231 APs...

The Disassociation attack is a known bug acknowledged by Cisco TAC. (That is not a guarantee that it is a false alarm - that is what has been especially frustrating in troubleshooting these).

Specifically, though, I am trying to confirm that others are experiencing the NetStumbler attack as we suspect this is another false alarm since it came from the MAC address of a trusted laptop that was confirmed to not be running NetStumbler - and, yes, I realize that the MAC address can be spoofed, but with the high number of false positives on the other types of alarms mentioned earlier, it would seem more likely that the WLC's IDS subsystem needs tweaking.

I would really like to get this fixed within the next release, and am hoping that additional confirmation may help get Cisco to resolve it more quickly.

- John
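The pattern described above, an "attacker" address that turns out to be the base radio MAC of one of your own APs or a managed laptop, is something you can check mechanically before opening a TAC case. The script below is an added example and is not code from this thread or from Cisco; the pipe-separated alarm record layout and the sample alarms are constructed for illustration (WCS does not export in this format), and the AP and client MAC inventories are assumed placeholders. It parses the alarms, labels each one by whether its source MAC belongs to a known AP, a trusted client, or neither, and collapses repeated alarms into counts so the unknown-source ones can still get normal incident handling while the suspected false positives are documented for the vendor.

```python
"""Triage helper for WLC/WCS IDS alarms (added example, not Cisco's code).

The record layout below (time|alarm|attacker_mac|detecting_ap) and the sample
alarms are constructed for this example; the real WCS export format differs.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed inventory (assumption): base radio MACs of our own APs and the
# MACs of managed laptops known not to run NetStumbler.
OWN_AP_RADIO_MACS = {"00:1a:2b:3c:4d:50", "00:1a:2b:3c:4d:60"}
TRUSTED_CLIENT_MACS = {"00:16:6f:aa:bb:cc"}

# Constructed alarm records resembling the four alarm types named in the thread.
SAMPLE_ALARMS = """\
2006-12-01T08:00:00|Disassoc flood|00:1a:2b:3c:4d:50|AP-3F-East
2006-12-01T08:00:05|Disassoc flood|00:1a:2b:3c:4d:50|AP-3F-West
2006-12-01T08:01:00|AP impersonation|00:1a:2b:3c:4d:60|AP-2F-North
2006-12-01T08:02:00|NetStumbler Generic Attack|00:16:6f:aa:bb:cc|AP-3F-East
2006-12-01T08:03:00|NetStumbler Generic Attack|00:0c:29:11:22:33|AP-1F-Lobby
2006-12-01T08:04:00|IDS Signature attack detected. Signature Type: Standard|00:0c:29:44:55:66|AP-1F-Lobby
"""


@dataclass
class Alarm:
    time: str
    kind: str
    attacker: str
    ap: str


def parse_alarms(text):
    """Parse the constructed pipe-separated records into Alarm objects."""
    alarms = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, kind, attacker, ap = line.split("|", 3)
        alarms.append(Alarm(time, kind, attacker.lower(), ap))
    return alarms


def classify(alarm, ap_macs=OWN_AP_RADIO_MACS, client_macs=TRUSTED_CLIENT_MACS):
    """Label one alarm by who its source MAC belongs to.

    A source that is one of our own AP base radio MACs or a managed client
    is either a spoof or, given the known detector bugs, a false positive;
    either way it needs a human check rather than automatic escalation.
    """
    if alarm.attacker in ap_macs:
        return "own-ap-source"
    if alarm.attacker in client_macs:
        return "trusted-client-source"
    return "unknown-source"


def triage(text, ap_macs=OWN_AP_RADIO_MACS, client_macs=TRUSTED_CLIENT_MACS):
    """Count alarms by (alarm type, source label) so repeats from the same
    suspect source collapse into one line for the vendor case."""
    counts = Counter()
    for alarm in parse_alarms(text):
        counts[(alarm.kind, classify(alarm, ap_macs, client_macs))] += 1
    return counts


def escalation_candidates(text, ap_macs=OWN_AP_RADIO_MACS, client_macs=TRUSTED_CLIENT_MACS):
    """Alarms from neither our APs nor managed clients: these still get normal
    incident handling while the suspected false positives are documented."""
    return [a for a in parse_alarms(text)
            if classify(a, ap_macs, client_macs) == "unknown-source"]


if __name__ == "__main__":
    for (kind, label), n in sorted(triage(SAMPLE_ALARMS).items()):
        print(f"{n:3d}  {label:22s}  {kind}")
    for a in escalation_candidates(SAMPLE_ALARMS):
        print("escalate:", a)
```

Keeping the two lists (suspected false positives with their counts, and unknown-source alarms) separate matters: the first is the evidence you attach to the TAC case, while the second is the set you cannot explain away by a detector bug and must still work as real events.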

Please be advised that upgrading to 4.0.206.0 (which we later found out is "not a stable version" according to Cisco) does appear to fix two of the false alarms, but we are still observing false positives on "AP Impersonation" and "Disassoc Flood" alarms.

- John

We are running wcs version 4.0.96.0 and we are seeing the NetStumbler generic signature attacks. We are also seeing the Disassociation Flood attacks, which I am looking into to try and verify if this is a false alarm.

Have you been able to get anywhere with Cisco on the NetStumbler signatures?

So version 4.0.217.0 is now out. Has anyone tried this yet, and is it considered stable?

I have 4 WLCs running 4.0.217.0 with no issues.

Do you have a WCS also? If so, which version? I am getting a few signature messages that might be false alarms, and would save troubleshooting time if I could verify that against what others are seeing.

Signatures like the NetStumbler and the Disassociation Flood.
