In the first three alarms, Cisco has acknowledged that there are known issues with false IDS alarms that are supposed to be fixed in an upcoming "BE-MR2" in mid-December, and a new IDS signature in January.
Is anyone else experiencing the NetStumbler Generic IDS alarm? We see them on a regular basis.
If so, please reply - as I would like to forward this on to TAC to make sure they get this fixed in the next release.
We are using WLC-4.x and WCS 4.x with LAP-1131AG access points.
The Disassociation attack is a known bug acknowledged by Cisco TAC. (That is not a guarantee that it is a false alarm - that is what has been especially frustrating in troubleshooting these).
Specifically, though, I am trying to confirm that others are experiencing the NetStumbler attack as we suspect this is another false alarm since it came from the MAC address of a trusted laptop that was confirmed to not be running NetStumbler - and, yes, I realize that the MAC address can be spoofed, but with the high number of false positives on the other types of alarms mentioned earlier, it would seem more likely that the WLC's IDS subsystem needs tweaking.
I would really like to get this fixed within the next release, and am hoping that additional confirmation may help get Cisco to resolve it more quickly.
Please be advised that upgrading to 220.127.116.11 (which we later found out is "not a stable version" according to Cisco) does appear to fix two of the false alarms, but we are still observing false positives on "AP Impersonation" and "Disassoc Flood" alarms.
We are running WCS version 18.104.22.168 and we are seeing the NetStumbler generic signature attacks. We are also seeing the Disassociation Flood attacks, which I am looking into to try and verify if this is a false alarm.
Have you been able to get anywhere with Cisco on the NetStumbler signatures?
Do you have a WCS also? If so, which version? I am getting a few signature messages that might be false alarms, and would save troubleshooting time if I could verify that against what others are seeing.
Signatures like the NetStumbler and the Disassociation Flood.
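The triage reasoning in the posts above (an alarm from a trusted, inventoried laptop is more likely a signature false positive than an attack) can be applied systematically once the WLC alarms are exported. The script below is an added example, not code from the thread or from Cisco: it parses alarm lines, groups them by IDS signature and counts how many came from MACs in an asset inventory. The alarm line format, the sample lines and the inventory are all constructed for the example; adapt the regex to whatever your controller or WCS actually exports.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alarm lines (assumed format, not real WLC/WCS output):
# timestamp, IDS signature name in quotes, source MAC of the frame.
SAMPLE_ALARMS = """\
2007-11-05 09:12:01 IDS signature 'NetStumbler generic' src=00:1b:77:aa:bb:cc
2007-11-05 09:12:40 IDS signature 'Disassoc flood' src=00:1b:77:aa:bb:cc
2007-11-05 09:13:05 IDS signature 'Disassoc flood' src=00:21:5c:11:22:33
2007-11-05 09:15:12 IDS signature 'AP Impersonation' src=00:1a:a2:de:ad:01
2007-11-05 09:16:30 IDS signature 'NetStumbler generic' src=00:1b:77:aa:bb:cc
2007-11-05 09:17:00 IDS signature 'Disassoc flood' src=00:1b:77:aa:bb:cc
"""

# Constructed asset inventory: MAC address -> asset tag of a managed laptop.
TRUSTED_MACS = {
    "00:1b:77:aa:bb:cc": "LAPTOP-0042",
    "00:1a:a2:de:ad:01": "LAPTOP-0077",
}

ALARM_RE = re.compile(
    r"IDS signature '(?P<sig>[^']+)' src=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_alarms(text):
    """Return a list of (signature, mac) tuples; lines that do not match are skipped."""
    alarms = []
    for line in text.splitlines():
        m = ALARM_RE.search(line)
        if m:
            alarms.append((m.group("sig"), m.group("mac").lower()))
    return alarms


def triage(alarms, trusted):
    """Per signature: total hits, hits from inventoried MACs, and a flag that is
    set only when every hit came from a trusted device. Such a signature is a
    candidate for tuning or a TAC case; a spoofed MAC would still pass this
    check, so the flag is a triage aid, not proof of a false positive."""
    per_sig = defaultdict(Counter)
    for sig, mac in alarms:
        per_sig[sig]["total"] += 1
        if mac in trusted:
            per_sig[sig]["trusted"] += 1
    return {
        sig: {
            "total": c["total"],
            "from_trusted": c["trusted"],
            "suspect_false_positive": c["trusted"] == c["total"],
        }
        for sig, c in per_sig.items()
    }
```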
Transferring Crash file from standby:
Log in to the active WLC in HA.
(Cisco Controller) >transfer upload datatype crash
(Cisco Controller) >transfer upload filename <Desired filename>
(Cisco Controller) >transfer up...
This is the start of a display filter cross reference between Wireshark and OmniPeek.
The 1st installment is a table of advanced filters. More filters will be added as time allows.
It is a living doc, so check back for changes every so often.
Please feel ...
I have created a PowerShell script to automatically add a Wireless Guest User on Cisco WLCs. (tested on 2500 Series)
The script should be completely self explanatory.
PowerShell SNMP module (Install-Module -Name SNMP)
SNMP Write Access to...