Cisco Support Community
Silver

Disassoc flood - false alarms - IDS signature file needs adjustment

Another interesting observation regarding Disassociation flood wireless IDS alarms:

When a wireless client goes out of range of an AP, it is not uncommon for a burst of 64 disassociation frames to be sent in order to ensure that the client/AP are no longer associated.

However, the threshold in the WLC's IDS signature file is 50. It is unclear why this value was chosen by the developers. However, at Cisco's recommendation, we have adjusted the signature file to a value of FREQ=80 (instead of 50) for the following alarms:

Disassociation, Deauth Flood, and Bcast Deauth

This has resulted in fewer false alarms (except for Bcast Deauth, which is the result of the WLC alarming on its own containment messages - see previous thread!).

Additional Note: When making changes to the IDS signature file, it would appear that a REBOOT ended up being necessary in our case in order to get the WLCs to recognize the changes to the IDS signature file. When we merely upgraded the signature file, it did not make a difference.

Also, it would appear that the name of the signature file is important (since the parsing of the file does not take place unless a specific file name is given).

- John
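The threshold effect described in the post above, as an added example (not code from the thread or from Cisco): it assumes the signature counts matching frames per source in fixed intervals and alarms once the count reaches FREQ. The 1-second interval, the function names and the MAC addresses are constructed for illustration.

```python
from collections import Counter

# Assumption: frames are counted per source in fixed intervals and an alarm
# fires when the count reaches FREQ. The 1000 ms interval is an assumed
# value; the thread only gives the FREQ values 50 and 80.
INTERVAL_MS = 1000


def flood_alarms(frames, freq, interval_ms=INTERVAL_MS):
    """Return sorted (interval_index, source) pairs whose count reaches freq.

    frames: iterable of (timestamp_ms, source_mac) for frames that already
    matched the signature, e.g. disassociation frames.
    """
    counts = Counter((ts // interval_ms, src) for ts, src in frames)
    return sorted(key for key, n in counts.items() if n >= freq)


def burst(start_ms, count, src, spacing_ms=5):
    """Constructed sample data: `count` frames from `src`, evenly spaced."""
    return [(start_ms + i * spacing_ms, src) for i in range(count)]


# Constructed traffic; both MACs are made-up locally administered addresses.
ROAMING_AP = "02:00:00:00:00:01"  # 64-frame burst when a client leaves range
FLOODER = "02:00:00:00:00:02"     # sustained 200 frames/s for 3 seconds
FRAMES = burst(10_000, 64, ROAMING_AP) + burst(20_000, 600, FLOODER)


def compare(frames=FRAMES):
    """Alarms raised by the shipped threshold (50) and the adjusted one (80)."""
    return {freq: flood_alarms(frames, freq) for freq in (50, 80)}


if __name__ == "__main__":
    for freq, alarms in compare().items():
        print(f"FREQ={freq}: {len(alarms)} alarm(s)")
        for interval, src in alarms:
            print(f"  interval {interval}: {src}")
```

With FREQ=50 the 64-frame out-of-range burst raises an alarm alongside the sustained flood; with FREQ=80 only the sustained flood does.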

6 REPLIES
Anonymous
N/A

Re: Disassoc flood - false alarms - IDS signature file needs adj

After adjusting the signature file to a value of FREQ=80 (instead of 50), are the alarms generating the correct burst?

Silver

Re: Disassoc flood - false alarms - IDS signature file needs adj

I don't understand the question.

We are seeing the alarms kick off after 30 or 80. It is not consistent.

- John

Re: Disassoc flood - false alarms - IDS signature file needs adj

How & where did you do this?

(running 4.1.185.0)

thanks,

Eric

Silver

Re: Disassoc flood - false alarms - IDS signature file needs adj

I'm sorry, but I don't understand the question.

Could you be more specific?

Re: Disassoc flood - false alarms - IDS signature file needs adj

Where in the controller menu did you adjust the freq? (FREQ=80)

I dug around a bit and did not find the command to change the freq from 50 to 80.

New Member

Re: Disassoc flood - false alarms - IDS signature file needs adj

Hi,

I'm getting a lot of false positive rogue APs (I've checked the MAC addresses and they are definitely ours), is it possible that a similar problem with signatures is causing this?

Scott
