Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
837
Views
0
Helpful
2
Replies

IDS Signature attacks

jbecker1867
Level 1
Level 1

‎05-07-2008 04:20 AM - edited ‎07-03-2021 03:49 PM

Hi, I've recently installed a WLC 4402 and about 19 1242AG APs. The wireless clients accessing the network are all Symbol MC-9090 handheld scanners. Several times a day I get the following alert in the WLC Log, followed by a cleared message about 10 minutes later:

"IDS Signature attack detected. Signature Type: Standard, Name: Auth flood, Description: Authentication Request flood, Track: per-signature, Detecting AP Name: VINTower02, Radio Type: 802.11b/g, Preced: 5, Hits: 50, Channel: 11, srcMac: 00:1E:7A:18:C8:B0 "

The AP name and MAC changes, and usually 4 or 5 of our APs send this message all at once. The MAC addresses being listed are the Symbol scanners and other APs in the general area of the detecting AP. The scanners are accessing an SAP application via HTTP.

What is causing these messages, and how do I adjust the WLC to not think these scanners/APs are trying to attack the network?

Labels:
0 Helpful
2 Replies 2

smalkeric
Level 6
Level 6

‎05-13-2008 06:20 AM

It could be an issue with rougue clinet in the network: have look at this bug:CSCsg44344

0 Helpful

johnruffing
Level 4
Level 4
In response to smalkeric

‎05-23-2008 09:37 AM

More likely, this is another example of a false-positive generated by the wireless IDS.

From discussions with Cisco TAC it would appear that there are a number of client behaviors that vary from wireless client to wireless client.

At times, while not actual attacks (in the sense that someone is attempting to attack your network), the RF traffic generated by these clients will match some of the pre-programmed criteria in the Wireless IDS signature file - resulting in a false positive.

The values in the signature file can be adjusted. For example, you might want to adjust some of the parameters so that more of these messages need to happen in the same time frame before they are considered an alarm, etc.

However, you will want to be careful so as not to adjust the values in such a way that the alarm is effectively disabled.

If your experience is like ours, questions to Cisco TAC (even their tier 3 personnel) regarding how to tune this signature file without accidentally disabling an alarm will result in an awkward silence at the other end of the phone - as they do not appear to have any idea as to how to tweak the file.

Also, as pointed out in the forum in other posts, there does not appear to be any meaningful documentation pertainint to what these alarms are (their actual potential security threat, etc.) as well as what might cause them (intentionally and accidentally).

To date, I have been unable to find any meaningful published documentation, urban legend, or colorful anectdote providing guidance as to how an administrator might "tune" these parameters without breaking the system.

Currently, the best (i.e.: lease sparse) form of documentation is in the comments section of the signature file itself.

I hope this helps...

John

(please remember to rate helpful posts)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card