
The wireless system has detected a possible intrusion attack by signature..

We are getting the following "critical" alert with the following:

Description

NULL Probe Response - Zero length SSID element

Message

{controller} IDS 'NULL probe resp 1' Signature attack detected on AP 'AP Name' protocol '802.11b/g' on Controller 'x.x.x.x'. The Signature description is 'NULL Probe Response - Zero length SSID element', with precedence '2'. The attacker's mac address is 'xx:xx:xx:xx:xx:xx', channel number is '6', and the number of detections is '1'.

Help

The wireless system has detected a possible intrusion attack by signature detection for a specific attacker. Immediate attention is required.

I'm trying to find more information on this and am wondering if this is a false/positive.

Thanks for help in advance.

4 REPLIES

Re: The wireless system has detected a possible intrusion attack

I would point more towards a false positive alert here.

NULL Probe Response - Zero length SSID element:

Some frames are permitted to carry a null (zero length) SSID, called a broadcast SSID. For example, a station can send a probe request that carries a broadcast SSID; the AP must return its actual SSID in the probe response. Some APs can be configured to send a zero-length broadcast SSID in beacon frames instead of sending their actual SSID. However, it is not possible to keep an SSID value secret, because the actual SSID (ESS name) is carried in several frames.

As far as how to modify the IDS sensor in the WLC:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008063e5d0.shtml

HTH


Re: The wireless system has detected a possible intrusion attack

In reference to the link, the document indicates "These IDS signatures ship with the controller as “standard IDS signatures”."

With this statement, does this imply that the critical alert on the controller is in fact a false/positive?

Thank you for your response.

Re: The wireless system has detected a possible intrusion attack

I'm not sure enough to provide you a firm answer on that question.

However, the explanation I have for the SSID message does not seem to be alarming.

From experience, the IDS sensor in the WLC is very sensitive, and the default values usually generate a lot of alarms in a real-world production environment; tweaking those settings can reduce the number of alarms you will get. You can always use a wireless sniffer to find out whether it is really undergoing an attack.

I would be more worried about an auth/deauth flood than a broadcast SSID. It's possible that some frames have a zero-length SSID value; it does not imply that the AP and network are undergoing an attack.
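Added example, not part of the original thread and not Cisco's signature logic: one way to check a sniffer capture for the condition the alert names, by walking the tagged elements of each probe response and counting zero-length SSID elements per transmitter MAC. It assumes raw 802.11 frames with no radiotap header, FCS or HT Control field; the function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

MGMT_HDR_LEN = 24      # frame control, duration, addr1-3, sequence control
FIXED_LEN = 12         # timestamp (8), beacon interval (2), capability (2)
PROBE_RESP_FC0 = 0x50  # protocol version 0, type 0 (management), subtype 5

def probe_resp_ssid(frame):
    """Return (transmitter MAC, SSID bytes) for a probe response, else None.
    SSID bytes is None if the element is absent or the frame is truncated."""
    if len(frame) < MGMT_HDR_LEN + FIXED_LEN or frame[0] != PROBE_RESP_FC0:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])  # addr2 = transmitter
    pos = MGMT_HDR_LEN + FIXED_LEN
    while pos + 2 <= len(frame):                      # walk tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elen]
        if len(value) < elen:
            break                                     # element cut short
        if eid == 0:                                  # element ID 0 = SSID
            return src, value
        pos += 2 + elen
    return src, None

def null_ssid_senders(frames):
    """Count probe responses with a zero-length SSID element per transmitter."""
    counts = Counter()
    for frame in frames:
        parsed = probe_resp_ssid(frame)
        if parsed and parsed[1] == b"":
            counts[parsed[0]] += 1
    return dict(counts)

def build_probe_resp(src, ssid):
    """Constructed sample frame: no radiotap header, no FCS, no HT Control."""
    sta = bytes.fromhex("020000000001")               # constructed client MAC
    hdr = b"\x50\x00\x00\x00" + sta + src + src + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0401)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])

AP_A = bytes.fromhex("0200000000aa")                  # constructed MACs
AP_B = bytes.fromhex("0200000000bb")
SAMPLES = [build_probe_resp(AP_A, b"corp"), build_probe_resp(AP_B, b""),
           build_probe_resp(AP_B, b""), build_probe_resp(AP_B, b"")[:37]]

if __name__ == "__main__":
    print(null_ssid_senders(SAMPLES))
```

Comparing the per-MAC counts with the MAC address reported in the controller alert shows whether the frames come from a known device, which helps in judging whether the alert is a false positive.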


Re: The wireless system has detected a possible intrusion attack

Is there a way to exclude a MAC from being reported on? Support told me to disable the reporting... I'd rather not.
