Controller Based WLANs

How do I configure an IDS signature-matching profile and new signatures?

Product and Software: This article applies to all Aruba controllers and ArubaOS versions.


What is the purpose of an intrusion detection signature (IDS)?
Many WLAN intrusion and attack tools generate characteristic signatures that can be detected by the Aruba network. The system is preconfigured with several known signatures, and it includes the ability for you to create new signatures.


Why might you need to create your own signature?
You want to be alerted when a certain WLAN pattern occurs. Perhaps you're seeing some odd traffic on your network and you want to be alerted the next time it occurs. You've noticed that it has unusual header characteristics, and you want to write a signature that will match this known pattern. Or perhaps you are interested in configuring your IDS to identify abnormal or suspicious traffic in general, not just attacks or probes. Some signatures may tell you which specific attack is occurring or what vulnerability the attacker is trying to exploit, while other signatures may just indicate that unusual behavior is occurring, without specifying a particular attack.


How can I identify the tool that causes the attack?
It will often take significantly more time and resources to identify the tool that is causing malicious activity, but it will give you more information as to why you are being attacked and what the intent of the attack is.


What are the predefined signatures?



Signature Description
ASLEAP A tool created for Linux systems that has been used to attack Cisco LEAP authentication protocol.
Null-Probe-Response An attack with the potential to crash or lock up the firmware of many 802.11 NICs. In this attack, a client probe-request frame will be answered by a probe response containing a null SSID. A number of popular NIC cards will lock up upon receiving such a probe response
AirJack Originally a suite of device drivers for
802.11(a/b/g) raw frame injection and reception. It was intended to be used as a development tool for all 802.11 applications that need to access the raw protocol, however one of the tools included allowed users to force off all users on an access point.
NetStumbler Generic NetStumbler is a popular wardriving
application used to locate 802.11 networks.
When used with certain NICs (such as
Orinoco), NetStumbler generates a characteristic frame that can be detected.
NetStumbler Version 3.3.0x Version 3.3.0 of NetStumbler changed the characteristic frame slightly. This signature detects the updated frame.
Deauth-Broadcast A deauth broadcast attempts to disconnect all stations in range - rather than sending a spoofed deauth to a specific MAC address, this attack sends the frame to a broadcast address.



How do I configure an IDS signature-matching profile?


To use the WebUI to configure the IDS signature-matching profile, follow these steps:


1) Navigate to Configuration > AP Configuration. Select either AP Group or AP Specific.

  • If you select AP Group, click Edit for the AP group name for which you want to configure IDS.
  • If you select AP Specific, select the name of the AP for which you want to configure IDS.

2) Select the IDS profile to display the IDS profiles that are contained in the top-level profile.
3) Select the IDS Signature Matching profile.
You can select a predefined profile from the drop-down menu. Or you can modify parameters and click Save As to create an IDS signature-matching profile instance.

Note: If you selected a predefined IDS profile, you cannot select or create a different IDS signature-matching profile instance. You can modify parameters within the IDS signature-matching profile instance.

4) Click Apply.


To use the CLI to configure the IDS signature-matching profile, issue the following command:


ids signature-matching-profile <profile>
signature <predefined-signature>




How do I Create a New Signature?


Signature rules match an attribute to a value. For example, you can add a rule that matches the BSSID to the value 00:00:00:00:00:0a. The following table describes the attributes and values you can configure for a signature rule.

Attribute Description
BSSID BSSID field in the 802.11 frame header.
destination MAC address Destination MAC address in 802.11 frame header.
frame type Type of 802.11 frame. For each type of frame further details can be specified to filter and detect only the required frames. It can be one of the following:
- association
- auth
- beacon
- control (all control frames)
- data (all data frames)
- deauth
- deassoc
- management (all management frames)
- probe-request
- probe-response
SSID For beacon, probe-request, and probe-response frame types, specify the SSID as either a string or hex pattern.
SSID-length For beacon, probe-request, and probe-response frame types, specify the SSID length. Maximum length is 32 bytes.
 
payload Pattern at a fixed offset in the payload of an 802.11 frame. Specify the pattern to be matched as a string or hex pattern. Maximum length is 32 bytes.
 
offset When a payload pattern is configured, specify the offset in the payload where the pattern is expected to be found in the frame.
sequence number Sequence number of the frame.
source MAC address Source MAC address of the 802.11 frame.




To use the WebUI to create a new signature, follow these steps:


1) Navigate to Configuration > Advanced Services > All Profiles.
2) Scroll the list of profiles and select IDS Signature Profile. Enter the name of the new signature profile and click Add.
3) Select the new signature profile name to display profile details.
4) Click New to add a rule to the profile.
5) After you finish configuring the rule to be added, click Add to add the rule.
6) Click Apply.



To use the CLI to add a new signature, issue the following command:


ids signature-profile <profile>
<rule>



What syslog message is generated when a signature match is detected?


Example in logs:


May 27 08:26:17 <sapd 326227> <ERRS> |AP kys-carnie5f-arb-vap3@10.132.234.213 sapd| AM 00:0b:86:34:ea:e0: Signature Match detected. SignatureName="Null-Probe-Response" src=00:90:fe:5e:45:6f Dst=00:0e:9b:a3:63:09 Bssid=00:90:fe:5e:45:6f Channel=6 RSSI=0

Version History
Revision #:
1 of 1
Last update:
‎07-05-2014 09:47 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.