RAPIDS rogue threat scores. Are these cumulative?
For instance, if I have a set of rules, say one that assigns a score of 5 for an AP detected at -75dB RSSI and one that says it must be heard by at least 3 APs, and both of these are true for a potential rogue, do these add together to make a score of 10 and equate to high confidence that the device is a rogue?
The RAPIDS rules are not cumulative. The rules are a top-down checklist. Once a rule applies, the processing stops there; only 1 rule applies to a rogue. So you want to have your most specific rules at the top, then the more general rules in the middle, with a few catch-all rules at the bottom. Customers have chosen various methods of using the threat rating: some use 1 as the highest threat, others use 10 for the highest threat. This is personal preference, and then they set the more severe to email alert.
Also, RAPIDS rules are global. We cannot apply any rule to a small subset of devices.
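The first-match behaviour described in the answer, modelled as an added Python sketch that is not part of the original thread and is not RAPIDS code or configuration. The `Rule` class, the rule names, the device fields, reading "-75dB" as "-75 or stronger", and treating a higher score as more severe are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Rule:                      # hypothetical model of one classification rule
    name: str
    score: int                   # assumption: higher means more severe
    matches: Callable[[dict], bool]

def classify(device: dict, rules: list) -> Optional[Rule]:
    """Top-down checklist: the first rule that applies wins, processing stops."""
    for rule in rules:
        if rule.matches(device):
            return rule
    return None

def cumulative_score(device: dict, rules: list) -> int:
    """What the question assumed (scores add up). Shown only for contrast."""
    return sum(r.score for r in rules if r.matches(device))

# Constructed rules modelled on the question's two conditions.
strong_signal = Rule("signal -75 or stronger", 5, lambda d: d["rssi"] >= -75)
heard_by_three = Rule("heard by 3+ APs", 5, lambda d: d["heard_by"] >= 3)
# Because scores never add, "both conditions" has to be its own specific rule.
strong_and_wide = Rule("strong signal AND heard by 3+ APs", 10,
                       lambda d: d["rssi"] >= -75 and d["heard_by"] >= 3)
catch_all = Rule("catch-all", 1, lambda d: True)

# Same rules, two orderings.
GENERAL_FIRST = [strong_signal, heard_by_three, strong_and_wide, catch_all]
SPECIFIC_FIRST = [strong_and_wide, strong_signal, heard_by_three, catch_all]

# Constructed sample devices.
BOTH_TRUE = {"rssi": -70, "heard_by": 4}
WEAK = {"rssi": -90, "heard_by": 1}

if __name__ == "__main__":
    for label, rules in (("general first", GENERAL_FIRST),
                         ("specific first", SPECIFIC_FIRST)):
        hit = classify(BOTH_TRUE, rules)
        print(f"{label}: matched '{hit.name}' -> score {hit.score}")
    print("sum the question expected:",
          cumulative_score(BOTH_TRUE, [strong_signal, heard_by_three]))
```

With the general rules first, the combined rule is shadowed and never fires, which is why the answer puts the most specific rules at the top.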