07-01-2016 09:20 AM
I'm trying to find a baseline of what is acceptable in terms of tripped IDS signatures on our Aruba 7205 controller. We were getting several PowerSaveDosAttack alerts, so I increased the threshold so that it would only trip if we saw an anomaly past our usual baseline.
I am now trying to find out a good baseline for wlsxNDisconnectStationAttack, which we also see frequently. In some cases, we see it almost 10 times per hour using the default settings. Another signature, wlsxOmertaAttack, we also see less frequently but sometimes many come in within a short period of time.
When increasing the thresholds of these signatures, what is an acceptable level? I don't want to set the thresholds too high so that we may miss an active attack. Should I simply double the thresholds until we see few snmp traps or syslog messages, or are there Aruba recommended settings beyond the defaults?
07-09-2016 04:44 AM - edited 07-09-2016 04:44 AM
You should avoid enabling those three signatures, because they could produce quite a few false positives, depending on the drivers of the clients.
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base