IDS signatures seen frequently in logs

I'm trying to find a baseline of what is acceptable in terms of tripped IDS signatures on our Aruba 7205 controller. We were getting several PowerSaveDosAttack alerts, so I increased the threshold so that it would only trip if we saw an anomaly past our usual baseline.

I am now trying to find out a good baseline for wlsxNDisconnectStationAttack, which we also see frequently. In some cases, we see it almost 10 times per hour using the default settings. Another signature, wlsxOmertaAttack, we also see less frequently, but sometimes many come in within a short period of time.

When increasing the thresholds of these signatures, what is an acceptable level? I don't want to set the thresholds too high so that we may miss an active attack. Should I simply double the thresholds until we see few SNMP traps or syslog messages, or are there Aruba recommended settings beyond the defaults?

Wireless newb

Re: IDS signatures seen frequently in logs

You should avoid enabling those three signatures, because they could produce quite a few false positives, depending on the drivers of the clients.



Colin Joseph
Aruba Customer Engineering
