Network Management

Contributor II
Posts: 53
Registered: ‎03-17-2016

IDS signatures seen frequently in logs

I'm trying to find a baseline of what is acceptable in terms of tripped IDS signatures on our Aruba 7205 controller. We were getting several PowerSaveDosAttack alerts, so I increased the threshold so that it would only trip if we saw an anomaly past our usual baseline.

I am now trying to find out a good baseline for wlsxNDisconnectStationAttack, which we also see frequently. In some cases, we see it almost 10 times per hour using the default settings. Another signature, wlsxOmertaAttack, we also see less frequently, but sometimes many come in within a short period of time.

When increasing the thresholds of these signatures, what is an acceptable level? I don't want to set the thresholds too high so that we may miss an active attack. Should I simply double the thresholds until we see few SNMP traps or syslog messages, or are there Aruba recommended settings beyond the defaults?

Wireless newb
Guru Elite
Posts: 19,970
Registered: ‎03-29-2007

Re: IDS signatures seen frequently in logs

You should avoid enabling those three signatures, because they could produce quite a few false positives, depending on the drivers of the clients.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs