
Need suggestion about Airwave trigger for WIPS events

  • 1.  Need suggestion about Airwave trigger for WIPS events

    Posted Jan 23, 2014 07:08 AM

    Hi all,

    I need a suggestion about Airwave triggers for WIPS events.

    What WIPS events are most minatorial?

    What WIPS event should trigger if it has been detected during a period of time?

    For example: set a trigger if a deauth attack has been detected 10 times in one day.

    Thanks

     



  • 2.  RE: Need suggestion about Airwave trigger for WIPS events

    Posted Jan 29, 2014 03:00 AM

    I get this question a lot when doing Airwave.

     

    For the unfamiliar customer (with Airwave), I always ask myself what I'd want retrospectively (having seen things after the event, that it would have been nice to alert on).

     

    I'd definitely recommend alerting on full rogue classification (i.e. 100% confidence).

     

    Moving on from that, to a large extent, it depends on how much time you can dedicate yourself (or via a team-member) to pro-actively supporting the WiFi.

     

    Alerting on e.g. de-auths and suspects is fine, but if you don't have time to go and investigate these alerts, there's not a lot of point in alerting. Assuming you do have time...

     

    Clients associating to suspect rogues is interesting, as is detecting ad-hocs and wifi-bridges (if that's frowned upon in your business). Oh, and EAP related alerts can be handy actually for client troubleshooting.

     



  • 3.  RE: Need suggestion about Airwave trigger for WIPS events
    Best Answer

    Posted Jan 29, 2014 11:08 AM

    Some of the RAPIDS rules I use are as follows:

     

    1. Duplicate SSID detected on the WLAN


    2. Detected wirelessly and on LAN


    3. Ad-hoc contained


    For Triggers, I set up the following:

     

    Rogue Contained


    SNMP Trap IDS event ad-hoc

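
The threshold trigger asked about in the first post (a deauth event detected 10 times in one day), sketched as an added example that is not part of the thread and not AirWave's own logic. The log line format, the function names and the sample events are all constructed assumptions; the trigger fires once per burst and re-arms only after the count drops, which keeps the alert volume low enough to investigate.

```python
from collections import deque
from datetime import datetime, timedelta


def parse_event(line):
    """Parse 'ISO-timestamp event_type source' (a constructed line format)."""
    ts, event_type, source = line.split()
    return datetime.fromisoformat(ts), event_type, source


def evaluate_trigger(lines, event_type, threshold=10, window=timedelta(days=1)):
    """Return the timestamps at which a count-in-window trigger fires.

    Fires when `threshold` events of `event_type` fall inside a sliding
    `window`, then stays silent until the count drops below the threshold
    again, so one sustained burst raises one alert instead of many.
    """
    recent = deque()  # timestamps of matching events still inside the window
    armed = True
    fired = []
    for ts, etype, _source in sorted(parse_event(l) for l in lines if l.strip()):
        if etype != event_type:
            continue
        # Drop events that have aged out of the window.
        while recent and ts - recent[0] >= window:
            recent.popleft()
        recent.append(ts)
        if len(recent) < threshold:
            armed = True  # count fell back, so the next burst may alert
        elif armed:
            fired.append(ts)
            armed = False
    return fired


def constructed_events():
    """Constructed sample events, not real AirWave or controller output."""
    start = datetime(2014, 1, 23, 7, 0)
    lines = [f"{(start + timedelta(minutes=30 * i)).isoformat()} deauth ap-lobby"
             for i in range(12)]
    lines.append("2014-01-23T09:15:00 adhoc ap-floor2")
    lines += [f"2014-01-25T09:{m:02d}:00 deauth ap-lobby" for m in (0, 10, 20)]
    return lines


if __name__ == "__main__":
    for ts in evaluate_trigger(constructed_events(), "deauth"):
        print("deauth threshold reached at", ts.isoformat())
```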