Network Management

Contributor I
Posts: 29
Registered: 09-09-2013

Need suggestion about Airwave trigger for WIPS events

Hi all,

I need suggestion about Airwave trigger for WIPS events.

Which WIPS events are the most threatening?

Which WIPS event should trigger if it has been detected repeatedly during a period of time?

For example: set a trigger if a deauth attack has been detected 10 times in one day.

Thanks
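The count-based trigger the question describes (a deauth detection seen N times within one day), as an added example that is not from this thread and not AirWave's own trigger logic; the event lines, their field layout and the AP names are constructed here for illustration, not AirWave's export format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample WIPS events: "<ISO timestamp> <event type> <detecting AP>".
# Ten deauth_flood detections at AP-Lobby fall inside one day; AP-Warehouse sees
# only two, more than 24 hours apart, so it must never reach a threshold of 2.
SAMPLE_EVENTS = """\
2013-09-10T08:00:00 deauth_flood AP-Lobby
2013-09-10T08:10:00 deauth_flood AP-Lobby
2013-09-10T09:00:00 rogue_detected AP-Lobby
2013-09-10T10:00:00 deauth_flood AP-Warehouse
2013-09-10T11:00:00 deauth_flood AP-Lobby
2013-09-10T12:00:00 deauth_flood AP-Lobby
2013-09-10T13:00:00 deauth_flood AP-Lobby
2013-09-10T14:00:00 deauth_flood AP-Lobby
2013-09-10T15:00:00 deauth_flood AP-Lobby
2013-09-10T16:00:00 deauth_flood AP-Lobby
2013-09-10T17:00:00 deauth_flood AP-Lobby
2013-09-10T18:00:00 deauth_flood AP-Lobby
2013-09-11T10:30:00 deauth_flood AP-Warehouse
"""

ONE_DAY = timedelta(days=1)

def parse_events(text):
    """Parse the constructed event lines into (timestamp, event type, AP), oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, kind, ap = line.split()
            events.append((datetime.fromisoformat(ts), kind, ap))
    return sorted(events, key=lambda e: e[0])

def threshold_alerts(events, kind, threshold, window=ONE_DAY):
    """Fire once per detecting AP whenever `threshold` events of `kind` land inside a
    sliding `window`; the window is reset after each alert so a long burst does not
    re-alert on every further event. Returns [(ap, iso_time_of_alert), ...]."""
    recent = defaultdict(deque)  # per-AP timestamps of matching events inside the window
    alerts = []
    for ts, ev_kind, ap in events:
        if ev_kind != kind:
            continue
        q = recent[ap]
        q.append(ts)
        while ts - q[0] >= window:   # drop detections that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ap, ts.isoformat()))
            q.clear()
    return alerts

if __name__ == "__main__":
    print(threshold_alerts(parse_events(SAMPLE_EVENTS), "deauth_flood", 10))
```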

 

MVP
Posts: 562
Registered: 11-28-2011

Re: Need suggestion about Airwave trigger for WIPS events

I get this question a lot when doing Airwave.

 

For the unfamiliar customer (with Airwave), I always ask myself what I'd want retrospectively (having seen things after the event, that it would have been nice to alert on).

 

I'd definitely recommend alerting on full rogue classification (i.e. 100% confidence).

 

Moving on from that, to a large extent, it depends on how much time you can dedicate yourself (or via a team-member) to pro-actively supporting the WiFi.

 

Alerting on e.g. de-auths and suspects is fine, but if you don't have time to go and investigate these alerts, there's not a lot of point in alerting. Assuming you do have time...

 

Clients associating to suspect rogues is interesting, as is detecting ad-hocs and wifi-bridges (if that's frowned upon in your business). Oh, and EAP related alerts can be handy actually for client troubleshooting.

 

Kudos appreciated, but I'm not hunting! (ACMX 104)
MVP
Posts: 1,435
Registered: 10-25-2011

Re: Need suggestion about Airwave trigger for WIPS events

Some of the RAPIDS rules I use are as follows:

1. Duplicate SSID detected on the WLAN (attachment: Capture.PNG)

2. Detected wirelessly and on LAN (attachment: Capture1.PNG)

3. Ad-hoc contained (attachment: Capture2.PNG)

For Triggers, I set up the following:

Rogue Contained (attachment: rogue1.PNG)

SNMP Trap IDS event ad-hoc (attachment: roguie2.PNG)

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]