02-11-2016 10:36 PM
I have recently enabled IDS on one of my client's iAP clusters which is reporting to Airwave. Checking Airwave I see the below (Screen Snip) IDS events being logged.
In my own opinion there are too many IDS events to ignore them -- from researching the reported items I can safely say that 6 of them are false positives -- however the rest are worrying me a bit - especially the logged Omerta and Hotspotter items.
I do not want to start a "fire" and say we are being attacked so I am asking the community for their opinions. Below is a list of the reported IDS Events.
02-12-2016 04:56 AM
If the RF environment is bad, due to a lot of frame corruption, false positives can be expected. These are probably false positives.
How frequently are the attacks reported? Is it happening only at a specific time or only during the work hours or is it happening all day?
02-12-2016 05:07 AM
I might be mistaken, but it does appear to be quite constant (all day).
The Omerta attack mentioned has only been logged twice and both logs came in quite early this morning.
Though I have only enabled IDS for the last 3 days because the WiFi experience degraded suddenly about a week ago. One of the main reasons I enabled it was users were reporting that they can't connect in the one section of the building (3 APs that were covering that specific area - of which the one AP seemed to be giving a lot of problems).
Haven't had reports of poor WiFi since I enabled it, but that just adds to my suspicions.
02-12-2016 06:31 AM
I would start with looking at the RF utilization in those areas. If it is high (30% or more), that could be the problem. I would try enabling Broadcast Filter ARP in the Advanced Section of all of your SSIDs to see if the RF utilization goes down. As was said before, RF issues could show up as IDS/IPS attacks, so check to make sure that the RF is good, first (low utilization).
Aruba Customer Engineering
02-21-2016 11:45 PM
Understood. I am currently working with TAC on this --- thus far it does appear to be RF related, we are still investigating a bit further, but it does appear as if it is going to come down to fixing RF in the areas...
Will report back once TAC has reported back.