Wireless Access

New Contributor

Available information for specific IDS events

Hello all.

I am wondering if anyone would have some (sanitized) examples of WIPS (RAPIDS) logs concerning Windows bridge and ad-hoc with valid SSID. Either CLI output or something copied from the GUI would be fine. I just need to know which categories of information are available.

I am preparing a matrix of available event info to pass off to the feet-on-the-ground security team for a client, and I need to be able to tell them in advance how much information they would receive when they are triggered to seek and destroy the offending device.

I have been able to find examples of most attacks in one or another of our clients' event logs, but it seems that neither of these has ever happened on any Aruba network we maintain.

Thanks in advance for your time,

-J

[edited for clarity]

Guru Elite

Re: Available information for specific IDS events

You can download the Aruba Syslog Messages 6.1 guide that gives you examples of all syslog messages.  Hopefully someone will chime in with some syslogs, though.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP

Re: Available information for specific IDS events

I have a CSV export from AirWave of two suspected rogues I haven't tracked down yet (attached).

And here's a snippet of syslog messages from our master controller (we're doing minimal logging, since we offload to RAPIDS on AirWave):

Jul 12 17:15:46 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:45:23:0b, SSID  on CHANNEL 40). The access point is suspected to be rogue with a confidence level of (60). Additional Info: .
Jul 12 17:15:46 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:45:24:a9, SSID  on CHANNEL 149). The access point is suspected to be rogue with a confidence level of (60). Additional Info: .
Jul 12 17:15:46 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:45:23:65, SSID  on CHANNEL 36). The access point is suspected to be rogue with a confidence level of (60). Additional Info: .
Jul 12 17:15:46 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:45:23:4a, SSID  on CHANNEL 48). The access point is suspected to be rogue with a confidence level of (60). Additional Info: .
Jul 12 17:15:47 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:42:6d:4b, SSID  on CHANNEL 165). The access point is suspected to be rogue with a confidence level of (60). Additional Info: .
Jul 12 17:25:52 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:49:20:46, SSID store-devices on CHANNEL 48). The access point is suspected to be rogue with a confidence level of (40). Additional Info: .


--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
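As an added example (not part of the original thread or of any Aruba tooling), the following parser pulls the fields that are actually present in the `wms |ids| Suspect Rogue AP` lines Matthew posted, so that -J's "matrix of available event info" can be built from real controller output rather than guessed. Two of the sample lines are copied from the snippet above; the third (same BSSID re-reported at confidence 80) and the fourth (a non-IDS line the parser must ignore) are constructed for the example. Field names such as `controller`, `additional_info` and the `summarize_by_bssid` layout are this example's own choices, not ArubaOS terminology.

```python
"""Parse ArubaOS wms |ids| 'Suspect Rogue AP' syslog lines and tabulate,
per rogue BSSID, the information a ground team would actually receive."""
import re
from dataclasses import dataclass

# Lines 1-2: copied from the thread. Line 3: constructed (same BSSID, higher
# confidence). Line 4: constructed non-IDS line that must be skipped.
SAMPLE_SYSLOG = """\
Jul 12 17:15:46 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:45:23:0b, SSID  on CHANNEL 40). The access point is suspected to be rogue with a confidence level of (60). Additional Info: .
Jul 12 17:25:52 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:49:20:46, SSID store-devices on CHANNEL 48). The access point is suspected to be rogue with a confidence level of (40). Additional Info: .
Jul 12 17:30:10 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:49:20:46, SSID store-devices on CHANNEL 48). The access point is suspected to be rogue with a confidence level of (80). Additional Info: .
Jul 12 17:31:00 10.21.0.65 sapd[999]: <999999> <INFO> <000boiid-wc2 10.21.0.65> unrelated message
"""

# Syslog header as it appears in the thread: timestamp, relay host, process,
# message id, severity, <system-name system-ip>, |module|, event name, body.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: <(?P<msgid>\d+)> <(?P<sev>\w+)> "
    r"<(?P<sysname>[^ >]+) (?P<sysip>[^>]+)> \|(?P<module>\w+)\| "
    r"(?P<event>[^:]+): (?P<body>.*)$"
)

# Body of a Suspect Rogue AP event. The SSID is lazy so an empty SSID
# (the "SSID  on CHANNEL" case in the snippet) yields "" instead of failing.
BODY_RE = re.compile(
    r"\(BSSID (?P<bssid>[0-9a-fA-F:]{17}), SSID (?P<ssid>.*?) on CHANNEL (?P<channel>\d+)\)"
    r".*?confidence level of \((?P<confidence>\d+)\)"
    r".*?Additional Info: (?P<extra>.*?)\.?$"
)


@dataclass
class RogueEvent:
    timestamp: str
    controller: str        # system name from the <name ip> header field
    controller_ip: str
    msgid: str
    severity: str
    event: str
    bssid: str
    ssid: str              # "" when the beacon carried no SSID
    channel: int
    confidence: int
    additional_info: str   # "" in every line of the posted snippet


def parse_rogue_events(text):
    """Return a RogueEvent for each |ids| Suspect Rogue AP line; skip everything else."""
    events = []
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if not head or head["module"] != "ids":
            continue
        body = BODY_RE.search(head["body"])
        if not body:
            continue  # some other |ids| event type; not a rogue-AP report
        events.append(RogueEvent(
            timestamp=head["ts"], controller=head["sysname"],
            controller_ip=head["sysip"], msgid=head["msgid"],
            severity=head["sev"], event=head["event"],
            bssid=body["bssid"].lower(), ssid=body["ssid"],
            channel=int(body["channel"]), confidence=int(body["confidence"]),
            additional_info=body["extra"],
        ))
    return events


def summarize_by_bssid(events):
    """Collapse repeated reports into one row per BSSID: what a ground team can act on."""
    rows = {}
    for ev in events:
        row = rows.setdefault(ev.bssid, {
            "ssid": ev.ssid or "<none>", "channels": set(), "max_confidence": 0,
            "reports": 0, "first_seen": ev.timestamp, "last_seen": ev.timestamp,
        })
        row["channels"].add(ev.channel)
        row["max_confidence"] = max(row["max_confidence"], ev.confidence)
        row["reports"] += 1
        row["last_seen"] = ev.timestamp
    return rows


def above_threshold(rows, threshold):
    """BSSIDs whose best confidence score reached the hand-off threshold."""
    return sorted(b for b, r in rows.items() if r["max_confidence"] >= threshold)


if __name__ == "__main__":
    for bssid, row in summarize_by_bssid(parse_rogue_events(SAMPLE_SYSLOG)).items():
        print(bssid, row)
```

What the parsed rows make plain is the limit of this event type at this logging level: the team gets BSSID, SSID (possibly empty), channel, a confidence score and the reporting controller, but nothing like a detecting-AP name or signal strength, which is exactly the gap -J's matrix needs to document for the field team.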