Wireless Access

 View Only
last person joined: 4 days ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Expand all | Collapse all

Signature Match: Disassoc Broadcast

This thread has been viewed 23 times
  • 1.  Signature Match: Disassoc Broadcast

    Posted Oct 12, 2023 09:07 AM

    What course of action can/should be taken when seeing these types of events:  Signature Match: Disassoc Broadcast



    ------------------------------
    Peter
    ------------------------------


  • 2.  RE: Signature Match: Disassoc Broadcast

     
    Posted Oct 12, 2023 09:10 AM

    I would disable the detection.  At one point in the past it would be the precursor to an attack, but many clients when they simply disassociate have the same signature.  In the majority of circumstances it is a false positive.



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: Signature Match: Disassoc Broadcast

    Posted Oct 12, 2023 09:18 AM

    How do I disable that detection?  I thought Aruba recommended enabling it.



    ------------------------------
    Peter
    ------------------------------



  • 4.  RE: Signature Match: Disassoc Broadcast

     
    Posted Oct 12, 2023 09:23 AM

    It should be in the IDS portion:  https://www.arubanetworks.com/techdocs/ArubaOS_8.10.0_Web_Help/Content/arubaos-solutions/wireless-intrus-prev/unde-infr-intr-dete.htm?Highlight=disassociation%20broadcast#new_wip_1365762209_1029498

    It is default and is optional.  Please let me know where you see that Aruba recommends it, so that we can correct it.

    Back in the day, the only "encryption" was WEP and IDS/IPS relied on signatures to understand if they were being attacked.  This signature is a holdover from that period of time and should not be used, in my opinion, because it fills up logs and most of the detection is false positives.



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 5.  RE: Signature Match: Disassoc Broadcast

    Posted Oct 12, 2023 09:27 AM

    Ok, looks like I can disable it via the CLI?   

    One other question - I see I have "Detect AP Impersonation" enabled, should I also have "Protect from AP Impersonation" enabled?  Or just disable "Detect AP Impersonation"?



    ------------------------------
    Peter
    ------------------------------



  • 6.  RE: Signature Match: Disassoc Broadcast

     
    Posted Oct 12, 2023 09:32 AM

    There is an IDS signature matching profile called "default".  by default it has broadcast-association signature.  You have to create a new signature matching profile.



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 7.  RE: Signature Match: Disassoc Broadcast

    Posted Oct 12, 2023 09:33 AM

    Thank you for your help. Much appreciated. 



    ------------------------------
    Peter
    ------------------------------



  • 8.  RE: Signature Match: Disassoc Broadcast

     
    Posted Oct 12, 2023 09:34 AM

    Detect AP impersonation just sends a message.  Protect will send out an IDS/IPS deauth to protect the network.  I would not enable all of it until you test in the lab.  In some circumstances, it is also illegal to deny service, so I would consult an attorney before turning on anything with "protect".



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------