Frequent Contributor II

IDS signatures seen frequently in logs

I'm trying to find a baseline of what is acceptable in terms of tripped IDS signatures on our Aruba 7205 controller. We were getting several PowerSaveDosAttack alerts, so I increased the threshold so that it would only trip if we saw an anomaly past our usual baseline.

I am now trying to find out a good baseline for wlsxNDisconnectStationAttack, which we also see frequently. In some cases, we see it almost 10 times per hour using the default settings. Another signature, wlsxOmertaAttack, we also see less frequently, but sometimes many come in within a short period of time.

When increasing the thresholds of these signatures, what is an acceptable level? I don't want to set the thresholds too high so that we may miss an active attack. Should I simply double the thresholds until we see few SNMP traps or syslog messages, or are there Aruba-recommended settings beyond the defaults?

Guru Elite

Re: IDS signatures seen frequently in logs

You should avoid enabling those three signatures, because they could produce quite a few false positives, depending on the drivers of the clients.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*