Network Management

Contributor I

Need suggestion about Airwave trigger for WIPS events

Hi all,

I need suggestion about Airwave trigger for WIPS events.

What WIPS events are the most minatorial?

Which WIPS event should trigger if it has been detected within a period of time?

For example: set a trigger if a deauth attack has been detected 10 times in one day.
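The threshold rule the question describes (fire once a source has produced N deauth events within a one-day window), as an added Python illustration that is not part of the original thread; the event line format and the sample events are constructed for the example and are not AirWave's real export format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, one per line: "timestamp,event,reporting_ap,source_bssid".
# Ten deauth detections from one source inside a day, two from another source two
# days apart, and one unrelated rogue classification.
SAMPLE_EVENTS = "\n".join(
    [f"2024-03-01T{8 + i:02d}:00:00,deauth_attack,AP-Lobby,aa:bb:cc:00:00:01" for i in range(10)]
    + [
        "2024-03-01T14:00:00,deauth_attack,AP-Floor2,aa:bb:cc:00:00:02",
        "2024-03-03T14:00:00,deauth_attack,AP-Floor2,aa:bb:cc:00:00:02",
        "2024-03-01T14:30:00,rogue_classified,AP-Floor2,aa:bb:cc:00:00:03",
    ]
)


def parse_events(text):
    """Parse the constructed CSV-style lines into (timestamp, kind, ap, bssid) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, ap, bssid = line.split(",")
        events.append((datetime.fromisoformat(ts), kind, ap, bssid))
    return sorted(events, key=lambda e: e[0])


def evaluate_triggers(events, kind="deauth_attack", threshold=10, window=timedelta(days=1)):
    """Sliding-window counter per source BSSID.

    Returns a list of (fire_time, bssid, count), one entry each time a source's
    count of `kind` events inside `window` reaches `threshold`. It fires on the
    crossing only, so a source that stays above the threshold does not re-alert
    until its count has dropped and climbed back up.
    """
    recent = defaultdict(deque)  # bssid -> timestamps of matching events still inside the window
    fired = []
    for ts, ev_kind, _ap, bssid in events:
        if ev_kind != kind:
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) == threshold:
            fired.append((ts, bssid, len(q)))
    return fired
```

The second source never fires because its two detections are more than a day apart, which is the kind of noise a per-day threshold is meant to suppress.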



Valued Contributor I

Re: Need suggestion about Airwave trigger for WIPS events

I get this question a lot when doing Airwave.


For the unfamiliar customer (with Airwave), I always ask myself what I'd want retrospectively (having seen things after the event, that it would have been nice to alert on).


I'd definitely recommend alerting on full rogue classification (i.e. 100% confidence).


Moving on from that, to a large extent, it depends on how much time you can dedicate yourself (or via a team-member) to pro-actively supporting the WiFi.


Alerting on e.g. de-auths and suspects is fine, but if you don't have time to go and investigate these alerts, there's not a lot of point in alerting. Assuming you do have time...


Clients associating to suspect rogues is interesting, as is detecting ad-hocs and wifi-bridges (if that's frowned upon in your business). Oh, and EAP related alerts can be handy actually for client troubleshooting.


Kudos appreciated, but I'm not hunting! (ACMX 104)

Re: Need suggestion about Airwave trigger for WIPS events

Some of the RAPIDS rules I use are as follows:

1. Duplicate SSID detected on the WLAN

2. Detected wirelessly and on LAN

3. Ad-hoc contained

For Triggers, I set up the following:

Rogue Contained

SNMP Trap IDS event ad-hoc


Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACCA
[If you found my post helpful, please give kudos!]