Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Available information for specific IDS events

  • 1.  Available information for specific IDS events

    Posted May 22, 2013 10:02 AM

    Hello all.

    I am wondering if anyone would have some (sanitized) examples of WIPS (RAPIDS) logs concerning Windows bridge and ad-hoc with valid SSID. Either CLI output or something copied from the GUI would be fine. I just need to know which categories of information are available.


    I am preparing a matrix of available event info to pass off to the feet-on-the-ground security team for a client, and I need to be able to tell them in advance how much information they would receive when they are triggered to seek and destroy the offending device.

    I have been able to find examples of most attacks in one or another of our clients' event logs, but it seems that neither of these has ever happened on any Aruba network we maintain.


    Thanks in advance for your time,

    -J

    [edited for clarity]



  • 2.  RE: Available information for specific IDS events

    EMPLOYEE
    Posted May 27, 2013 09:21 AM

    You can download the Aruba Syslog Messages 6.1 guide that gives you examples of all syslog messages. Hopefully someone will chime in with some syslogs, though.



  • 3.  RE: Available information for specific IDS events

    Posted Jul 12, 2013 07:43 PM

    I have a CSV export from AirWave of two suspected rogues I haven't tracked down yet (attached).

    And here's a snippet from syslog messages from our master controller (we're doing minimal logging, since we offload to RAPIDS on AirWave):


    Jul 12 17:15:46 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:45:23:0b, SSID  on CHANNEL 40). The access point is suspected to be rogue with a confidence level of (60). Additional Info: .
    Jul 12 17:15:46 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:45:24:a9, SSID  on CHANNEL 149). The access point is suspected to be rogue with a confidence level of (60). Additional Info: .
    Jul 12 17:15:46 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:45:23:65, SSID  on CHANNEL 36). The access point is suspected to be rogue with a confidence level of (60). Additional Info: .
    Jul 12 17:15:46 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:45:23:4a, SSID  on CHANNEL 48). The access point is suspected to be rogue with a confidence level of (60). Additional Info: .
    Jul 12 17:15:47 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:42:6d:4b, SSID  on CHANNEL 165). The access point is suspected to be rogue with a confidence level of (60). Additional Info: .
    Jul 12 17:25:52 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:49:20:46, SSID store-devices on CHANNEL 48). The access point is suspected to be rogue with a confidence level of (40). Additional Info: .
    Attachment(s): csv_export.csv.zip (zip, 640 B, 1 version)
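The wms lines in the snippet above share one fixed layout (timestamp, sender, process and pid, message id, severity, origin, module, event title, free-text body), and the body of a "Suspect Rogue AP" event always carries BSSID, SSID, channel, confidence score and an "Additional Info" slot. That regularity is what makes the field matrix asked for in the first post feasible. The Python below is an added example, not code from this thread, from Aruba or from AirWave: it parses that layout, reports per-field coverage (how many events actually carry a non-empty value in each slot) and filters by confidence. The sample lines are constructed from the quoted format; treating the third angle-bracket field as "<controller-name controller-ip>" is an assumption read off the sample, as is the made-up non-IDS line used to show what the parser skips.

```python
import re
from dataclasses import dataclass, fields
from typing import Dict, Iterable, List, Optional

# Constructed sample, modelled on the wms |ids| lines quoted above. The last
# line is a made-up non-IDS message so the parser has something to skip.
SAMPLE_SYSLOG = """\
Jul 12 17:15:46 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:45:23:0b, SSID  on CHANNEL 40). The access point is suspected to be rogue with a confidence level of (60). Additional Info: .
Jul 12 17:25:52 10.21.0.65 wms[1587]: <126048> <WARN> <000boiid-wc2 10.21.0.65> |ids| Suspect Rogue AP: The system detected a suspected rogue access point (BSSID 00:a0:c8:49:20:46, SSID store-devices on CHANNEL 48). The access point is suspected to be rogue with a confidence level of (40). Additional Info: .
Jul 12 17:30:01 10.21.0.65 example[1]: <000000> <INFO> <000boiid-wc2 10.21.0.65> constructed non-IDS line
"""

# Envelope shared by the controller's syslog lines:
#   <timestamp> <sender-ip> <process>[<pid>]: <msgid> <severity> <origin> |<module>| <title>: <body>
# Reading the origin field as "<controller-name controller-ip>" is an assumption
# taken from the sample, not something documented on the page.
ENVELOPE_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<sender>\S+) "
    r"(?P<process>\w+)\[(?P<pid>\d+)\]: "
    r"<(?P<msgid>\d+)> <(?P<severity>\w+)> <(?P<origin>[^>]*)> "
    r"\|(?P<module>\w+)\| "
    r"(?P<title>[^:]+): (?P<body>.*)$"
)

# Body of a "Suspect Rogue AP" message. The SSID may be empty (hidden network),
# so it is matched lazily up to the literal " on CHANNEL".
ROGUE_AP_RE = re.compile(
    r"\(BSSID (?P<bssid>[0-9a-fA-F:]{17}), SSID (?P<ssid>.*?) on CHANNEL (?P<channel>\d+)\)"
    r".*?confidence level of \((?P<confidence>\d+)\)"
    r"\. Additional Info: (?P<info>.*?)\.?$"
)


@dataclass
class RogueApEvent:
    timestamp: str
    controller: str
    msgid: str
    severity: str
    event: str
    bssid: str
    ssid: str
    channel: int
    confidence: int
    additional_info: str


def parse_ids_line(line: str) -> Optional[RogueApEvent]:
    """Return a RogueApEvent for a wms |ids| Suspect Rogue AP line, else None."""
    env = ENVELOPE_RE.match(line.strip())
    if env is None or env.group("module") != "ids":
        return None
    body = ROGUE_AP_RE.search(env.group("body"))
    if body is None:
        return None  # an |ids| event of some other type; not handled here
    return RogueApEvent(
        timestamp=env.group("timestamp"),
        controller=env.group("origin").split()[0],
        msgid=env.group("msgid"),
        severity=env.group("severity"),
        event=env.group("title"),
        bssid=body.group("bssid").lower(),
        ssid=body.group("ssid"),
        channel=int(body.group("channel")),
        confidence=int(body.group("confidence")),
        additional_info=body.group("info").strip(),
    )


def parse_ids_log(text: str) -> List[RogueApEvent]:
    """Parse a whole syslog capture, skipping lines that are not rogue-AP events."""
    events = (parse_ids_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def field_coverage(events: Iterable[RogueApEvent]) -> Dict[str, int]:
    """Per field, count the events that carry a non-empty value.
    This is the 'what will the team actually receive' matrix."""
    evs = list(events)
    return {
        f.name: sum(1 for e in evs if getattr(e, f.name) not in ("", None))
        for f in fields(RogueApEvent)
    }


def at_least(events: Iterable[RogueApEvent], min_confidence: int) -> List[RogueApEvent]:
    """Keep only events whose confidence score meets the hand-off threshold."""
    return [e for e in events if e.confidence >= min_confidence]


if __name__ == "__main__":
    parsed = parse_ids_log(SAMPLE_SYSLOG)
    for e in parsed:
        print(f"{e.timestamp} {e.controller} bssid={e.bssid} ssid={e.ssid!r} "
              f"ch={e.channel} confidence={e.confidence}")
    print("field coverage:", field_coverage(parsed))
    print("confidence >= 50:", [e.bssid for e in at_least(parsed, 50)])
```

On the sample, the coverage dict shows SSID populated in one of two events and Additional Info in none, which is the kind of answer the first post is after: a field can exist in the message format and still be blank for a given detection, so the hand-off matrix should distinguish "always present" (BSSID, channel, confidence) from "present when the rogue advertises it" (SSID). The same envelope regex can be reused for other |ids| titles by swapping in a body pattern for that event type.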