Wireless

What course of action can/should be taken when seeing these types of events:  Signature Match: Disassoc Broadcast

I would disable the detection.  At one point in the past it would be the precursor to an attack, but many clients when they simply disassociate have the same signature.  In the majority of circumstances it is a false positive.

What course of action can/should be taken when seeing these types of events:  Signature Match: Disassoc Broadcast

How do I disable that detection?  I thought Aruba recommended enabling it.

I would disable the detection.  At one point in the past it would be the precursor to an attack, but many clients when they simply disassociate have the same signature.  In the majority of circumstances it is a false positive.

What course of action can/should be taken when seeing these types of events:  Signature Match: Disassoc Broadcast

It should be in the IDS portion:  https://www.arubanetworks.com/techdocs/ArubaOS_8.10.0_Web_Help/Content/arubaos-solutions/wireless-intrus-prev/unde-infr-intr-dete.htm?Highlight=disassociation%20broadcast#new_wip_1365762209_1029498

It is default and is optional.  Please let me know where you see that Aruba recommends it, so that we can correct it.

Back in the day, the only "encryption" was WEP and IDS/IPS relied on signatures to understand if they were being attacked.  This signature is a holdover from that period of time and should not be used, in my opinion, because it fills up logs and most of the detection is false positives.

How do I disable that detection?  I thought Aruba recommended enabling it.

I would disable the detection.  At one point in the past it would be the precursor to an attack, but many clients when they simply disassociate have the same signature.  In the majority of circumstances it is a false positive.

What course of action can/should be taken when seeing these types of events:  Signature Match: Disassoc Broadcast

Ok, looks like I can disable it via the CLI?   

One other question - I see I have "Detect AP Impersonation" enabled, should I also have "Protect from AP Impersonation" enabled?  Or just disable "Detect AP Impersonation"?

It should be in the IDS portion:  https://www.arubanetworks.com/techdocs/ArubaOS_8.10.0_Web_Help/Content/arubaos-solutions/wireless-intrus-prev/unde-infr-intr-dete.htm?Highlight=disassociation%20broadcast#new_wip_1365762209_1029498

It is default and is optional.  Please let me know where you see that Aruba recommends it, so that we can correct it.

Back in the day, the only "encryption" was WEP and IDS/IPS relied on signatures to understand if they were being attacked.  This signature is a holdover from that period of time and should not be used, in my opinion, because it fills up logs and most of the detection is false positives.

How do I disable that detection?  I thought Aruba recommended enabling it.

I would disable the detection.  At one point in the past it would be the precursor to an attack, but many clients when they simply disassociate have the same signature.  In the majority of circumstances it is a false positive.

What course of action can/should be taken when seeing these types of events:  Signature Match: Disassoc Broadcast

There is an IDS signature matching profile called "default".  by default it has broadcast-association signature.  You have to create a new signature matching profile.

Ok, looks like I can disable it via the CLI?   

One other question - I see I have "Detect AP Impersonation" enabled, should I also have "Protect from AP Impersonation" enabled?  Or just disable "Detect AP Impersonation"?

It should be in the IDS portion:  https://www.arubanetworks.com/techdocs/ArubaOS_8.10.0_Web_Help/Content/arubaos-solutions/wireless-intrus-prev/unde-infr-intr-dete.htm?Highlight=disassociation%20broadcast#new_wip_1365762209_1029498

It is default and is optional.  Please let me know where you see that Aruba recommends it, so that we can correct it.

Back in the day, the only "encryption" was WEP and IDS/IPS relied on signatures to understand if they were being attacked.  This signature is a holdover from that period of time and should not be used, in my opinion, because it fills up logs and most of the detection is false positives.

How do I disable that detection?  I thought Aruba recommended enabling it.

I would disable the detection.  At one point in the past it would be the precursor to an attack, but many clients when they simply disassociate have the same signature.  In the majority of circumstances it is a false positive.

What course of action can/should be taken when seeing these types of events:  Signature Match: Disassoc Broadcast

Ok, looks like I can disable it via the CLI?   

One other question - I see I have "Detect AP Impersonation" enabled, should I also have "Protect from AP Impersonation" enabled?  Or just disable "Detect AP Impersonation"?

It should be in the IDS portion:  https://www.arubanetworks.com/techdocs/ArubaOS_8.10.0_Web_Help/Content/arubaos-solutions/wireless-intrus-prev/unde-infr-intr-dete.htm?Highlight=disassociation%20broadcast#new_wip_1365762209_1029498

It is default and is optional.  Please let me know where you see that Aruba recommends it, so that we can correct it.

Back in the day, the only "encryption" was WEP and IDS/IPS relied on signatures to understand if they were being attacked.  This signature is a holdover from that period of time and should not be used, in my opinion, because it fills up logs and most of the detection is false positives.

How do I disable that detection?  I thought Aruba recommended enabling it.

I would disable the detection.  At one point in the past it would be the precursor to an attack, but many clients when they simply disassociate have the same signature.  In the majority of circumstances it is a false positive.

What course of action can/should be taken when seeing these types of events:  Signature Match: Disassoc Broadcast