Alarm fatigue with Threat Active / External Honeypot in WIPS / RADAR

  • Updated 1 month ago
Hello folks,

I have a sprawling wireless network that covers a lot of acres in town. Aside from the insanely high number of guest wireless users, I also run alongside a lot of public buildings that have their own WiFi networks (such as a large car lot).

I seem to have a nagging collection of threats for "external honeypots". Which is OK if the device lingers. But I seem to get an alert for drive-by users. And I know sometimes a user requesting a network can result in a false detection. In other words, they fire open their laptop and Windows says "is there a dlink SSID in the house?" which then results in an External Honeypot message of "there is a dlink SSID!". I also seem to pick up a lot of cars from the car lot that have their own SSIDs for the driver, passengers, and mechanics.

My question is, how do I make these threats self-clear? I have a bunch where the first/last seen is all in the same time/minutes/seconds? I went into XMC and edited the Alarm Definition. Then under Other Options I checked the box for Cleared by Alarms "Threat Inactive". And then I also tried checking "No Current Alarm". But neither one seemed to clear up all my old alarms. I still need to manually right-click and clear selected alarm.

Steve Ballantyne


Posted 1 month ago
