
WIPS and "ap-ssid-broadcast-in-beacon" event


el_magneto
New Contributor

Hi,

I recently enabled onboard WIPS functionality on my WING 7.2.1. (Rogue AP detection plus all wips events) and got a lot of "ap-ssid-broadcast-in-beacon" events with MAC addresses of APs out of my system/control. 

I cannot find any explanation of this event in WING documentation. Do you know what it means exactly? Is it dangerous? Do you know any place where wips events are described more extensively?

 

Regards

1 ACCEPTED SOLUTION

Ron_Galien
Extreme Employee

This appears to be an informational event seen by your onboard wips > WING AP / sensors which are detecting neighboring devices / APs that have their SSIDs' configuration set to broadcast. Every wireless router (or wireless access point) has a network name assigned to it. The technical term is a Service Set Identifier (SSID). By default, a router will broadcast its SSID in beacons, so all users within its range can see the network on their PC or other device. For your own security purposes you should not have your own SSIDs configured to “broadcast”.
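How a sensor can tell from a beacon whether the SSID is being broadcast, as an added example that is not part of the original post and not WiNG's own code: it reads the SSID element (ID 0) from the beacon body and treats a zero-length or all-NUL value as hidden. The BSSIDs, SSIDs, frame bytes and function names are constructed for illustration.

```python
import struct

FIXED_LEN = 12   # beacon body starts with timestamp(8) + interval(2) + capabilities(2)
SSID_IE = 0      # element ID of the SSID information element

def make_beacon(ssid: bytes) -> bytes:
    """Build a constructed beacon body: fixed fields, SSID element, one rates element."""
    fixed = struct.pack("<QHH", 0, 100, 0x0431)
    return fixed + bytes([SSID_IE, len(ssid)]) + ssid + bytes([1, 1, 0x82])

def parse_ssid(body: bytes):
    """Return the raw SSID element value, or None if it is absent or truncated."""
    pos = FIXED_LEN
    while pos + 2 <= len(body):
        ie_id, ie_len = body[pos], body[pos + 1]
        value = body[pos + 2 : pos + 2 + ie_len]
        if len(value) < ie_len:
            return None              # element runs past the end of the frame
        if ie_id == SSID_IE:
            return value
        pos += 2 + ie_len
    return None

def ssid_is_broadcast(body: bytes) -> bool:
    """True when the beacon carries a real name (not empty, not all NUL bytes)."""
    ssid = parse_ssid(body)
    return bool(ssid) and any(ssid)

def triage(observations, own_bssids):
    """Label each observed beacon as own/neighbor and broadcast/hidden."""
    rows = []
    for bssid, body in observations:
        owner = "own" if bssid in own_bssids else "neighbor"
        if ssid_is_broadcast(body):
            rows.append((bssid, owner, "broadcast", parse_ssid(body).decode("utf-8", "replace")))
        else:
            rows.append((bssid, owner, "hidden", None))
    return rows

# Constructed sample data (not taken from the thread).
OWN_BSSIDS = {"02:00:00:00:00:01"}
OBSERVED = [
    ("02:00:00:00:00:01", make_beacon(b"corp-wifi")),    # own AP, SSID in beacon
    ("02:00:00:00:00:02", make_beacon(b"cafe-guest")),   # neighbor, SSID in beacon
    ("02:00:00:00:00:03", make_beacon(b"")),             # neighbor, zero-length SSID
    ("02:00:00:00:00:04", make_beacon(b"\x00" * 8)),     # neighbor, NUL-padded SSID
]

if __name__ == "__main__":
    for row in triage(OBSERVED, OWN_BSSIDS):
        print(row)
```

Splitting the rows by the own/neighbor column shows which beacons come from APs you can reconfigure and which are simply neighbors within range of the sensor.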


ckelly
Extreme Employee

el_magneto:

 

The idea here is that the system has detected a wireless client that is scanning (probe requests) for wireless networks at a higher than normal/expected rate.  The concern is that this is a malicious user scanning for networks for the purpose of collecting information for a future attack.

There’s some uncertainty here though because some older clients operated this way as part of their normal behavior (newer clients don’t scan this aggressively).  This would be considered a reconnaissance threat (attacker is collecting information for a future attack). The caveat here though is that even the newer wireless reconnaissance tools no longer scan like this either.  So the assumption is that this is either coming from a ‘safe’ old client or an older version of reconnaissance software.

 

 

el_magneto
New Contributor

Hi,

Next one I can see is “aggresive-scanning”

ckelly
Extreme Employee

el_magneto,

I think you’re correct in that there’s no documentation for the WiNG WIPS events.

If you have any questions about a particular one though, feel free to ask about it here though.

el_magneto
New Contributor

That makes sense. This is why I saw this event originated from other APs but also from my own APs. At first I thought that this event says that my own SSIDs are broadcast by other APs (SSID spoofing).

In such case this is useless for me and I tried to disable this event BUT I probably hit a bug.

I disabled this event for a specific RF-domain but nothing happened. Then I disabled all events and left only Rogue AP detection, but the event is generated all the time:

[screenshot]

Although in configuration all events are disabled:

>show running-config device xxx

wips-policy Rogue_AP_detect
ap-detection


ap505 xx-xx-xx-xx-xx-xx
...
use wips-policy Rogue_AP_detect
...

What do you think of that? My Wing version is 7.2.1.8-005R.

 

And last question. I read in other articles that there is no description for onboard WIPS events in any Extreme documentation (maybe Extreme should think about doing this) but there are similar events in AirDefense documentation which are described more extensively. Can you show me where exactly? I cannot find it.

Thank you in advance!
