05-28-2020 01:46 PM
Hi,
I recently enabled onboard WIPS functionality on my WING 7.2.1 (Rogue AP detection plus all WIPS events) and got a lot of "ap-ssid-broadcast-in-beacon" events with MAC addresses of APs out of my system/control.
I cannot find any explanation of this event in WING documentation. Do you know what it means exactly? Is it dangerous? Do you know any place where WIPS events are described more extensively?
Regards
05-28-2020 09:25 PM
This appears to be an informational event seen by your onboard WIPS > WING AP / sensors which are detecting neighboring devices / APs that have their SSID’s configuration set to broadcast. Every wireless router (or wireless access point) has a network name assigned to it. The technical term is a Service Set Identifier (SSID). By default, a router will broadcast its SSID in beacons, so all users within its range can see the network on their PC or other device. For your own security purposes you should not have your own SSIDs configured to “broadcast”.
06-03-2020 02:11 PM
el_magneto:
The idea here is that the system has detected a wireless client that is scanning (probe requests) for wireless networks at a higher than normal/expected rate. The concern is that this is a malicious user scanning for networks for the purpose of collecting information for a future attack.
There’s some uncertainty here though because some older clients operated this way as part of their normal behavior (newer clients don’t scan this aggressively). This would be considered a reconnaissance threat (attacker is collecting information for a future attack). The caveat here though is that even the newer wireless reconnaissance tools no longer scan like this either. So the assumption is that this is either coming from a ‘safe’ old client or an older version of reconnaissance software.
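The rate check described in the reply above, as an added example that is not part of the original thread and is not Extreme's implementation: it counts probe requests per client MAC in a sliding window over constructed capture records. The window length and threshold are assumptions, since the thread gives no WiNG values.

```python
from collections import defaultdict, deque

# Assumed tuning values for illustration; the thread does not state WiNG's thresholds.
WINDOW_SECONDS = 10.0
MAX_PROBES_PER_WINDOW = 20


def find_aggressive_scanners(probes, window=WINDOW_SECONDS, limit=MAX_PROBES_PER_WINDOW):
    """Return {client_mac: peak probe count in any window} for clients above limit.

    probes: iterable of (timestamp_seconds, client_mac) records, in any order.
    """
    recent = defaultdict(deque)  # client -> probe timestamps inside the current window
    peak = defaultdict(int)      # client -> highest in-window count seen so far
    for ts, mac in sorted(probes):
        mac = mac.lower()        # normalise so one client is not counted under two spellings
        q = recent[mac]
        q.append(ts)
        while ts - q[0] >= window:  # drop probes that fell out of the window
            q.popleft()
        peak[mac] = max(peak[mac], len(q))
    return {mac: n for mac, n in peak.items() if n > limit}


def build_sample():
    """Constructed sample records (not real capture data)."""
    probes = []
    # Ordinary client: a burst of 4 probe requests every 30 s.
    for burst in range(10):
        for i in range(4):
            probes.append((burst * 30 + i * 0.02, "02:00:00:AA:00:01"))
    # Aggressive client: one probe request every 0.25 s for 60 s.
    for i in range(240):
        probes.append((100 + i * 0.25, "02:00:00:bb:00:02"))
    return probes


if __name__ == "__main__":
    for mac, n in find_aggressive_scanners(build_sample()).items():
        print(f"aggressive-scanning candidate {mac}: {n} probes in {WINDOW_SECONDS:.0f} s")
```

Because older clients can legitimately probe at high rates, as the reply notes, a hit from a check like this is a candidate for review rather than proof of reconnaissance.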
06-03-2020 12:39 PM
Hi,
Next one I can see is “aggresive-scanning”
06-01-2020 01:42 PM
el_magneto,
I think you’re correct in that there’s no documentation for the WiNG WIPS events.
If you have any questions about a particular one though, feel free to ask about it here.
05-29-2020 07:46 AM
That makes sense. This is why I saw this event originating from other APs but also from my own APs. At first I thought that this event says that my own SSIDs are broadcast by other APs (SSID spoofing).
In that case this is useless for me and I tried to disable this event, BUT I probably hit a bug.
I disabled this event for a specific RF-domain but nothing happened. Then I disabled all events and left only Rogue AP detection, but the event is generated all the time:
Although in configuration all events are disabled:
>show running-config device xxx
wips-policy Rogue_AP_detect
ap-detection
ap505 xx-xx-xx-xx-xx-xx
...
use wips-policy Rogue_AP_detect
...
What do you think of that? My Wing version is 7.2.1.8-005R.
And last question. I read in other articles that there is no description for onboard WIPS events in any Extreme documentation (maybe Extreme should think about doing this) but there are similar events in AirDefense documentation which are described more extensively. Can you show me where exactly? I cannot find it.
Thank you in advance!