https://community.cisco.com/t5/wireless/wlc-signature-attack-detected/m-p/2191935#M7374 <HTML><HEAD></HEAD><BODY><P>We found that this message was received whenever one of our APs could hear a rogue AP that had a hidden SSID.<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Thu, 28 Feb 2013 01:58:20 GMT thomas03usmcsf 2013-02-28T01:58:20Z https://community.cisco.com/t5/wireless/wlc-signature-attack-detected/m-p/2191934#M7373 <P>Hi, we have a WLC detecting every 15 min this attack for months. What does it mean? maybe a false positive? something to worry about? any workaround? Thanks</P><P></P><P></P><P></P><P>IDS 'NULL probe resp 1' Signature attack detected on AP 'AP1' protocol '802.11b/g' on Controller '192.168.128.17'. The Signature description is 'NULL Probe Response - Zero length SSID element', with precedence '2'. The attacker's mac address is '06:xx:xx:xx:xx:xx', channel number is '11', and the number of detections is '1'.</P><P></P><P> (2 times)</P> Sun, 04 Jul 2021 06:37:16 GMT https://community.cisco.com/t5/wireless/wlc-signature-attack-detected/m-p/2191934#M7373 jmprats 2021-07-04T06:37:16Z https://community.cisco.com/t5/wireless/wlc-signature-attack-detected/m-p/2191935#M7374 <HTML><HEAD></HEAD><BODY><P>We found that this message was received whenever one of our APs could hear a rogue AP that had a hidden SSID.<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Thu, 28 Feb 2013 01:58:20 GMT https://community.cisco.com/t5/wireless/wlc-signature-attack-detected/m-p/2191935#M7374 thomas03usmcsf 2013-02-28T01:58:20Z https://community.cisco.com/t5/wireless/wlc-signature-attack-detected/m-p/2191936#M7375 <HTML><HEAD></HEAD><BODY><P>Hi Thomas or anyone from CISCO,</P><P></P><P>Is this the official answer from CISCO that this error message is whenever an AP configured to WLAN Controller can hear a rogue AP with a non-broadcast SSID??</P><P></P><P>Thanks!</P><P></P><P>the_guardian</P></BODY></HTML> Wed, 08 May 2013 09:17:52 GMT https://community.cisco.com/t5/wireless/wlc-signature-attack-detected/m-p/2191936#M7375 the_guardian 2013-05-08T09:17:52Z https://community.cisco.com/t5/wireless/wlc-signature-attack-detected/m-p/2191937#M7376 <HTML><HEAD></HEAD><BODY><P><A href="http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_01000001.pdf">http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_01000001.pdf</A></P><P></P><P><SPAN style="font-size: 10pt;">NULL probe response signatures—During a NULL probe response attack, a hacker sends a NULL</SPAN></P><P>probe response to a wireless client adapter. As a result, the client adapter locks up. When aNULLprobe</P><P>response signature is used to detect such an attack, the access point identifies the wireless client and</P><P>alerts the controller. The NULL probe response signatures are as follows:</P><P>◦NULL probe resp 1 (precedence 2)</P><P>◦NULL probe resp 2 (precedence 3)</P><P></P><P>Remove the attacker from the network to avoid client lockup.</P></BODY></HTML> Sun, 19 May 2013 05:08:50 GMT https://community.cisco.com/t5/wireless/wlc-signature-attack-detected/m-p/2191937#M7376 Saravanan Lakshmanan 2013-05-19T05:08:50Z