Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2740
Views
0
Helpful
1
Replies

NULL probe resp 1 Alert on Cisco vWLC and Prime

klopez138
Level 1
Level 1

‎10-02-2019 06:33 AM - edited ‎07-05-2021 11:04 AM

We've recently been getting the following alert on our Cisco Prime: 

Message: IDS 'NULL probe resp 1' Signature attack detected on AP 'SERV-RM-AP-9_(3800)' protocol '802.11a' on Controller '172.xxx.xxx.xxx'. The Signature description is 'NULL Probe Response - Zero length SSID element', with precedence '2'. The attacker's mac address is '8a:15:14:f9:6c:3f', channel number is '149', and the number of detections is '1'.

Failure Source: WLAN Controller WIRELESSCTLR/172.xxx.xxx.xxx.

 

We're in a multi-tenant building and I've confirmed with the wireless admin in our neighboring office that the APs generating these alerts are part of his Meraki deployment and I've set them as friendly external rogues in our WLC. 

I've referenced several discussions in the forums that mention that this signature can be disabled in the WLC settings because Cisco WLCs don't respond to NULL probes with their hidden SSIDs. But, I've been unable to locate this fact in any documentation. I'd like to know if someone knows where in Cisco's technical documentation this is stated, that Cisco WLCs don't respond to NUILL probes with their hidden SSIDs. This way I can show my compliance/security folks that it's not a security concern to disable this signature in the WLC. Any help is appreciated. 

 

 

1 person had this problem
Labels:
0 Helpful
1 Reply 1

Chris C'Leon
Cisco Employee
Cisco Employee

‎11-17-2020 03:33 PM - edited ‎11-17-2020 03:33 PM

Here is the official cisco guidelines that review IDS signatures in details 

 

Cisco Wireless LAN Controller Configuration Guide || Chapter: Configuring IDS Signatures

https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010111100.html

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card