Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4082
Views
10
Helpful
3
Replies

IDS Signature Attack

Go to solution
michael_prejean
Level 1
Level 1

‎09-16-2021 08:11 AM

Hi all,

 

While troubleshooting an issue with an AP at one of my sites, I came across this error message in WLC logs. Was curious as to what it means, and if there's an issue it's pointing to.

 

"IDS Signature attack cleared. Signature Type: Standard, Name: NULL probe resp 1, Description: NULL Probe Response - Zero length SSID element, Track: per-Mac, Detecting AP Name: USMPWAP100, Radio Type: 802.11a, Preced: 2, Channel: 149"

 

Thanks for any help

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arshad Safrulla
VIP Alumni
VIP Alumni

‎09-17-2021 05:39 AM

These are WIPS system related alarms. As per the documentation below is the description for this attack. How critical this attack needs to be determined by your organization after a risk evaluation.

 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/wireless_intrusion_detection_system.html

NULL probe response signatures—During a NULL probe response attack, a hacker sends a NULL probe response to a wireless client adapter. As a result, the client adapter locks up. When a NULL probe response signature is used to detect such an attack, the access point identifies the wireless client and alerts the controller. The NULL probe response signatures are as follows:

  • NULL probe resp 1 (precedence 2)

  • NULL probe resp 2 (precedence 3)

 

 

Note

Controller does not log historical NULL Probe IDS events within the Signature Events Summary output.

 

 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

View solution in original post

3 Replies 3

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎09-16-2021 08:38 AM

Since you have enable the Security that Logs generated, personally i looked at the logs, not much i have done other than supress the logs or disable.

 

image.png

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Arshad Safrulla
VIP Alumni
VIP Alumni

‎09-17-2021 05:39 AM

These are WIPS system related alarms. As per the documentation below is the description for this attack. How critical this attack needs to be determined by your organization after a risk evaluation.

 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/wireless_intrusion_detection_system.html

NULL probe response signatures—During a NULL probe response attack, a hacker sends a NULL probe response to a wireless client adapter. As a result, the client adapter locks up. When a NULL probe response signature is used to detect such an attack, the access point identifies the wireless client and alerts the controller. The NULL probe response signatures are as follows:

  • NULL probe resp 1 (precedence 2)

  • NULL probe resp 2 (precedence 3)

 

 

Note

Controller does not log historical NULL Probe IDS events within the Signature Events Summary output.

 

 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Go to solution
michael_prejean
Level 1
Level 1
In response to Arshad Safrulla

‎09-18-2021 09:24 AM

Thank you for the quick reply. I will look into these further. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card