Solved: Re: IDS Signature Attack

michael_prejean · ‎09-16-2021

Hi all,

While troubleshooting an issue with an AP at one of my sites, I came across this error message in WLC logs. Was curious as to what it means, and if there's an issue it's pointing to.

"IDS Signature attack cleared. Signature Type: Standard, Name: NULL probe resp 1, Description: NULL Probe Response - Zero length SSID element, Track: per-Mac, Detecting AP Name: USMPWAP100, Radio Type: 802.11a, Preced: 2, Channel: 149"

Thanks for any help

Arshad Safrulla · ‎09-17-2021

These are WIPS system related alarms. As per the documentation below is the description for this attack. How critical this attack needs to be determined by your organization after a risk evaluation.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/wireless_intrusion_detection_system.html

NULL probe response signatures—During a NULL probe response attack, a hacker sends a NULL probe response to a wireless client adapter. As a result, the client adapter locks up. When a NULL probe response signature is used to detect such an attack, the access point identifies the wireless client and alerts the controller. The NULL probe response signatures are as follows:

NULL probe resp 1 (precedence 2)
NULL probe resp 2 (precedence 3)

Note

Controller does not log historical NULL Probe IDS events within the Signature Events Summary output.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

View solution in original post

balaji.bandi · ‎09-16-2021

Since you have enable the Security that Logs generated, personally i looked at the logs, not much i have done other than supress the logs or disable.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Arshad Safrulla · ‎09-17-2021