To create a new WIDS profile:
- From the WIDS profiles page, select Create New. The New Wireless Intrusion Detection System Profile window opens.
New WIDS profile
Enter the following information:
Name | Type a name for the profile. |
Comments | Optionally, type comments. |
Enable Rogue AP Detection | Select to enable rogue AP detection. |
Background Scan Every Second(s) | Type a value in the text field. |
Disable Background Scan During Specified Time | When selected, select the day of week, start, and stop time. |
Enable Passive Scan Mode | Select to enable passive scan mode. |
Enable On-Wire Rogue AP Detection | Select to enable on-wire rogue AP detection. When enabled you can select to auto suppress rogue APs in foreground scan. |
Intrusion Type | The intrusion types that can be detected. See “Provisioning Templates” on page 236 for information on the available types. |
Status | Select the status of the intrusion type (enable it). |
Threshold | If applicable, type a threshold for reporting the intrusion, in seconds except where specified. |
Interval (sec) | If applicable, type the interval for reporting the intrusion, in seconds. |
- Select OK to create the new WIDS profile.
Intrusion types provides a list of intrusion types and the description.
Intrusion types
Intrusion Type | Description |
Asleap Attack | ASLEAP is a tool used to perform attacks against LEAP authentication. |
Association Frame Flooding | A Denial of Service attack using association requests. The default detection threshold is 30 requests in 10 seconds. |
Authentication Frame Flooding | A Denial of Service attack using association requests. The default detection threshold is 30 requests in 10 seconds. |
Broadcasting De-authentication | This is a type of Denial of Service attack. A flood of spoofed deauthentication frames forces wireless clients to de-authenticate, then re-authenticate with their AP. |
EAPOL Packet Flooding
(to AP) |
Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack.
Several types of EAPOL packets can be detected: EAPOL-FAIL, EAPOL-LOGOFF, EAPOL-START, and EAPOL-SUCC. |
Invalid MAC OU | Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged. |
Long Duration Attack | To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32 767 microseconds. The default is 8200. |
Null SSID Probe Response | When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding. |
Premature EAPOL Packet
Flooding (to client) |
Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the client with these packets can be a denial of service attack.
Two types of EAPOL packets can be detected: EAPOL-FAIL, and EAPOL-SUCC. |
Intrusion Type | Description |
Spoofed De-authentication | Spoofed de-authentication frames form the basis for most denial of service attacks. |
Weak WEP IV Detection | A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic. |
Wireless Bridge | WiFi frames with both the FromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network. |