event

Configures events, filters and threshold values for this WIPS policy. Events are grouped into three categories, AP anomaly, client anomaly, and excessive. WLANs are baselined for matching criteria. Any deviation from this baseline is considered an anomaly and logged as an event.
Note

Note

By default all event monitoring is disabled.

Supported in the following platforms:

Syntax

event [ap-anomaly|client-anomaly|enable-all-events|excessive]
event ap-anomaly [ad-hoc-violation|airjack|ap-ssid-broadcast-in-beacon|asleap|
impersonation-attack|null-probe-response|transmitting-device-using-invalid-mac|
unencrypted-wired-leakage|wireless-bridge]
event client-anomaly [dos-broadcast-deauth|fuzzing-all-zero-macs|
fuzzing-invalid-frame-type|fuzzing-invalid-mgmt-frames|fuzzing-invalid-seq-num|
identical-src-and-dest-addr|invalid-8021x-frames|netstumbler-generic|
non-conforming-data|wellenreiter] {filter-ageout <0-86400>}
event enable-all-events
event excessive [80211-replay-check-failure|aggressive-scanning|auth-server-failures|
decryption-failures|dos-assoc-or-auth-flood|dos-eapol-start-storm|dos-unicast-deauth-or-disassoc|
eap-flood|eap-nak-flood|frames-from-unassoc-station] {filter-ageout <0-86400>|
threshold-client <0-65535>|threshold-radio <0-65535>}

Parameters

event ap-anomaly [ad-hoc-violation|airjack|ap-ssid-broadcast-in-beacon|asleap|
impersonation-attack|null-probe-response|transmitting-device-using-invalid-mac|
unencrypted-wired-leakage|wireless-bridge]

ap-anomaly

Enables AP anomaly event tracking

An AP anomaly event refers to suspicious frames sent by neighboring APs. An administrator enables or disables the filtering of each listed event and sets the thresholds for the generation of event notification and filtering.

ad-hoc-violation

Tracks ad-hoc network violations

airjack

Tracks AirJack attacks

ap-ssid-broadcast-in-beacon

Tracks AP SSID broadcasts in beacon events

asleap

Tracks ASLEAP attacks. These attacks break LEAP (Lightweight Extensible Authentication Protocol) passwords

impersonation-attack

Tracks impersonation attacks. These are also referred to as spoofing attacks, where the attacker assumes the address of an authorized device.

null-probe-response

Tracks null probe response attacks

transmitting-device-using- invalid-mac

Tracks the transmitting device using an invalid MAC address

unencrypted-wired-leakage

Tracks unencrypted wired leakage

wireless-bridge

Tracks WDS (wireless bridge) frames

event client-anomaly [dos-broadcast-deauth|fuzzing-all-zero-macs|fuzzing-invalid-frame-type|
fuzzing-invalid-mgmt-frames|fuzzing-invalid-seq-num|identical-src-and-dest-addr|invalid-8021x-frames|
netstumbler-generic|non-conforming-data|wellenreiter] {filter-ageout <0-86400>}

client-anomaly

Enables client anomaly event tracking

These are suspicious events performed by wireless clients that compromising the security of the network. An administrator can enable or disable the filtering of each listed event and set the thresholds required for the generation of the event notification and filtering action applied.

dos-broadcast-deauth

Tracks DoS broadcast deauthentication events

fuzzing-all-zero-macs

Tracks Fuzzing: All zero MAC addresses observed

fuzzing-invalid-frame-type

Tracks Fuzzing: Invalid frame type detected

fuzzing-invalid-mgmt-frames

Tracks Fuzzing: Invalid management frame detected

fuzzing-invalid-seq-num

Tracks Fuzzing: Invalid sequence number detected

identical-src-and-dest-addr

Tracks identical source and destination addresses detection

invalid-8021x-frames

Tracks Fuzzing: Invalid 802.1x frames detected

netstumbler-generic

Tracks Netstumbler (v3.2.0, 3.2.3, 3.3.0) events

non-changing-wep-iv

Tracks unchanging WEP IV events

non-conforming-data

Tracks non conforming data packets

wellenreiter

Tracks Wellenreiter events

filter-ageout <0-86400>

The following keywords are common to all of the above client anomaly events:

  • filter-ageout <0-86400> – Optional. Configures the filter expiration time in seconds

    • <0-86400> – Sets the filter ageout time from 0 - 86400 seconds. The default is 0 seconds.

Note: For each violation define a filter time in seconds, which determines how long the packets (received from an attacking device) are ignored once a violation has been triggered. Ignoring frames from an attacking device minimizes the effectiveness of the attack and the impact to the site until permanent mitigation can be performed.

The filter ageout value is applicable across the entire RF Domain using this WIPS policy. If an MU is detected performing an attack and is filtered by one of the APs, the information is passed on to all APs and controllers within the RF Domain through the domain manager. Consequently the MU is filtered, for the specified period of time, across all devices.

event enable-all-events

enable-all-events

Enables tracking of all intrusion events (client anomaly and excessive events)

event excessive [80211-replay-check-failure|aggressive-scanning|
auth-server-failures|decryption-failures|dos-assoc-or-auth-flood|dos-eapol-start-storm|
dos-unicast-deauth-or-disassoc|eap-flood|eap-nak-flood|frames-from-unassoc-station] 
{filter-ageout [<0-86400>]|threshold-client [<0-5535>]|threshold-radio <0-65535>}

excessive

Enables the tracking of excessive events. Excessive events are actions performed continuously and repetitively. These events can impact the performance of the controller managed network. DoS attacks come under this category.

80211-replay-check-failure

Tracks 802.11replay check failure

aggressive-scanning

Tracks aggressive scanning events

auth-server-failures

Tracks failures reported by authentication servers

decryption-failures

Tracks decryption failures

dos-assoc-or-auth-flood

Tracks DoS association or authentication floods

dos-eapol-start-storm

Tracks DoS EAPOL start storms

dos-unicast-deauth-or- disassoc

Tracks DoS dissociation or deauthentication floods

eap-flood

Tracks EAP floods

eap-nak-flood

Tracks EAP NAK floods

frames-from-unassoc-station

Tracks frames from unassociated clients

filter-ageout <0-86400>

The following keywords are common to all excessive events:

  • filter-ageout <0-86400> – Optional. Configures a filter expiration time in seconds. It sets the duration for which the client is filtered. The client is added to a ACL as a special entry and frames received from this client are dropped.

    • <0-86400> – Sets a filter ageout time from 0 - 86400 seconds. The default is o seconds.

Note: This value is applicable across the RF Domain. If a client is detected performing an attack and is filtered by one of the APs, the information is passed to the domain controller. The domain controller then propagates this information to all APs and wireless controllers in the RF Domain.

threshold-client <0-65535>

The following keywords are common to all excessive events:

  • threshold-client <0-65535> – Optional. Configures a client threshold value after which the filter is triggered and an event is recorded

    • <0-65535> – Sets a wireless client threshold value from 0 - 65535 seconds

threshold-radio <0-65535>

The following keywords are common to all excessive events:

  • threshold-radio <0-65535> – Optional. Configures a radio threshold value after which the filter is triggered and an event is recorded

    • <0-65535> – Sets a radio threshold value from 0 - 65535 seconds

Examples

nx9500-6C8809(config-wips-policy-test)#event excessive 80211-replay-check-failure 
filter-ageout 9 threshold-client 8 threshold-radio 99
nx9500-6C8809(config-wips-policy-test)#show context
wips-policy test
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 event client-anomaly wellenreiter filter-ageout 99
 ap-detection-ageout 50
 ap-detection-wait-time 15
nx9500-6C8809(config-wips-policy-test)#

Related Commands

no (wips-policy-config-mode-command)

Disables WIPS policy events tracking