WCS IDS False Alarms - NetStumbler Generic Attack

We have a particular installation where we are seeing four (4) types of IDS errors constantly reappearing:
"IDS Signature attack detected. Signature Type: Standard"
"Disassoc flood, Description: Disassociation flood"
"AP impersonation"
"NetStumbler Generic Attack"
In the first three alarms, Cisco has acknowledged that there are known issues with false IDS alarms that are supposed to be fixed in an upcoming "BE-MR2" in mid-December, and a new IDS signature in January.
Is anyone else experiencing the NetStumbler Generic IDS alarm? We see them on a regular basis.
If so, please reply - as I would like to forward this on to TAC to make sure they get this fixed in the next release.
We are using WLC-4.x and WCS 4.x with LAP-1131AG access points.
- John

The Disassociation attack is a known bug acknowledged by Cisco TAC. (That is not a guarantee that it is a false alarm - that is what has been especially frustrating in troubleshooting these).
Specifically, though, I am trying to confirm that others are experiencing the NetStumbler attack as we suspect this is another false alarm since it came from the MAC address of a trusted laptop that was confirmed to not be running NetStumbler - and, yes, I realize that the MAC address can be spoofed, but with the high number of false positives on the other types of alarms mentioned earlier, it would seem more likely that the WLC's IDS subsystem needs tweaking.
I would really like to get this fixed within the next release, and am hoping that additional confirmation may help get Cisco to resolve it more quickly.
- John

Similar Messages

  • Persistent, chronic, false alarms for the past eight months

    We now have two installations that utilize a unified wireless (WLC or WiSM - AIR-LAP1131AG, AIR-LAP1231G, AIR-LAP1242AG access points) that have been exhibiting the following IDS false alarms:
    Disassoc Flood
    AP Impersonation
    We have TAC cases going back to October 2006 to address them and have upgraded to the latest/greatest version 4.0.206.0 in hopes of getting this solved.
    Version 4.0.206.0 was supposed to have fixed these problems, and it did reduce some of the other false alarms (not listed). However, the two mentioned above persist.
    Is anyone else out there experiencing this?
    - John

    Thank you for confirming this behavior.
    In answer to your question, upgrading to 4.0.206.0 did get rid of the "Generic Netstumbler" IDS alarm that turned out to be another false positive.
    As it turns out, there have been comments from Cisco that now indicate that .206 has stability issues (nice to know that now). However, we have not experienced any of these issues at the two installations where this version is operating.
    I also wanted to point out that we went ahead and opened TAC cases for each error at each customer site.
    Currently, most of them have reached a status of "Release Pending". (Now as to *WHICH* release....)
    If you have not opened a TAC case for these issues, taking the time to do so will help Cisco be aware of the extent to which this problem exists in the field and, hopefully, will help them prioritize the fix to this problem.
    John

  • Disassoc flood - false alarms - IDS signature file needs adjustment

    Another interesting observation regarding Disassociation flood wireless IDS alarms:
    When a wireless client goes out of range of an AP, it is not uncommon for a burst of 64 disassociation frames to be sent in order to ensure that the client/AP are no longer associated.
    However, the threshold in the WLC's IDS signature file is 50. It is unclear why this value was chosen by the developers. However, at Cisco's recommendation, we have adjusted the signature file to a value of FREQ=80 (instead of 50) for the following alarms:
    Disassociation, Deauth Flood, and Bcast Deauth
    This has resulted in fewer false alarms (except for Bcast deauth, which is the result of the WLC alarming on its own containment messages - see previous thread!).
    Additional Note: When making changes to the IDS signature file, it would appear that a REBOOT ended up being necessary in our case in order to get the WLCs to recognize the changes to the IDS signature file. When we merely upgraded the signature file, it did not make a difference.
    Also, it would appear that the name of the signature file is important (since the parsing of the file does not take place unless a specific file name is given).
    - John
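    The frequency-threshold behaviour John describes (a roaming burst of 64 disassociation frames tripping a signature whose FREQ is 50, but not one raised to 80) can be modelled over constructed sample frames. This is an added example, not Cisco's signature engine or any code from the thread: the one-second window, the quiet period, the frame dictionary layout and the sample MAC addresses are all assumptions made here for illustration.

```python
"""Frequency-threshold detection of a disassociation burst.

Added example, not Cisco's code: it models a per-signature frequency
rule (FREQ matching frames from one source inside a window) so the
effect of raising FREQ from 50 to 80 on a 64-frame roaming burst can be
seen. Window length, quiet period and frame layout are assumptions.
"""
from collections import defaultdict, deque

# 802.11 management frame subtypes (frame control, type = management).
DISASSOC = 0xA
DEAUTH = 0xC


class FreqSignature:
    """Alarm when at least `freq` matching frames from one source arrive
    within `window_s` seconds; stay silent for `quiet_s` seconds after."""

    def __init__(self, name, subtype, freq, window_s=1.0, quiet_s=600):
        self.name, self.subtype, self.freq = name, subtype, freq
        self.window_s, self.quiet_s = window_s, quiet_s
        self._seen = defaultdict(deque)   # src MAC -> timestamps in window
        self._last_alarm = {}             # src MAC -> time of last alarm

    def feed(self, ts, frame):
        """Process one frame; return an alarm string or None."""
        if frame["type"] != "mgmt" or frame["subtype"] != self.subtype:
            return None
        q = self._seen[frame["src"]]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # slide the window
            q.popleft()
        last = self._last_alarm.get(frame["src"])
        if len(q) >= self.freq and (last is None or ts - last > self.quiet_s):
            self._last_alarm[frame["src"]] = ts
            return f"{self.name}: {len(q)} frames from {frame['src']} in {self.window_s}s"
        return None


def roaming_burst(src, n=64, start=0.0, gap=0.005):
    """Constructed sample: n disassociation frames 5 ms apart, like the
    burst the thread reports when a client drops out of range."""
    return [(start + i * gap, {"type": "mgmt", "subtype": DISASSOC, "src": src})
            for i in range(n)]


def run(freq, frames):
    """Count alarms raised by a Disassoc flood signature with the given FREQ."""
    sig = FreqSignature("Disassoc flood", DISASSOC, freq)
    return sum(1 for ts, f in frames if sig.feed(ts, f))


if __name__ == "__main__":
    burst = roaming_burst("00:11:22:33:44:55")          # assumed client MAC
    print("FREQ=50 alarms on a 64-frame burst:", run(50, burst))
    print("FREQ=80 alarms on a 64-frame burst:", run(80, burst))
    big = roaming_burst("aa:bb:cc:dd:ee:ff", n=100)     # a real flood still alarms
    print("FREQ=80 alarms on a 100-frame burst:", run(80, big))
```

    With FREQ=50 the 64-frame burst raises exactly one alarm (the quiet period suppresses repeats); with FREQ=80 it raises none, while a 100-frame burst from one source still does. Raising FREQ trades a little sensitivity for silence on legitimate roaming; the figure that is right for a site depends on how many frames its clients actually emit when they drop off, which a capture at the AP will show.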

    Hi,
    I'm getting a lot of false positive rogue APs (I've checked the MAC addresses and they are definitely ours), is it possible that a similar problem with signatures is causing this?
    Scott

  • RTMT sending false Alarms?

    Hello,
    We have been randomly receiving the following alerts on RTMT
    MGCP DChannel is out-of-service
    Number of registered gateways decreased in consecutive polls.
    Number of registered gateways increased between consecutive polls.
    We have,
    CUCM: 9.1.2.11008-1
    Voice Router: 15.1(2) T1
    I log into the router and the controllers/ports show no errors on that PRI.
    I checked isdn service, status and logs but still no sign of down. 
    Also we can see active calls on that PRI from RTMT.
    Is RTMT sending false Alarms?

    RTMT is probably not sending false alarms. What level do you have your logging set to?

  • IOS IPS - Sig 4050 UDP Bomb apparent false alarms?

    Hi,
    I'm trying the IOS IPS solution out in a lab environment and I seem to be getting lots of false alarms on sig 4050 - UDP bomb. Looking at the signature description via go/mysdn, and looking at its configuration on the router via SDM, I can see it is simply looking for small UDP packets. But I don't know what size (The parameter is named ShortUDPLength and it's set to True).
    All NTP traffic kicks off this signature. Using Ethereal to capture the NTP exchange, I see that the communication in each direction is a single packet. The layer 2 frame length is 90 bytes. The UDP data length is 56 bytes. All of this seems fine. The NTP server is a Cisco router. The NTP client is running on a Windows 2000 workstation.
    Also, any TFTP to/from the router with IPS enabled also triggers the alert. Specifically it is the Ack's from the TFTP server that trigger the alert. They are indeed small packets - the UDP data size is only 12 bytes.
    Note, this same traffic does not cause alerts from a 5.0 IPS sensor. Looking at the signature definition on the sensor, it doesn't have a parameter named ShortUDPLength. Instead it has a parameter named udp-length-mismatch which is set to true. This doesn't seem to be keying off of a particular data size, but instead conflicting reports in the UDP header compared to the actual packet size.
    Any information that anyone could provide to shed light on this subject would be appreciated. Such as:
    1) Do you find that IOS IPS sig 4050 false alarms are common?
    2) What is the UDP data length that triggers the alert? It has to be bigger than 90 bytes!
    3) Does Cisco have any recommendations on what to do with this built in signature?
    Thanks,
    KEP

    On the sensor appliance side, the udp-length-mismatch checks for discrepancies between the ip header length and udp length of the packet. You were dead on, the signature triggers when the UDP length specified is less than the IP length specified. I'm not positive of exactly what the IOS ShortUDPLength parameter is.
    You provided some valuable information in that the same traffic doesn't trigger the alerts on the appliance, so we know that this is not the signature, but rather the implementation of it in IOS.
    I'm taking a bit of a leap here not knowing what IOS version you are running, but I'm guessing you may be running into CSCeh32935. The title states multicast, but the bug is not limited to just multicast traffic. This affects some 12.3T releases and early 12.4. Looks like 12.4(2)T or higher has fixes implemented.
    Since you're in a lab environment, I'd go ahead and upgrade the IOS on the router and see if that doesn't resolve the issue. If it's still there, open up a TAC case, and they'll be able to recreate the issue and file a new bug if necessary.
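    The sensor-side check the reply describes (udp-length-mismatch: the UDP length field disagreeing with the IP header) is easy to reproduce over constructed packets, which also shows why a legitimately small NTP or TFTP ACK datagram should not match it. This is an added example and not Cisco's signature code; the packet builder, addresses and port numbers are assumptions, and the NTP sample only reuses the sizes KEP quoted (56-byte UDP length, 90-byte frame).

```python
"""IP/UDP length consistency check, in the spirit of udp-length-mismatch.

Added example, not Cisco's signature implementation: it decodes an IPv4
header and the UDP header behind it and flags the packet only when the
UDP length field is not what the IP header says is available. Packets
are constructed here; addresses and ports are assumptions.
"""
import struct

IPPROTO_UDP = 17


def build_ipv4_udp(payload, udp_len=None, ip_total_len=None):
    """Construct an IPv4+UDP packet (no Ethernet header). udp_len and
    ip_total_len override the correct values so a mismatching packet can
    be produced on purpose. Checksums are left at zero; nothing here
    verifies them."""
    if udp_len is None:
        udp_len = 8 + len(payload)
    if ip_total_len is None:
        ip_total_len = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, ip_total_len, 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # assumed hosts
    udp = struct.pack("!HHHH", 123, 123, udp_len, 0)                # assumed ports
    return ip + udp + payload


def udp_length_mismatch(packet):
    """Return (mismatch, detail). A mismatch is a UDP length field that
    differs from the IP payload length; a UDP length under 8 is flagged
    too, because the UDP header itself would not fit."""
    if len(packet) < 20:
        return True, "truncated IP header"
    ver_ihl, _, total_len = struct.unpack("!BBH", packet[:4])
    ihl = (ver_ihl & 0x0F) * 4
    if packet[9] != IPPROTO_UDP:
        return False, "not UDP"
    if len(packet) < ihl + 8:
        return True, "truncated UDP header"
    udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    ip_payload = total_len - ihl
    if udp_len < 8:
        return True, f"udp length {udp_len} < 8"
    if udp_len != ip_payload:
        return True, f"udp length {udp_len} != ip payload {ip_payload}"
    return False, "ok"


if __name__ == "__main__":
    samples = {
        # 48-byte NTP body -> UDP length 56, IP total 76, 90 bytes on the wire
        "ntp": build_ipv4_udp(bytes(48)),
        # TFTP ACK: opcode 4, block 1 -> UDP length 12
        "tftp_ack": build_ipv4_udp(struct.pack("!HH", 4, 1)),
        # UDP header claims 40 bytes while IP carries 56: a real mismatch
        "bad_udp_len": build_ipv4_udp(bytes(48), udp_len=40),
    }
    for name, pkt in samples.items():
        print(f"{name:12s} frame={len(pkt) + 14:3d}B", udp_length_mismatch(pkt))
```

    Both small, well-formed datagrams pass; only the packet whose UDP length field disagrees with the IP header is flagged. A rule that alarms purely on "short UDP length" would fire on the same NTP and TFTP traffic, which matches the symptom described above and is one reason to compare the two implementations before tuning the signature away.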

  • Customizing sensor from filtering false alarms.

    hi,
    How can I filter the false alarms coming out from my DHCP server and DNS servers? I am getting a lot of frag overlap signature alarms. Can anyone help me to avoid these false alarms? Please help.

    Hi,
    You can configure an event action filter for those hosts you do not want the sensor to take any further action for on the specific signatures.
    This is described here : http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmevtrul.htm#wp1063299
    I hope this helps you.

  • ANM 5.2.1 Device Down False Alarms

    Hello all,
    I am just checking if anyone out there is facing false alarm issues with ANM 5.2.1. Basically ANM is sending device down (ACE-30 module) messages occasionally, but in reality the device has never gone down.
    I haven't found any bug related to this issue. Please share your experiences with ANM 5.2.1 ?
    Message:
    ANM Server Host Name   : anm-1
    ANM Server IP Address  : 10.9.20.1
    Device ID              : AGG-B:3
    Component Name         : AGG-B:3
    Severity               : info
    Time                   : 04-Jan-2013 13:49:59 GST
    Alarm Name             : Device Status
    Alarm Value            : Down
    Threshold Assert Value : Down
    Threshold Group Name   : ANM-Alerts
    Alarm State            : Active
    Details                : AGG-B:3's Device Status reached the Down state defined in threshold group 'ANM-Alerts'
    ACE-30 uptime:
    ACE-B kernel uptime is  267 days 0 hour 13 minute(s) 11 second(s)
    Regards,
    Akhtar

    Yes, me. On 5.2.2 and just a couple of hours ago, the passive sent this:
    Device State and Resource Monitoring Alarm of severity info has occurred.
    ANM Server Host Name   :
    ANM Server IP Address  :
    Device ID              : sw000:1
    Component Name         : sw000:1
    Severity               : info
    Time                   : 21-Feb-2013 05:40:39 CET
    Alarm Name             : Device State and Resource Monitoring
    Alarm Value            : Down
    Threshold Assert Value : Down
    Threshold Group Name   : TEST
    Alarm State            : Active
    Details                : sw000:1's Device State and Resource Monitoring reached the Down state defined in threshold group 'TEST'

  • K8N Neo BIOS 1.5 released -- sorry FALSE ALARM

    I haven't yet tried it, but BIOS 1.5 appears to be posted on LiveUpdate, along with a new version of the LiveUpdate software itself. This is for the K8N Neo; I don't know about the Neo2.
    Anyone tried it yet?

    Well this is weird. It tells me 1.5 is released, I try to install it. It first says it needs to install a new version of LiveUpdate. Fine...reboot...then back to LiveUpdate and there's no new version of the BIOS showing up anymore. Or maybe I was just imagining things. Sorry for the false alarm.

  • WCS error in alarm summary

    Hi all.
    I've installed WCS last version.
    I've connected my controller to it.
    WCS connected to Controller and imported configurations.
    Now I've renamed some APs, and into Alarm Summary these AP appear like disconnected from controller (but with old name).
    With new name they appear properly in monitor-->AP and configure-->AP.
    I can't found these ap with old names anywhere.
    I've tried to remove controller from WCS and reinsert it, but problem remains.
    Any suggestion will be appreciated.
    Thanks
    Daniele

    Hi,
    Please check Note No. : 1522009  regarding the issue mentioned by you.
    The issue is fixed on SAP Business One 8.8 PL19.
    Kindly check.
    Kind Regards,
    Jitin
    SAP Business One Forum Team

  • WCS Rogue AP Alarms

    Over the weekend, I moved a bunch of rogue APs into the "Unclassified Rogue AP" group that I felt were not interfering with my network because they were being detected at -80 and above. When I arrived today, I was surprised to find all of those alarms back in "Malicious Rogue AP" alarms. When the rogues aren't detected for a short amount of time, they become "Removed" state and I suspect what's happening is that they lose their grouping when they go undetected and when they are detected again, they are re-grouped into "Malicious." Is anyone else suffering from this? Is there a workaround, or even, a better way to filter out distant rogue APs?

    By the way, I'm running WCS version 6.0.181.0.

  • WCS disc space alarm

    Hi All,
    I'm running WCS 7.0 on a WLSE appliance. Lately WCS has produced the following alarm:
    WCS '150.3.101.7' does not meet the minimum hardware requirements for disk  space. Available: '29'GB. Minimum requirement: '30'GB.
    Doesn't sound critical but I was wondering if anyone had any advice. I have old WCS versions (3, 4, 5 and 6) so could delete those but I'm wary in case I take out the data too.
    Many Thanks,
    Scott

    It really is informational.  The old wlse had a 30 gb hard drive and the requirement in 7.0 is minimum of  50 gb on a low end server.  You will receive this message almost immediately when running 7.x on a converted wlse.  If you are running 7.0 and have multiple installation directories for old versions you could safely delete the old ones.  I would always recommend a backup but with a 30 gb drive if you have a big db that could be problematic.

  • False Alarms?

    Hi,
    We have noticed alarms being displayed on Cisco Prime Collaboration for endpoints that seem as if they are false.. Has anyone experienced this before?
    For example we have a Cisco C90 Codec that is displaying Microphone errors on inputs that are utilised and inputs that are not however upon using the system it seems fine.
    Below is an example error we are getting
    Would this have anything to do with the version the endpoint is on maybe?

    I forgot to put above which version we are running which is version 9.5.34267

  • WCS not Emailing Alarms

    Hi everyone,
    I have been using WCS to monitor the wireless environment and to email me when a failure occurs. I noticed that the emails have stopped being sent out for any alarm. The mail relay is still working correctly and test emails work fine. Has anyone else experienced this before?
    Thank you,
    Chris        

    Hi,
    Never got the issue. But you can check the email account on the server.
    You can also try remove config from WCS and do it again.
    Was there any config change on the network lately that could cause this issue?
    What is your version?
    Sent from Cisco Technical Support iPad App

  • False alarm error messages when Linking from e-mail to web

    About 30-40% of the time that I try to link to the web from a URL embedded in an e-mail, an error message comes up saying that the program's unable to connect to that particular URL (which it cites). But then it almost always goes ahead and takes me to the right website. Why is this happening and is there a way I can stop it? It's a nuisance to always have to read the alarm and then needlessly worry that the connection to the website cannot be made. Thanks.

    Hi,
    you have something like:
    end_of_data = ' '.
    first_call  = 'X'.
      WHILE end_of_data = ' '.
            CALL FUNCTION 'RSDRI_INFOPROV_READ'
              EXPORTING  i_infoprov             = ....
                         i_th_sfc               = ...
                         i_th_sfk               = ...
                         i_t_range              = ...
                         i_reference_date       = ...
                         i_save_in_table        = ....
                         i_save_in_file         = ....
                         I_USE_DB_AGGREGATION   = ...
                         i_packagesize          = 100000
                         i_authority_check      = ...
              IMPORTING  e_t_data               = .....
                         e_end_of_data          = end_of_data
              CHANGING   c_first_call           = first_call
              EXCEPTIONS illegal_input          = 1
                         illegal_input_sfc      = 2
                         illegal_input_sfk      = 3
                         illegal_input_range    = 4
                         illegal_input_tablesel = 5
                         no_authorization       = 6
                         ncum_not_supported     = 7
                         illegal_download       = 8
                         illegal_tablename      = 9
                         OTHERS                 = 11.
      ENDWHILE.
    hope this helps...
    Olivier.

  • False alarm when processing reconciliation events.

    Hi,
    I use OIM 11.1.1.3. I create reconciliation event and process it with tcReconciliationOperationsIntf.processReconciliationEvent(). It works like a charm, but always produces annoying log error messages
    <Nov 23, 2011 5:55:00 PM MSK> <Error> <oracle.iam.reconciliation.dao> <IAM-5010001> <Calling stored procedure - XL_SP_RECONEVALUATEUSER
    strTargetTableName_in=RA_HRDEMO30
    strRequiredAttributesList_in=RECON_USR_TYPE,RECON_USR_EMP_TYPE,RECON_USR_LOGIN,RECON_USR_EMAIL,RECON_HRLASTNAME504F823F,RECON_H> RFIRSTNAME920A3B11,RECON_ORG_NAME
    strMatchingRule_in=(((UPPER(USR.USR_LOGIN)=UPPER(RA_HRDEMO30.RECON_USR_LOGIN))))
    intEventKey_in=91
    intUserKey_in=1>
    Does anybody know if Oracle has fixed this in some new releases or patches?
    Regards,
    Vladimir

    Dewan.Rajiv wrote:
    > You can login into support.oracle.com and if you have access then you can have an option to create SR.
    I do not see anything like "Create SR", so probably I do not have this option (only the button "SRs Created by Me" is available :-)).
    > GTC means Generic Technology Connector. Go to Advance Console there you'll find it.
    Yes I know, my question is what GTC creates as output. If it creates reconciliation events, then the problem will persist, since it happens during recon event processing.
