Switch to the view Advanced profiles and open the dialog Wireless IDS profiles. A profile named "DEFAULT" is already available and contains preassigned values that are typical for specific attack scenarios. Click Edit to modify this profile. Click Add to create a new WIDS profile.
The General tab is used to configure the general profile settings:
- Profile name
- Enter a unique profile name.
- Entry active
- Enables or disables this profile.
- Wireless-IDS active
- Activates or deactivates the Wireless Intrusion Detection System.
- Promiscuous mode
- With promiscuous mode enabled, the AP additionally receives packets that were addressed to other network participants. Among other things, this applies to data packets that are not broadcasts and whose target MAC address differs from the address of the AP. This allows some of the attack types mentioned below to be detected. However, this mode affects the performance of the device. For this reason, frame aggregation is automatically disabled when promiscuous mode is enabled.
- Messaging via SYSLOG
- Activates or deactivates the messaging via SYSLOG. The generated SYSLOG message has the severity level "INFO" and contains the timestamp, the interface, and the trigger (type of attack and passed threshold).
- Messaging via SNMP traps
- Activates or deactivates the WIDS messaging via SNMP traps.
- Messaging via e-mail
- Activates or deactivates the messaging via e-mail.
Important: An SMTP account has to be configured in order to use messaging via e-mail.
- E-mail recipient
- The e-mail address of the recipient when messaging via e-mail is activated. The field must contain a valid e-mail address.
- E-mail aggregate interval
- Sets the delay in seconds before a new e-mail is sent if the WIDS is triggered again. This prevents e-mail flooding in case of extensive attacks.
The two Signature tabs are used to configure the various thresholds and measuring intervals (packets per second) of the different WIDS alarm functions. These settings are used by the WIDS to determine if an attack is taking place.
The following attack scenarios can be detected by configuring the thresholds and measuring intervals:
- EAPOL-Start
- Broadcast probe
- Authentication request
- Deauthentication request (*)
- Broadcast deauthentication
- Association request
- Reassociation request
- Disassociation request (*)
- Broadcast disassociate
- Out-of-window
- Block Ack after DelBA
- Null data flood
- Null data PS buffer overflow
- Multi stream data
- Premature EAPOL success (*)
- Premature EAPOL failure (*)
- PS poll TIM interval
- Listen interval difference
There are typical default values set for the different attack scenarios.
Note: (*) Only if promiscuous mode is active.
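The following added example (not code from the device or its vendor) models how a per-signature threshold and measuring interval, the promiscuous-mode dependency of the (*) signatures, and the e-mail aggregate interval interact. The fixed counting windows, the "count exceeds threshold" rule, and all names and values (`WidsModel`, `SIGS`, `EVENTS`) are assumptions made for illustration.

```python
from collections import defaultdict

# Signatures the page marks with (*): only detectable in promiscuous mode.
PROMISCUOUS_ONLY = {"Deauthentication request", "Disassociation request",
                    "Premature EAPOL success", "Premature EAPOL failure"}

class WidsModel:
    """Simplified model (assumption): fixed measuring windows per signature."""
    def __init__(self, signatures, promiscuous, mail_aggregate_s):
        self.signatures = signatures        # name -> (threshold, interval in s)
        self.promiscuous = promiscuous
        self.mail_aggregate_s = mail_aggregate_s
        self.counts = defaultdict(int)      # (name, window index) -> frames
        self.alerted = set()                # windows that already alarmed
        self.last_mail = None

    def observe(self, ts, name):
        """Feed one frame event; return (alarm, mail_sent)."""
        if name not in self.signatures:
            return (False, False)
        if name in PROMISCUOUS_ONLY and not self.promiscuous:
            return (False, False)           # not detectable without promiscuous mode
        threshold, interval = self.signatures[name]
        key = (name, int(ts // interval))
        self.counts[key] += 1
        if self.counts[key] <= threshold or key in self.alerted:
            return (False, False)
        self.alerted.add(key)               # one alarm per window and signature
        send = self.last_mail is None or ts - self.last_mail >= self.mail_aggregate_s
        if send:
            self.last_mail = ts
        return (True, send)

def run(events, **profile):
    """Return (timestamp, signature, mail_sent) for every alarm raised."""
    model = WidsModel(**profile)
    results = [(ts, name, model.observe(ts, name)) for ts, name in events]
    return [(ts, name, r[1]) for ts, name, r in results if r[0]]

def burst(start, name, n=4):
    return [(round(start + i * 0.1, 1), name) for i in range(n)]

# Constructed thresholds and frame events, not the device's defaults.
SIGS = {"Deauthentication request": (3, 1), "Authentication request": (3, 1)}
EVENTS = (burst(0.0, "Deauthentication request") + burst(5.0, "Authentication request")
          + burst(20.0, "Deauthentication request"))
```

Calling `run(EVENTS, signatures=SIGS, promiscuous=True, mail_aggregate_s=10)` raises three alarms but sends only two e-mails, because the second alarm falls inside the aggregate interval; with `promiscuous=False` the deauthentication bursts go unnoticed.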