Contents
client-association fast-learn enable
countermeasure attack deauth-broadcast
countermeasure attack disassoc-broadcast
countermeasure attack honeypot-ap
countermeasure attack hotspot-attack
countermeasure attack ht-40-mhz-intolerance
countermeasure attack malformed-packet
countermeasure attack man-in-the-middle
countermeasure attack power-save
countermeasure attack unencrypted-trust-client
countermeasure attack windows-bridge
countermeasure misassociation-client
countermeasure misconfigured-ap
countermeasure packet-sending-interval
countermeasure potential-authorized-ap
countermeasure potential-external-ap
countermeasure potential-rogue-ap
countermeasure unauthorized-client
countermeasure uncategorized-ap
countermeasure uncategorized-client
detect dissociate-client enable
display wips virtual-security-domain countermeasure record
display wips virtual-security-domain device
malformed invalid-address-combination
malformed invalid-disassoc-code
match all (AP classification rule view)
reset wips virtual-security-domain
reset wips virtual-security-domain countermeasure record
ssid (AP classification rule view)
wlan nat-detect countermeasure
WIPS commands
For information about MSR routers that can function as ACs, see "Compatibility of hardware and AC functionality."
access-scan
Use access-scan enable to configure APs to perform WIPS scanning while providing access services.
Use undo access-scan enable to disable APs from performing WIPS scanning while providing access services.
Syntax
access-scan enable
undo access-scan enable
Default
APs do not perform WIPS scanning while they are providing access services.
Views
WIPS view
Predefined user roles
network-admin
Usage guidelines
This command enhances the WIPS detection and protection capabilities but decreases the access service capability.
Examples
# Configure APs to perform WIPS scanning while providing access services.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] access-scan enable
ap-channel-change
Use ap-channel-change to configure channel change detection.
Use undo ap-channel-change to disable channel change detection.
Syntax
ap-channel-change [ quiet quiet-value ]
undo ap-channel-change
Default
Channel change detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a channel change. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a channel change within the quiet time.
Examples
# Configure channel change detection.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] ap-channel-change quiet 5
ap-classification rule
Use ap-classification rule to create an AP classification rule and enter its view, or enter the view of an existing AP classification rule.
Use undo ap-classification rule to remove an AP classification rule.
Syntax
ap-classification rule rule-id
undo ap-classification rule rule-id
Default
No AP classification rules exist.
Views
WIPS view
Predefined user roles
network-admin
Parameters
rule-id: Specifies an AP classification rule ID in the range of 1 to 65535.
Examples
# Create AP classification rule 1 and enter its view.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] ap-classification rule 1
ap-flood
Use ap-flood to configure AP flood attack detection.
Use undo ap-flood to disable AP flood attack detection.
Syntax
ap-flood [ apnum apnum-value | exceed exceed-value | quiet quiet-value ] *
undo ap-flood
Default
AP flood attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
apnum apnum-value: Specifies the AP number threshold in the range of 10 to 200. The default AP number threshold is 80.
exceed exceed-value: Specifies the maximum number of excessive APs allowed. The value range for the exceed-value argument is 10 to 200 and the default value is 80. If the number of APs exceeds the sum of the AP number threshold and the maximum number of excessive APs allowed, WIPS triggers an AP flood attack alarm.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an AP flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an AP flood attack within the quiet time.
Examples
# Enable AP flood attack detection, and set the apnum-value, exceed-value, and quiet-value arguments to 50, 50, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] ap-flood apnum 50 exceed 50 quiet 100
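The following added example (not vendor code) models how the apnum, exceed, and quiet parameters described above interact, replaying a constructed series of AP counts. It assumes the quiet time is measured from the last alarm and that an alarm can fire again once exactly quiet-value seconds have passed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ApFloodModel:
    """Model of the ap-flood parameters as documented on this page."""
    apnum: int = 80      # AP number threshold (default 80)
    exceed: int = 80     # maximum number of excessive APs allowed (default 80)
    quiet: int = 600     # quiet time in seconds after an alarm (default 600)
    last_alarm: Optional[int] = None

    def observe(self, ts: int, ap_count: int) -> str:
        # The alarm condition is "number of APs exceeds apnum + exceed",
        # so a count equal to the sum does not trigger.
        if ap_count <= self.apnum + self.exceed:
            return "ok"
        # Assumption: quiet time runs from the last alarm that was raised.
        if self.last_alarm is not None and ts - self.last_alarm < self.quiet:
            return "suppressed"
        self.last_alarm = ts
        return "alarm"


def replay(model: ApFloodModel,
           samples: List[Tuple[int, int]]) -> Tuple[List[int], int]:
    """Return (timestamps of alarms, number of suppressed detections)."""
    alarms, suppressed = [], 0
    for ts, count in samples:
        result = model.observe(ts, count)
        if result == "alarm":
            alarms.append(ts)
        elif result == "suppressed":
            suppressed += 1
    return alarms, suppressed


# Constructed samples: (seconds since start, number of APs seen).
SAMPLES = [(0, 40), (60, 95), (120, 100), (180, 101), (240, 130),
           (300, 150), (360, 90), (3600, 140), (3660, 160)]

if __name__ == "__main__":
    configs = {
        "page example (50/50/100)": ApFloodModel(50, 50, 100),
        "same, quiet 604800": ApFloodModel(50, 50, 604800),
        "defaults (80/80/600)": ApFloodModel(),
    }
    for name, model in configs.items():
        alarms, suppressed = replay(model, SAMPLES)
        print(f"{name}: alarms at {alarms}, suppressed {suppressed}")
```

With the maximum quiet time, only the first detection in the trace raises an alarm and the burst an hour later is silent, which is the trade-off to weigh when choosing quiet-value.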
ap-impersonation
Use ap-impersonation to configure AP impersonation attack detection.
Use undo ap-impersonation to disable AP impersonation attack detection.
Syntax
ap-impersonation [ quiet quiet-value ]
undo ap-impersonation
Default
AP impersonation attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an AP impersonation attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an AP impersonation attack within the quiet time.
Examples
# Enable AP impersonation attack detection, and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] ap-impersonation quiet 360
apply ap-classification rule
Use apply ap-classification rule to bind an AP classification rule to a classification policy.
Use undo apply ap-classification rule to cancel the configuration.
Syntax
apply ap-classification rule rule-id { authorized-ap | { { external-ap | misconfigured-ap | rogue-ap } [ severity-level level ] } }
undo apply ap-classification rule rule-id
Default
No AP classification rule is bound to a classification policy.
Views
Classification policy view
Predefined user roles
network-admin
Parameters
rule-id: Specifies an AP classification rule by its ID in the range of 1 to 65535.
authorized-ap: Specifies APs that match the AP classification rule as authorized APs.
external-ap: Specifies APs that match the AP classification rule as external APs.
misconfigured-ap: Specifies APs that match the AP classification rule as misconfigured APs.
rogue-ap: Specifies APs that match the AP classification rule as rogue APs.
level: Specifies a severity level for the AP that matches the AP classification rule, in the range of 1 to 100. The default severity level is 50.
Examples
# Bind AP classification rule 1 to classification policy home, specify APs that match AP classification rule 1 as rogue APs, and set the severity level to 80.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] classification policy home
[Sysname-wips-cls-home] apply ap-classification rule 1 rogue-ap severity-level 80
Related commands
ap-classification rule
apply classification policy
Use apply classification policy to apply a classification policy to a virtual security domain (VSD).
Use undo apply classification policy to remove a classification policy from a VSD.
Syntax
apply classification policy policy-name
undo apply classification policy policy-name
Default
No classification policy is applied to a VSD.
Views
VSD view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a classification policy by its name, a case-sensitive string of 1 to 63 characters.
Examples
# Apply classification policy policy1 to VSD home.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] virtual-security-domain home
[Sysname-wips-vsd-home] apply classification policy policy1
apply countermeasure policy
Use apply countermeasure policy to apply a countermeasure policy to a VSD.
Use undo apply countermeasure policy to remove a countermeasure policy from a VSD.
Syntax
apply countermeasure policy policy-name
undo apply countermeasure policy policy-name
Default
No countermeasure policy is applied to a VSD.
Views
VSD view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a countermeasure policy by its name, a case-sensitive string of 1 to 63 characters.
Examples
# Apply countermeasure policy policy2 to VSD home.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] virtual-security-domain home
[Sysname-wips-vsd-home] apply countermeasure policy policy2
apply detect policy
Use apply detect policy to apply an attack detection policy to a VSD.
Use undo apply detect policy to remove an attack detection policy from a VSD.
Syntax
apply detect policy policy-name
undo apply detect policy policy-name
Default
No attack detection policy is applied to a VSD.
Views
VSD view
Predefined user roles
network-admin
Parameters
policy-name: Specifies an attack detection policy by its name, a case-sensitive string of 1 to 63 characters.
Examples
# Apply attack detection policy policy2 to VSD home.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] virtual-security-domain home
[Sysname-wips-vsd-home] apply detect policy policy2
apply signature policy
Use apply signature policy to apply a signature policy to a VSD.
Use undo apply signature policy to remove a signature policy from a VSD.
Syntax
apply signature policy policy-name
undo apply signature policy policy-name
Default
No signature policy is applied to a VSD.
Views
VSD view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a signature policy by its name, a case-sensitive string of 1 to 63 characters.
Examples
# Apply signature policy policy1 to VSD home.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] virtual-security-domain home
[Sysname-wips-vsd-home] apply signature policy policy1
apply signature rule
Use apply signature rule to bind a signature to a signature policy.
Use undo apply signature rule to unbind a signature from a signature policy.
Syntax
apply signature rule rule-id
undo apply signature rule rule-id
Default
No signature is bound to a signature policy.
Views
Signature policy view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a signature by its ID in the range of 1 to 65535.
Examples
# Bind signature 1 to signature policy office.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] signature policy office
[Sysname-wips-sig-office] apply signature rule 1
ap-rate-limit
Use ap-rate-limit to rate limit AP entry learning.
Use undo ap-rate-limit to restore the default.
Syntax
ap-rate-limit [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo ap-rate-limit
Default
The statistics collection interval for learned AP entries is 60 seconds, the quiet time is 1200 seconds, and the AP entry threshold is 64.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for learned AP entries, in the range of 1 to 3600 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an AP entry attack. The value range for the quiet-value argument is 1200 to 3600 seconds. WIPS stops learning new entries and does not trigger an alarm even if it detects an AP entry attack within the quiet time.
threshold threshold-value: Specifies the number of AP entries that triggers an AP entry attack alarm. The value range for the threshold-value argument is 1 to 4096.
Examples
# Rate limit AP entry learning, and set the interval-value, quiet-value, and threshold-value arguments to 60, 1600, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] ap-rate-limit interval 60 quiet 1600 threshold 100
Related commands
ap-timer
ap-spoofing
Use ap-spoofing to enable AP spoofing attack detection.
Use undo ap-spoofing to disable AP spoofing attack detection.
Syntax
ap-spoofing [ quiet quiet-value ]
undo ap-spoofing
Default
AP spoofing attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an AP spoofing attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an AP spoofing attack within the quiet time.
Examples
# Enable AP spoofing attack detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] ap-spoofing quiet 360
ap-timer
Use ap-timer to set an AP entry timer.
Use undo ap-timer to restore the default.
Syntax
ap-timer inactive inactive-value aging aging-value
undo ap-timer
Default
The inactive time is 300 seconds, and the aging time is 600 seconds.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
inactive inactive-value: Specifies the inactive time in the range of 1 to 1200 seconds.
aging aging-value: Specifies the aging time for an AP entry, in the range of 1 to 86400 seconds.
Usage guidelines
When an AP does not receive or send frames within the specified inactive time, WIPS sets the AP to inactive state. When an AP does not receive or send frames within the specified aging time, WIPS deletes the entry.
The aging time must be equal to or greater than the inactive time. As a best practice, use the default inactive time and aging time.
Examples
# Set the inactive time to 120 seconds and the aging time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] ap-timer inactive 120 aging 360
Related commands
ap-rate-limit
association-table-overflow
Use association-table-overflow to configure association/reassociation DoS attack detection.
Use undo association-table-overflow to disable association/reassociation DoS attack detection.
Syntax
association-table-overflow [ quiet quiet-value ]
undo association-table-overflow
Default
Association/reassociation DoS attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an association/reassociation DoS attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an association/reassociation DoS attack within the quiet time.
Examples
# Enable association/reassociation DoS attack detection and set the quiet time to 100 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] association-table-overflow quiet 100
authentication
Use authentication to configure an AP classification rule to match APs by authentication mode.
Use undo authentication to restore the default.
Syntax
authentication { equal | include } { 802.1x | none | other | psk }
undo authentication
Default
An AP classification rule does not match APs by authentication mode.
Views
AP classification rule view
Predefined user roles
network-admin
Parameters
equal: Matches authentication modes equal to the specified authentication mode.
include: Matches authentication modes that include the specified authentication mode.
802.1x: Specifies the 802.1X authentication mode.
none: Specifies no authentication.
other: Specifies an authentication mode other than 802.1X and PSK.
psk: Specifies the PSK authentication mode.
Examples
# Configure AP classification rule 1 to match APs that use the PSK authentication mode.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] ap-classification rule 1
[Sysname-wips-cls-rule-1] authentication equal psk
block mac-address
Use block mac-address to add the MAC address of an AP or client to the static prohibited device list.
Use undo block mac-address to remove one or all MAC addresses from the static prohibited device list.
Syntax
block mac-address mac-address
undo block mac-address { mac-address | all }
Default
No MAC address is added to the static prohibited device list.
Views
Classification policy view
Predefined user roles
network-admin
Parameters
mac-address: Specifies an AP or client by its MAC address, in the H-H-H format.
all: Specifies all MAC addresses.
Examples
# Add MAC address 78AC-C0AF-944F to the static prohibited device list.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] classification policy home
[Sysname-wips-cls-home] block mac-address 78AC-C0AF-944F
classification policy
Use classification policy to create a classification policy and enter its view, or enter the view of an existing classification policy.
Use undo classification policy to remove a classification policy.
Syntax
classification policy policy-name
undo classification policy policy-name
Default
No classification policies exist.
Views
WIPS view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a classification policy name, a case-sensitive string of 1 to 63 characters.
Examples
# Create classification policy home and enter its view.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] classification policy home
[Sysname-wips-cls-home]
client-association fast-learn enable
Use client-association fast-learn enable to enable fast learning of client association entries.
Use undo client-association fast-learn enable to disable fast learning of client association entries.
Syntax
client-association fast-learn enable
undo client-association fast-learn enable
Default
Fast learning of client association entries is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Usage guidelines
Client association entries are entries saved on the AC after a client associates with an AP.
If this command is not configured, the sensor can learn the client association entries only after a client is associated with an AP successfully. After this command is configured, the sensor can learn the client association entries during the association process.
If the sensor learned the client association entries during the association process, the sensor will update the entries every time it detects an association request or response between the AP and the client.
This command improves the association efficiency but reduces the association accuracy. As a best practice, configure this command only when fast attack detection and countermeasures are required in the network.
Examples
# Enable fast learning of client association entries.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy 1
[Sysname-wips-dtc-1] client-association fast-learn enable
client-online
Use client-online to configure an AP classification rule to match APs by number of associated clients.
Use undo client-online to restore the default.
Syntax
client-online value1 [ to value2 ]
undo client-online
Default
An AP classification rule does not match APs by number of associated clients.
Views
AP classification rule view
Predefined user roles
network-admin
Parameters
value1 to value2: Specifies a value range for the number of associated clients for APs. The value1 and value2 arguments specify the start value and end value for the value range, respectively. The value range is 0 to 128 for both the value1 and value2 arguments, and value2 must be greater than value1.
Examples
# Configure AP classification rule 1 to match APs with 20 to 40 associated clients.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] ap-classification rule 1
[Sysname-wips-cls-rule-1] client-online 20 to 40
client-rate-limit
Use client-rate-limit to rate limit client entry learning.
Use undo client-rate-limit to restore the default.
Syntax
client-rate-limit [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo client-rate-limit
Default
The statistics collection interval for learned client entries is 60 seconds, the quiet time is 1200 seconds, and the client entry threshold is 512.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for learned client entries, in the range of 1 to 3600 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a client entry attack. The value range for the quiet-value argument is 1200 to 3600 seconds. WIPS stops learning new entries and does not trigger an alarm even if it detects a client entry attack within the quiet time.
threshold threshold-value: Specifies the number of client entries that triggers a client entry attack alarm. The value range for the threshold-value argument is 1 to 4096.
Examples
# Rate limit client entry learning, and set the interval-value, quiet-value, and threshold-value arguments to 80, 1600, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] client-rate-limit interval 80 threshold 100 quiet 1600
Related commands
client-timer
client-spoofing
Use client-spoofing to enable client spoofing attack detection.
Use undo client-spoofing to disable client spoofing attack detection.
Syntax
client-spoofing [ quiet quiet-value ]
undo client-spoofing
Default
Client spoofing attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a client spoofing attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a client spoofing attack within the quiet time.
Examples
# Enable client spoofing attack detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] client-spoofing quiet 360
client-timer
Use client-timer to set a client entry timer.
Use undo client-timer to restore the default.
Syntax
client-timer inactive inactive-value aging aging-value
undo client-timer
Default
The inactive time is 300 seconds, and the aging time is 600 seconds.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
inactive inactive-value: Specifies the inactive time in the range of 1 to 1200 seconds.
aging aging-value: Specifies the aging time for a client entry, in the range of 1 to 86400 seconds.
Usage guidelines
When a client does not receive or send frames within the specified inactive time, WIPS sets the client to inactive state. When a client does not receive or send frames within the specified aging time, WIPS deletes the entry.
The aging time must be equal to or greater than the inactive time. As a best practice, use the default inactive time and aging time.
Examples
# Set the inactive time to 120 seconds, and set the aging time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] client-timer inactive 120 aging 360
Related commands
client-rate-limit
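The following added example (not vendor code) is a pre-deployment check for attack detection policy lines. It validates them against the value ranges given on this page for the quiet-only detection commands, ap-flood, ap-rate-limit, client-rate-limit, ap-timer, and client-timer, including the rule that the aging time must not be less than the inactive time. The function names and message wording are illustrative, and keyword order is not checked.

```python
import re

# Value ranges copied from the parameter descriptions on this page.
QUIET = {"quiet": (5, 604800)}
RATE = {"interval": (1, 3600), "quiet": (1200, 3600), "threshold": (1, 4096)}
TIMER = {"inactive": (1, 1200), "aging": (1, 86400)}
RANGES = {
    "ap-channel-change": QUIET, "ap-impersonation": QUIET,
    "ap-spoofing": QUIET, "association-table-overflow": QUIET,
    "client-spoofing": QUIET,
    "ap-flood": {"apnum": (10, 200), "exceed": (10, 200), "quiet": (5, 604800)},
    "ap-rate-limit": RATE, "client-rate-limit": RATE,
    "ap-timer": TIMER, "client-timer": TIMER,
}
# Strips a leading CLI prompt such as "[Sysname-wips-dtc-home]" or "<Sysname>".
PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")


def check_line(line):
    """Return a list of problems found in one command line."""
    tokens = PROMPT.sub("", line).split()
    if not tokens or tokens[0] not in RANGES:
        return []  # comments, undo forms, and commands not covered here
    cmd, args = tokens[0], tokens[1:]
    allowed, problems, seen = RANGES[cmd], [], {}
    if len(args) % 2:
        problems.append(f"{cmd}: keyword '{args[-1]}' has no value")
        args = args[:-1]
    for key, raw in zip(args[0::2], args[1::2]):
        if key not in allowed:
            problems.append(f"{cmd}: unknown keyword '{key}'")
        elif key in seen:
            problems.append(f"{cmd}: keyword '{key}' is repeated")
        elif not raw.isdigit():
            problems.append(f"{cmd}: {key} value '{raw}' is not a number")
        else:
            low, high = allowed[key]
            seen[key] = int(raw)
            if not low <= seen[key] <= high:
                problems.append(f"{cmd}: {key} {raw} is outside {low}-{high}")
    if allowed is TIMER:
        # Both keywords are mandatory in the timer syntax.
        missing = [k for k in ("inactive", "aging") if k not in seen]
        problems += [f"{cmd}: {k} is required" for k in missing]
        if not missing and seen["aging"] < seen["inactive"]:
            problems.append(f"{cmd}: aging {seen['aging']} is less than "
                            f"inactive {seen['inactive']}")
    return problems


def check_config(text):
    """Return (line number, problem) pairs for a block of command lines."""
    return [(number, problem)
            for number, line in enumerate(text.splitlines(), start=1)
            for problem in check_line(line)]


# Command lines taken from the Examples sections on this page.
PAGE_EXAMPLES = "\n".join([
    "[Sysname-wips-dtc-home] ap-flood apnum 50 exceed 50 quiet 100",
    "[Sysname-wips-dtc-home] ap-rate-limit interval 60 quiet 1600 threshold 100",
    "[Sysname-wips-dtc-home] ap-timer inactive 120 aging 360",
    "[Sysname-wips-dtc-home] client-rate-limit interval 80 threshold 100 quiet 1600",
])

# Constructed input with typical mistakes, such as reusing quiet 360 from
# ap-spoofing in ap-rate-limit, whose quiet range starts at 1200.
CONSTRUCTED_BAD = "\n".join([
    "ap-rate-limit quiet 360",
    "ap-timer inactive 600 aging 300",
    "client-timer inactive 120",
    "ap-flood apnum 5 exceed",
    "ap-spoofing quiet 360",
])

if __name__ == "__main__":
    for number, problem in check_config(CONSTRUCTED_BAD):
        print(f"line {number}: {problem}")
```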
countermeasure adhoc
Use countermeasure adhoc to enable WIPS to take countermeasures against Ad hoc devices.
Use undo countermeasure adhoc to restore the default.
Syntax
countermeasure adhoc
undo countermeasure adhoc
Default
WIPS does not take countermeasures against Ad hoc devices.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against Ad hoc devices.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure adhoc
countermeasure attack all
Use countermeasure attack all to enable WIPS to take countermeasures against all attackers.
Use undo countermeasure attack all to restore the default.
Syntax
countermeasure attack all
undo countermeasure attack all
Default
WIPS does not take countermeasures against all attackers.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against all attackers.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure attack all
countermeasure attack deauth-broadcast
Use countermeasure attack deauth-broadcast to enable WIPS to take countermeasures against devices that launch broadcast deauthentication attacks.
Use undo countermeasure attack deauth-broadcast to restore the default.
Syntax
countermeasure attack deauth-broadcast
undo countermeasure attack deauth-broadcast
Default
WIPS does not take countermeasures against devices that launch broadcast deauthentication attacks.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against devices that launch broadcast deauthentication attacks.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure attack deauth-broadcast
countermeasure attack disassoc-broadcast
Use countermeasure attack disassoc-broadcast to enable WIPS to take countermeasures against devices that launch broadcast disassociation attacks.
Use undo countermeasure attack disassoc-broadcast to restore the default.
Syntax
countermeasure attack disassoc-broadcast
undo countermeasure attack disassoc-broadcast
Default
WIPS does not take countermeasures against devices that launch broadcast disassociation attacks.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against devices that launch broadcast disassociation attacks.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure attack disassoc-broadcast
countermeasure attack honeypot-ap
Use countermeasure attack honeypot-ap to enable WIPS to take countermeasures against honeypot APs.
Use undo countermeasure attack honeypot-ap to restore the default.
Syntax
countermeasure attack honeypot-ap
undo countermeasure attack honeypot-ap
Default
WIPS does not take countermeasures against honeypot APs.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against honeypot APs.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure attack honeypot-ap
countermeasure attack hotspot-attack
Use countermeasure attack hotspot-attack to enable WIPS to take countermeasures against devices that launch hotspot attacks.
Use undo countermeasure attack hotspot-attack to restore the default.
Syntax
countermeasure attack hotspot-attack
undo countermeasure attack hotspot-attack
Default
WIPS does not take countermeasures against devices that launch hotspot attacks.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against devices that launch hotspot attacks.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure attack hotspot-attack
countermeasure attack ht-40-mhz-intolerance
Use countermeasure attack ht-40-mhz-intolerance to enable WIPS to take countermeasures against devices with the 40 MHz bandwidth mode disabled.
Use undo countermeasure attack ht-40-mhz-intolerance to restore the default.
Syntax
countermeasure attack ht-40-mhz-intolerance
undo countermeasure attack ht-40-mhz-intolerance
Default
WIPS does not take countermeasures against devices with the 40 MHz bandwidth mode disabled.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against devices with the 40 MHz bandwidth mode disabled.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure attack ht-40-mhz-intolerance
countermeasure attack malformed-packet
Use countermeasure attack malformed-packet to enable WIPS to take countermeasures against devices that send malformed packets.
Use undo countermeasure attack malformed-packet to restore the default.
Syntax
countermeasure attack malformed-packet
undo countermeasure attack malformed-packet
Default
WIPS does not take countermeasures against devices that send malformed packets.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against devices that send malformed packets.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure attack malformed-packet
countermeasure attack man-in-the-middle
Use countermeasure attack man-in-the-middle to enable WIPS to take countermeasures against devices that launch MITM attacks.
Use undo countermeasure attack man-in-the-middle to restore the default.
Syntax
countermeasure attack man-in-the-middle
undo countermeasure attack man-in-the-middle
Default
WIPS does not take countermeasures against devices that launch MITM attacks.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against devices that launch MITM attacks.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure attack man-in-the-middle
countermeasure attack omerta
Use countermeasure attack omerta to enable WIPS to take countermeasures against devices that launch Omerta attacks.
Use undo countermeasure attack omerta to restore the default.
Syntax
countermeasure attack omerta
undo countermeasure attack omerta
Default
WIPS does not take countermeasures against devices that launch Omerta attacks.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against devices that launch Omerta attacks.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure attack omerta
countermeasure attack power-save
Use countermeasure attack power-save to enable WIPS to take countermeasures against devices that launch power save attacks.
Use undo countermeasure attack power-save to restore the default.
Syntax
countermeasure attack power-save
undo countermeasure attack power-save
Default
WIPS does not take countermeasures against devices that launch power save attacks.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against devices that launch power save attacks.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure attack power-save
countermeasure attack soft-ap
Use countermeasure attack soft-ap to enable WIPS to take countermeasures against soft APs.
Use undo countermeasure attack soft-ap to restore the default.
Syntax
countermeasure attack soft-ap
undo countermeasure attack soft-ap
Default
WIPS does not take countermeasures against soft APs.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against soft APs.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure attack soft-ap
countermeasure attack unencrypted-trust-client
Use countermeasure attack unencrypted-trust-client to enable WIPS to take countermeasures against unencrypted authorized clients.
Use undo countermeasure attack unencrypted-trust-client to restore the default.
Syntax
countermeasure attack unencrypted-trust-client
undo countermeasure attack unencrypted-trust-client
Default
WIPS does not take countermeasures against unencrypted authorized clients.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against unencrypted authorized clients.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure attack unencrypted-trust-client
countermeasure attack weak-iv
Use countermeasure attack weak-iv to enable WIPS to take countermeasures against devices that use weak IVs.
Use undo countermeasure attack weak-iv to restore the default.
Syntax
countermeasure attack weak-iv
undo countermeasure attack weak-iv
Default
WIPS does not take countermeasures against devices that use weak IVs.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against devices that use weak IVs.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure attack weak-iv
countermeasure attack windows-bridge
Use countermeasure attack windows-bridge to enable WIPS to take countermeasures against devices that launch Windows bridge attacks.
Use undo countermeasure attack windows-bridge to restore the default.
Syntax
countermeasure attack windows-bridge
undo countermeasure attack windows-bridge
Default
WIPS does not take countermeasures against devices that launch Windows bridge attacks.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against devices that launch Windows bridge attacks.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure attack windows-bridge
countermeasure enhance
Use countermeasure enhance to enable the enhanced countermeasure mode.
Use undo countermeasure enhance to restore the default.
Syntax
countermeasure enhance
undo countermeasure enhance
Default
The enhanced countermeasure mode is not enabled.
Views
Countermeasure policy view
Predefined user roles
network-admin
Usage guidelines
Configure this command to prevent dual-band clients from roaming between the two radios sharing the same SSID on a rogue AP.
Examples
# Enable the enhanced countermeasure mode.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure enhance
countermeasure external-ap
Use countermeasure external-ap to enable WIPS to take countermeasures against external APs.
Use undo countermeasure external-ap to restore the default.
Syntax
countermeasure external-ap
undo countermeasure external-ap
Default
WIPS does not take countermeasures against external APs.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against external APs.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure external-ap
countermeasure mac-address
Use countermeasure mac-address to enable WIPS to take countermeasures against the device with the specified MAC address.
Use undo countermeasure mac-address to remove the configuration.
Syntax
countermeasure mac-address mac-address [ except-authorized-ap ]
undo countermeasure mac-address { mac-address | all }
Default
WIPS does not take countermeasures against detected devices.
Views
Countermeasure policy view
Predefined user roles
network-admin
Parameters
mac-address: Specifies an AP or a client by its MAC address in the H-H-H format.
except-authorized-ap: Configures WIPS to not take countermeasures against wireless clients that have associated with authorized APs.
all: Specifies all APs and clients.
Usage guidelines
You can configure this command multiple times to enable WIPS to take countermeasures against multiple devices.
Examples
# Enable WIPS to take countermeasures against the device with MAC address 2a11-1fa1-141f.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure mac-address 2a11-1fa1-141f
countermeasure misassociation-client
Use countermeasure misassociation-client to enable WIPS to take countermeasures against misassociated clients.
Use undo countermeasure misassociation-client to restore the default.
Syntax
countermeasure misassociation-client
undo countermeasure misassociation-client
Default
WIPS does not take countermeasures against misassociated clients.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against misassociated clients.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure misassociation-client
countermeasure misconfigured-ap
Use countermeasure misconfigured-ap to enable WIPS to take countermeasures against misconfigured APs.
Use undo countermeasure misconfigured-ap to restore the default.
Syntax
countermeasure misconfigured-ap
undo countermeasure misconfigured-ap
Default
WIPS does not take countermeasures against misconfigured APs.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against misconfigured APs.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure misconfigured-ap
countermeasure packet-sending-interval
Use countermeasure packet-sending-interval to specify the interval at which sensors send countermeasure packets.
Use undo countermeasure packet-sending-interval to restore the default.
Syntax
countermeasure packet-sending-interval interval
undo countermeasure packet-sending-interval
Default
The interval at which sensors send countermeasure packets is 30 milliseconds.
Views
Countermeasure policy view
Predefined user roles
network-admin
Parameters
interval: Specifies the interval at which sensors send countermeasure packets. The value range is 1 to 100 milliseconds.
Usage guidelines
Configure this command to enable a sensor to send countermeasure packets in a channel if it has detected rogue devices in the channel. The sensor sends countermeasure packets in the channel only within scanning periods, and you can specify the interval at which sensors send countermeasure packets. For more information about channel scanning, see channel scanning configuration in Radio Resources Management Configuration Guide.
Examples
# Configure sensors to send countermeasure packets every 10 milliseconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure packet-sending-interval 10
countermeasure policy
Use countermeasure policy to create a countermeasure policy and enter its view, or enter the view of an existing countermeasure policy.
Use undo countermeasure policy to remove a countermeasure policy.
Syntax
countermeasure policy policy-name
undo countermeasure policy policy-name
Default
No countermeasure policies exist.
Views
WIPS view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a countermeasure policy by its name, a case-sensitive string of 1 to 63 characters.
Examples
# Create countermeasure policy home and enter its view.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home]
countermeasure potential-authorized-ap
Use countermeasure potential-authorized-ap to enable WIPS to take countermeasures against potential-authorized APs.
Use undo countermeasure potential-authorized-ap to restore the default.
Syntax
countermeasure potential-authorized-ap
undo countermeasure potential-authorized-ap
Default
WIPS does not take countermeasures against potential-authorized APs.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against potential-authorized APs.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure potential-authorized-ap
countermeasure potential-external-ap
Use countermeasure potential-external-ap to enable WIPS to take countermeasures against potential-external APs.
Use undo countermeasure potential-external-ap to restore the default.
Syntax
countermeasure potential-external-ap
undo countermeasure potential-external-ap
Default
WIPS does not take countermeasures against potential-external APs.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against potential-external APs.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure potential-external-ap
countermeasure potential-rogue-ap
Use countermeasure potential-rogue-ap to enable WIPS to take countermeasures against potential-rogue APs.
Use undo countermeasure potential-rogue-ap to restore the default.
Syntax
countermeasure potential-rogue-ap
undo countermeasure potential-rogue-ap
Default
WIPS does not take countermeasures against potential-rogue APs.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against potential-rogue APs.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure potential-rogue-ap
countermeasure rogue-ap
Use countermeasure rogue-ap to enable WIPS to take countermeasures against rogue APs.
Use undo countermeasure rogue-ap to restore the default.
Syntax
countermeasure rogue-ap
undo countermeasure rogue-ap
Default
WIPS does not take countermeasures against rogue APs.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against rogue APs.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure rogue-ap
countermeasure unauthorized-client
Use countermeasure unauthorized-client to enable WIPS to take countermeasures against unauthorized clients.
Use undo countermeasure unauthorized-client to restore the default.
Syntax
countermeasure unauthorized-client
undo countermeasure unauthorized-client
Default
WIPS does not take countermeasures against unauthorized clients.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against unauthorized clients.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure unauthorized-client
countermeasure uncategorized-ap
Use countermeasure uncategorized-ap to enable WIPS to take countermeasures against uncategorized APs.
Use undo countermeasure uncategorized-ap to restore the default.
Syntax
countermeasure uncategorized-ap
undo countermeasure uncategorized-ap
Default
WIPS does not take countermeasures against uncategorized APs.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against uncategorized APs.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure uncategorized-ap
countermeasure uncategorized-client
Use countermeasure uncategorized-client to enable WIPS to take countermeasures against uncategorized clients.
Use undo countermeasure uncategorized-client to restore the default.
Syntax
countermeasure uncategorized-client
undo countermeasure uncategorized-client
Default
WIPS does not take countermeasures against uncategorized clients.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to take countermeasures against uncategorized clients.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-cms-home] countermeasure uncategorized-client
deauthentication-broadcast
Use deauthentication-broadcast to configure broadcast deauthentication attack detection.
Use undo deauthentication-broadcast to disable broadcast deauthentication attack detection.
Syntax
deauthentication-broadcast [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo deauthentication-broadcast
Default
Broadcast deauthentication attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for broadcast deauthentication frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a broadcast deauthentication attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a broadcast deauthentication attack within the quiet time.
threshold threshold-value: Specifies the number of broadcast deauthentication frames that triggers a broadcast deauthentication attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable broadcast deauthentication attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100, 360, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] deauthentication-broadcast interval 100 threshold 100 quiet 360
deauth-spoofing
Use deauth-spoofing to configure spoof deauthentication frame detection.
Use undo deauth-spoofing to disable spoof deauthentication frame detection.
Syntax
deauth-spoofing [ quiet quiet ]
undo deauth-spoofing
Default
Spoof deauthentication frame detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet: Specifies the quiet time after WIPS triggers an alarm upon a spoof deauthentication frame. The value range for the quiet argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects spoof deauthentication frames within the quiet time.
Examples
# Enable spoof deauthentication frame detection and set the quiet time to 100 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] deauth-spoofing quiet 100
detect dissociate-client enable
Use detect dissociate-client enable to enable WIPS to detect unassociated clients.
Use undo detect dissociate-client enable to disable WIPS from detecting unassociated clients.
Syntax
detect dissociate-client enable
undo detect dissociate-client enable
Default
WIPS does not detect unassociated clients.
Views
Attack detection policy view
Predefined user roles
network-admin
Examples
# Enable WIPS to detect unassociated clients.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] detect dissociate-client enable
detect policy
Use detect policy to create an attack detection policy and enter its view, or enter the view of an existing attack detection policy.
Use undo detect policy to remove an attack detection policy.
Syntax
detect policy policy-name
undo detect policy policy-name
Default
No attack detection policies exist.
Views
WIPS view
Predefined user roles
network-admin
Parameters
policy-name: Specifies an attack detection policy name, a case-sensitive string of 1 to 63 characters.
Examples
# Create attack detection policy home and enter its view.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home]
detect signature
Use detect signature to enable signature-based attack detection.
Use undo detect signature to disable signature-based attack detection.
Syntax
detect signature [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo detect signature
Default
Signature-based attack detection is enabled.
Views
Signature policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for packets that match a signature. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an attack within the quiet time.
threshold threshold-value: Specifies the number of packets matching a signature that triggers a user-attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable WIPS to detect packets that match a signature, and set the interval-value, threshold-value, and quiet-value arguments to 60, 100, and 360, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] signature policy home
[Sysname-wips-sig-home] detect signature interval 60 threshold 100 quiet 360
disassociation-broadcast
Use disassociation-broadcast to configure broadcast disassociation attack detection.
Use undo disassociation-broadcast to disable broadcast disassociation attack detection.
Syntax
disassociation-broadcast [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo disassociation-broadcast
Default
Broadcast disassociation attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for broadcast disassociation frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a broadcast disassociation attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a broadcast disassociation attack within the quiet time.
threshold threshold-value: Specifies the number of broadcast disassociation frames that triggers a broadcast disassociation attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable broadcast disassociation attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100, 360, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] disassociation-broadcast interval 100 threshold 100 quiet 360
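The interval, threshold, and quiet arguments of deauthentication-broadcast, detect signature, and disassociation-broadcast combine into a rate threshold with alarm suppression. The following Python model is an added example, not H3C code: it enforces the documented value ranges and shows which bursts raise an alarm and which fall into the quiet time. It assumes frames are counted in fixed, back-to-back collection windows (the page does not specify the windowing); DetectParams, to_cli, simulate_alarms, and constructed_capture are hypothetical names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectParams:
    """Hypothetical container for the three documented arguments."""
    interval: int = 60    # statistics collection interval, seconds (documented default)
    quiet: int = 600      # quiet time after an alarm, seconds (documented default)
    threshold: int = 50   # frames per interval that trigger an alarm (documented default)

    def __post_init__(self):
        # Value ranges as given in the Parameters sections.
        if not 1 <= self.interval <= 3600:
            raise ValueError("interval must be 1 to 3600 seconds")
        if not 5 <= self.quiet <= 604800:
            raise ValueError("quiet must be 5 to 604800 seconds")
        if not 1 <= self.threshold <= 100000:
            raise ValueError("threshold must be 1 to 100000")


def to_cli(command, params):
    """Render the configuration line for a detection command named on the page."""
    return (f"{command} interval {params.interval} "
            f"threshold {params.threshold} quiet {params.quiet}")


def simulate_alarms(frame_times, params):
    """Return (alarm_times, suppressed_times) for frame timestamps in seconds.

    Assumption: the counter restarts at the start of every collection window,
    and a window that reaches the threshold reports at most once.
    """
    alarms, suppressed = [], []
    window_start = None
    count = 0
    reported = False
    quiet_until = None
    for t in sorted(frame_times):
        if window_start is None:
            window_start = t
        elif t >= window_start + params.interval:
            # Jump to the window that contains t and restart the counter.
            skipped = (t - window_start) // params.interval
            window_start += skipped * params.interval
            count = 0
            reported = False
        count += 1
        if count >= params.threshold and not reported:
            reported = True
            if quiet_until is not None and t < quiet_until:
                suppressed.append(t)      # detected, but inside the quiet time
            else:
                alarms.append(t)
                quiet_until = t + params.quiet
    return alarms, suppressed


def constructed_capture():
    """Constructed timestamps: three 100-frame bursts and a slow trickle."""
    def burst(start):
        return [start + 0.5 * i for i in range(100)]
    trickle = [700 + 10 * i for i in range(100)]   # 10 frames per 100 s window
    return burst(0) + burst(200) + burst(500) + trickle


if __name__ == "__main__":
    params = DetectParams(interval=100, quiet=360, threshold=100)
    print(to_cli("deauthentication-broadcast", params))
    alarms, suppressed = simulate_alarms(constructed_capture(), params)
    print("alarms at:", alarms)
    print("suppressed at:", suppressed)
```

With the values from the example above, the second burst is detected but not alarmed because it falls inside the 360-second quiet time, which is the trade-off to weigh when choosing a long quiet value.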
discovered-ap
Use discovered-ap to configure an AP classification rule to match APs by number of sensors that detect the APs.
Use undo discovered-ap to restore the default.
Syntax
discovered-ap value1 [ to value2 ]
undo discovered-ap
Default
An AP classification rule does not match APs by number of sensors that detect the APs.
Views
AP classification rule view
Predefined user roles
network-admin
Parameters
value1 to value2: Specifies a value range for the number of sensors that detect an AP. The value1 and value2 arguments specify the start value and end value for the value range, respectively. The value range is 1 to 128 for both the value1 and value2 arguments, and value2 must be greater than value1.
Examples
# Configure AP classification rule 1 to match APs that are detected by 10 to 128 sensors.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] ap-classification rule 1
[Sysname-wips-cls-rule-1] discovered-ap 10 to 128
display wips sensor
Use display wips sensor to display information about all sensors.
Syntax
display wips sensor
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about all sensors.
<Sysname> display wips sensor
Total number of sensors: 1
Sensor ID Sensor name VSD name Radio ID Status
3 ap1 aaa 1 Active
Table 1 Command output
Field | Description |
---|---|
VSD name | Name of the VSD to which the AP belongs. |
Radio ID | ID of the radio enabled with WIPS. |
Status | Status of the sensor: · Active—The sensor is enabled with WIPS. · Inactive—The sensor is not enabled with WIPS. |
display wips statistics
Use display wips statistics to display WLAN attack detection statistics collected from sensors.
Syntax
display wips statistics [ receive | virtual-security-domain vsd-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
receive: Displays attack detection statistics information for all VSDs.
virtual-security-domain vsd-name: Displays attack detection statistics information for the specified VSD. The vsd-name argument specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.
Examples
# Display attack detection statistics information for all VSDs.
<Sysname> display wips statistics receive
Information from sensor 1
Information about attack statistics:
Detected association-request flood messages: 0
Detected authentication flood messages: 0
Detected beacon flood messages: 0
Detected block-ack flood messages: 0
Detected cts flood messages: 0
Detected deauthentication flood messages: 0
Detected disassociation flood messages: 0
Detected eapol-start flood messages: 0
Detected null-data flood messages: 0
Detected probe-request flood messages: 0
Detected reassociation-request flood messages: 0
Detected rts flood messages: 0
Detected eapol-logoff flood messages: 0
Detected eap-failure flood messages: 0
Detected eap-success flood messages: 0
Detected duplicated-ie messages: 0
Detected fata-jack messages: 0
Detected illegal-ibss-ess messages: 0
Detected invalid-address-combination messages: 0
Detected invalid-assoc-req messages: 0
Detected invalid-auth messages: 0
Detected invalid-deauth-code messages: 0
Detected invalid-disassoc-code messages: 0
Detected invalid-ht-ie messages: 0
Detected invalid-ie-length messages: 0
Detected invalid-pkt-length messages: 0
Detected large-duration messages: 0
Detected null-probe-resp messages: 0
Detected overflow-eapol-key messages: 0
Detected overflow-ssid messages: 0
Detected redundant-ie messages: 0
Detected AP spoof AP messages: 0
Detected AP spoof client messages: 0
Detected AP spoof ad-hoc messages: 0
Detected ad-hoc spoof AP messages: 0
Detected client spoof AP messages: 0
Detected weak IV messages: 0
Detected excess AP messages: 0
Detected excess client messages: 0
Detected signature rule messages: 0
Detected 40MHZ messages: 0
Detected power save messages: 0
Detected omerta messages: 0
Detected windows bridge messages: 0
Detected soft AP messages: 0
Detected broadcast disassociation messages: 0
Detected broadcast deauthentication messages: 0
Detected AP impersonate messages: 0
Detected illegal channel 9 messages: 1
Table 2 Command output
Field | Description |
---|---|
Information from sensor n | Information collected from sensor n, where n represents the ID of the sensor. |
Detected association-request flood messages | Number of detected messages for association request flood attacks. |
Detected authentication flood messages | Number of detected messages for authentication request flood attacks. |
Detected beacon flood messages | Number of detected messages for beacon flood attacks. |
Detected block-ack flood messages | Number of detected messages for Block Ack flood attacks. |
Detected cts flood messages | Number of detected messages for CTS flood attacks. |
Detected deauthentication flood messages | Number of detected messages for deauthentication flood attacks. |
Detected disassociation flood messages | Number of detected messages for disassociation flood attacks. |
Detected eapol-start flood messages | Number of detected messages for EAPOL-start flood attacks. |
Detected null-data flood messages | Number of detected messages for null data flood attacks. |
Detected probe-request flood messages | Number of detected messages for probe request flood attacks. |
Detected reassociation-request flood messages | Number of detected messages for reassociation request flood attacks. |
Detected rts flood messages | Number of detected messages for RTS flood attacks. |
Detected eapol-logoff flood messages | Number of detected messages for EAPOL-logoff flood attacks. |
Detected eap-failure flood messages | Number of detected messages for EAP-failure flood attacks. |
Detected eap-success flood messages | Number of detected messages for EAP-success flood attacks. |
Detected duplicated-ie messages | Number of detected messages for malformed packets with duplicated IE. |
Detected fata-jack messages | Number of detected messages for FATA-Jack malformed packets. |
Detected illegal-ibss-ess messages | Number of detected messages for malformed packets with abnormal IBSS and ESS setting. |
Detected invalid-address-combination messages | Number of detected messages for malformed packets with invalid source address. |
Detected invalid-assoc-req messages | Number of detected messages for malformed association request frames. |
Detected invalid-auth messages | Number of detected messages for malformed authentication request frames. |
Detected invalid-deauth-code messages | Number of detected messages for malformed packets with invalid deauthentication code. |
Detected invalid-disassoc-code messages | Number of detected messages for malformed packets with invalid disassociation code. |
Detected invalid-ht-ie messages | Number of detected messages for malformed packets with malformed HT IE. |
Detected invalid-ie-length messages | Number of detected messages for malformed packets with invalid IE length. |
Detected invalid-pkt-length messages | Number of detected messages for malformed packets with invalid packet length. |
Detected large-duration messages | Number of detected messages for malformed packets with oversized duration. |
Detected null-probe-resp messages | Number of detected messages for malformed probe response frames. |
Detected overflow-eapol-key messages | Number of detected messages for malformed packets with oversized EAPOL key. |
Detected overflow-ssid messages | Number of detected messages for malformed packets with oversized SSID. |
Detected redundant-ie messages | Number of detected messages for malformed packets with redundant IE. |
Detected AP spoof AP messages | Number of detected messages for AP spoofing (AP spoofs AP) attacks. |
Detected AP spoof client messages | Number of detected messages for client spoofing (AP spoofs client) attacks. |
Detected AP spoof ad-hoc messages | Number of detected messages for Ad hoc spoofing (AP spoofs Ad hoc) attacks. |
Detected ad-hoc spoof AP messages | Number of detected messages for AP spoofing (Ad hoc spoofs AP) attacks. |
Detected client spoof AP messages | Number of detected messages for AP spoofing (client spoofs AP) attacks. |
Detected weak IV messages | Number of detected messages for weak IVs. |
Detected excess AP messages | Number of detected messages for AP entry attacks. |
Detected excess client messages | Number of detected messages for client entry attacks. |
Detected 40MHZ messages | Number of detected messages for clients disabled with the 40 MHz bandwidth mode. |
Detected power save messages | Number of detected messages for power saving attacks. |
Detected omerta messages | Number of detected messages for Omerta attacks. |
Detected windows bridge messages | Number of detected messages for Windows bridge. |
Detected soft AP messages | Number of detected messages for soft APs. |
Detected broadcast disassociation messages | Number of detected messages for broadcast disassociation attacks. |
Detected broadcast deauthentication messages | Number of detected messages for broadcast deauthentication attacks. |
Detected AP impersonate messages | Number of detected messages for AP impersonation attacks. |
Detected illegal channel n messages | Number of detected messages for prohibited channels. n represents the channel number. |
Related commands
reset wips statistics
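For monitoring, the counters in the display wips statistics output are easier to act on as per-sensor deltas between two polls than as raw totals. The following Python parser is an added example, not part of the H3C documentation: both sample outputs are constructed (shortened, with a second sensor block assumed to follow the same "Information from sensor n" layout), the function names are hypothetical, and a counter that drops between polls is assumed to have been cleared by reset wips statistics.

```python
import re

SENSOR_RE = re.compile(r"^Information from sensor (\d+)$")
COUNTER_RE = re.compile(r"^Detected (.+) messages:\s*(\d+)$")

# Constructed sample output, first poll.
POLL_1 = """
Information from sensor 1
Information about attack statistics:
Detected deauthentication flood messages: 0
Detected weak IV messages: 2
Detected broadcast deauthentication messages: 0
Detected illegal channel 9 messages: 1
Information from sensor 2
Information about attack statistics:
Detected deauthentication flood messages: 40
Detected soft AP messages: 0
"""

# Constructed sample output, second poll (sensor 2 counters cleared in between).
POLL_2 = """
Information from sensor 1
Information about attack statistics:
Detected deauthentication flood messages: 0
Detected weak IV messages: 2
Detected broadcast deauthentication messages: 120
Detected illegal channel 9 messages: 3
Information from sensor 2
Information about attack statistics:
Detected deauthentication flood messages: 5
Detected soft AP messages: 1
"""


def parse_wips_statistics(text):
    """Return {sensor_id: {counter_name: count}} from the command output."""
    sensors = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        sensor = SENSOR_RE.match(line)
        if sensor:
            current = sensors.setdefault(int(sensor.group(1)), {})
            continue
        counter = COUNTER_RE.match(line)
        if counter and current is not None:
            current[counter.group(1)] = int(counter.group(2))
    return sensors


def counter_deltas(previous, latest):
    """Return only the counters that grew between two parsed polls."""
    deltas = {}
    for sensor_id, counters in latest.items():
        before = previous.get(sensor_id, {})
        changed = {}
        for name, value in counters.items():
            old = before.get(name, 0)
            # A lower value than last time means the statistics were cleared
            # between polls, so everything now shown is new.
            increase = value - old if value >= old else value
            if increase > 0:
                changed[name] = increase
        if changed:
            deltas[sensor_id] = changed
    return deltas


if __name__ == "__main__":
    growth = counter_deltas(parse_wips_statistics(POLL_1),
                            parse_wips_statistics(POLL_2))
    for sensor_id, counters in sorted(growth.items()):
        for name, increase in counters.items():
            print(f"sensor {sensor_id}: {name} +{increase}")
```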
display wips virtual-security-domain countermeasure record
Use display wips virtual-security-domain countermeasure record to display information about countermeasures that WIPS has taken against rogue devices.
Syntax
display wips virtual-security-domain vsd-name countermeasure record
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
vsd-name: Specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.
Examples
# Display information about countermeasures that WIPS has taken against rogue devices for VSD office.
<Sysname> display wips virtual-security-domain office countermeasure record
Total 3 times countermeasure, current 3 countermeasure record in virtual-security-domain office
Reason: Att - attack; Ass - associated; Black - blacklist;
Class - classification; Manu - manual;
MAC address Type Reason Countermeasure AP Radio ID Time
1000-0000-00e3 AP Manu ap1 1 2016-05-03/09:32:01
1000-0000-00e4 AP Manu ap2 1 2016-05-03/09:32:11
2000-0000-f282 Client Black ap3 1 2016-05-03/09:31:56
Table 3 Command output
Field | Description |
---|---|
Total 3 times countermeasure, current 3 countermeasure record in virtual-security-domain office | Number of successful countermeasures. This field can display up to 1024 countermeasure records. |
MAC Address | MAC address of the wireless device against which WIPS has taken countermeasures. |
Type | Type of the wireless device: AP or Client. |
Reason | Reason why WIPS takes countermeasures against the wireless device: · Att—WIPS takes countermeasures against the device because it is an attacker. · Ass—WIPS takes countermeasures against the device because WIPS has taken countermeasures against its associated AP. · Black—After WIPS takes countermeasures against the client, the client is added to the blacklist when it associates with an AP. · Class—WIPS takes countermeasures against the device based on its device type. · Manu—WIPS takes countermeasures against the device based on its MAC address. |
Countermeasure AP | Name of the sensor that takes countermeasures against the wireless device. |
Radio ID | Radio ID of the sensor that takes countermeasures against the wireless device. |
Time | Time when the AC informs the sensor of taking countermeasures against the wireless device. |
Related commands
reset wips virtual-security-domain countermeasure record
display wips virtual-security-domain device
Use display wips virtual-security-domain device to display information about wireless devices detected in a VSD.
Syntax
display wips virtual-security-domain vsd-name device [ ap [ ad-hoc | authorized | external | mesh | misconfigured | potential-authorized | potential-external | potential-rogue | rogue | uncategorized ] | client [ [ dissociative-client ] | [ authorized | misassociation | unauthorized | uncategorized ] ] | mac-address mac-address ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
vsd-name: Specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.
device: Specifies wireless devices.
ap: Specifies APs.
ad-hoc: Specifies APs operating in Ad hoc mode.
authorized: Specifies authorized APs.
external: Specifies external APs.
mesh: Specifies MPs.
misconfigured: Specifies misconfigured APs.
potential-authorized: Specifies potential-authorized APs.
potential-rogue: Specifies potential-rogue APs.
potential-external: Specifies potential-external APs.
rogue: Specifies rogue APs.
uncategorized: Specifies uncategorized APs.
client: Specifies clients.
dissociative-client: Specifies unassociated clients.
authorized: Specifies authorized clients.
misassociation: Specifies misassociated clients.
unauthorized: Specifies unauthorized clients.
uncategorized: Specifies uncategorized clients.
mac-address mac-address: Specifies a wireless device by its MAC address in the H-H-H format.
verbose: Displays detailed device information.
Examples
# Display information about wireless devices detected in VSD office.
<Sysname> display wips virtual-security-domain office device
Total 3 detected devices in virtual-security-domain office
Class: Auth - authorization; Ext - external; Mis - mistake;
Unauth - unauthorized; Uncate - uncategorized;
(A) - associate; (C) - config; (P) - potential;
Ad-hoc; Mesh
MAC address Type Class Duration Sensors Channel Status
1000-0000-0000 AP Ext(P) 00h 10m 46s 1 11 Active
1000-0000-0001 AP Ext(P) 00h 10m 46s 1 6 Active
1000-0000-0002 AP Ext(P) 00h 10m 46s 1 1 Active
Table 4 Command output
Field |
Description |
Type |
Wireless device type: AP, Client, or Mesh. |
Class |
Category of the wireless device. |
Duration |
Duration since the wireless device entered the current state. |
Sensors |
Number of sensors that have detected the wireless device. |
Channel |
Channel on which the wireless device was most recently detected. |
Status |
Status of the AP or client: · Active—The AP or client is active. · Inactive—The AP or client is inactive. |
# Display detailed information about wireless devices detected in VSD a.
<Sysname> display wips virtual-security-domain a device verbose
Total 2 detected devices in virtual-security-domain a
AP: 1000-0000-0000
Mesh Neighbor: None
Classification: Mis(C)
Severity level: 0
Classify way: Auto
Status: Active
Status duration: 00h 27m 57s
Vendor: Not found
SSID: service
Radio type: 802.11g
Countermeasuring: No
Security: None
Encryption method: None
Authentication method: None
Broadcast SSID: Yes
QoS supported: No
Ad-hoc: No
Beacon interval: 100 TU
Up duration: 00h 27m 57s
Channel band-width supported: 20MHZ
Hotspot AP: No
Soft AP: No
Honeypot AP: No
Total number of reported sensors: 1
Sensor 1:
Sensor ID: 3
Sensor name: 1
Radio ID: 1
RSSI: 15
Channel: 149
First reported time: 2014-06-03/09:05:51
Last reported time: 2014-06-03/09:05:51
Total number of associated clients: 1
01: 2000-0000-0000
Client: 2000-0000-0000
Last reported associated AP: 1000-0000-0000
Classification: Uncate
Severity level: 0
Classify way: Auto
Dissociative status: No
Status: Active
Status duration: 00h 00m 02s
Vendor: Not found
Radio type: 802.11a
40MHz intolerance: No
Countermeasuring: No
Man in the middle: No
Total number of reported sensors: 1
Sensor 1:
Sensor ID: 2
Sensor name: 1
Radio ID: 1
RSSI: 50
Channel: 149
First reported time: 2014-06-03/14:52:56
Last reported time: 2014-06-03/14:52:56
Reported associated AP: 1000-0000-0000
Table 5 Command output
Field |
Description |
AP |
MAC address of the AP. |
Mesh Neighbor |
MAC address of the mesh AP's neighbor. |
Client |
MAC address of the client. |
Last reported associated AP |
MAC address of the associated AP that the client most recently reports. |
Classification |
Category of the AP or client: · AP category: ad_hoc, authorized, rogue, misconfigured, external, potential-authorized, potential-rogue, potential-external, uncategorized. · Client category: authorized, unauthorized, misassociated, uncategorized. |
Severity level |
Severity level of the device. |
Classify way |
AP or client classification method: · Manual—Manual classification. · Invalid OUI—Added to the invalid OUI list. · Block List—Added to the prohibited device list. · Associated—APs that are connected to the AC. · Trust List—Added to the permitted device list. · User Define—User-defined classification. · Auto—Automatic classification. |
Dissociative status |
Whether the client is an unassociated client. |
Status |
Status of the AP or client: · Active—The AP or client is active. · Inactive—The AP or client is inactive. |
Status duration |
Duration since the wireless device entered the current state. |
Vendor |
OUI of the device. This field displays the device OUI if the OUI matches an imported OUI. This field displays Not found if no OUI is configured for the device or the OUI does not match any imported OUIs. |
SSID |
SSID of the wireless service provided by the AP. |
Radio type |
Radio mode of the wireless device. |
40MHz intolerance |
Whether the client supports 40 MHz bandwidth mode. |
Countermeasuring |
Whether WIPS is taking countermeasures against the wireless device: · No. · Yes. |
Man in the middle |
Whether an MITM attack is detected. |
Security |
Security method: · None. · WEP. · WPA. · WPA2. |
Encryption method |
Data encryption method: · TKIP. · CCMP. · WEP. · None. |
Authentication method |
Authentication method: · None. · PSK. · 802.1X. · Others—Authentication methods except for PSK authentication and 802.1X authentication. |
Broadcast SSID |
Whether the AP broadcasts the SSID. This field displays nothing if the AP does not broadcast the SSID. |
QoS supported |
Whether the wireless device supports QoS. |
Ad-hoc |
Whether the wireless device is in Ad hoc mode. |
Beacon interval |
Beacon interval in TUs. One TU is equal to 1024 microseconds. |
Channel band-width supported |
Supported channel bandwidth mode: · 20/40/80MHZ. · 20/40MHZ. · 20MHZ. |
Hotspot AP |
Whether the AP is a hotspot attack AP. |
Soft AP |
Whether the AP is a soft AP. |
Honeypot AP |
Whether the AP is a honeypot AP. |
Sensor n |
Sensor that detected the wireless device. n represents the ID assigned by the system. |
Channel |
Channel on which the sensor most recently detected the wireless device. |
First reported time |
Time when the sensor first detected the wireless device. |
Last reported time |
Time when the sensor most recently detected the wireless device. |
n: H-H-H |
MAC address of the client associated with the AP. n represents the number assigned by the system. |
Reported associated AP |
MAC address of the associated AP that the sensor reports. |
Related commands
reset wips virtual-security-domain device
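The verbose output above is easier to review once it is split into one record per device. The following Python sketch is an added example, not H3C code: it parses text in that layout and applies a small triage policy. The sample input is constructed, and the triage rules and the reading of a larger RSSI value as a closer sensor are assumptions of the example.

```python
import re

# Constructed sample in the layout of the verbose output above. Values are
# made up for illustration (second sensor, "Honeypot AP: Yes", "Man in the
# middle: Yes") and some fields are omitted for brevity.
SAMPLE = """\
Total 2 detected devices in virtual-security-domain a
 AP: 1000-0000-0000
  Classification: Mis(C)
  SSID: service
  Countermeasuring: No
  Security: None
  Hotspot AP: No
  Soft AP: No
  Honeypot AP: Yes
  Total number of reported sensors: 2
   Sensor 1:
    Sensor name: 1
    RSSI: 15
    Channel: 149
    Last reported time: 2014-06-03/09:05:51
   Sensor 2:
    Sensor name: 2
    RSSI: 42
    Channel: 149
  Total number of associated clients: 1
   01: 2000-0000-0000
 Client: 2000-0000-0000
  Last reported associated AP: 1000-0000-0000
  Classification: Uncate
  Countermeasuring: No
  Man in the middle: Yes
  Total number of reported sensors: 1
   Sensor 1:
    Sensor name: 1
    RSSI: 50
    Reported associated AP: 1000-0000-0000
"""

DEVICE_RE = re.compile(r"^(AP|Client):\s*([0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2})$")
SENSOR_FIELDS = {"Sensor ID", "Sensor name", "Radio ID", "RSSI", "Channel",
                 "First reported time", "Last reported time",
                 "Reported associated AP"}


def parse_verbose(text):
    """Split verbose output into one record per AP or client."""
    devices, dev, sensor = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = DEVICE_RE.match(line)
        if m:  # "AP: H-H-H" or "Client: H-H-H" opens a new record
            dev = {"type": m.group(1), "mac": m.group(2),
                   "fields": {}, "sensors": [], "clients": []}
            devices.append(dev)
            sensor = None
            continue
        if dev is None or ":" not in line:
            continue  # banner or blank line
        # Split on the first colon only: time values contain colons too.
        key, _, value = (part.strip() for part in line.partition(":"))
        if re.fullmatch(r"Sensor \d+", key) and not value:
            sensor = {}  # "Sensor n:" opens a per-sensor block
            dev["sensors"].append(sensor)
        elif sensor is not None and key in SENSOR_FIELDS:
            sensor[key] = value
        elif key.isdigit():  # "01: H-H-H" lists a client associated with the AP
            dev["clients"].append(value)
        else:
            sensor = None  # back at device level
            dev["fields"][key] = value
    return devices


def strongest_sensor(dev):
    """Sensor with the highest RSSI (assumption: larger value = closer)."""
    return max(dev["sensors"], key=lambda s: int(s.get("RSSI", 0)), default=None)


def triage(devices):
    """Example policy (an assumption, not WIPS behaviour): list what to review."""
    findings = []
    for d in devices:
        f = d["fields"]
        if d["type"] == "AP":
            reasons = [k for k in ("Hotspot AP", "Soft AP", "Honeypot AP")
                       if f.get(k) == "Yes"]
            # An unencrypted SSID on an AP that is not classified as authorized.
            if f.get("Security") == "None" and not f.get("Classification", "").startswith("Auth"):
                reasons.append("open SSID")
            findings.extend((d["mac"], r) for r in reasons)
            if reasons:  # clients on a flagged AP deserve a look as well
                findings.extend((c, "associated with flagged AP " + d["mac"])
                                for c in d["clients"])
        elif f.get("Man in the middle") == "Yes":
            findings.append((d["mac"], "Man in the middle"))
    return findings


if __name__ == "__main__":
    for mac, reason in triage(parse_verbose(SAMPLE)):
        print(mac, reason)
```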
display wlan nat-detect
Use display wlan nat-detect to display information about clients with NAT configured.
Syntax
display wlan nat-detect [ mac-address mac-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
mac-address mac-address: Specifies a client by its MAC address. If you do not specify this option, the command displays information about all detected NAT-configured clients.
Examples
# Display information about all detected NAT-configured clients.
<Sysname> display wlan nat-detect
Total 1 detected clients with NAT configured
MAC address Last report First report Duration
0a98-2044-0000 2017-08-24/11:05:23 2017-08-24/10:05:23 01h 15m 00s
Table 6 Command output
Field |
Description |
Total number detected clients with NAT configured |
Number of detected NAT-configured clients. |
MAC address |
MAC address of the detected client. |
Last report |
Time when the client was most recently detected. |
First report |
Time when the client was detected for the first time. |
Duration |
Duration since the client was configured with NAT. |
Related commands
reset wlan nat-detect
export oui
Use export oui to export all OUIs in the OUI library to an OUI configuration file.
Syntax
export oui file-name
Views
WIPS view
Predefined user roles
network-admin
Parameters
file-name: Specifies a configuration file by its name, a case-insensitive string of 1 to 255 characters. It cannot contain backslashes (\), slashes (/), colons (:), asterisks (*), question marks (?), quotation marks ("), left angle brackets (<), right angle brackets (>), or vertical bars (|).
Usage guidelines
This command exports all OUIs including embedded OUIs and imported OUIs.
The OUIs are exported in the following format:
000FE2 (base 16) New H3C Technologies Co., Ltd..
Examples
# Export all OUIs in the OUI library to configuration file OUIInfo.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] export oui OUIInfo
Related commands
import oui
reset wips embedded-oui
flood association-request
Use flood association-request to configure association request flood attack detection.
Use undo flood association-request to disable association request flood attack detection.
Syntax
flood association-request [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo flood association-request
Default
Association request flood attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for association request frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an association request flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an association request flood attack within the quiet time.
threshold threshold-value: Specifies the number of association request frames that triggers an association request flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable association request flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] flood association-request interval 100 threshold 100 quiet 360
flood authentication
Use flood authentication to configure authentication request flood attack detection.
Use undo flood authentication to disable authentication request flood attack detection.
Syntax
flood authentication [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo flood authentication
Default
Authentication request flood attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for authentication request frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an authentication request flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an authentication request flood attack within the quiet time.
threshold threshold-value: Specifies the number of authentication request frames that triggers an authentication request flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable authentication request flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] flood authentication interval 100 threshold 100 quiet 360
flood beacon
Use flood beacon to configure beacon flood attack detection.
Use undo flood beacon to disable beacon flood attack detection.
Syntax
flood beacon [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo flood beacon
Default
Beacon flood attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for beacon frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a beacon flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a beacon flood attack within the quiet time.
threshold threshold-value: Specifies the number of beacon frames that triggers a beacon flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable beacon flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] flood beacon interval 100 threshold 100 quiet 360
flood block-ack
Use flood block-ack to configure Block Ack flood attack detection.
Use undo flood block-ack to disable Block Ack flood attack detection.
Syntax
flood block-ack [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo flood block-ack
Default
Block Ack flood attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for Block Ack frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a Block Ack flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a Block Ack flood attack within the quiet time.
threshold threshold-value: Specifies the number of Block Ack frames that triggers a Block Ack flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable Block Ack flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] flood block-ack interval 100 threshold 100 quiet 360
flood cts
Use flood cts to configure CTS flood attack detection.
Use undo flood cts to disable CTS flood attack detection.
Syntax
flood cts [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo flood cts
Default
CTS flood attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for CTS frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a CTS flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a CTS flood attack within the quiet time.
threshold threshold-value: Specifies the number of CTS frames that triggers a CTS flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable CTS flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] flood cts interval 100 threshold 100 quiet 360
flood deauthentication
Use flood deauthentication to configure deauthentication flood attack detection.
Use undo flood deauthentication to disable deauthentication flood attack detection.
Syntax
flood deauthentication [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo flood deauthentication
Default
Deauthentication flood attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for deauthentication frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a deauthentication flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a deauthentication flood attack within the quiet time.
threshold threshold-value: Specifies the number of deauthentication frames that triggers a deauthentication flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable deauthentication flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] flood deauthentication interval 100 threshold 100 quiet 360
flood disassociation
Use flood disassociation to configure disassociation flood attack detection.
Use undo flood disassociation to disable disassociation flood attack detection.
Syntax
flood disassociation [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo flood disassociation
Default
Disassociation flood attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for disassociation frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a disassociation flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a disassociation flood attack within the quiet time.
threshold threshold-value: Specifies the number of disassociation frames that triggers a disassociation flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable disassociation flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] flood disassociation interval 100 threshold 100 quiet 360
flood eap-failure
Use flood eap-failure to configure EAP-failure flood attack detection.
Use undo flood eap-failure to disable EAP-failure flood attack detection.
Syntax
flood eap-failure [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo flood eap-failure
Default
EAP-failure flood attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for EAP-failure frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an EAP-failure flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an EAP-failure flood attack within the quiet time.
threshold threshold-value: Specifies the number of EAP-failure frames that triggers an EAP-failure flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable EAP-failure flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] flood eap-failure interval 100 threshold 100 quiet 360
flood eapol-logoff
Use flood eapol-logoff to configure EAPOL-logoff flood attack detection.
Use undo flood eapol-logoff to disable EAPOL-logoff flood attack detection.
Syntax
flood eapol-logoff [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo flood eapol-logoff
Default
EAPOL-logoff flood attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for EAPOL-logoff frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an EAPOL-logoff flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an EAPOL-logoff flood attack within the quiet time.
threshold threshold-value: Specifies the number of EAPOL-logoff frames that triggers an EAPOL-logoff flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable EAPOL-logoff flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] flood eapol-logoff interval 100 threshold 100 quiet 360
flood eapol-start
Use flood eapol-start to configure EAPOL-start flood attack detection.
Use undo flood eapol-start to disable EAPOL-start flood attack detection.
Syntax
flood eapol-start [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo flood eapol-start
Default
EAPOL-start flood attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for EAPOL-start frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an EAPOL-start flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an EAPOL-start flood attack within the quiet time.
threshold threshold-value: Specifies the number of EAPOL-start frames that triggers an EAPOL-start flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable EAPOL-start flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] flood eapol-start interval 100 threshold 100 quiet 360
flood eap-success
Use flood eap-success to configure EAP-success flood attack detection.
Use undo flood eap-success to disable EAP-success flood attack detection.
Syntax
flood eap-success [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo flood eap-success
Default
EAP-success flood attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for EAP-success frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an EAP-success flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an EAP-success flood attack within the quiet time.
threshold threshold-value: Specifies the number of EAP-success frames that triggers an EAP-success flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable EAP-success flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] flood eap-success interval 100 threshold 100 quiet 360
flood null-data
Use flood null-data to configure null data flood attack detection.
Use undo flood null-data to disable null data flood attack detection.
Syntax
flood null-data [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo flood null-data
Default
Null data flood attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for null data frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a null data flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a null data flood attack within the quiet time.
threshold threshold-value: Specifies the number of null data frames that triggers a null data flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable null data flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] flood null-data interval 100 threshold 100 quiet 360
flood probe-request
Use flood probe-request to configure probe request flood attack detection.
Use undo flood probe-request to disable probe request flood attack detection.
Syntax
flood probe-request [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo flood probe-request
Default
Probe request flood attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for probe request frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a probe request flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a probe request flood attack within the quiet time.
threshold threshold-value: Specifies the number of probe request frames that triggers a probe request flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable probe request flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] flood probe-request interval 100 threshold 100 quiet 360
flood reassociation-request
Use flood reassociation-request to configure reassociation request flood attack detection.
Use undo flood reassociation-request to disable reassociation request flood attack detection.
Syntax
flood reassociation-request [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo flood reassociation-request
Default
Reassociation request flood attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for reassociation request frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a reassociation request flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a reassociation request flood attack within the quiet time.
threshold threshold-value: Specifies the number of reassociation request frames that triggers a reassociation request flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable reassociation request flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] flood reassociation-request interval 100 threshold 100 quiet 360
flood rts
Use flood rts to configure RTS flood attack detection.
Use undo flood rts to disable RTS flood attack detection.
Syntax
flood rts [ interval interval-value | quiet quiet-value | threshold threshold-value ] *
undo flood rts
Default
RTS flood attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for RTS frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an RTS flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an RTS flood attack within the quiet time.
threshold threshold-value: Specifies the number of RTS frames that triggers an RTS flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.
Examples
# Enable RTS flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] flood rts interval 100 threshold 100 quiet 360
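All of the flood commands above, from flood association-request to flood rts, take the same interval, quiet, and threshold parameters. The following Python sketch is an added example, not H3C code: it validates a flood command line against the documented ranges and replays constructed frame timestamps to show how the three values interact. Counting in fixed back-to-back windows and dropping a threshold crossing that falls inside the quiet time are assumptions, because this reference does not describe the device's internal algorithm.

```python
from dataclasses import dataclass

# Value ranges and defaults as documented for every flood command above.
RANGES = {"interval": (1, 3600), "quiet": (5, 604800), "threshold": (1, 100000)}
DEFAULTS = {"interval": 60, "quiet": 600, "threshold": 50}
FRAME_TYPES = {
    "association-request", "authentication", "beacon", "block-ack", "cts",
    "deauthentication", "disassociation", "eap-failure", "eapol-logoff",
    "eapol-start", "eap-success", "null-data", "probe-request",
    "reassociation-request", "rts",
}


@dataclass(frozen=True)
class FloodPolicy:
    frame_type: str
    interval: int   # statistics collection interval, seconds
    quiet: int      # quiet time after an alarm, seconds
    threshold: int  # frames per interval that trigger an alarm


def parse_flood_command(line):
    """Parse 'flood <type> [interval N] [quiet N] [threshold N]' in any order."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "flood" or tokens[1] not in FRAME_TYPES:
        raise ValueError(f"not a flood detection command: {line!r}")
    options = tokens[2:]
    if len(options) % 2:
        raise ValueError("every keyword needs a value")
    params, seen = dict(DEFAULTS), set()
    for key, raw in zip(options[::2], options[1::2]):
        if key not in RANGES or key in seen:
            raise ValueError(f"unknown or repeated keyword: {key}")
        seen.add(key)
        value = int(raw)  # raises ValueError for non-numeric input
        low, high = RANGES[key]
        if not low <= value <= high:
            raise ValueError(f"{key} {value} is outside {low}-{high}")
        params[key] = value
    return FloodPolicy(tokens[1], **params)


def simulate_alarms(policy, frame_times):
    """Return the times (seconds) at which an alarm would be raised.

    Assumed model: frames are counted in fixed windows of policy.interval
    seconds; reaching policy.threshold inside a window raises one alarm
    unless the previous alarm is less than policy.quiet seconds old.
    """
    alarms = []
    window, count = None, 0
    quiet_until = float("-inf")
    for t in sorted(frame_times):
        index = int(t // policy.interval)
        if index != window:  # a new collection interval starts
            window, count = index, 0
        count += 1
        if count == policy.threshold and t >= quiet_until:
            alarms.append(t)
            quiet_until = t + policy.quiet
    return alarms


if __name__ == "__main__":
    # Constructed traffic: 2 matching frames per second for 10 minutes.
    flood = [i * 0.5 for i in range(1200)]
    policy = parse_flood_command(
        "flood deauthentication interval 100 threshold 100 quiet 360")
    print(policy, simulate_alarms(policy, flood))
```

With the values from the examples above, a sustained 10-minute flood produces two alarms; a long quiet time therefore reduces alarm volume but also hides how long the flood lasted.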
frame-type
Use frame-type to configure a subsignature to match frame types.
Use undo frame-type to restore the default.
Syntax
frame-type { control | data | management [ frame-subtype { association-request | association-response | authentication | beacon | deauthentication | disassociation | probe-request } ] }
undo frame-type
Default
No subsignature is configured to match frame types.
Views
Signature view
Predefined user roles
network-admin
Parameters
control: Matches control frames.
data: Matches data frames.
management: Matches management frames.
frame-subtype: Specifies a frame subtype.
association-request: Matches association request frames.
association-response: Matches association response frames.
authentication: Matches authentication frames.
beacon: Matches beacon frames.
deauthentication: Matches deauthentication frames.
disassociation: Matches disassociation frames.
probe-request: Matches probe request frames.
Examples
# Configure a subsignature to match data frames for signature 1.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] signature rule 1
[wips-sig-rule-1] frame-type data
Related commands
match all (signature rule view)
mac-address
pattern
seq-number
ssid (signature rule view)
ssid-length
honeypot-ap
Use honeypot-ap to configure honeypot AP detection.
Use undo honeypot-ap to disable honeypot AP detection.
Syntax
honeypot-ap [ similarity similarity-value | quiet quiet-value ] *
undo honeypot-ap
Default
Honeypot AP detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
similarity similarity-value: Specifies the similarity threshold that triggers a honeypot AP alarm, as a percentage in the range of 70 to 100. The default value is 80%. WIPS determines that an AP is a honeypot AP if the similarity between the SSID of the AP and the SSID of a legitimate AP reaches the threshold.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a honeypot AP. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a honeypot AP within the quiet time.
Examples
# Enable honeypot AP detection, and set the similarity threshold and quiet time to 90% and 10 seconds, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] honeypot-ap similarity 90 quiet 10
hotspot-attack
Use hotspot-attack to configure hotspot attack detection.
Use undo hotspot-attack to disable hotspot attack detection.
Syntax
hotspot-attack [ quiet quiet-value ]
undo hotspot-attack
Default
Hotspot attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a hotspot attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a hotspot attack within the quiet time.
Examples
# Enable hotspot attack detection and set the quiet time to 100 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] hotspot-attack quiet 100
Related commands
import hotspot
ht-40mhz-intolerance
Use ht-40mhz-intolerance to configure detection on clients with the 40 MHz bandwidth mode disabled.
Use undo ht-40mhz-intolerance to disable detection on clients with the 40 MHz bandwidth mode disabled.
Syntax
ht-40mhz-intolerance [ quiet quiet-value ]
undo ht-40mhz-intolerance
Default
Detection on clients with the 40 MHz bandwidth mode disabled is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a client with the 40 MHz bandwidth mode disabled. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a client with the 40 MHz bandwidth mode disabled within the quiet time.
Examples
# Enable detection on clients with the 40 MHz bandwidth mode disabled and set the quiet time to 100 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] ht-40mhz-intolerance quiet 100
ht-greenfield
Use ht-greenfield to configure HT-greenfield AP detection.
Use undo ht-greenfield to disable HT-greenfield AP detection.
Syntax
ht-greenfield [ quiet quiet-value ]
undo ht-greenfield
Default
HT-greenfield AP detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting an HT-greenfield AP. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an HT-greenfield AP within the quiet time.
Examples
# Enable HT-greenfield AP detection and set the quiet time to 100 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] ht-greenfield quiet 100
ignorelist
Use ignorelist to add a MAC address to the alarm-ignored device list.
Use undo ignorelist to remove a specific or all MAC addresses from the alarm-ignored device list.
Syntax
ignorelist mac-address mac-address
undo ignorelist mac-address { mac-address | all }
Default
No MAC address is added to the alarm-ignored device list.
Views
WIPS view
Predefined user roles
network-admin
Parameters
mac-address: Specifies a MAC address in the H-H-H format.
all: Specifies all MAC addresses in the alarm-ignored device list.
Usage guidelines
For wireless devices in the alarm-ignored device list, WIPS does not generate any alarms.
Examples
# Add MAC address 2a11-1fa1-1311 to the alarm-ignored device list.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] ignorelist mac-address 2a11-1fa1-1311
import hotspot
Use import hotspot to import hotspots from a configuration file.
Use undo import hotspot to remove the configuration.
Syntax
import hotspot file-name
undo import hotspot
Default
No hotspots are imported.
Views
WIPS view
Predefined user roles
network-admin
Parameters
file-name: Specifies a configuration file by its name, a case-insensitive string of 1 to 255 characters. It cannot contain back slashes (\), slashes (/), colons (:), asterisks (*), question marks (?), quotation marks ("), left angle brackets (<), right angle brackets (>), or vertical bars (|).
Usage guidelines
You can import hotspots from only one configuration file.
Examples
# Import hotspots from configuration file hotspot_cfg.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] import hotspot hotspot_cfg
Related commands
hotspot-attack
import oui
Use import oui to import OUIs from a configuration file.
Use undo import oui to restore the default.
Syntax
import oui file-name
undo import oui
Default
No OUIs are imported.
Views
WIPS view
Predefined user roles
network-admin
Parameters
file-name: Specifies a configuration file by its name, a case-insensitive string of 1 to 255 characters. It cannot contain back slashes (\), slashes (/), colons (:), asterisks (*), question marks (?), quotation marks ("), left angle brackets (<), right angle brackets (>), or vertical bars (|).
Usage guidelines
You can download the configuration file from the IEEE website.
You can import OUIs from only one configuration file.
Examples
# Import OUIs from configuration file oui_import_cfg.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] import oui oui_import_cfg
Related commands
export oui
reset wips embedded-oui
invalid-oui-classify illegal
Use invalid-oui-classify illegal to configure WIPS to classify devices with invalid OUIs as rogue devices.
Use undo invalid-oui-classify to restore the default.
Syntax
invalid-oui-classify illegal
undo invalid-oui-classify
Default
WIPS does not classify devices with invalid OUIs as rogue devices.
Views
Classification policy view
Predefined user roles
network-admin
Examples
# Configure WIPS to classify devices with invalid OUIs as rogue devices.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] classification policy home
[Sysname-wips-cls-home] invalid-oui-classify illegal
Related commands
import oui
mac-address
Use mac-address to configure a subsignature to match frames by MAC address.
Use undo mac-address to restore the default.
Syntax
mac-address { bssid | destination | source } mac-address
undo mac-address
Default
No subsignature is configured to match frames by MAC address.
Views
Signature view
Predefined user roles
network-admin
Parameters
bssid: Matches a BSSID.
destination: Matches a destination MAC address.
source: Matches a source MAC address.
mac-address: Specifies a MAC address in the H-H-H format.
Examples
# Configure a subsignature to match frames with source MAC address 000f-e201-0101 for signature 1.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] signature rule 1
[Sysname-wips-sig-rule-1] mac-address source 000f-e201-0101
Related commands
frame-type
match all (signature rule view)
pattern
seq-number
ssid (signature rule view)
ssid-length
malformed duplicated-ie
Use malformed duplicated-ie to enable duplicated IE detection.
Use undo malformed duplicated-ie to disable duplicated IE detection.
Syntax
malformed duplicated-ie [ quiet quiet-value ]
undo malformed duplicated-ie
Default
Duplicated IE detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a duplicated IE. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a duplicated IE within the quiet time.
Usage guidelines
This feature is applicable to all management frames. WIPS determines that a packet is malformed if the packet has a duplicated IE. This feature does not take effect on frames with vendor-defined IEs.
Examples
# Enable duplicated IE detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] malformed duplicated-ie quiet 360
malformed fata-jack
Use malformed fata-jack to enable FATA-Jack detection.
Use undo malformed fata-jack to disable FATA-Jack detection.
Syntax
malformed fata-jack [ quiet quiet-value ]
undo malformed fata-jack
Default
FATA-Jack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a FATA-Jack malformed packet. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a FATA-Jack malformed packet within the quiet time.
Usage guidelines
This feature is applicable to authentication frames. WIPS determines that an authentication frame is malformed if the value of the authentication algorithm number is 2.
Examples
# Enable FATA-Jack detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] malformed fata-jack quiet 360
malformed illegal-ibss-ess
Use malformed illegal-ibss-ess to enable abnormal IBSS or ESS setting detection.
Use undo malformed illegal-ibss-ess to disable abnormal IBSS or ESS setting detection.
Syntax
malformed illegal-ibss-ess [ quiet quiet-value ]
undo malformed illegal-ibss-ess
Default
Abnormal IBSS or ESS setting detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an abnormal IBSS and ESS setting. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an abnormal IBSS and ESS setting within the quiet time.
Usage guidelines
This feature is applicable to beacon frames and probe response frames. WIPS determines that a frame is malformed if both the IBSS and ESS are set to 1 in the frame.
Examples
# Enable abnormal IBSS or ESS setting detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] malformed illegal-ibss-ess quiet 360
malformed invalid-address-combination
Use malformed invalid-address-combination to enable invalid source address detection.
Use undo malformed invalid-address-combination to disable invalid source address detection.
Syntax
malformed invalid-address-combination [ quiet quiet-value ]
undo malformed invalid-address-combination
Default
Invalid source address detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an invalid source address. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an invalid source address within the quiet time.
Usage guidelines
This feature is applicable to all management frames. WIPS determines that a frame is malformed when the following conditions are met:
· The TO DS of the frame is 1, indicating that the frame is sent to the AP by a client.
· The source MAC address of the frame is a multicast or broadcast address.
Examples
# Enable invalid source address detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] malformed invalid-address-combination quiet 360
malformed invalid-assoc-req
Use malformed invalid-assoc-req to enable malformed association request frame detection.
Use undo malformed invalid-assoc-req to disable malformed association request frame detection.
Syntax
malformed invalid-assoc-req [ quiet quiet-value ]
undo malformed invalid-assoc-req
Default
Malformed association request frame detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a malformed association request frame. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a malformed association request frame within the quiet time.
Usage guidelines
This feature is applicable to association request frames. WIPS determines that a frame is malformed if the SSID length in the frame is 0.
Examples
# Enable malformed association request frame detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] malformed invalid-assoc-req quiet 360
malformed invalid-auth
Use malformed invalid-auth to enable malformed authentication request frame detection.
Use undo malformed invalid-auth to disable malformed authentication request frame detection.
Syntax
malformed invalid-auth [ quiet quiet-value ]
undo malformed invalid-auth
Default
Malformed authentication request frame detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a malformed authentication request frame. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a malformed authentication request frame within the quiet time.
Usage guidelines
This feature is applicable to authentication request frames. WIPS determines that a frame is malformed when any of the following conditions is met:
· The authentication algorithm number does not conform to the 802.11 protocol and is larger than 3.
· The authentication transaction sequence number, indicating the authentication process between the client and the AP, is 1 and the status code is not 0.
· The authentication transaction sequence number is larger than 4.
Examples
# Enable malformed authentication request frame detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] malformed invalid-auth quiet 360
malformed invalid-deauth-code
Use malformed invalid-deauth-code to enable invalid deauthentication code detection.
Use undo malformed invalid-deauth-code to disable invalid deauthentication code detection.
Syntax
malformed invalid-deauth-code [ quiet quiet-value ]
undo malformed invalid-deauth-code
Default
Invalid deauthentication code detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an invalid deauthentication code. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an invalid deauthentication code within the quiet time.
Usage guidelines
This feature is applicable to deauthentication frames. WIPS determines that a frame is malformed if the reason code in the frame is 0 or in the range of 67 to 65535.
Examples
# Enable invalid deauthentication code detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] malformed invalid-deauth-code quiet 360
malformed invalid-disassoc-code
Use malformed invalid-disassoc-code to enable invalid disassociation code detection.
Use undo malformed invalid-disassoc-code to disable invalid disassociation code detection.
Syntax
malformed invalid-disassoc-code [ quiet quiet-value ]
undo malformed invalid-disassoc-code
Default
Invalid disassociation code detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an invalid disassociation code. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an invalid disassociation code within the quiet time.
Usage guidelines
This feature is applicable to disassociation frames. WIPS determines that a frame is malformed if the reason code in the frame is 0 or in the range of 67 to 65535.
Examples
# Enable invalid disassociation code detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] malformed invalid-disassoc-code quiet 360
malformed invalid-ht-ie
Use malformed invalid-ht-ie to enable malformed HT IE detection.
Use undo malformed invalid-ht-ie to disable malformed HT IE detection.
Syntax
malformed invalid-ht-ie [ quiet quiet-value ]
undo malformed invalid-ht-ie
Default
Malformed HT IE detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a malformed HT IE. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a malformed HT IE within the quiet time.
Usage guidelines
This feature is applicable to beacon, probe response, association response, and reassociation response frames. WIPS determines that a frame is malformed when the following conditions are met:
· The SM power save value of the HT capabilities IE is 2.
· The secondary channel offset value of the HT operation IE is 2.
Examples
# Enable malformed HT IE detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] malformed invalid-ht-ie quiet 360
malformed invalid-ie-length
Use malformed invalid-ie-length to enable invalid IE length detection.
Use undo malformed invalid-ie-length to disable invalid IE length detection.
Syntax
malformed invalid-ie-length [ quiet quiet-value ]
undo malformed invalid-ie-length
Default
Invalid IE length detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an invalid IE length. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an invalid IE length within the quiet time.
Usage guidelines
This feature is applicable to all management frames. WIPS determines that a frame is malformed if the length of an IE in the frame does not conform to the 802.11 protocol.
Examples
# Enable invalid IE length detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] malformed invalid-ie-length quiet 360
malformed invalid-pkt-length
Use malformed invalid-pkt-length to enable invalid packet length detection.
Use undo malformed invalid-pkt-length to disable invalid packet length detection.
Syntax
malformed invalid-pkt-length [ quiet quiet-value ]
undo malformed invalid-pkt-length
Default
Invalid packet length detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an invalid packet length. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an invalid packet length within the quiet time.
Usage guidelines
This feature is applicable to all management frames. WIPS determines that a frame is malformed if the remaining length of the IE is not zero after the packet payload is resolved.
Examples
# Enable invalid packet length detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] malformed invalid-pkt-length quiet 360
malformed large-duration
Use malformed large-duration to enable oversized duration detection.
Use undo malformed large-duration to disable oversized duration detection.
Syntax
malformed large-duration [ quiet quiet-value | threshold value ]
undo malformed large-duration
Default
Oversized duration detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an oversized duration. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an oversized duration within the quiet time.
threshold value: Specifies the duration size that triggers WIPS to determine an oversized duration and trigger an alarm. The value range for the value argument is 1 to 32767 and the default value is 5000.
Usage guidelines
This feature is applicable to unicast management frames, unicast data frames, RTS, CTS, and ACK frames. WIPS determines that a frame is malformed if the duration value in the frame is larger than the specified threshold.
Examples
# Enable oversized duration detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] malformed large-duration quiet 360
malformed null-probe-resp
Use malformed null-probe-resp to enable malformed probe response frame detection.
Use undo malformed null-probe-resp to disable malformed probe response frame detection.
Syntax
malformed null-probe-resp [ quiet quiet-value ]
undo malformed null-probe-resp
Default
Malformed probe response frame detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a malformed probe response frame. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a malformed probe response frame within the quiet time.
Usage guidelines
This feature is applicable to probe response frames. WIPS determines that a frame is malformed if the frame is not a mesh frame and its SSID length is 0.
Examples
# Enable malformed probe response frame detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] malformed null-probe-resp quiet 360
malformed overflow-eapol-key
Use malformed overflow-eapol-key to enable oversized EAPOL key detection.
Use undo malformed overflow-eapol-key to disable oversized EAPOL key detection.
Syntax
malformed overflow-eapol-key [ quiet quiet-value ]
undo malformed overflow-eapol-key
Default
Oversized EAPOL key detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an oversized EAPOL key. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an oversized EAPOL key within the quiet time.
Usage guidelines
This feature is applicable to EAPOL-Key frames. WIPS determines that a frame is malformed if the TO DS is 1 and the key length is larger than 0 in the frame. A malicious EAPOL-Key frame might result in DoS attacks.
Examples
# Enable oversized EAPOL key detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] malformed overflow-eapol-key quiet 360
malformed overflow-ssid
Use malformed overflow-ssid to enable oversized SSID detection.
Use undo malformed overflow-ssid to disable oversized SSID detection.
Syntax
malformed overflow-ssid [ quiet quiet-value ]
undo malformed overflow-ssid
Default
Oversized SSID detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an oversized SSID. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an oversized SSID within the quiet time.
Usage guidelines
This feature is applicable to beacon, probe request, probe response, and association request frames. WIPS determines that a frame is malformed if the SSID length in the frame is larger than 32, which does not conform to the 802.11 protocol.
Examples
# Enable oversized SSID detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] malformed overflow-ssid quiet 360
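The following Python sketch is an added example, not vendor code or the WIPS implementation. It applies the criteria documented above for invalid-address-combination, fata-jack, invalid-auth, invalid-deauth-code, invalid-disassoc-code, illegal-ibss-ess, duplicated-ie, invalid-pkt-length, invalid-assoc-req, null-probe-resp, and overflow-ssid to raw management frames, so the rules can be checked against captured traffic. Assumptions: frames start at the 24-byte MAC header, a mesh frame is recognized by a Mesh ID IE (ID 114), invalid-pkt-length is read as bytes left over after the IE walk, and the function and sample names are hypothetical.

```python
import struct

# Management-frame subtypes from the 802.11 Frame Control field.
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 4, 5, 8
DISASSOC, AUTH, DEAUTH = 10, 11, 12
# Length of the fixed fields that precede the IEs in each frame body.
FIXED_LEN = {ASSOC_REQ: 4, PROBE_REQ: 0, PROBE_RESP: 12, BEACON: 12,
             DISASSOC: 2, AUTH: 6, DEAUTH: 2}
IE_SSID, IE_MESH_ID, IE_VENDOR = 0, 114, 221


def walk_ies(buf):
    """Parse id/length/value IEs; return (list of (id, value), leftover bytes)."""
    ies, pos = [], 0
    while pos + 2 <= len(buf):
        ie_id, ie_len = buf[pos], buf[pos + 1]
        if pos + 2 + ie_len > len(buf):  # declared length overruns the frame
            break
        ies.append((ie_id, buf[pos + 2:pos + 2 + ie_len]))
        pos += 2 + ie_len
    return ies, len(buf) - pos


def check_mgmt_frame(frame):
    """Return the sorted rule names (command keywords) that the frame trips."""
    if len(frame) < 24:
        raise ValueError("shorter than a management MAC header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0:
        return []  # the rules below apply to management frames only
    hits = set()
    # invalid-address-combination: To DS is 1 and the source is multicast/broadcast.
    if frame[1] & 0x01 and frame[10] & 0x01:
        hits.add("invalid-address-combination")
    body, fixed = frame[24:], FIXED_LEN.get(subtype)
    if fixed is None or len(body) < fixed:
        return sorted(hits)  # subtype not modelled here, or fixed fields cut short
    if subtype == AUTH:
        alg, seq, status = struct.unpack_from("<HHH", body)
        if alg == 2:
            hits.add("fata-jack")
        # Any one of the three listed conditions marks the frame.
        if alg > 3 or (seq == 1 and status != 0) or seq > 4:
            hits.add("invalid-auth")
    elif subtype in (DEAUTH, DISASSOC):
        (reason,) = struct.unpack_from("<H", body)
        if reason == 0 or reason >= 67:
            hits.add("invalid-deauth-code" if subtype == DEAUTH
                     else "invalid-disassoc-code")
    elif subtype in (BEACON, PROBE_RESP):
        (capability,) = struct.unpack_from("<H", body, 10)
        if (capability & 0x0003) == 0x0003:  # ESS (bit 0) and IBSS (bit 1) both 1
            hits.add("illegal-ibss-ess")
    ies, leftover = walk_ies(body[fixed:])
    if leftover:
        hits.add("invalid-pkt-length")
    ids = [ie_id for ie_id, _ in ies if ie_id != IE_VENDOR]  # vendor IEs exempt
    if len(ids) != len(set(ids)):
        hits.add("duplicated-ie")
    ssid = next((v for i, v in ies if i == IE_SSID), None)
    if ssid is not None:
        if len(ssid) > 32 and subtype in (BEACON, PROBE_REQ, PROBE_RESP, ASSOC_REQ):
            hits.add("overflow-ssid")
        if len(ssid) == 0 and subtype == ASSOC_REQ:
            hits.add("invalid-assoc-req")
        is_mesh = any(i == IE_MESH_ID for i, _ in ies)
        if len(ssid) == 0 and subtype == PROBE_RESP and not is_mesh:
            hits.add("null-probe-resp")
    return sorted(hits)


def build(subtype, body, to_ds=0, src="020000000001"):
    """Constructed sample: 24-byte management header followed by the body."""
    header = bytes([subtype << 4, to_ds]) + b"\x00\x00"           # FC, duration
    header += bytes.fromhex("02000000aaaa") + bytes.fromhex(src)  # DA, SA
    header += bytes.fromhex("02000000aaaa") + b"\x00\x00"         # BSSID, seq
    return header + body


def ie(ie_id, value):
    return bytes([ie_id, len(value)]) + value


# Constructed sample frames (not captured traffic).
SAMPLES = {
    "auth": build(AUTH, struct.pack("<HHH", 2, 1, 0)),
    "deauth": build(DEAUTH, struct.pack("<H", 0)),
    "beacon": build(BEACON, bytes(10) + b"\x03\x00" + ie(IE_SSID, b"A" * 33)),
    "probe-resp": build(PROBE_RESP, bytes(10) + b"\x01\x00" + ie(IE_SSID, b"")),
    "assoc-req": build(ASSOC_REQ, bytes(4) + ie(IE_SSID, b"") + ie(1, b"\x82")
                       + ie(1, b"\x84") + b"\x30", to_ds=1, src="ffffffffffff"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name}: {check_mgmt_frame(frame)}")
```

The invalid-ht-ie, invalid-ie-length, and redundant-ie checks are left out because they need the per-IE tables of the 802.11 standard.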
malformed redundant-ie
Use malformed redundant-ie to enable redundant IE detection.
Use undo malformed redundant-ie to disable redundant IE detection.
Syntax
malformed redundant-ie [ quiet quiet-value ]
undo malformed redundant-ie
Default
Redundant IE detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a redundant IE. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a redundant IE within the quiet time.
Usage guidelines
This feature is applicable to all management frames. WIPS determines that a frame is malformed if an IE in the frame is neither a necessary IE to the frame nor a reserved IE.
Examples
# Enable redundant IE detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] malformed redundant-ie quiet 360
man-in-the-middle
Use man-in-the-middle to configure man-in-the-middle (MITM) attack detection.
Use undo man-in-the-middle to disable MITM attack detection.
Syntax
man-in-the-middle [ quiet quiet-value ]
undo man-in-the-middle
Default
MITM attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an MITM attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an MITM attack within the quiet time.
Usage guidelines
WIPS can detect MITM attacks only when you enable both honeypot AP detection and MITM attack detection.
Examples
# Enable MITM attack detection.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] honeypot-ap
[Sysname-wips-dtc-home] man-in-the-middle
manual-classify mac-address
Use manual-classify mac-address to classify APs by MAC address.
Use undo manual-classify mac-address to restore the default.
Syntax
manual-classify mac-address mac-address { authorized-ap | external-ap | misconfigured-ap | rogue-ap }
undo manual-classify mac-address { mac-address | all }
Default
APs are not classified by MAC address.
Views
Classification policy view
Predefined user roles
network-admin
Parameters
mac-address: Specifies an AP by its MAC address, in the H-H-H format.
authorized-ap: Specifies the AP as an authorized AP.
external-ap: Specifies the AP as an external AP.
misconfigured-ap: Specifies the AP as a misconfigured AP.
rogue-ap: Specifies the AP as a rogue AP.
all: Specifies all APs.
Examples
# Classify the AP whose MAC address is 000f-00e2-0001 as an authorized AP.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] classification policy home
[Sysname-wips-cls-home] manual-classify mac-address 000f-00e2-0001 authorized-ap
match all (AP classification rule view)
Use match all to configure the AP classification rule criteria to be in logical AND relationship.
Use undo match all to restore the default.
Syntax
match all
undo match all
Default
The AP classification rule criteria are in logical OR relationship. An AP matches an AP classification rule if it matches any of the criteria of the AP classification rule.
Views
AP classification rule view
Predefined user roles
network-admin
Examples
# Configure the criteria of AP classification rule 1 to be in logical AND relationship.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] ap-classification rule 1
[Sysname-wips-cls-rule-1] match all
match all (signature view)
Use match all to configure the subsignatures to be in logical AND relationship.
Use undo match all to restore the default.
Syntax
match all
undo match all
Default
The subsignatures are in logical OR relationship. A packet matches a signature if it matches any of the subsignatures of the signature.
Views
Signature view
Predefined user roles
network-admin
Examples
# Configure the subsignatures of signature 1 to be in logical AND relationship.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] signature rule 1
[Sysname-wips-sig-rule-1] match all
Related commands
frame-type
mac-address
pattern
seq-number
ssid (signature rule view)
ssid-length
omerta
Use omerta to configure Omerta attack detection.
Use undo omerta to disable Omerta attack detection.
Syntax
omerta [ quiet quiet-value ]
undo omerta
Default
Omerta attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an Omerta attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an Omerta attack within the quiet time.
Examples
# Enable Omerta attack detection and set the quiet time to 100 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] omerta quiet 100
oui
Use oui to configure an AP classification rule to match APs by OUI information.
Use undo oui to restore the default.
Syntax
oui oui-info
undo oui
Default
An AP classification rule does not match APs by OUI information.
Views
AP classification rule view
Predefined user roles
network-admin
Parameters
oui-info: Specifies the OUI information in the XXXXXX format, a case-insensitive hexadecimal string.
Examples
# Configure AP classification rule 1 to match APs with OUI 000fe4.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] ap-classification rule 1
[Sysname-wips-cls-rule-1] oui 000fe4
pattern
Use pattern to configure a subsignature to match frames by specified bits.
Use undo pattern to restore the default.
Syntax
pattern pattern-number offset offset-value mask mask value1 [ to value2 ] [ from-payload ]
undo pattern { pattern-number | all }
Default
No subsignature is configured to match frames by specified bits.
Views
Signature view
Predefined user roles
network-admin
Parameters
pattern-number: Specifies a number for a subsignature that matches the specified bits of a frame, in the range of 0 to 65535.
offset offset-value: Specifies the offset from the specified bit to the reference bit. The value range for the offset-value argument is 0 to 2346 bits. The reference bit can be the first bit of the frame head (default) or the frame payload.
mask mask: Specifies a two-byte mask that is used for the AND operation with the specified bits. The mask is in hexadecimal format and the value range for the mask is 0 to ffff.
value1 [ to value2 ]: Specifies a value range for the specified bits. The value1 and value2 arguments specify the start value and end value for the value range, respectively. The value range is 0 to 65535 for both the value1 and value2 arguments, and value2 cannot be smaller than value1.
from-payload: Specifies the first bit of the frame payload as the reference bit. If you do not specify this keyword, the first bit of the frame head is the reference bit.
Examples
# Configure a subsignature to match the second and third bytes from the frame head of a frame. If the values of the second and third bytes of a frame are within the range of 0x0015 to 0x0020, the frame matches the subsignature.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] signature rule 1
[Sysname-wips-sig-rule-1] pattern 1 offset 8 mask ffff 15 to 20
Related commands
frame-type
match all (signature rule view)
mac-address
ssid (signature rule view)
seq-number
ssid-length
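The offset, mask, and value-range test that the pattern parameters describe, as an added Python example (not device or vendor code). It assumes bits are counted MSB-first in captured byte order, that the payload starts after a caller-supplied header length (24 bytes by default), and that the bounds are passed as the hexadecimal values the page's example describes; all function and constant names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

MAX_OFFSET_BITS = 2346  # offset-value range on the page: 0 to 2346 bits
U16_MAX = 0xFFFF        # mask range 0 to ffff, value range 0 to 65535


@dataclass(frozen=True)
class Pattern:
    """Arguments of one 'pattern' subsignature, validated against the page's ranges."""
    number: int
    offset: int                     # bits from the reference bit
    mask: int                       # two-byte mask, ANDed with the extracted bits
    value1: int
    value2: Optional[int] = None    # omitted 'to value2' means a single value
    from_payload: bool = False      # reference bit = first bit of the payload

    def __post_init__(self):
        if not 0 <= self.number <= 65535:
            raise ValueError("pattern-number must be 0 to 65535")
        if not 0 <= self.offset <= MAX_OFFSET_BITS:
            raise ValueError("offset-value must be 0 to 2346 bits")
        if not 0 <= self.mask <= U16_MAX:
            raise ValueError("mask must be 0 to ffff")
        if not 0 <= self.value1 <= self.high <= U16_MAX:
            raise ValueError("need 0 <= value1 <= value2 <= 65535")

    @property
    def high(self) -> int:
        return self.value1 if self.value2 is None else self.value2


def extract16(frame: bytes, start_bit: int) -> Optional[int]:
    """Return the 16 bits starting at start_bit (MSB-first), or None if the frame is too short."""
    if start_bit + 16 > len(frame) * 8:
        return None
    first = start_bit // 8
    # Three bytes always cover a 16-bit field that starts anywhere inside the first byte.
    window = int.from_bytes(frame[first:first + 3].ljust(3, b"\x00"), "big")
    return (window >> (8 - start_bit % 8)) & U16_MAX


def matches(p: Pattern, frame: bytes, header_len: int = 24) -> bool:
    """True if the masked 16-bit field of frame falls inside the pattern's value range."""
    # header_len is an assumption supplied by the caller, not a value from the page.
    reference = header_len * 8 if p.from_payload else 0
    field = extract16(frame, reference + p.offset)
    return field is not None and p.value1 <= (field & p.mask) <= p.high


def can_ever_match(p: Pattern) -> bool:
    """False when every value in the range has a bit set that the mask clears."""
    return any((v & ~p.mask) == 0 for v in range(p.value1, p.high + 1))


# Constructed sample frames (not captures). Bytes 1-2 are the field under test.
FRAME_HIT = bytes.fromhex("80001a00") + bytes(20)      # bytes 1-2 = 0x001a
FRAME_MISS = bytes.fromhex("80003a00") + bytes(20)     # bytes 1-2 = 0x003a
FRAME_HIGH = bytes.fromhex("80401a00") + bytes(20)     # bytes 1-2 = 0x401a
FRAME_LLC = bytes(24) + bytes.fromhex("aaaa03000000")  # 24-byte header + payload

# The page's example: pattern 1 offset 8 mask ffff 15 to 20, described as 0x0015 to 0x0020.
PAGE_EXAMPLE = Pattern(1, offset=8, mask=0xFFFF, value1=0x0015, value2=0x0020)
# Same range, but the mask keeps only the low byte of the field.
LOW_BYTE_ONLY = Pattern(2, offset=8, mask=0x00FF, value1=0x0015, value2=0x0020)
# Reference bit moved to the first payload bit (from-payload).
PAYLOAD_START = Pattern(3, offset=0, mask=0xFFFF, value1=0xAAAA, from_payload=True)
# Range lies entirely above what the mask can produce, so the rule is dead.
DEAD_RULE = Pattern(4, offset=8, mask=0x00FF, value1=0x0100, value2=0x01FF)

if __name__ == "__main__":
    for name, frame in [("hit", FRAME_HIT), ("miss", FRAME_MISS), ("high", FRAME_HIGH)]:
        print(name, matches(PAGE_EXAMPLE, frame), matches(LOW_BYTE_ONLY, frame))
    print("payload", matches(PAYLOAD_START, FRAME_LLC))
    print("dead rule can match:", can_ever_match(DEAD_RULE))
```

Running can_ever_match over a planned signature set before deployment catches rules whose value range the mask makes unreachable.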
permit-channel
Use permit-channel to add one or multiple channels to the permitted channel list.
Use undo permit-channel to remove the specified or all channels from the permitted channel list.
Syntax
permit-channel channel-id-list
undo permit-channel { channel-id-list | all }
Default
No channels are added to the permitted channel list.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
channel-id-list: Specifies a space-separated list of up to 10 permitted channel items. Each item specifies a channel number or a range of channel numbers in the form of value1 to value2. The value range for channel numbers is 1 to 224. The value for the value2 argument must be equal to or greater than the value for the value1 argument.
all: Specifies all permitted channels.
Usage guidelines
To prevent WIPS from taking all channels as prohibited channels, use this command to configure a permitted channel list before you configure prohibited channel detection.
Examples
# Add channel 1 to the permitted channel list.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] permit-channel 1
Related commands
prohibited-channel
power-save
Use power-save to configure power saving attack detection.
Use undo power-save to disable power saving attack detection.
Syntax
power-save [ interval interval-value | minoffpacket packet-value | onoffpercent percent-value | quiet quiet-value ] *
undo power-save
Default
Power saving attack detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval interval-value: Specifies the statistics collection interval for power save frames. The value range for the interval-value argument is 1 to 3600 seconds, and the default value is 10 seconds.
minoffpacket packet-value: Specifies the threshold for the number of power save off frames that triggers power save attack analysis. If the number of off frames from a client reaches the threshold, WIPS analyzes the power save frames to determine whether a power save attack occurs. The value range for the argument is 10 to 150, and the default is 50.
onoffpercent percent-value: Specifies the threshold for the ratio between the power save on frames and off frames from a client. WIPS triggers an alarm for a power save attack when the threshold is reached. The value range for this argument is 0 to 100, and the default is 80.
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a power saving attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a power saving attack within the quiet time.
Examples
# Enable power saving attack detection, and set the interval-value, packet-value, percent-value, and quiet-value arguments to 20, 20, 90, and 100, respectively.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] power-save interval 20 minoffpacket 20 onoffpercent 90 quiet 100
prohibited-channel
Use prohibited-channel to configure prohibited channel detection.
Use undo prohibited-channel to disable prohibited channel detection.
Syntax
prohibited-channel [ quiet quiet-value ]
undo prohibited-channel
Default
Prohibited channel detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a prohibited channel. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a prohibited channel within the quiet time.
Usage guidelines
To prevent WIPS from taking all channels as prohibited channels, use the permit-channel command to configure a permitted channel list before you configure prohibited channel detection.
Examples
# Enable prohibited channel detection and set the quiet time to 100 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] prohibited-channel quiet 100
Related commands
permit-channel
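How the permitted channel list and the quiet time interact in the permit-channel and prohibited-channel descriptions above, as an added Python example (not device or vendor code). It assumes that any channel outside the permitted list counts as prohibited, as the usage guidelines imply, and that the quiet time is tracked per channel; the function and class names are hypothetical.

```python
MIN_CHANNEL, MAX_CHANNEL = 1, 224      # channel number range on the page
MAX_ITEMS = 10                         # channel-id-list holds up to 10 items
MIN_QUIET, MAX_QUIET = 5, 604800       # quiet-value range in seconds


def parse_channel_list(text):
    """Expand a channel-id-list such as '1 6 11 36 to 48' into a set of channels."""
    tokens = text.split()
    channels, items, i = set(), 0, 0
    while i < len(tokens):
        low = high = int(tokens[i])
        i += 1
        if i < len(tokens) and tokens[i] == "to":
            if i + 1 >= len(tokens):
                raise ValueError("'to' must be followed by value2")
            high = int(tokens[i + 1])
            i += 2
        if not MIN_CHANNEL <= low <= high <= MAX_CHANNEL:
            raise ValueError(f"invalid item {low} to {high}: need 1 <= value1 <= value2 <= 224")
        items += 1
        if items > MAX_ITEMS:
            raise ValueError("channel-id-list accepts up to 10 items")
        channels.update(range(low, high + 1))
    return channels


class ProhibitedChannelDetector:
    """Alarm on channels outside the permitted list, honouring the quiet time."""

    def __init__(self, permitted, quiet=600):
        if not MIN_QUIET <= quiet <= MAX_QUIET:
            raise ValueError("quiet-value must be 5 to 604800 seconds")
        self.permitted = set(permitted)
        self.quiet = quiet
        self._last_alarm = {}   # assumption: quiet time is tracked per channel

    def observe(self, timestamp, channel):
        """Return 'permitted', 'alarm' or 'suppressed' for one sighting."""
        if channel in self.permitted:
            return "permitted"
        last = self._last_alarm.get(channel)
        if last is not None and timestamp - last < self.quiet:
            return "suppressed"   # still detected, but inside the quiet time
        self._last_alarm[channel] = timestamp
        return "alarm"


def replay(permit_text, sightings, quiet):
    """Run a list of (timestamp, channel) sightings through a fresh detector."""
    detector = ProhibitedChannelDetector(parse_channel_list(permit_text), quiet)
    return [detector.observe(ts, ch) for ts, ch in sightings]


# Constructed sightings: (seconds since start, channel a sensor saw a device on).
SIGHTINGS = [(0, 6), (10, 13), (50, 13), (120, 13), (130, 165)]

if __name__ == "__main__":
    # Permitted list configured first, then detection with quiet 100.
    print(replay("1 6 11 36 to 48", SIGHTINGS, quiet=100))
    # No permitted list: every channel, including in-use channel 6, raises an alarm.
    print(replay("", SIGHTINGS, quiet=100))
```

The second replay shows the condition the usage guidelines warn about: with an empty permitted list, traffic on every channel is treated as prohibited.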
random-mac-scan
Use random-mac-scan enable to configure WIPS to not trigger alarms for Apple terminals that use a random MAC address.
Use undo random-mac-scan enable to restore the default.
Syntax
random-mac-scan enable
undo random-mac-scan enable
Default
WIPS triggers alarms for Apple terminals that use a random MAC address.
Views
Attack detection policy view
Predefined user roles
network-admin
Examples
# Configure WIPS to not trigger alarms for Apple terminals that use a random MAC address.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] random-mac-scan enable
report-interval
Use report-interval to set the interval at which APs report information about detected devices.
Use undo report-interval to restore the default.
Syntax
report-interval interval
undo report-interval
Default
APs report information about detected devices every 30000 milliseconds.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
interval: Specifies the interval at which APs report information about detected devices, in the range of 1000 to 300000 milliseconds.
Examples
# Set the interval at which APs report information about detected devices to 10000 milliseconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] report-interval 10000
reset wips embedded-oui
Use reset wips embedded-oui to delete all embedded OUIs in the OUI library.
Syntax
reset wips embedded-oui
Views
User view
Predefined user roles
network-admin
Examples
# Delete all embedded OUIs in the OUI library.
<Sysname> reset wips embedded-oui
Related commands
export oui
import oui
reset wips statistics
Use reset wips statistics to clear WLAN attack detection statistics collected from all sensors.
Syntax
reset wips statistics
Views
User view
Predefined user roles
network-admin
Examples
# Clear WLAN attack detection statistics collected from all sensors.
<Sysname> reset wips statistics
Related commands
display wips statistics receive
reset wips virtual-security-domain
Use reset wips virtual-security-domain to clear AP or client entries in a VSD.
Syntax
reset wips virtual-security-domain vsd-name device { ap { all | mac-address mac-address } | client { all | mac-address mac-address } | all }
Views
User view
Predefined user roles
network-admin
Parameters
vsd-name: Specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.
device: Specifies device entries.
ap: Specifies AP entries.
all: Specifies all AP entries.
mac-address mac-address: Specifies an AP by its MAC address.
client: Specifies client entries.
all: Specifies all client entries.
mac-address mac-address: Specifies a client by its MAC address.
all: Specifies all AP and client entries.
Examples
# Clear all AP and client entries in VSD aaa.
<Sysname> reset wips virtual-security-domain aaa device all
Related commands
display wips virtual-security-domain device
reset wips virtual-security-domain countermeasure record
Use reset wips virtual-security-domain countermeasure record to clear information about countermeasures that WIPS has taken against rogue devices.
Syntax
reset wips virtual-security-domain vsd-name countermeasure record
Views
User view
Predefined user roles
network-admin
Parameters
vsd-name: Specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.
Examples
# Clear information about countermeasures that WIPS has taken against rogue devices for VSD aaa.
<Sysname> reset wips virtual-security-domain aaa countermeasure record
Related commands
display wips virtual-security-domain countermeasure record
reset wlan nat-detect
Use reset wlan nat-detect to clear information about clients with NAT configured.
Syntax
reset wlan nat-detect
Views
User view
Predefined user roles
network-admin
network-operator
Examples
# Clear information about clients with NAT configured.
<Sysname> reset wlan nat-detect
Related commands
display wlan nat-detect
rssi-change-threshold
Use rssi-change-threshold to set the RSSI difference threshold for wireless device detection.
Use undo rssi-change-threshold to restore the default.
Syntax
rssi-change-threshold threshold-value
undo rssi-change-threshold
Default
The RSSI difference threshold is 20 for wireless device detection.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
threshold-value: Specifies the RSSI difference threshold for wireless device detection, in the range of 1 to 100.
Examples
# Set the RSSI difference threshold to 80 for wireless device detection.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] rssi-change-threshold 80
rssi-threshold
Use rssi-threshold to set the RSSI threshold for clients or APs.
Use undo rssi-threshold to restore the default.
Syntax
rssi-threshold { ap ap-rssi-value | client client-rssi-value }
undo rssi-threshold { ap | client }
Default
No RSSI threshold is set for clients or APs.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
ap ap-rssi-value: Specifies the RSSI threshold for APs, in the range of 1 to 100.
client client-rssi-value: Specifies the RSSI threshold for clients, in the range of 1 to 100.
Examples
# Set the RSSI threshold for APs to 80.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] rssi-threshold ap 80
rssi
Use rssi to configure an AP classification rule to match APs by RSSI.
Use undo rssi to restore the default.
Syntax
rssi value1 [ to value2 ]
undo rssi
Default
An AP classification rule does not match APs by RSSI.
Views
AP classification rule view
Predefined user roles
network-admin
Parameters
value1 [ to value2 ]: Specifies a value range for the RSSI of APs. The value1 and value2 arguments specify the start value and end value for the value range, respectively. The value range is 0 to 100 for both the value1 and value2 arguments, and value2 cannot be smaller than value1.
Examples
# Configure AP classification rule 1 to match APs with an RSSI of 20 to 40.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] ap-classification rule 1
[Sysname-wips-cls-rule-1] rssi 20 to 40
security
Use security to configure an AP classification rule to match APs by security mode.
Use undo security to restore the default.
Syntax
security { equal | include } { clear | wep | wpa | wpa2 }
undo security
Default
No AP classification rule is configured to match APs by security mode.
Views
AP classification rule view
Predefined user roles
network-admin
Parameters
equal: Matches security modes equal to the specified security mode.
include: Matches security modes that include the specified security mode.
clear: Specifies the clear security mode.
wep: Specifies the WEP security mode.
wpa: Specifies the WPA security mode.
wpa2: Specifies the WPA2 security mode.
Examples
# Configure AP classification rule 1 to match APs that use the WEP security mode.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] ap-classification rule 1
[Sysname-wips-cls-rule-1] security equal wep
select sensor all
Use select sensor all to enable all sensors that detect an attacker to take countermeasures against the attacker.
Use undo select sensor all to remove the configuration.
Syntax
select sensor all
undo select sensor all
Default
Only the sensor that most recently detects an attacker takes countermeasures against the attacker.
Views
Countermeasure policy view
Predefined user roles
network-admin
Examples
# Enable all sensors that detect an attacker to take countermeasures against the attacker.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] countermeasure policy home
[Sysname-wips-ctm-home] select sensor all
seq-number
Use seq-number to configure a subsignature to match frames by sequence number.
Use undo seq-number to restore the default.
Syntax
seq-number seq-value1 [ to seq-value2 ]
undo seq-number
Default
No subsignature is configured to match frames by sequence number.
Views
Signature view
Predefined user roles
network-admin
Parameters
seq-value1 [ to seq-value2 ]: Specifies a value range for the sequence number of a frame. The seq-value1 and seq-value2 arguments specify the start value and end value for the value range, respectively. The value range is 0 to 4095 for both the seq-value1 and seq-value2 arguments, and seq-value2 cannot be smaller than seq-value1.
Examples
# Configure a subsignature to match frames with the sequence number 100.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] signature rule 1
[Sysname-wips-sig-rule-1] seq-number 100
Related commands
frame-type
match all (signature rule view)
mac-address
pattern
ssid (signature rule view)
ssid-length
signature policy
Use signature policy to create a signature policy and enter its view, or enter the view of an existing signature policy.
Use undo signature policy to remove a signature policy.
Syntax
signature policy policy-name
undo signature policy policy-name
Default
No signature policies exist.
Views
WIPS view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a signature policy name, a case-sensitive string of 1 to 63 characters.
Examples
# Create a signature policy named home and enter its view.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] signature policy home
signature rule
Use signature rule to create a signature and enter its view, or enter the view of an existing signature.
Use undo signature rule to remove a signature.
Syntax
signature rule rule-id
undo signature rule rule-id
Default
No signatures exist.
Views
WIPS view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a signature ID in the range of 1 to 65535.
Examples
# Create signature 1 and enter its view.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] signature rule 1
soft-ap
Use soft-ap to configure soft AP detection.
Use undo soft-ap to disable soft AP detection.
Syntax
soft-ap [ convert-time time-value ]
undo soft-ap
Default
Soft AP detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
convert-time time-value: Specifies the interval at which a soft AP switches between its role of client and AP. The value range for the time-value argument is 5 to 600 seconds, and the default is 10 seconds.
Examples
# Enable soft AP detection and set the time-value argument to 100 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] soft-ap convert-time 100
ssid (AP classification rule view)
Use ssid to configure an AP classification rule to match APs by SSID.
Use undo ssid to restore the default.
Syntax
ssid [ case-sensitive ] [ not ] { equal | include } ssid-string
undo ssid
Default
An AP classification rule does not match APs by SSID.
Views
AP classification rule view
Predefined user roles
network-admin
Parameters
case-sensitive: Specifies that SSID matching is case sensitive.
not: Matches SSIDs that are not equal to or do not include the specified SSID.
equal: Matches SSIDs equal to the specified SSID.
include: Matches SSIDs that include the specified SSID.
ssid-string: Specifies an SSID, a case-sensitive string of 1 to 32 characters.
Examples
# Configure AP classification rule 1 to match APs using SSID abc.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] ap-classification rule 1
[Sysname-wips-cls-rule-1] ssid equal abc
ssid (signature view)
Use ssid to configure a subsignature to match frames by SSID.
Use undo ssid to restore the default.
Syntax
ssid [ case-sensitive ] [ not ] { equal | include } string
undo ssid
Default
No subsignature is configured to match frames by SSID.
Views
Signature view
Predefined user roles
network-admin
Parameters
case-sensitive: Specifies that SSID matching is case sensitive.
not: Matches SSIDs that are not equal to or do not include the specified SSID.
equal: Matches SSIDs equal to the specified SSID.
include: Matches SSIDs that include the specified SSID.
string: Specifies an SSID, a case-sensitive string of 1 to 32 characters.
Examples
# Configure a subsignature to match frames with SSID office for signature 1.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] signature rule 1
[Sysname-wips-sig-rule-1] ssid equal office
Related commands
frame-type
match all (signature rule view)
mac-address
pattern
seq-number
ssid-length
ssid-length
Use ssid-length to configure a subsignature to match frames by SSID length.
Use undo ssid-length to restore the default.
Syntax
ssid-length length-value1 [ to length-value2 ]
undo ssid-length
Default
No subsignature is configured to match frames by SSID length.
Views
Signature view
Predefined user roles
network-admin
Parameters
length-value1 [ to length-value2 ]: Specifies the value range for the SSID length. The length-value1 and length-value2 arguments specify the start value and end value for the value range, respectively. The value range is 1 to 32 for both the length-value1 and length-value2 arguments, and length-value2 cannot be smaller than length-value1.
Examples
# Configure a subsignature to match frames in which the SSID length is 10.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] signature rule 1
[Sysname-wips-sig-rule-1] ssid-length 10
Related commands
frame-type
match all (signature rule view)
mac-address
pattern
seq-number
ssid (signature rule view)
trust mac-address
Use trust mac-address to add the MAC address of an AP or client to the permitted device list.
Use undo trust mac-address to remove one or all MAC addresses from the permitted device list.
Syntax
trust mac-address mac-address
undo trust mac-address { mac-address | all }
Default
No MAC addresses exist in the permitted device list.
Views
Classification policy view
Predefined user roles
network-admin
Parameters
mac-address: Specifies a MAC address.
all: Specifies all MAC addresses.
Examples
# Add MAC address 78AC-C0AF-944F to the permitted device list.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] classification policy home
[Sysname-wips-cls-home] trust mac-address 78AC-C0AF-944F
trust oui
Use trust oui to add an OUI to the trusted OUI list.
Use undo trust oui to remove one or all OUIs from the trusted OUI list.
Syntax
trust oui oui
undo trust oui { oui | all }
Default
No OUIs exist in the trusted OUI list.
Views
Classification policy view
Predefined user roles
network-admin
Parameters
oui: Specifies an OUI by its name, a case-insensitive string of 6 characters.
all: Specifies all OUIs.
Examples
# Add OUIs 000fe4 and 000fe5 to the trusted OUI list.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] classification policy home
[Sysname-wips-cls-home] trust oui 000fe4
[Sysname-wips-cls-home] trust oui 000fe5
trust ssid
Use trust ssid to add an SSID to the trusted SSID list.
Use undo trust ssid to remove one or all SSIDs from the trusted SSID list.
Syntax
trust ssid ssid-name
undo trust ssid { ssid-name | all }
Default
No SSIDs exist in the trusted SSID list.
Views
Classification policy view
Predefined user roles
network-admin
Parameters
ssid-name: Specifies an SSID by its name, a case-sensitive string of 1 to 32 characters.
all: Specifies all SSIDs.
Examples
# Add SSID flood1 to the trusted SSID list.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] classification policy home
[Sysname-wips-cls-home] trust ssid flood1
unencrypted-authorized-ap
Use unencrypted-authorized-ap to configure unencrypted authorized AP detection.
Use undo unencrypted-authorized-ap to disable unencrypted authorized AP detection.
Syntax
unencrypted-authorized-ap [ quiet quiet-value ]
undo unencrypted-authorized-ap
Default
Unencrypted authorized AP detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting an unencrypted authorized AP. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an unencrypted authorized AP within the quiet time.
Examples
# Enable unencrypted authorized AP detection and set the quiet time to 10 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] unencrypted-authorized-ap quiet 10
unencrypted-trust-client
Use unencrypted-trust-client to configure unencrypted authorized client detection.
Use undo unencrypted-trust-client to disable unencrypted authorized client detection.
Syntax
unencrypted-trust-client [ quiet quiet-value ]
undo unencrypted-trust-client
Default
Unencrypted authorized client detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting an unencrypted authorized client. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an unencrypted authorized client within the quiet time.
Examples
# Enable unencrypted authorized client detection and set the quiet time to 10 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] unencrypted-trust-client quiet 10
up-duration
Use up-duration to configure an AP classification rule to match APs by running time.
Use undo up-duration to restore the default.
Syntax
up-duration value1 [ to value2 ]
undo up-duration
Default
An AP classification rule does not match APs by running time.
Views
AP classification rule view
Predefined user roles
network-admin
Parameters
value1 [ to value2 ]: Specifies the value range for the running time of APs. The value1 and value2 arguments specify the start value and end value for the value range, respectively. The value range is 0 to 2592000 seconds for both the value1 and value2 arguments, and value2 must be greater than value1.
Examples
# Configure AP classification rule 1 to match APs with a running time of 2000 to 40000 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] ap-classification rule 1
[Sysname-wips-cls-rule-1] up-duration 2000 to 40000
virtual-security-domain
Use virtual-security-domain to create a VSD and enter its view, or enter the view of an existing VSD.
Use undo virtual-security-domain to remove a VSD.
Syntax
virtual-security-domain vsd-name
undo virtual-security-domain vsd-name
Default
No VSDs exist.
Views
WIPS view
Predefined user roles
network-admin
Parameters
vsd-name: Specifies a VSD name, a case-sensitive string of 1 to 63 characters.
Examples
# Create VSD office and enter its view.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] virtual-security-domain office
[Sysname-wips-vsd-office]
weak-iv
Use weak-iv to configure weak IV detection.
Use undo weak-iv to disable weak IV detection.
Syntax
weak-iv [ quiet quiet-value ]
undo weak-iv
Default
Weak IV detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a weak IV. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a weak IV within the quiet time.
Examples
# Enable weak IV detection.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] weak-iv
windows-bridge
Use windows-bridge to configure Windows bridge detection.
Use undo windows-bridge to disable Windows bridge detection.
Syntax
windows-bridge [ quiet quiet-value ]
undo windows-bridge
Default
Windows bridge detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a Windows bridge. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a Windows bridge within the quiet time.
Examples
# Enable Windows bridge detection and set the quiet time to 360 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] windows-bridge quiet 360
wips (system view)
Use wips to enter WIPS view.
Use undo wips to clear all configurations in WIPS view.
Syntax
wips
undo wips
Default
No WIPS view is configured.
Views
System view
Predefined user roles
network-admin
Examples
# Enter WIPS view.
<Sysname> system-view
[Sysname] wips
[Sysname-wips]
wips (radio view)
Use wips enable to enable WIPS.
Use wips disable to disable WIPS.
Use undo wips to restore the default.
Syntax
wips { disable | enable }
undo wips
Default
In radio view, a radio uses the configuration in an AP group's radio view.
In an AP group's radio view, WIPS is disabled.
Views
Radio view
AP group's radio view
Predefined user roles
network-admin
Examples
# Enable WIPS for radio 1 of AP ap1.
<Sysname> system-view
[Sysname] wlan ap ap1 model WA4320i-AGN
[Sysname-wlan-ap-ap1] radio 1
[Sysname-wlan-ap-ap1-radio-1] wips enable
# Enable WIPS for radio 1 of APs with model WA4320i-ACN in AP group apgroup1.
<Sysname> system-view
[Sysname] wlan ap-group apgroup1
[Sysname-wlan-ap-group-apgroup1] ap-model WA4320i-ACN
[Sysname-wlan-ap-group-apgroup1-ap-model-WA4320i-ACN] radio 1
[Sysname-wlan-ap-group-apgroup1-ap-model-WA4320i-ACN-radio-1] wips enable
wips virtual-security-domain
Use wips virtual-security-domain to add an AP to a VSD.
Use undo wips virtual-security-domain to remove an AP from the VSD.
Syntax
wips virtual-security-domain vsd-name
undo wips virtual-security-domain
Default
In AP view, an AP uses the configuration in AP group view.
In AP group view, an AP group is not added to any VSD.
Views
AP view
AP group view
Predefined user roles
network-admin
Parameters
vsd-name: Specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.
Examples
# Add AP ap1 to VSD office.
<Sysname> system-view
[Sysname] wlan ap ap1 model WA4320i-AGN
[Sysname-wlan-ap-ap1] wips virtual-security-domain office
# Add AP group apgroup1 to VSD office.
<Sysname> system-view
[Sysname] wlan ap-group apgroup1
[Sysname-wlan-ap-group-apgroup1] wips virtual-security-domain office
wireless-bridge
Use wireless-bridge to configure wireless bridge detection.
Use undo wireless-bridge to disable wireless bridge detection.
Syntax
wireless-bridge [ quiet quiet-value ]
undo wireless-bridge
Default
Wireless bridge detection is disabled.
Views
Attack detection policy view
Predefined user roles
network-admin
Parameters
quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a wireless bridge. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a wireless bridge within the quiet time.
Examples
# Enable wireless bridge detection and set the quiet time to 100 seconds.
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] wireless-bridge quiet 100
wlan nat-detect
Use wlan nat-detect enable to enable detection on clients with NAT configured.
Use wlan nat-detect disable to disable detection on clients with NAT configured.
Use undo wlan nat-detect to restore the default.
Syntax
wlan nat-detect { disable | enable }
undo wlan nat-detect
Default
In AP view, an AP uses the configuration in AP group view.
In AP group view, detection on clients with NAT configured is disabled.
Views
AP view
AP group view
Predefined user roles
network-admin
Usage guidelines
The device generates an alarm when it detects a client configured with NAT. To view information about detected NAT-configured clients, use the display wlan nat-detect command.
Examples
# Enable detection on clients with NAT configured for AP ap1.
<Sysname> system-view
[Sysname] wlan ap ap1 model WA4320i-ACN
[Sysname-wlan-ap-ap1] wlan nat-detect enable
# Enable detection on clients with NAT configured for APs in AP group aaa.
<Sysname> system-view
[Sysname] wlan ap-group aaa
[Sysname-wlan-ap-group-aaa] wlan nat-detect enable
wlan nat-detect countermeasure
Use wlan nat-detect countermeasure to enable WIPS to take countermeasures against clients with NAT configured.
Use undo wlan nat-detect countermeasure to stop WIPS from taking countermeasures against clients with NAT configured.
Syntax
wlan nat-detect countermeasure
undo wlan nat-detect countermeasure
Default
In AP view, an AP uses the configuration in AP group view.
In AP group view, WIPS does not take countermeasures against clients with NAT configured.
Views
AP view
AP group view
Predefined user roles
network-admin
Usage guidelines
WIPS generates an alarm when a client with NAT configured is detected. After you configure this command, the AC adds the detected client with NAT configured to the blacklist to prevent the client from accessing the WLAN.
Examples
# Enable AP ap1 to take countermeasures against clients with NAT configured.
<Sysname> system-view
[Sysname] wlan ap ap1 model WA4320i-ACN
[Sysname-wlan-ap-ap1] wlan nat-detect countermeasure
# Enable APs in AP group aaa to take countermeasures against clients with NAT configured.
<Sysname> system-view
[Sysname] wlan ap-group aaa
[Sysname-wlan-ap-group-aaa] wlan nat-detect countermeasure