1 WLAN IDS Configuration Commands
WLAN Rogue AP Configuration Commands
WLAN Frame Filtering Configuration Commands
- The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.
- Support of the H3C WA series WLAN access points (APs) for commands may vary by AP model. For more information, see Feature Matrix.
- The interface types and the number of interfaces vary by AP model.
WLAN Rogue AP Configuration Commands
attack-detection enable
Syntax
attack-detection enable { all | flood | weak-iv | spoof }
undo attack-detection enable
View
WLAN IDS view
Default Level
2: System level
Parameters
all: Enables detection of all kinds of attacks.
flood: Enables detection of flood attacks.
spoof: Enables detection of spoof attacks.
weak-iv: Enables weak-IV detection.
Description
Use the attack-detection enable command to enable the WIDS-IPS detection of various DoS attacks.
Use the undo attack-detection enable command to restore the default.
By default, no WIDS-IPS detection is enabled.
Examples
# Enable spoof attack detection.
<Sysname> system-view
[Sysname] wlan ids
[Sysname-wlan-ids] attack-detection enable spoof
display wlan ids history
Syntax
display wlan ids history
View
Any view
Default Level
1: Monitor level
Parameters
None
Description
Use the display wlan ids history command to display the history of attacks detected in the WLAN system. It supports a maximum of 512 entries.
Examples
# Display the history of attacks.
<Sysname> display wlan ids history
Total Number of Entries: 5
Flags:
act = Action Frame asr = Association Request
aur = Authentication Request daf = Deauthentication Frame
dar = Disassociation Request ndf = Null Data Frame
pbr = Probe Request rar = Reassociation Request
saf = Spoofed Disassociation Frame
sdf = Spoofed Deauthentication Frame
wiv = Weak IV Detected
AT - Attack Type, Ch - Channel Number, AR - Average RSSI
WIDS History Table
----------------------------------------------------------------------
MAC Address AT Ch AR Detected Time AP
----------------------------------------------------------------------
0027-E699-CA71 asr 8 44 2007-06-12/19:47:54 ap12
0015-E9A4-D7F4 wiv 8 45 2007-06-12/19:45:28 ap48
0027-E699-CA71 asr 8 20 2007-06-12/19:18:17 ap12
003d-B5A6-539F pbr 8 43 2007-06-12/19:10:48 ap56
0015-E9A4-D7F4 wiv 8 50 2007-06-12/19:01:28 ap48
----------------------------------------------------------------------
Table 1-1 display wlan ids history command output description
Field | Description |
---|---|
MAC-Address | In case of spoof attacks, this field provides the BSSID which was spoofed. In case of other attacks, this field provides the MAC address of the device which initiated the attack. |
AT | Type of attack |
Ch | Channel in which the attack was detected |
AR | Average RSSI of the attack frames |
Detected time | Time at which this attack was detected |
AP | Name of the AP that detected this attack |
display wlan ids statistics
Syntax
display wlan ids statistics
View
Any view
Default Level
2: System level
Parameters
None
Description
Use the display wlan ids statistics command to display the count of attacks detected.
Examples
# Display WLAN IDS statistics.
<Sysname> display wlan ids statistics
Current attack tracking since: 2007-06-21/12:46:33
----------------------------------------------------------------------
Type Current Total
----------------------------------------------------------------------
Probe Request Frame Flood Attack 2 7
Authentication Request Frame Flood Attack 0 0
Deauthentication Frame Flood Attack 0 0
Association Request Frame Flood Attack 1 1
Disassociation Request Frame Flood Attack 4 8
Reassociation Request Frame Flood Attack 0 0
Action Frame Flood Attack 0 0
Null Data Frame Flood Attack 0 0
Weak IVs Detected 12 21
Spoofed Deauthentication Frame Attack 0 0
Spoofed Disassociation Frame Attack 0 2
----------------------------------------------------------------------
Table 1-2 display wlan ids statistics command output description
Field | Description |
---|---|
current | This field provides the count of attacks detected since the time specified by the current attack tracking time (specified in the field “Current attack tracking since:”). The current attack tracking time starts at system startup and is refreshed every hour thereafter. |
total | This field provides the total count of the attacks detected since the system startup. |
Probe Request Frame Flood Attack | Number of probe request frame flood attacks detected |
Authentication Request Frame Flood Attack | Number of authentication request frame flood attacks detected |
Deauthentication Frame Flood Attack | Number of deauthentication frame flood attacks detected |
Association Request Frame Flood Attack | Number of association request frame flood attacks detected |
Disassociation Request Frame Flood Attack | Number of disassociation request frame flood attacks detected |
Reassociation Request Frame Flood Attack | Number of reassociation request frame flood attacks detected |
Action Frame Flood Attack | Number of action frame flood attacks detected |
Null Data Frame Flood Attack | Number of null data frame flood attacks detected |
Weak IVs Detected | Number of weak IVs detected |
Spoofed Deauthentication Frame Attack | Number of spoofed deauthentication frame attacks detected |
Spoofed Disassociation Frame Attack | Number of spoofed disassociation frame attacks detected |
wlan ids
Syntax
wlan ids
View
System view
Default Level
2: System level
Parameters
None
Description
Use the wlan ids command to enter WLAN IDS view.
Examples
# Enter WLAN IDS view.
<Sysname> system-view
[Sysname] wlan ids
[Sysname-wlan-ids]
reset wlan ids history
Syntax
reset wlan ids history
View
User view
Default Level
2: System level
Parameters
None
Description
Use the reset wlan ids history command to clear the history information of attacks detected in the WLAN.
After this command is executed, all the history information regarding attacks will be cleared, and the history table will be empty.
Examples
# Clear all history information of attacks.
<Sysname> reset wlan ids history
reset wlan ids statistics
Syntax
reset wlan ids statistics
View
User view
Default Level
2: System level
Parameters
None
Description
Use the reset wlan ids statistics command to clear the statistics of attacks detected in the WLAN system.
This command will clear both the “current” and “total” of all attack types in the WLAN IDS statistics table.
Examples
# Clear WLAN IDS statistics.
<Sysname> reset wlan ids statistics
WLAN Frame Filtering Configuration Commands
display wlan blacklist
Syntax
display wlan blacklist { static | dynamic }
View
Any view
Default Level
1: System level
Parameters
static: Displays only statically configured blacklist entries.
dynamic: Displays all dynamically inserted blacklist entries.
Description
Use the display wlan blacklist command to display the statically or dynamically configured blacklist entries.
Examples
# Display the information of static-blacklist.
<Sysname> display wlan blacklist static
Total Number of Entries: 3
Static Blacklist
--------------------------------------------------------------------------
MAC-Address
--------------------------------------------------------------------------
0014-6c8a-43ff
0016-6F9D-61F3
0019-5B79-F04A
--------------------------------------------------------------------------
Table 1-3 display wlan blacklist static command output description.
Field | Description |
---|---|
MAC-Address | MAC address of the client inserted into the static blacklist |
# Display the information of dynamic blacklist.
<Sysname> display wlan blacklist dynamic
Total Number of Entries: 3
Dynamic Blacklist
----------------------------------------------------------------------
MAC-Address Lifetime(s) Last Updated Since(hh:mm:ss) Reason
----------------------------------------------------------------------
000f-e2cc-0001 60 00:02:11 Assoc-Flood
000f-e2cc-0002 60 00:01:17 Deauth-Flood
000f-e2cc-0003 60 00:02:08 Auth-Flood
Table 1-4 display wlan blacklist dynamic command output description.
Field | Description |
---|---|
MAC-Address | MAC address of the device inserted into dynamic-blacklist |
Lifetime(s) | Lifetime of the corresponding entry in dynamic-blacklist (in seconds) |
Last Updated Since(hh:mm:ss) | Time elapsed since the entry was last updated |
Reason | Reason why the entry is added into dynamic-blacklist |
display wlan whitelist
Syntax
display wlan whitelist
View
Any view
Default Level
2: System level
Parameters
None
Description
Use the display wlan whitelist command to display the configured whitelist entries.
Examples
# Display the information of whitelist.
<Sysname> display wlan whitelist
Total Number of Entries: 6
Whitelist
--------------------------------------------------------------------------
MAC-Address
--------------------------------------------------------------------------
0000-0000-000A
0000-0000-0066
0000-0000-00AA
0000-0000-00EE
0400-0000-0000
0400-0000-00EE
--------------------------------------------------------------------------
Table 1-5 display wlan whitelist command output description.
Field | Description |
---|---|
MAC-Address | MAC address of the client inserted into the whitelist. |
dynamic-blacklist enable
Syntax
dynamic-blacklist enable
undo dynamic-blacklist enable
View
WLAN IDS view
Default Level
2: System level
Parameters
enable: Enables the dynamic blacklist feature.
Description
Use the dynamic-blacklist enable command to enable the dynamic-blacklist feature, which prevents unwanted clients from associating.
Use the undo dynamic-blacklist enable command to disable the dynamic-blacklist feature.
By default, the dynamic-blacklist feature is disabled.
Examples
# Enable the dynamic-blacklist feature.
<Sysname> system-view
[Sysname] wlan ids
[Sysname-wlan-ids] dynamic-blacklist enable
dynamic-blacklist lifetime
Syntax
dynamic-blacklist lifetime lifetime
undo dynamic-blacklist lifetime
View
WLAN IDS view
Default Level
2: System level
Parameters
lifetime: Interval in seconds after which an entry should be removed from dynamic-blacklist table. The value ranges from 60 to 3600 seconds.
Description
Use the dynamic-blacklist lifetime command to set the lifetime, in seconds, of an entry in the dynamic-blacklist table.
Use the undo dynamic-blacklist lifetime command to restore the default value.
By default, the ageing duration is 300 seconds.
After this time interval expires, the device entry is removed from the dynamic-blacklist table if the device is not detected.
Examples
# Specify the dynamic-blacklist lifetime as 1200 seconds.
<Sysname> system-view
[Sysname] wlan ids
[Sysname-wlan-ids] dynamic-blacklist lifetime 1200
reset wlan dynamic-blacklist
Syntax
reset wlan dynamic-blacklist { mac-address mac-address | all }
View
User view
Default Level
2: System level
Parameters
mac-address: MAC address of the client which should be deleted from the dynamic-blacklist.
all: Specifies to delete all the entries from dynamic-blacklist.
Description
Use the reset wlan dynamic-blacklist command to remove the client with the specified MAC address, or all clients, from the dynamic blacklist.
The maximum number of entries in the list is 128.
Examples
# Remove a client with mac-address aabb-cccc-dddd from the dynamic-blacklist.
<Sysname> reset wlan dynamic-blacklist mac-address aabb-cccc-dddd
static-blacklist mac-address
Syntax
static-blacklist mac-address mac-address
undo static-blacklist { mac-address mac-address | all }
View
WLAN IDS view
Default Level
2: System level
Parameters
mac-address: MAC address of the client which should be added to or deleted from the static-blacklist.
all: Specifies to delete all the entries from the static-blacklist.
Description
Use the static-blacklist mac-address command to add the specified MAC address to the static-blacklist.
Use the undo static-blacklist command to remove the client with the specified MAC address, or all clients, from the static-blacklist.
The maximum number of entries in the list is 64.
Examples
# Add a client with mac-address aabb-cccc-dddd to the static-blacklist.
<Sysname> system-view
[Sysname] wlan ids
[Sysname-wlan-ids] static-blacklist mac-address aabb-cccc-dddd
whitelist mac-address
Syntax
whitelist mac-address mac-address
undo whitelist { mac-address mac-address | all }
View
WLAN IDS view
Default Level
2: System level
Parameters
mac-address: MAC address of the client which should be added to or deleted from the whitelist.
all: Specifies to delete all the entries from whitelist.
Description
Use the whitelist mac-address command to add a client with the specified MAC address to the whitelist.
Use the undo whitelist command to remove the client with the specified MAC address, or all clients, from the whitelist.
The maximum number of entries in the list is 256.
Examples
# Add a client with mac-address aabb-cccc-dddd to the white list.
<Sysname> system-view
[Sysname] wlan ids
[Sysname-wlan-ids] whitelist mac-address aabb-cccc-dddd
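An added example, not part of the H3C documentation: a Python helper that normalizes MAC addresses to the xxxx-xxxx-xxxx form used in the examples above, checks a planned whitelist and static blacklist against the limits stated in this reference (256 and 64 entries, lifetime 60 to 3600 seconds), and returns the command lines to enter. Rejecting a MAC address that appears in both lists is a policy choice of this example, not documented device behaviour; the function names are hypothetical.

```python
import re

# Limits stated in this command reference.
STATIC_BLACKLIST_MAX = 64
WHITELIST_MAX = 256
LIFETIME_MIN, LIFETIME_MAX = 60, 3600  # seconds

def to_h3c_mac(mac):
    """Normalize aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))

def build_commands(whitelist=(), static_blacklist=(), lifetime=None):
    """Validate the plan and return the CLI lines to enter, in order."""
    white = sorted({to_h3c_mac(m) for m in whitelist})
    black = sorted({to_h3c_mac(m) for m in static_blacklist})
    if len(white) > WHITELIST_MAX:
        raise ValueError(f"whitelist holds at most {WHITELIST_MAX} entries")
    if len(black) > STATIC_BLACKLIST_MAX:
        raise ValueError(f"static blacklist holds at most {STATIC_BLACKLIST_MAX} entries")
    overlap = set(white) & set(black)
    if overlap:  # policy of this example, not documented device behaviour
        raise ValueError(f"listed as both allowed and blocked: {sorted(overlap)}")
    cmds = ["system-view", "wlan ids"]
    cmds += [f"whitelist mac-address {m}" for m in white]
    cmds += [f"static-blacklist mac-address {m}" for m in black]
    if lifetime is not None:
        if not LIFETIME_MIN <= lifetime <= LIFETIME_MAX:
            raise ValueError("lifetime must be 60 to 3600 seconds")
        cmds += ["dynamic-blacklist enable", f"dynamic-blacklist lifetime {lifetime}"]
    return cmds

if __name__ == "__main__":
    # Constructed sample input.
    for line in build_commands(["AA:BB:CC:CC:DD:DD"], ["0014.6c8a.43ff"], 1200):
        print(line)
```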