11-WLAN IPS Commands
WIPS commands
Support for the commands in this chapter depends on the device model. For more information, see About the H3C Access Controllers Command References.
action
Use action to specify the action that WIPS takes when the number of matching times for a signature reaches the detect threshold.
Syntax
action { none | report event-level level-value }
Default
The action for a user-defined signature is none, the action for a system-defined signature is report, and the alarm level depends on the signature.
Views
SIG view
Default command level
2: System level
Parameters
none: Configures WIPS to not take any action when the number of matching times for a signature reaches the detect-threshold within the statistics collection period.
report: Configures WIPS to generate signature alarms when the number of matching times for a signature reaches the detect-threshold within the statistics collection period.
event-level level-value: Sets the alarm level for a signature in the range of 0 to 7. A smaller value represents a higher precedence.
Usage guidelines
To modify the action for a signature that has been bound to a signature policy, remove the binding first.
If you configure an action multiple times, the most recent configuration overwrites the previous configuration.
You cannot modify the action for a system-defined signature, but you can modify the alarm level for that signature.
Examples
# Specify that WIPS generates signature alarms with level 6 when the number of matching times for the signature office reaches the detect-threshold.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] signature office
[Sysname-wlan-ips-sig-office] action report event-level 6
ados enable
Use ados enable to enable the anti-denial-of-service function.
Use undo ados enable to disable the anti-denial-of-service function.
Syntax
ados enable
undo ados enable
Default
The anti-denial-of-service function is disabled.
Views
WIPS view
Default command level
2: System level
Examples
# Enable the anti-denial-of-service function.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] ados enable
ap-classification-rule (virtual security domain view)
Use ap-classification-rule to add an AP classification rule to the current virtual security domain.
Use undo ap-classification-rule to remove the specified AP classification rule from the current virtual security domain.
Syntax
ap-classification-rule rule-name [ precedence number ]
undo ap-classification-rule { rule-name }
Default
No AP classification rule exists in a virtual security domain.
Views
Virtual security domain view
Default command level
2: System level
Parameters
rule-name: Specifies an AP classification rule by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
precedence number: Specifies the matching precedence for an AP classification rule, in the range of 0 to 15.
Usage guidelines
If you specify the precedence for a new AP classification rule, the rule uses the specified precedence. If you do not specify a precedence, the rule uses the default precedence 0. AP classification rules are matched in the order of precedence from high to low. Rules with the same precedence are matched in the order in which they are configured.
Examples
# Add an AP classification rule to the virtual security domain office, and specify its precedence as 15.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] virtual-security-domain office
[Sysname-wlan-ips-vsd-office] ap-classification-rule external-ap precedence 15
ap-classification-rule (WIPS view)
Use ap-classification-rule to create an AP classification rule and enter AP classification rule view. For an existing AP classification rule, this command enters the corresponding AP classification rule view.
Use undo ap-classification-rule to remove the specified AP classification rule.
Syntax
ap-classification-rule rule-name
undo ap-classification-rule rule-name
Default
No AP classification rule exists.
Views
WIPS view
Default command level
2: System level
Parameters
rule-name: Specifies an AP classification rule by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
Examples
# Create an AP classification rule named invalid_ap.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] ap-classification-rule invalid_ap
[Sysname-wlan-ips-class-invalid_ap]
attack-detect-policy (virtual security domain view)
Use attack-detect-policy to configure an attack detection policy for the current virtual security domain.
Use undo attack-detect-policy to restore the default attack detection policy.
Syntax
attack-detect-policy policy-name
undo attack-detect-policy
Default
A virtual security domain uses the attack detection policy named default.
Views
Virtual security domain view
Default command level
2: System level
Parameters
policy-name: Specifies an attack detection policy by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
Examples
# Configure the virtual security domain office to use the attack detection policy office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] virtual-security-domain office
[Sysname-wlan-ips-vsd-office] attack-detect-policy office
attack-detect-policy (WIPS view)
Use attack-detect-policy to create an attack detection policy and enter attack detection policy view. For an existing attack detection policy, this command directly enters the corresponding attack detection policy view.
Use undo attack-detect-policy to remove the specified attack detection policy.
Syntax
attack-detect-policy policy-name
undo attack-detect-policy policy-name
Default
An attack detection policy named default exists in the system. You cannot create or delete the default attack detection policy.
Views
WIPS view
Default command level
2: System level
Parameters
policy-name: Specifies an attack detection policy by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
Examples
# Create an attack detection policy named office and enter attack detection policy view.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office]
blocklist-action block
Use blocklist-action block to block wireless devices in the prohibited device list from accessing the WLAN.
Use undo blocklist-action block to allow wireless devices in the prohibited device list to access the WLAN.
Syntax
blocklist-action block
undo blocklist-action block
Default
Wireless devices in the prohibited device list are allowed to access the WLAN.
Views
WIPS view
Default command level
2: System level
Parameters
None
Usage guidelines
The blocklist-action block command takes effect only in a WIPS-compatible networking environment and does not take effect in an independent WIPS networking environment.
Examples
# Block wireless devices in the prohibited device list from accessing the WLAN.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] blocklist-action block
classify-type
Use classify-type to specify the type of the AP that matches a specified AP classification rule.
Use undo classify-type to remove the specified AP type.
Syntax
classify-type { authorized-ap | external-ap | misconfigured-ap | rogue-ap }
undo classify-type
Default
No AP type is specified for an AP that matches an AP classification rule.
Views
AP classification rule view
Default command level
2: System level
Parameters
authorized-ap: Specifies an authorized AP.
external-ap: Specifies an external AP.
misconfigured-ap: Specifies a misconfigured AP.
rogue-ap: Specifies a rogue AP.
Usage guidelines
You do not have to set the type of the AP that matches an AP classification rule. If you do not set the AP type but specify the severity level in the AP classification rule, the severity level takes effect.
Examples
# Specify the type of the AP that matches the invalid_ap classification rule as rogue-ap.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] ap-classification-rule invalid_ap
[Sysname-wlan-ips-class-invalid_ap] classify-type rogue-ap
countermeasure external-ap
Use countermeasure external-ap to take countermeasures against external APs.
Use undo countermeasure external-ap to restore the default.
Syntax
countermeasure external-ap [ precedence number ]
undo countermeasure external-ap
Default
No countermeasures are taken against external APs.
Views
Countermeasures policy view
Default command level
2: System level
Parameters
precedence number: Specifies the precedence for taking countermeasures against external APs, in the range of 0 to 9. The default is 1.
Examples
# Use countermeasures policy office to take countermeasures against external APs.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] countermeasure-policy office
[Sysname-wlan-ips-cmep-office] countermeasure external-ap
countermeasure fixed-channel
Use countermeasure fixed-channel enable to enable the sensor to take countermeasures against wireless devices on a fixed channel.
Use undo countermeasure fixed-channel enable to restore the default.
Syntax
countermeasure fixed-channel enable
undo countermeasure fixed-channel enable
Default
No countermeasures are taken against wireless devices on a fixed channel.
Views
Countermeasures policy view
Default command level
2: System level
Usage guidelines
This function enables a sensor to continually take countermeasures on a fixed channel where the target wireless devices are operating if other countermeasures are not effective.
The sensor stops scanning on other channels when it is taking countermeasures on a fixed channel.
Examples
# Use the countermeasures policy office to enable the sensor to take countermeasures on a fixed channel.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] countermeasure-policy office
[Sysname-wlan-ips-cmep-office] countermeasure fixed-channel enable
countermeasure misassociation-client
Use countermeasure misassociation-client to take countermeasures against misassociated clients.
Use undo countermeasure misassociation-client to restore the default.
Syntax
countermeasure misassociation-client [ precedence number ]
undo countermeasure misassociation-client
Default
No countermeasures are taken against misassociated clients.
Views
Countermeasures policy view
Default command level
2: System level
Parameters
precedence number: Specifies the precedence for taking countermeasures against misassociated clients, in the range of 0 to 9. The default is 6.
Examples
# Use countermeasures policy office to take countermeasures against misassociated clients.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] countermeasure-policy office
[Sysname-wlan-ips-cmep-office] countermeasure misassociation-client
countermeasure misconfigured-ap
Use countermeasure misconfigured-ap to take countermeasures against misconfigured APs.
Use undo countermeasure misconfigured-ap to restore the default.
Syntax
countermeasure misconfigured-ap [ precedence number ]
undo countermeasure misconfigured-ap
Default
No countermeasures are taken against misconfigured APs.
Views
Countermeasures policy view
Default command level
2: System level
Parameters
precedence number: Specifies the precedence for taking countermeasures against misconfigured APs, in the range of 0 to 9. The default is 3.
Examples
# Use countermeasures policy office to take countermeasures against misconfigured APs.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] countermeasure-policy office
[Sysname-wlan-ips-cmep-office] countermeasure misconfigured-ap
countermeasure potential-authorized-ap
Use countermeasure potential-authorized-ap to take countermeasures against potential-authorized APs.
Use undo countermeasure potential-authorized-ap to restore the default.
Syntax
countermeasure potential-authorized-ap [ precedence number ]
undo countermeasure potential-authorized-ap
Default
No countermeasures are taken against potential-authorized APs.
Views
Countermeasures policy view
Default command level
2: System level
Parameters
precedence number: Specifies the precedence for taking countermeasures against potential-authorized APs, in the range of 0 to 9. The default is 0.
Examples
# Use countermeasures policy office to take countermeasures against potential-authorized APs.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] countermeasure-policy office
[Sysname-wlan-ips-cmep-office] countermeasure potential-authorized-ap
countermeasure potential-external-ap
Use countermeasure potential-external-ap to take countermeasures against potential-external APs.
Use undo countermeasure potential-external-ap to restore the default.
Syntax
countermeasure potential-external-ap [ precedence number ]
undo countermeasure potential-external-ap
Default
No countermeasures are taken against potential-external APs.
Views
Countermeasures policy view
Default command level
2: System level
Parameters
precedence number: Specifies the precedence for taking countermeasures against potential-external APs, in the range of 0 to 9. The default is 2.
Examples
# Use countermeasures policy office to take countermeasures against potential-external APs.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] countermeasure-policy office
[Sysname-wlan-ips-cmep-office] countermeasure potential-external-ap
countermeasure potential-rogue-ap
Use countermeasure potential-rogue-ap to take countermeasures against potential-rogue APs.
Use undo countermeasure potential-rogue-ap to restore the default.
Syntax
countermeasure potential-rogue-ap [ precedence number ]
undo countermeasure potential-rogue-ap
Default
No countermeasures are taken against potential-rogue APs.
Views
Countermeasures policy view
Default command level
2: System level
Parameters
precedence number: Specifies the precedence for taking countermeasures against potential-rogue APs, in the range of 0 to 9. The default is 7.
Examples
# Use countermeasures policy office to take countermeasures against potential-rogue APs.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] countermeasure-policy office
[Sysname-wlan-ips-cmep-office] countermeasure potential-rogue-ap
countermeasure rogue-ap
Use countermeasure rogue-ap to take countermeasures against rogue APs.
Use undo countermeasure rogue-ap to restore the default.
Syntax
countermeasure rogue-ap [ precedence number ]
undo countermeasure rogue-ap
Default
No countermeasures are taken against rogue APs.
Views
Countermeasures policy view
Default command level
2: System level
Parameters
precedence number: Specifies the precedence for taking countermeasures against rogue APs, in the range of 0 to 9. The default is 9.
Examples
# Use countermeasures policy office to take countermeasures against rogue APs.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] countermeasure-policy office
[Sysname-wlan-ips-cmep-office] countermeasure rogue-ap
countermeasure static (countermeasures policy view)
Use countermeasure static to add the MAC address of a specific wireless device to the static countermeasures address list.
Use undo countermeasure static to remove all wireless devices or a wireless device with a specific MAC address from the static countermeasures address list.
Syntax
countermeasure static mac-address
undo countermeasure static { mac-address | all }
Default
No countermeasures are taken on wireless devices.
Views
Countermeasures policy view
Default command level
2: System level
Parameters
mac-address: Specifies the MAC address of the wireless device to be added to or removed from the static countermeasures address list.
all: Removes all entries from the static countermeasures list.
Usage guidelines
Only virtual security domains where a countermeasures policy is applied take countermeasures against the wireless devices in the static countermeasures list defined by the policy.
The precedence of the wireless devices in the static countermeasures list is 10.
Examples
# Add MAC address 1234-5678-90ab to the static countermeasures address list defined by the countermeasures policy office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] countermeasure-policy office
[Sysname-wlan-ips-cmep-office] countermeasure static 1234-5678-90ab
countermeasure static (WIPS view)
Use countermeasure static to add the MAC address of a specific wireless device to the static countermeasures address list.
Use undo countermeasure static to remove all wireless devices or a wireless device with a specific MAC address from the static countermeasures address list.
Syntax
countermeasure static mac-address
undo countermeasure static { mac-address | all }
Default
No countermeasures are taken on wireless devices.
Views
WIPS view
Default command level
2: System level
Parameters
mac-address: Specifies the MAC address of the wireless device to be added to or removed from the static countermeasures address list.
all: Removes all entries from the static countermeasures list.
Usage guidelines
All virtual security domains will take countermeasures against the wireless devices that are added to the countermeasures list in WIPS view.
Examples
# Add MAC address 0016-6f9d-612e to the static countermeasures address list.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] countermeasure static 0016-6f9d-612e
countermeasure unauthorized-client
Use countermeasure unauthorized-client to take countermeasures against unauthorized clients.
Use undo countermeasure unauthorized-client to restore the default.
Syntax
countermeasure unauthorized-client [ precedence number ]
undo countermeasure unauthorized-client
Default
No countermeasures are taken against unauthorized clients.
Views
Countermeasures policy view
Default command level
2: System level
Parameters
precedence number: Specifies the precedence for taking countermeasures against unauthorized clients, in the range of 0 to 9. The default is 8.
Examples
# Use countermeasures policy office to take countermeasures against unauthorized clients.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] countermeasure-policy office
[Sysname-wlan-ips-cmep-office] countermeasure unauthorized-client
countermeasure uncategorized-ap
Use countermeasure uncategorized-ap to take countermeasures against uncategorized APs.
Use undo countermeasure uncategorized-ap to restore the default.
Syntax
countermeasure uncategorized-ap [ precedence number ]
undo countermeasure uncategorized-ap
Default
No countermeasures are taken against uncategorized APs.
Views
Countermeasures policy view
Default command level
2: System level
Parameters
precedence number: Specifies the precedence for taking countermeasures against uncategorized APs, in the range of 0 to 9. The default is 5.
Examples
# Use countermeasures policy office to take countermeasures against uncategorized APs.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] countermeasure-policy office
[Sysname-wlan-ips-cmep-office] countermeasure uncategorized-ap
countermeasure uncategorized-client
Use countermeasure uncategorized-client to take countermeasures against uncategorized clients.
Use undo countermeasure uncategorized-client to restore the default.
Syntax
countermeasure uncategorized-client [ precedence number ]
undo countermeasure uncategorized-client
Default
No countermeasures are taken against uncategorized clients.
Views
Countermeasures policy view
Default command level
2: System level
Parameters
precedence number: Specifies the precedence for taking countermeasures against uncategorized clients, in the range of 0 to 9. The default is 4.
Examples
# Use countermeasures policy office to take countermeasures against uncategorized clients.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] countermeasure-policy office
[Sysname-wlan-ips-cmep-office] countermeasure uncategorized-client
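The default precedences listed for the countermeasure categories above can be checked against a saved countermeasures policy. The following Python audit is an added example, not H3C code: the sample policy text is constructed from the command syntax on this page, and sorting larger precedence values first is an assumption suggested by the static list's fixed value of 10.

```python
import re

# Default precedence of each countermeasure category, as listed on this page.
DEFAULT_PRECEDENCE = {
    "potential-authorized-ap": 0, "external-ap": 1, "potential-external-ap": 2,
    "misconfigured-ap": 3, "uncategorized-client": 4, "uncategorized-ap": 5,
    "misassociation-client": 6, "potential-rogue-ap": 7,
    "unauthorized-client": 8, "rogue-ap": 9,
}
STATIC_PRECEDENCE = 10  # fixed precedence of static-list devices (per this page)
MAC_RE = re.compile(r"[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2}")

# Constructed sample, written from the syntax on this page (not device output).
SAMPLE_POLICY = """\
countermeasure-policy office
 countermeasure rogue-ap
 countermeasure unauthorized-client precedence 9
 countermeasure external-ap
 countermeasure misconfigured-ap precedence 12
 countermeasure static 1234-5678-90ab
 countermeasure static 0016-6f9d
 countermeasure fixed-channel enable
"""


def audit_policy(text):
    """Return (order, entries, findings) for one countermeasures policy.

    entries maps each accepted target to its effective precedence,
    order lists targets with the largest precedence first (assumption),
    findings is a list of (line_number, message); line 0 means policy-wide.
    """
    entries, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if len(tok) < 2 or tok[0] != "countermeasure":
            continue  # policy header or unrelated line
        target, rest = tok[1], tok[2:]
        if target == "fixed-channel":
            if rest == ["enable"]:
                findings.append((lineno, "fixed-channel enabled: the sensor stops "
                                 "scanning other channels while countering"))
            continue
        if target == "static":
            mac = rest[0] if rest else ""
            if MAC_RE.fullmatch(mac):
                entries["static " + mac.lower()] = STATIC_PRECEDENCE
            else:
                findings.append((lineno, f"static entry has malformed MAC {mac!r}"))
            continue
        if target not in DEFAULT_PRECEDENCE:
            findings.append((lineno, f"unknown countermeasure category {target!r}"))
            continue
        prec = DEFAULT_PRECEDENCE[target]  # used when no precedence is given
        if rest:
            if len(rest) != 2 or rest[0] != "precedence" or not rest[1].isdigit():
                findings.append((lineno, f"{target}: malformed precedence clause"))
                continue
            prec = int(rest[1])
            if not 0 <= prec <= 9:
                findings.append((lineno, f"{target}: precedence {prec} outside 0-9"))
                continue
        entries[target] = prec

    # Categories sharing one precedence leave their relative order undefined.
    by_prec = {}
    for target, prec in entries.items():
        if not target.startswith("static "):
            by_prec.setdefault(prec, []).append(target)
    for prec, targets in sorted(by_prec.items()):
        if len(targets) > 1:
            findings.append((0, f"precedence {prec} shared by "
                             + ", ".join(sorted(targets))))

    order = sorted(entries, key=lambda t: (-entries[t], t))
    return order, entries, findings


if __name__ == "__main__":
    order, entries, findings = audit_policy(SAMPLE_POLICY)
    for target in order:
        print(f"{entries[target]:>2}  {target}")
    for lineno, message in findings:
        print(f"line {lineno}: {message}")
```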
countermeasure-policy (virtual security domain view)
Use countermeasure-policy to configure a countermeasures policy for a virtual security domain.
Use undo countermeasure-policy to restore the default countermeasures policy for the virtual security domain.
Syntax
countermeasure-policy policy-name
undo countermeasure-policy
Default
The default countermeasures policy is applied to a virtual security domain.
Views
Virtual security domain view
Default command level
2: System level
Parameters
policy-name: Specifies a countermeasures policy by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines (_).
Usage guidelines
Only one countermeasures policy can be applied to a virtual security domain.
Examples
# Specify countermeasures policy office for virtual security domain vsda.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] virtual-security-domain vsda
[Sysname-wlan-ips-vsd-vsda] countermeasure-policy office
countermeasure-policy (WIPS view)
Use countermeasure-policy to create a new countermeasures policy and enter countermeasures policy view, or directly enter countermeasures policy view if a countermeasures policy already exists.
Use undo countermeasure-policy to remove a countermeasures policy.
Syntax
countermeasure-policy policy-name
undo countermeasure-policy policy-name
Default
The default countermeasures policy exists. It cannot be created or removed.
Views
WIPS view
Default command level
2: System level
Parameters
policy-name: Specifies a countermeasures policy by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines (_).
Examples
# Create a countermeasures policy named office, and enter its view.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] countermeasure-policy office
detect access-flow-scan enable
Use detect access-flow-scan enable to enable WIPS for a hybrid sensor that provides access services.
Use undo detect access-flow-scan enable to restore the default.
Syntax
detect access-flow-scan enable
undo detect access-flow-scan enable
Default
WIPS is not enabled for a hybrid sensor that provides access services.
Views
WIPS view
Default command level
2: System level
Usage guidelines
When this command is enabled, WIPS detection and attack prevention capabilities are improved, but the access performance is decreased.
Examples
# Enable WIPS for a hybrid sensor that provides access services.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] detect access-flow-scan enable
detect adhoc-network
Use detect adhoc-network to enable Ad hoc network detection specified in the current attack detection policy.
Use undo detect adhoc-network to disable Ad hoc network detection specified in the current attack detection policy.
Syntax
detect adhoc-network
undo detect adhoc-network
Default
Ad hoc network detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Examples
# Enable Ad hoc network detection specified in the attack detection policy named office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect adhoc-network
detect admin-mac-scan
Use detect admin-mac-scan enable to enable random MAC address filtering.
Use undo detect admin-mac-scan enable to disable random MAC address filtering.
Syntax
detect admin-mac-scan enable
undo detect admin-mac-scan enable
Default
Random MAC address filtering is disabled.
Views
WIPS view
Default command level
2: System level
Examples
# Enable random MAC address filtering.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] detect admin-mac-scan enable
detect all
Use detect all to enable all detections, including Ad hoc network, AP MAC address spoofing, client MAC address spoofing, and invalid channel detections specified in the current attack detection policy.
Use undo detect all to disable all detections specified in the current attack detection policy.
Syntax
detect all
undo detect all
Default
All-detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Examples
# Enable all detections specified in the attack detection policy named office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect all
detect all action
Use detect all action { log | trap }* to configure a sensor to send a log or an alarm to the AC when it detects a malformed packet of any type specified in Table 1.
Use undo detect all action { log | trap }* to disable the function.
Syntax
detect all action { log | trap }*
undo detect all action { log | trap }*
Default
The sensor does not send a log or an alarm to the AC when it detects a malformed packet of specified types.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects a malformed packet. The log contains information about malformed packet contents, statistics, and so on.
trap: Configures the sensor to send an alarm to the AC when it detects a malformed packet.
Usage guidelines
Table 1 Malformed packet types
Field | Description |
---|---|
invalid-ie-length | Invalid IE length. |
duplicated-ie | Duplicate IE. |
redundant-ie | Redundant IE. |
invalid-pkt-length | Invalid packet length. |
illegal-ibss-ess | Abnormal IBSS or ESS setting. |
invalid-beacon-channel | Abnormal beacon channel. |
overflow-eapol-key | Oversized EAPOL key. |
malformed-auth | Malformed authentication frame. |
malformed-assoc-req | Malformed association request frame. |
malformed-ht-ie | Malformed HT IE. |
large-duration | Oversized duration. |
null-probe-resp | Null SSID for probe response frame. |
invalid-deauth-code | Invalid deauthentication reason code. |
invalid-disassoc-code | Invalid disassociation reason code. |
overflow-ssid | Oversized SSID. |
fata-jack | FATA Jack attack. FATA Jack is a kind of DoS attack. The attacker sends spoofed authentication frames to the AP. After receiving the spoofed frames, the AP sends disconnect frames to authorized users, so the authorized users are disconnected. |
invalid-source-address | Invalid source address. |
Invalid-channel | Invalid channel ID. |
Examples
# Configure the sensor to send a log and an alarm to the AC when it detects a malformed packet of any type specified in the malformed packet detection policy normal.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect all action log trap
detect ap-flood
Use detect ap-flood to enable AP flooding detection specified in the current attack detection policy.
Use undo detect ap-flood to disable AP flooding detection specified in the current attack detection policy.
Syntax
detect ap-flood [ quiet-time time-value ]
undo detect ap-flood
Default
Detection on AP flooding is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
time-value: Specifies the quiet time after AP flooding is detected and an alarm is generated, in the range of 5 to 604800 seconds. The default is 600 seconds.
Examples
# Enable AP flooding detection specified in the attack detection policy named office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect ap-flood
detect ap-impersonation
Use detect ap-impersonation to enable AP impersonation attack detection specified in the current attack detection policy.
Use undo detect ap-impersonation to disable AP impersonation attack detection specified in the current attack detection policy.
Syntax
detect ap-impersonation [ quiet-time time-value | beacon-inc-threshold beacon-inc-threshold-value | beacon-inc-wait-time beacon-inc-wait-time-value ]*
undo detect ap-impersonation
Default
AP impersonation attack detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
quiet-time time-value: Specifies the quiet time after an alarm is generated for detecting an AP impersonation attack, in the range of 5 to 604800 seconds. The default is 600 seconds.
beacon-inc-threshold beacon-inc-threshold-value: Specifies the threshold for beacon frame transmission rate increase in percentage. WIPS generates an alarm when the threshold is reached. The value range for the beacon-inc-threshold-value argument is 1 to 100, and the default is 30.
beacon-inc-wait-time beacon-inc-wait-time-value: Specifies the time to wait after a suspicious AP impersonator is detected, in the range of 0 to 360000 seconds. The default is 10 seconds. WIPS generates an alarm if the number of beacon frames is increasing within the time period.
Examples
# Enable AP impersonation attack detection specified in the attack detection policy named office, and specify the beacon-inc-threshold-value, beacon-inc-wait-time-value, and time-value as 10, 20, and 30, respectively.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect ap-impersonation beacon-inc-threshold 10 beacon-inc-wait-time 20 quiet-time 30
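How the three parameters interact can be modelled offline before they are tuned on a sensor. This Python model is an added example, not H3C's detection logic: it assumes an alarm is raised once the beacon rate stays at or above the threshold for the whole wait time, and the beacon-rate samples and the `baseline_rate` argument are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class ImpersonationParams:
    """Parameters of detect ap-impersonation, with the defaults from this page."""
    beacon_inc_threshold: int = 30   # percent increase in beacon rate
    beacon_inc_wait_time: int = 10   # seconds to keep watching a suspect
    quiet_time: int = 600            # seconds without repeat alarms

    def range_errors(self):
        """Check each value against the range documented on this page."""
        checks = [
            ("beacon-inc-threshold", self.beacon_inc_threshold, 1, 100),
            ("beacon-inc-wait-time", self.beacon_inc_wait_time, 0, 360000),
            ("quiet-time", self.quiet_time, 5, 604800),
        ]
        return [f"{name} {value} outside {lo}-{hi}"
                for name, value, lo, hi in checks if not lo <= value <= hi]


def alarm_times(samples, baseline_rate, params):
    """Return the timestamps at which the modelled detector would alarm.

    samples: (time_in_seconds, beacons_per_second) pairs for one BSSID.
    baseline_rate: the rate expected from the legitimate AP (assumed known).
    """
    if baseline_rate <= 0:
        raise ValueError("baseline_rate must be positive")
    alarms, suspect_since, quiet_until = [], None, None
    for t, rate in samples:
        increase_pct = (rate - baseline_rate) * 100.0 / baseline_rate
        if increase_pct < params.beacon_inc_threshold:
            suspect_since = None          # rate fell back: drop the suspicion
            continue
        if suspect_since is None:
            suspect_since = t             # first sample at/above the threshold
        waited = t - suspect_since >= params.beacon_inc_wait_time
        quiet = quiet_until is not None and t < quiet_until
        if waited and not quiet:
            alarms.append(t)
            quiet_until = t + params.quiet_time
    return alarms


def constructed_samples():
    """Constructed data: one sample every 5 s for a BSSID beaconing at 10/s.

    A single 14/s blip occurs at t=20; from t=60 to t=235 a second
    transmitter using the same BSSID doubles the observed rate to 20/s.
    """
    samples = []
    for t in range(0, 300, 5):
        rate = 10.0
        if t == 20:
            rate = 14.0
        if 60 <= t < 240:
            rate = 20.0
        samples.append((t, rate))
    return samples


if __name__ == "__main__":
    data = constructed_samples()
    for label, p in [("page defaults", ImpersonationParams()),
                     ("page example (10, 20, 30)", ImpersonationParams(10, 20, 30)),
                     ("no wait time", ImpersonationParams(30, 0, 600))]:
        print(label, p.range_errors(), alarm_times(data, 10.0, p))
```

In this model the page's example values raise six alarms for one sustained event, while a wait time of 0 spends the quiet time on the blip at t=20 and stays silent during the sustained event.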
detect ap-spoofing
Use detect ap-spoofing to enable AP MAC address spoofing detection specified in the current attack detection policy.
Use undo detect ap-spoofing to disable AP MAC address spoofing detection specified in the current attack detection policy.
Syntax
detect ap-spoofing [ quiet-time time-value ]
undo detect ap-spoofing
Default
AP MAC address spoofing detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
time-value: Specifies the quiet time when AP MAC spoofing is detected and an alarm is generated, in the range of 5 to 604800 seconds. The default is 600 seconds.
Examples
# Enable AP spoofing detection specified in the attack detection policy named office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect ap-spoofing
detect client-spoofing
Use detect client-spoofing to enable client MAC address spoofing detection specified in the current attack detection policy.
Use undo detect client-spoofing to disable client MAC address spoofing detection specified in the current attack detection policy.
Syntax
detect client-spoofing [ quiet-time time-value ]
undo detect client-spoofing
Default
Client MAC address spoofing detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
time-value: Specifies the quiet time when client MAC spoofing is detected and an alarm is generated, in the range of 5 to 604800 seconds. The default is 600 seconds.
Examples
# Enable client spoofing detection specified in the attack detection policy named office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect client-spoofing
detect deauth-spoofing
Use detect deauth-spoofing to enable spoofed deauthentication frame detection specified in the current attack detection policy.
Use undo detect deauth-spoofing to disable spoofed deauthentication frame detection specified in the current attack detection policy.
Syntax
detect deauth-spoofing
undo detect deauth-spoofing
Default
Spoofed deauthentication frame detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Examples
# Enable spoofed deauthentication frame detection specified in the attack detection policy named office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-1] detect deauth-spoofing
detect dos-association
Use detect dos-association to enable association DoS attack detection specified in the current attack detection policy.
Use undo detect dos-association to disable association DoS attack detection specified in the current attack detection policy.
Syntax
detect dos-association [ quiet-time time-value ]
undo detect dos-association
Default
Association DoS attack detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
time-value: Specifies the quiet time when association DoS attack is detected and an alarm is generated, in the range of 5 to 604800 seconds. The default is 600 seconds.
Examples
# Enable association DoS attack detection specified in the attack detection policy named office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect dos-association
detect dos-authentication
Use detect dos-authentication to enable authentication DoS attack detection specified in the current attack detection policy.
Use undo detect dos-authentication to disable authentication DoS attack detection specified in the current attack detection policy.
Syntax
detect dos-authentication [ quiet-time time-value ]
undo detect dos-authentication
Default
Authentication DoS attack detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
time-value: Specifies the quiet time when authentication DoS attack is detected and an alarm is generated, in the range of 5 to 604800 seconds. The default is 600 seconds.
Examples
# Enable authentication DoS attack detection specified in the attack detection policy named office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect dos-authentication
detect dos-eapol-start
Use detect dos-eapol-start to enable EAPOL-Start DoS attack detection specified in the current attack detection policy.
Use undo detect dos-eapol-start to disable EAPOL-Start DoS attack detection specified in the current attack detection policy.
Syntax
detect dos-eapol-start [ quiet-time time-value ]
undo detect dos-eapol-start
Default
EAPOL-Start DoS attack detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
time-value: Specifies the quiet time when EAPOL-Start DoS attack is detected and an alarm is generated, in the range of 5 to 604800 seconds. The default is 600 seconds.
Examples
# Enable EAPOL-Start DoS attack detection specified in the attack detection policy named office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect dos-eapol-start
detect dos-reassociation
Use detect dos-reassociation to enable reassociation DoS attack detection specified in the current attack detection policy.
Use undo detect dos-reassociation to disable reassociation DoS attack detection specified in the current attack detection policy.
Syntax
detect dos-reassociation [ quiet-time time-value ]
undo detect dos-reassociation
Default
Reassociation DoS attack detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
time-value: Specifies the quiet time when reassociation DoS attack is detected and an alarm is generated, in the range of 5 to 604800 seconds. The default is 600 seconds.
Examples
# Enable reassociation DoS attack detection specified in the attack detection policy named office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect dos-reassociation
detect duplicated-ie action
Use detect duplicated-ie action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects a duplicate IE.
Use undo detect duplicated-ie action { log | trap }* to disable the function.
Syntax
detect duplicated-ie action { log | trap }*
undo detect duplicated-ie action { log | trap }*
Default
The sensor does not send a log or an alarm to the AC when it detects a duplicate IE.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects a duplicate IE.
trap: Configures the sensor to send an alarm to the AC when it detects a duplicate IE.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects a duplicate IE.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect duplicated-ie action log trap
detect fata-jack action
Use detect fata-jack action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects a FATA Jack attack.
Use undo detect fata-jack action { log | trap }* to disable the function.
Syntax
detect fata-jack action { log | trap }*
undo detect fata-jack action { log | trap }*
Default
The sensor does not send a log or an alarm to the AC when it detects a FATA Jack attack.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects a FATA Jack attack.
trap: Configures the sensor to send an alarm to the AC when it detects a FATA Jack attack.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects a FATA Jack attack.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect fata-jack action log trap
detect honeypot-ap
Use detect honeypot-ap to enable honeypot AP detection specified in the current attack detection policy.
Use undo detect honeypot-ap to disable honeypot AP detection specified in the current attack detection policy.
Syntax
detect honeypot-ap [ quiet-time time-value | similarity similarity-value ]* [ action classify rogue ]
undo detect honeypot-ap
Default
Honeypot AP detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
quiet-time time-value: Specifies the quiet time after an alarm is generated for detecting a honeypot AP, in the range of 5 to 604800 seconds. The default is 600 seconds.
similarity similarity-value: Specifies the similarity threshold that triggers a honeypot AP alarm, in the range of 70 to 100 in percentage. The default value is 90%. An AP is determined as a honeypot AP if the similarity between the SSID of the AP and the SSID of a legitimate AP reaches the threshold.
action classify rogue: Classifies the detected attackers as rogue APs or unauthorized clients.
Examples
# Enable honeypot AP detection specified in the attack detection policy named office. Set the similarity threshold and quiet time to 80% and 900 seconds, respectively, and classify the detected attackers as rogue APs or unauthorized clients.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-1] detect honeypot-ap similarity 80 quiet-time 900 action classify rogue
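The effect of the similarity threshold can be seen offline with the added example below, which is not part of the vendor documentation. The reference does not say how WIPS computes SSID similarity, so the normalized edit-distance metric, the BSSID allowlist, and all sample SSIDs and BSSIDs here are assumptions.

```python
"""Illustrative SSID-similarity check for honeypot AP triage.

Assumptions (not from the command reference): similarity is computed as a
normalized Levenshtein distance, and legitimate APs are known by BSSID.
"""


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def ssid_similarity(a: str, b: str) -> float:
    """Similarity in percent: 100 means identical SSIDs."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 100.0
    return 100 * (longest - levenshtein(a, b)) / longest


def find_honeypots(observed, legit_ssids, legit_bssids, similarity=90):
    """Return (bssid, ssid, matched_ssid, percent) for suspicious APs.

    `similarity` mirrors the documented range (70 to 100) and default (90).
    """
    if not 70 <= similarity <= 100:
        raise ValueError("similarity must be in the range 70 to 100")
    known = {b.lower() for b in legit_bssids}
    hits = []
    for bssid, ssid in observed:
        if bssid.lower() in known:
            continue  # our own AP advertising its own SSID
        score, match = max(((ssid_similarity(ssid, l), l) for l in legit_ssids),
                           default=(0.0, None))
        if score >= similarity:
            hits.append((bssid, ssid, match, round(score, 1)))
    return hits


# Constructed sample data (locally administered MAC addresses).
LEGIT_SSIDS = ["Corp-WiFi"]
LEGIT_BSSIDS = {"02:00:00:00:00:01"}
OBSERVED = [
    ("02:00:00:00:00:01", "Corp-WiFi"),        # legitimate AP
    ("02:00:00:00:00:aa", "Corp-WiFi"),        # exact copy, unknown BSSID
    ("02:00:00:00:00:bb", "Corp-Wifi"),        # one character changed
    ("02:00:00:00:00:cc", "Corp-WiFi-Guest"),  # longer look-alike
    ("02:00:00:00:00:dd", "CoffeeShop"),       # unrelated neighbour
]

if __name__ == "__main__":
    for threshold in (90, 80):
        print(threshold, find_honeypots(OBSERVED, LEGIT_SSIDS, LEGIT_BSSIDS, threshold))
```

With these samples, the default of 90 catches only the exact copy, while 80 also catches the one-character variant, at the cost of more alarms from unrelated neighbouring networks with similar names.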
detect hotspot-attack
Use detect hotspot-attack to enable hotspot attack detection specified in the current attack detection policy.
Use undo detect hotspot-attack to disable hotspot attack detection specified in the current attack detection policy.
Syntax
detect hotspot-attack [ action classify rogue ]
undo detect hotspot-attack
Default
Hotspot attack detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
action classify rogue: Classifies the detected attackers as rogue APs or unauthorized clients.
Examples
# Enable hotspot attack detection specified in the attack detection policy named office, and classify the detected attackers as rogue APs or unauthorized clients.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect hotspot-attack action classify rogue
detect ht-40mhz-intolerance
Use detect ht-40mhz-intolerance to enable detection on clients with the 40 MHz bandwidth mode disabled specified in the current attack detection policy.
Use undo detect ht-40mhz-intolerance to disable detection on clients with the 40 MHz bandwidth mode disabled specified in the current attack detection policy.
Syntax
detect ht-40mhz-intolerance [ quiet-time time-value ]
undo detect ht-40mhz-intolerance
Default
Detection on clients with the 40 MHz bandwidth mode disabled is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
quiet-time time-value: Specifies the quiet time after an alarm is generated for detecting a client with the 40 MHz bandwidth mode disabled, in the range of 5 to 604800 seconds. The default is 600 seconds.
Examples
# Enable detection on clients with the 40 MHz bandwidth mode disabled specified in the attack detection policy named office, and set the quiet time to 900 seconds.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-1] detect ht-40mhz-intolerance quiet-time 900
detect ht-greenfield
Use detect ht-greenfield to enable HT-greenfield AP detection specified in the current attack detection policy.
Use undo detect ht-greenfield to disable HT-greenfield AP detection specified in the current attack detection policy.
Syntax
detect ht-greenfield [ quiet-time time-value ]
undo detect ht-greenfield
Default
HT-greenfield AP detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
time-value: Specifies the quiet time after an alarm is generated for detecting an HT-greenfield AP, in the range of 5 to 604800 seconds. The default is 600 seconds.
Examples
# Enable HT-greenfield AP detection specified in the attack detection policy named office, and set the quiet time to 30 seconds.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-1] detect ht-greenfield quiet-time 30
detect illegal-ibss-ess action
Use detect illegal-ibss-ess action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects abnormal IBSS or ESS setting.
Use undo detect illegal-ibss-ess action { log | trap }* to disable the function.
Syntax
detect illegal-ibss-ess action { log | trap }*
undo detect illegal-ibss-ess action { log | trap }*
Default
The sensor does not send a log or an alarm to the AC when it detects abnormal IBSS or ESS setting.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects abnormal IBSS or ESS setting.
trap: Configures the sensor to send an alarm to the AC when it detects abnormal IBSS or ESS setting.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects abnormal IBSS or ESS setting.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect illegal-ibss-ess action log trap
detect invalid-channel action
Use detect invalid-channel action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects an invalid channel ID.
Use undo detect invalid-channel action { log | trap }* to disable the function.
Syntax
detect invalid-channel action { log | trap }*
undo detect invalid-channel action { log | trap }*
Default
The sensor does not send a log or an alarm to the AC when it detects an invalid channel ID.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects an invalid channel ID.
trap: Configures the sensor to send an alarm to the AC when it detects an invalid channel ID.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects an invalid channel ID.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect invalid-channel action log trap
detect invalid-deauth-code action
Use detect invalid-deauth-code action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects an invalid deauthentication reason code.
Use undo detect invalid-deauth-code action { log | trap }* to disable the function.
Syntax
detect invalid-deauth-code action { log | trap }*
undo detect invalid-deauth-code action { log | trap }*
Default
The sensor does not send a log or an alarm to the AC when it detects an invalid deauthentication reason code.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects an invalid deauthentication reason code.
trap: Configures the sensor to send an alarm to the AC when it detects an invalid deauthentication reason code.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects an invalid deauthentication reason code.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect invalid-deauth-code action log trap
detect invalid-disassoc-code action
Use detect invalid-disassoc-code action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects an invalid disassociation reason code.
Use undo detect invalid-disassoc-code action { log | trap }* to disable the function.
Syntax
detect invalid-disassoc-code action { log | trap }*
undo detect invalid-disassoc-code action { log | trap }*
Default
The sensor does not send a log or alarm to the AC when it detects an invalid disassociation reason code.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects an invalid disassociation reason code.
trap: Configures the sensor to send an alarm to the AC when it detects an invalid disassociation reason code.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects an invalid disassociation reason code.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect invalid-disassoc-code action log trap
detect invalid-ie-length action
Use detect invalid-ie-length action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects invalid IE length.
Use undo detect invalid-ie-length action { log | trap }* to disable the function.
Syntax
detect invalid-ie-length action { log | trap }*
undo detect invalid-ie-length action { log | trap }*
Default
The sensor does not send a log or alarm to the AC when it detects invalid IE length.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects invalid IE length.
trap: Configures the sensor to send an alarm to the AC when it detects invalid IE length.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects invalid IE length.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect invalid-ie-length action log trap
detect invalid-oui
Use detect invalid-oui to enable invalid OUI attack detection for an attack detection policy, and classify the detected devices.
Use undo detect invalid-oui to restore the default.
Syntax
detect invalid-oui [ action classify rogue ]
undo detect invalid-oui
Default
Invalid OUI attack detection is disabled in an attack detection policy.
Views
Attack detection policy view
Default command level
2: System level
Parameters
action classify rogue: Classifies detected APs as rogue APs, and detected clients as unauthorized clients.
Usage guidelines
Invalid OUIs are OUIs that do not exist in the OUI library in the WIPS system. The OUI library can be imported by using the import oui command.
Examples
# Enable invalid OUI attack detection specified in the attack detection policy office, and classify the detected devices as rogue devices.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect invalid-oui action classify rogue
detect invalid-pkt-length action
Use detect invalid-pkt-length action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects invalid packet length.
Use undo detect invalid-pkt-length action { log | trap }* to disable the function.
Syntax
detect invalid-pkt-length action { log | trap }*
undo detect invalid-pkt-length action { log | trap }*
Default
The sensor does not send a log or an alarm to the AC when it detects invalid packet length.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects invalid packet length.
trap: Configures the sensor to send an alarm to the AC when it detects invalid packet length.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects invalid packet length.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect invalid-pkt-length action log trap
detect invalid-source-address action
Use detect invalid-source-address action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects an authentication/association request frame with a multicast or broadcast source address.
Use undo detect invalid-source-address action { log | trap }* to disable the function.
Syntax
detect invalid-source-address action { log | trap }*
undo detect invalid-source-address action { log | trap }*
Default
The sensor does not send a log or alarm to the AC when it detects an authentication/association request frame with a multicast or broadcast source address.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects an authentication/association request frame with a broadcast or multicast source address.
trap: Configures the sensor to send an alarm to the AC when it detects an authentication/association request frame with a broadcast or multicast source address.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects an authentication/association request frame with a multicast or broadcast source address.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect invalid-source-address action log trap
detect large-duration action
Use detect large-duration threshold time to set the duration threshold.
Use undo detect large-duration threshold to restore the default.
Use detect large-duration action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects an oversized duration.
Use undo detect large-duration action { log | trap }* to disable the function.
Use detect large-duration threshold time action { log | trap }* to set the duration threshold, and configure the sensor to send a log, an alarm, or both to the AC when it detects a duration value higher than the threshold.
Syntax
detect large-duration { threshold time | action { log | trap }* }*
undo detect large-duration { threshold | action { log | trap }* }
Default
The sensor does not send a log or alarm to the AC when it detects an oversized duration.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
threshold time: Specifies the duration threshold for a malformed packet detection policy, in the range of 1 to 32767 microseconds. The default value is 5000 microseconds.
log: Configures the sensor to send a log to the AC when it detects an oversized duration.
trap: Configures the sensor to send an alarm to the AC when it detects an oversized duration.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects an oversized duration.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect large-duration action log trap
# Configure the duration threshold for the malformed packet detection policy normal as 2000 μs, and configure the sensor to send a log and an alarm to the AC when the duration exceeds 2000 μs.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect large-duration threshold 2000 action log trap
detect malformed-assoc-req action
Use detect malformed-assoc-req action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects a malformed association request frame.
Use undo detect malformed-assoc-req action { log | trap }* to disable the function.
Syntax
detect malformed-assoc-req action { log | trap }*
undo detect malformed-assoc-req action { log | trap }*
Default
The sensor does not send a log or an alarm to the AC when it detects a malformed association request frame.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects a malformed association request frame.
trap: Configures the sensor to send an alarm to the AC when it detects a malformed association request frame.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects a malformed association request frame.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect malformed-assoc-req action log trap
detect malformed-auth action
Use detect malformed-auth action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects a malformed authentication frame.
Use undo detect malformed-auth action { log | trap }* to disable the function.
Syntax
detect malformed-auth action { log | trap }*
undo detect malformed-auth action { log | trap }*
Default
The sensor does not send a log or an alarm to the AC when it detects a malformed authentication frame.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects a malformed authentication frame.
trap: Configures the sensor to send an alarm to the AC when it detects a malformed authentication frame.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects a malformed authentication frame.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect malformed-auth action log trap
detect malformed-ht-ie action
Use detect malformed-ht-ie action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects a malformed HT IE.
Use undo detect malformed-ht-ie action { log | trap }* to disable the function.
Syntax
detect malformed-ht-ie action { log | trap }*
undo detect malformed-ht-ie action { log | trap }*
Default
The sensor does not send a log or an alarm to the AC when it detects a malformed HT IE.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects a malformed HT IE.
trap: Configures the sensor to send an alarm to the AC when it detects a malformed HT IE.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects a malformed HT IE.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect malformed-ht-ie action log trap
detect null-probe-resp action
Use detect null-probe-resp action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects a probe response frame with a null SSID.
Use undo detect null-probe-resp action { log | trap }* to disable the function.
Syntax
detect null-probe-resp action { log | trap }*
undo detect null-probe-resp action { log | trap }*
Default
The sensor does not send a log or an alarm to the AC when it detects a probe response frame with a null SSID.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects a null SSID in the probe response frame.
trap: Configures the sensor to send an alarm to the AC when it detects a null SSID in the probe response frame.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects a probe response frame with a null SSID.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect null-probe-resp action log trap
detect overflow-eapol-key action
Use detect overflow-eapol-key action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects an EAPOL packet with an oversized key.
Use undo detect overflow-eapol-key action { log | trap }* to disable the function.
Syntax
detect overflow-eapol-key action { log | trap }*
undo detect overflow-eapol-key action { log | trap }*
Default
The sensor does not send a log or an alarm to the AC when it detects an EAPOL packet with an oversized key.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects an EAPOL packet with an oversized key.
trap: Configures the sensor to send an alarm to the AC when it detects an EAPOL packet with an oversized key.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects an EAPOL packet with an oversized key.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect overflow-eapol-key action log trap
detect overflow-ssid action
Use detect overflow-ssid action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects an oversized SSID.
Use undo detect overflow-ssid action { log | trap }* to disable the function.
Syntax
detect overflow-ssid action { log | trap }*
undo detect overflow-ssid action { log | trap }*
Default
The sensor does not send a log or an alarm to the AC when it detects an oversized SSID.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects an oversized SSID.
trap: Configures the sensor to send an alarm to the AC when it detects an oversized SSID.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects an oversized SSID.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect overflow-ssid action log trap
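To see what several of the malformed packet checks above look for at the frame level, the added example below (not vendor code) walks an 802.11 management frame and reports findings named after the corresponding detect ... action commands. The reference names these checks without defining them, so each condition here is an assumed interpretation; frames are assumed to have the FCS stripped, and all sample frames are constructed.

```python
"""Illustrative 802.11 management-frame sanity checks (assumed semantics)."""
import struct

# Fixed-field bytes that precede the information elements (IEs), by subtype:
# 0 = association request, 5 = probe response, 8 = beacon, 11 = authentication.
MGMT_FIXED_LEN = {0: 4, 5: 12, 8: 12, 11: 6}
ASSOC_REQ, PROBE_RESP, BEACON, AUTH = 0, 5, 8, 11
IE_SSID, IE_VENDOR = 0, 221
MAX_SSID_LEN = 32
DEFAULT_DURATION_THRESHOLD_US = 5000  # documented default for large-duration


def check_frame(frame: bytes, duration_threshold=DEFAULT_DURATION_THRESHOLD_US):
    """Return a sorted list of check names that the frame trips."""
    if len(frame) < 24:  # shorter than a management header
        return ["invalid-pkt-length"]
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in MGMT_FIXED_LEN:
        return []  # not a management subtype covered by this example
    findings = set()
    # Bit 15 clear means the field carries a duration in microseconds.
    if not duration & 0x8000 and duration > duration_threshold:
        findings.add("large-duration")
    # Group bit set in the source address: multicast or broadcast sender.
    if subtype in (ASSOC_REQ, AUTH) and frame[10] & 0x01:
        findings.add("invalid-source-address")
    pos = 24 + MGMT_FIXED_LEN[subtype]
    if len(frame) < pos:
        findings.add("invalid-pkt-length")
        return sorted(findings)
    seen = set()
    while pos < len(frame):
        # An IE is ID (1 byte), length (1 byte), then `length` bytes of data.
        if pos + 2 > len(frame) or pos + 2 + frame[pos + 1] > len(frame):
            findings.add("invalid-ie-length")  # IE runs past the frame end
            break
        eid, elen = frame[pos], frame[pos + 1]
        if eid != IE_VENDOR:  # vendor-specific IEs legitimately repeat
            if eid in seen:
                findings.add("duplicated-ie")
            seen.add(eid)
        if eid == IE_SSID:
            if elen > MAX_SSID_LEN:
                findings.add("overflow-ssid")
            if elen == 0 and subtype == PROBE_RESP:
                findings.add("null-probe-resp")
        pos += 2 + elen
    return sorted(findings)


def ie(eid: int, data: bytes) -> bytes:
    """Encode one information element."""
    return bytes([eid, len(data)]) + data


def build_mgmt(subtype: int, sa: bytes, ies: bytes, duration: int = 0) -> bytes:
    """Build a constructed management frame with zeroed fixed fields."""
    header = struct.pack("<HH", subtype << 4, duration)
    header += b"\xff" * 6 + sa + AP_MAC + b"\x00\x00"  # DA, SA, BSSID, seq
    return header + bytes(MGMT_FIXED_LEN[subtype]) + ies


# Constructed sample frames.
AP_MAC = bytes.fromhex("020000000001")
RATES = ie(1, bytes.fromhex("82848b960c121824"))
CLEAN = build_mgmt(PROBE_RESP, AP_MAC, ie(IE_SSID, b"office") + RATES)
NULL_SSID = build_mgmt(PROBE_RESP, AP_MAC, ie(IE_SSID, b"") + RATES)
BAD_BEACON = build_mgmt(BEACON, AP_MAC, ie(IE_SSID, b"A" * 33) + RATES + RATES)
BAD_ASSOC = build_mgmt(ASSOC_REQ, b"\xff" * 6, ie(IE_SSID, b"office") + RATES,
                       duration=20000)
TRUNCATED = build_mgmt(PROBE_RESP, AP_MAC, ie(IE_SSID, b"office") + RATES[:5])

if __name__ == "__main__":
    for name in ("CLEAN", "NULL_SSID", "BAD_BEACON", "BAD_ASSOC", "TRUNCATED"):
        print(name, check_frame(globals()[name]))
```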
detect prohibited-channel
Use detect prohibited-channel to enable prohibited channel detection specified in the current attack detection policy.
Use undo detect prohibited-channel to disable prohibited channel detection specified in the current attack detection policy.
Syntax
detect prohibited-channel [ action classify rogue ]
undo detect prohibited-channel
Default
Prohibited channel detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
action classify rogue: Classifies devices on a detected prohibited channel as rogue APs or unauthorized clients.
Usage guidelines
Use the detect prohibited-channel command in combination with the permit-channel command.
Examples
# Specify channels 1, 6, 11, 149, 153, and 157 as permitted channels and enable prohibited channel detection specified in the attack detection policy office. Classify devices on a detected prohibited channel as rogue APs or unauthorized clients.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] permit-channel 1 6 11 149 153 157
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect prohibited-channel action classify rogue
detect ps-attack
Use detect ps-attack to enable power saving attack detection specified in the current attack detection policy.
Use undo detect ps-attack to disable power saving attack detection specified in the current attack detection policy.
Syntax
detect ps-attack [ quiet-time quiet-time-value | threshold { minoffpacket minoffpacket-value | onoffpercent onoffpercent-value }* ]*
undo detect ps-attack
Default
Power saving attack detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
quiet-time quiet-time-value: Specifies the quiet time after an alarm is generated for detecting a power saving attack, in the range of 5 to 604800 seconds. The default is 600 seconds.
threshold: Specifies parameters for power saving attack detection.
minoffpacket minoffpacket-value: Specifies the minimum number of off packets a client in power saving mode sends within 10 seconds. The value range for the argument is 10 to 150, and the default is 50.
onoffpercent onoffpercent-value: Specifies the threshold for the ratio between the on packets and off packets a client in power saving mode sends. WIPS generates an alarm when the threshold is reached. The value range for this argument is 0 to 100, and the default is 80.
Examples
# Enable power saving attack detection specified in the attack detection policy named office, and specify the quiet-time-value, minoffpacket-value, and onoffpercent-value as 60, 60, and 90, respectively.
<sysname> system-view
[sysname] wlan ips
[sysname-wlan-ips] attack-detect-policy office
[sysname-wlan-ips-dctp-office] detect ps-attack quiet-time 60 threshold minoffpacket 60 onoffpercent 90
detect redundant-ie action
Use detect redundant-ie action { log | trap }* to configure the sensor to send a log, an alarm, or both to the AC when it detects a redundant IE.
Use undo detect redundant-ie action { log | trap }* to disable the function.
Syntax
detect redundant-ie action { log | trap }*
undo detect redundant-ie action { log | trap }*
Default
The sensor does not send a log or an alarm to the AC when it detects a redundant IE.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
log: Configures the sensor to send a log to the AC when it detects a redundant IE.
trap: Configures the sensor to send an alarm to the AC when it detects a redundant IE.
Examples
# In the malformed packet detection policy named normal, configure the sensor to send a log and an alarm to the AC when it detects a redundant IE.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy normal
[Sysname-wlan-ips-mdctp-normal] detect redundant-ie action log trap
detect scan-channel
Use detect scan-channel to add one or multiple channels to the channel scanning list.
Use undo detect scan-channel to restore the default.
Syntax
detect scan-channel channel-list
undo detect scan-channel { all | channel-list }
Default
No channels are added to the channel scanning list.
Views
WIPS view
Default command level
2: System level
Parameters
channel-list: Specifies a space-separated list of up to 10 channel items. Each item specifies a channel number or a channel number range. The value range for channel numbers is 1 to 196.
all: Specifies all channels in the channel scanning list.
Examples
# Add channels 1, 6, and 11 to the channel scanning list.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] detect scan-channel 1 6 11
detect soft-ap
Use detect soft-ap to enable soft AP detection specified in the current attack detection policy.
Use undo detect soft-ap to disable soft AP detection specified in the current attack detection policy.
Syntax
detect soft-ap [ convert-time convert-time-value ]*
undo detect soft-ap
Default
Soft AP detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
convert-time convert-time-value: Specifies the interval at which a soft AP switches between client and AP. The value range for this argument is 5 to 600 seconds, and the default is 10 seconds.
Examples
# Enable soft AP detection specified in the attack detection policy named office, and specify the convert-time-value as 20.
<sysname> system-view
[sysname] wlan ips
[sysname-wlan-ips] attack-detect-policy office
[sysname-wlan-ips-dctp-office] detect soft-ap convert-time 20
detect unencrypted-authorized-ap
Use detect unencrypted-authorized-ap to enable unencrypted authorized AP detection specified in the current attack detection policy.
Use undo detect unencrypted-authorized-ap to disable unencrypted authorized AP detection specified in the current attack detection policy.
Syntax
detect unencrypted-authorized-ap [ quiet-time quiet-time-value ]
undo detect unencrypted-authorized-ap
Default
Unencrypted authorized AP detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
quiet-time quiet-time-value: Specifies the quiet time after an alarm is generated for detecting an unencrypted authorized AP, in the range of 5 to 604800 seconds. The default is 600 seconds.
Examples
# Enable unencrypted authorized AP detection specified in the attack detection policy named office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect unencrypted-authorized-ap
detect unencrypted-trust-client
Use detect unencrypted-trust-client to enable unencrypted trust client detection specified in the current attack detection policy.
Use undo detect unencrypted-trust-client to disable unencrypted trust client detection specified in the current attack detection policy.
Syntax
detect unencrypted-trust-client [ quiet-time quiet-time-value ]
undo detect unencrypted-trust-client
Default
Unencrypted trust client detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
quiet-time quiet-time-value: Specifies the quiet time after an alarm is generated for detecting an unencrypted trust client, in the range of 5 to 604800 seconds. The default is 600 seconds.
Examples
# Enable unencrypted trust client detection specified in the attack detection policy named office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect unencrypted-trust-client
detect weak-iv
Use detect weak-iv to enable weak-IV detection for an attack detection policy.
Use undo detect weak-iv to restore the default.
Syntax
detect weak-iv [ quiet-time time-value ]
undo detect weak-iv
Default
Weak-IV detection is disabled in an attack detection policy.
Views
Attack detection policy view
Default command level
2: System level
Parameters
time-value: Specifies the quiet time after weak-IV is detected and an alarm is generated, in the range of 5 to 604800 seconds. The default is 600 seconds.
Examples
# Enable weak-IV detection for the attack detection policy office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect weak-iv quiet-time 10
detect windows-bridge
Use detect windows-bridge to enable Windows bridge detection specified in the current attack detection policy.
Use undo detect windows-bridge to disable Windows bridge detection specified in the current attack detection policy.
Syntax
detect windows-bridge
undo detect windows-bridge
Default
Windows bridge detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Examples
# Enable Windows bridge detection specified in the attack detection policy named office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect windows-bridge
detect wireless-bridge
Use detect wireless-bridge to enable wireless bridge detection specified in the current attack detection policy.
Use undo detect wireless-bridge to disable wireless bridge detection specified in the current attack detection policy.
Syntax
detect wireless-bridge [ quiet-time time-value ]
undo detect wireless-bridge
Default
Wireless bridge detection is disabled.
Views
Attack detection policy view
Default command level
2: System level
Parameters
quiet-time time-value: Specifies the quiet time after an alarm is generated for detecting a wireless bridge, in the range of 5 to 604800 seconds. The default is 600 seconds.
Examples
# Enable wireless bridge detection specified in the attack detection policy named office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] attack-detect-policy office
[Sysname-wlan-ips-dctp-office] detect wireless-bridge quiet-time 480
detect wireless-device disable
Use detect wireless-device disable to disable wireless device detection for WIPS.
Use undo detect wireless-device disable to enable wireless device detection for WIPS.
Syntax
detect wireless-device disable
undo detect wireless-device disable
Default
Wireless device detection for WIPS is enabled.
Views
WIPS view
Default command level
2: System level
Examples
# Disable wireless device detection for WIPS.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] detect wireless-device disable
detect-period
Use detect-period to configure the statistics collection period for a signature. With this command enabled, WIPS takes further actions according to the configuration of the action command when the number of matching times of a signature reaches the detection threshold configured with the detect-threshold command within this statistics collection period.
Use undo detect-period to restore the default.
Syntax
detect-period period-time
undo detect-period
Default
The statistics collection period for a user-defined signature is 60 seconds and that for a system-defined signature depends on the specific system-defined signature.
Views
SIG view
Default command level
2: System level
Parameters
period-time: Specifies the statistics collection period for a signature, in the range of 1 to 3600 seconds.
Usage guidelines
If you configure the statistics collection period for a signature multiple times, the most recent configuration overwrites the previous one.
To modify the statistics collection period for a signature that has been bound to a signature policy, remove the binding first.
Examples
# Configure the statistics collection period for the user-defined signature office as 500 seconds.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] signature office
[Sysname-wlan-ips-sig-office] detect-period 500
detect-threshold
Use detect-threshold to configure the maximum matching times for a signature within the specified statistics collection period. When the matching times reach this threshold, WIPS takes further actions according to the configuration of the action command.
Use undo detect-threshold to restore the default.
Syntax
detect-threshold { per-mac number | per-signature number }
undo detect-threshold { per-mac | per-signature }
Default
The maximum matching times for a user-defined signature is 1000 and that for a system-defined signature depends on the specific system-defined signature.
Views
SIG view
Default command level
2: System level
Parameters
per-mac number: Specifies the maximum matching times for a signature when the track-method in the signature is configured as per-mac. The value is in the range of 1 to 32000 times.
per-signature number: Specifies the maximum matching times for a signature when the track-method in the signature is configured as per-signature. The value is in the range of 1 to 32000 times.
Usage guidelines
If you configure the detect-threshold for a signature multiple times, the most recent configuration overwrites the previous one.
You cannot configure the maximum matching times for a signature if a track method does not exist.
To modify the detect-threshold for a signature that has been bound to a signature policy, remove the binding first.
Examples
# Configure the maximum matching times for the signature office as 6000 when the track-method is per-mac.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] signature office
[Sysname-wlan-ips-sig-office] detect-threshold per-mac 6000
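The following added example (not part of the original reference or of the device software) models how detect-period and detect-threshold interact under the two track methods. It assumes a sliding window and a counter reset after the threshold is reached; the class, function names, and MAC addresses are constructed for illustration.

```python
from collections import defaultdict, deque

PERIOD_RANGE = (1, 3600)       # detect-period range in seconds, from the reference
THRESHOLD_RANGE = (1, 32000)   # detect-threshold range, from the reference
TRACK_METHODS = ("per-mac", "per-signature")


class SignatureTracker:
    """Counts signature matches inside a statistics collection period.

    Assumption: the period is modelled as a sliding window and the counter
    resets once it fires. The reference does not state how the device windows.
    """

    def __init__(self, period, threshold, track_method):
        if not PERIOD_RANGE[0] <= period <= PERIOD_RANGE[1]:
            raise ValueError("detect-period must be 1 to 3600 seconds")
        if not THRESHOLD_RANGE[0] <= threshold <= THRESHOLD_RANGE[1]:
            raise ValueError("detect-threshold must be 1 to 32000")
        if track_method not in TRACK_METHODS:
            raise ValueError("track-method must be per-mac or per-signature")
        self.period = period
        self.threshold = threshold
        self.track_method = track_method
        self._hits = defaultdict(deque)  # counter key -> match timestamps

    def observe(self, timestamp, src_mac):
        """Record one match; return the counter key if the threshold is reached."""
        # per-mac keeps one counter per source MAC, per-signature one shared counter.
        key = src_mac if self.track_method == "per-mac" else "*"
        window = self._hits[key]
        window.append(timestamp)
        # Drop matches that have aged out of the statistics collection period.
        while window[0] <= timestamp - self.period:
            window.popleft()
        if len(window) >= self.threshold:
            window.clear()
            return key
        return None


def replay(events, period, threshold, track_method):
    """Feed (timestamp, mac) events through a tracker; return (timestamp, key) hits."""
    tracker = SignatureTracker(period, threshold, track_method)
    fired = []
    for timestamp, mac in events:
        key = tracker.observe(timestamp, mac)
        if key is not None:
            fired.append((timestamp, key))
    return fired


# Constructed sample traffic (not captured from a device).
MACS = ["0a00-0000-0001", "0a00-0000-0002", "0a00-0000-0003"]
# Twelve matches in twelve seconds, spread evenly over three transmitters.
DISTRIBUTED = [(t, MACS[t % 3]) for t in range(12)]
# Ten matches from one transmitter, one every ten seconds.
SLOW = [(t * 10, MACS[0]) for t in range(10)]

if __name__ == "__main__":
    print("per-signature:", replay(DISTRIBUTED, 60, 10, "per-signature"))
    print("per-mac      :", replay(DISTRIBUTED, 60, 10, "per-mac"))
    print("slow, thr 10 :", replay(SLOW, 60, 10, "per-mac"))
    print("slow, thr 6  :", replay(SLOW, 60, 6, "per-mac"))
```

With the same threshold, per-signature tracking catches matches spread across many source MACs that per-mac tracking misses, and a period that is short relative to the match rate keeps a slow sender under the threshold.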
display wlan ips ap-classification-rule
Use display wlan ips ap-classification-rule to display information about the specified or all AP classification rules.
Syntax
display wlan ips ap-classification-rule [ rule-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
rule-name: Specifies an AP classification rule by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines, but not spaces.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all AP classification rules in the system.
[Sysname] display wlan ips ap-classification-rule
AP Classification Rules
--------------------------------------------------------------------------------
Classifictaion Rule Name : rule1
Classify Type : authorized-ap
Severity Level : -NA-
Match : Any
SSID : not include "test"
SSID Match Case : Ignore
Security : equal WPA2
Authentication Method : 802.1X
RSSI : > 40
Duration : > 86400
Client Count : -NA-
Discovered APs : < 10
OUI : -NA-
OUI Vendor : h3c
Applied to VSD
VSD 1 : office
VSD 2 : lab
--------------------------------------------------------------------------------
Classifictaion Rule Name : rule2
Classify Type : -NA-
Serverity Level : 10
Match : Any
SSID : include "test"
SSID Match Case : Ignore
Security : include WPA
Authentication Method : PSK
RSSI : < 20
Duration : < 86400
Client Count : -NA-
Discovered APs : > 10
OUI : 00-01-02
OUI Vendor : -NA-
Applied to VSD
VSD 1 : office
Table 2 Command output
Field | Description |
---|---|
Severity Level | Severity level for an AP that matches an AP classification rule. The value is in the range of 0 to 100. |
Match | Match policy for the rule. · All—An AP is considered as matching the rule when it matches all match criteria of the rule. · Any—An AP is considered as matching an AP classification rule as long as it matches any match criterion of the rule. |
SSID | Match criteria for an SSID. · include—Includes the configured character string. · not include—Does not include the configured character string. · equal—Equal to the configured character string. · not equal—Not equal to the configured character string. |
SSID Match Case | Whether case is considered when the SSID is matched: · ignore—Case insensitive. · exact—Case sensitive. |
Security | Security type used by the AP. · Clear. · WEP. · WPA. · WPA2. |
Authentication Method | Authentication method used by the AP: · 802.1X—802.1X authentication. · PSK—PSK authentication. · None—No authentication. · Other—Authentication other than 802.1X, PSK, and None. |
RSSI | RSSI of the AP. |
Duration | Bootup time of the AP. |
Client Count | Number of clients associated with the AP. |
Discovered APs | Number of APs discovered by the current sensor. |
OUI | OUI of the AP. |
OUI Vendor | Vendor of the AP. |
Applied to VSD | Virtual security domain where the AP classification rule is applied. |
VSD n | Name of the virtual security domain, where n represents a number automatically assigned by the system. |
display wlan ips attack-detect-policy
Use display wlan ips attack-detect-policy to display information about the specified or all attack detection policies.
Syntax
display wlan ips attack-detect-policy [ policy-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
policy-name: Specifies an attack detection policy by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines, but not spaces.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all attack detection policies.
[Sysname] display wlan ips attack-detect-policy
Attack Detect Policies
--------------------------------------------------------------------------------
Detection-Type Status Quiet-Time Action
--------------------------------------------------------------------------------
Policy Name: default
Adhoc-network off -- --
Prohibited-channel off -- --
AP-spoofing on 100 --
Client-spoofing on 200 --
AP-Flood off -- --
Dos-eapol-start off -- --
Dos-authentication off -- --
Dos-association off -- --
Dos-reassociation off -- --
Weak-iv off -- --
Invalid-OUI on -- --
Ps-attack on 600 --
Windows-Bridge on -- --
Hotspot-attack on -- --
AP-Impersonation on 600 --
Soft-ap on -- --
Unencrypt-auth-ap on 600 --
Unencrypt-trust-cli on 600 --
Applied To VSD : default, vsd_office
--------------------------------------------------------------------------------
Policy Name: lab
Adhoc-network on -- --
Prohibited-channel on -- --
AP-spoofing off -- --
Client-spoofing off -- --
AP-Flood on 600 --
Dos-eapol-start off -- --
Dos-authentication off -- --
Dos-association off -- --
Dos-reassociation off -- --
Weak-iv on 500 --
Invalid-OUI off -- --
Ps-attack off -- --
Windows-Bridge off -- --
Hotspot-attack off -- --
AP-Impersonation off -- --
Soft-ap off -- --
Unencrypt-auth-ap off -- --
Unencrypt-trust-cli off -- --
Applied To VSD : vsd_lab
--------------------------------------------------------------------------------
Table 3 Command output
Field | Description |
---|---|
Detection-Type | Detection type. |
Status | Detection status, enabled or disabled. |
Quiet-Time | Quiet time when an attack is detected. |
Action | Action to take when an attack is detected. |
Policy Name | Attack detection policy name. |
Adhoc-network | Whether to detect Ad hoc networks. · on. · off. |
Prohibited-channel | Whether to detect prohibited channels. · on. · off. |
AP-spoofing | Whether to detect AP spoofing. · on. · off. |
Client-spoofing | Whether to detect client spoofing. · on. · off. |
AP-Flood | Whether to detect AP flood. · on. · off. |
Dos-eapol-start | Whether to detect EAPOL-Start DoS attacks. · on. · off. |
Dos-authentication | Whether to detect authentication DoS attacks. · on. · off. |
Dos-association | Whether to detect association DoS attacks. · on. · off. |
Dos-reassociation | Whether to detect reassociation DoS attacks. · on. · off. |
Weak-iv | Whether to detect weak-IV. · on. · off. |
Invalid-OUI | Whether to detect invalid OUIs. · on. · off. |
Ps-attack | Whether to detect power saving attacks. · on. · off. |
Windows-Bridge | Whether to detect Windows bridge. · on. · off. |
Hotspot-attack | Whether to detect hotspot attacks. · on. · off. |
AP-Impersonation | Whether to detect AP impersonation attacks. · on. · off. |
Soft-ap | Whether to detect soft APs. · on. · off. |
Unencrypt-auth-ap | Whether to detect unencrypted authorized APs. · on. · off. |
Unencrypt-trust-cli | Whether to detect unencrypted trust clients. · on. · off. |
Applied to VSD | Virtual security domain where the attack detection policy is applied. |
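The following added example (not part of the original reference) parses display wlan ips attack-detect-policy output and reports, per virtual security domain, which detections from a required baseline are not enabled. The sample text is a trimmed excerpt of the output shown above; the baseline set and all function names are assumptions made for illustration.

```python
import re

# Excerpt of the sample output above, with rows trimmed for brevity.
SAMPLE_OUTPUT = """\
Attack Detect Policies
--------------------------------------------------------------------------------
Detection-Type Status Quiet-Time Action
--------------------------------------------------------------------------------
Policy Name: default
Prohibited-channel off -- --
AP-spoofing on 100 --
Weak-iv off -- --
Soft-ap on -- --
Unencrypt-auth-ap on 600 --
Applied To VSD : default, vsd_office
--------------------------------------------------------------------------------
Policy Name: lab
Prohibited-channel on -- --
AP-spoofing off -- --
Weak-iv on 500 --
Soft-ap off -- --
Unencrypt-auth-ap off -- --
Applied To VSD : vsd_lab
--------------------------------------------------------------------------------
"""

POLICY_RE = re.compile(r"^Policy Name\s*:\s*(\S+)$")
VSD_RE = re.compile(r"^Applied To VSD\s*:\s*(.*)$", re.IGNORECASE)
ROW_RE = re.compile(r"^(\S+)\s+(on|off)\s+(\d+|--)\s+(.+)$")


def parse_policies(text):
    """Return {policy: {"detections": {...}, "vsds": [...]}} from CLI output."""
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or separator rule
        match = POLICY_RE.match(line)
        if match:
            current = policies.setdefault(
                match.group(1), {"detections": {}, "vsds": []})
            continue
        if current is None:
            continue  # title and column header precede the first policy
        match = VSD_RE.match(line)
        if match:
            current["vsds"] = [v.strip() for v in match.group(1).split(",")
                               if v.strip()]
            continue
        match = ROW_RE.match(line)
        if match:
            name, status, quiet, action = match.groups()
            current["detections"][name] = {
                "enabled": status == "on",
                "quiet_time": None if quiet == "--" else int(quiet),
                "action": None if action == "--" else action,
            }
    return policies


def coverage_gaps(policies, required):
    """Map each VSD to the required detections that are off or not listed."""
    gaps = {}
    for policy in policies.values():
        missing = sorted(
            name for name in required
            if not policy["detections"].get(name, {}).get("enabled", False))
        if missing:
            for vsd in policy["vsds"]:
                gaps[vsd] = missing
    return gaps


# Hypothetical baseline; choose the detections your own policy requires.
REQUIRED = {"AP-spoofing", "Soft-ap", "Weak-iv"}

if __name__ == "__main__":
    for vsd, missing in sorted(coverage_gaps(parse_policies(SAMPLE_OUTPUT),
                                             REQUIRED).items()):
        print(f"{vsd}: not enabled -> {', '.join(missing)}")
```

A detection row that is absent from the output is reported as a gap, so trimmed or older output does not silently pass the check.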
display wlan ips authssidlist
Use display wlan ips authssidlist to display information about the specified or all entries in the WIPS authorized SSID list.
Syntax
display wlan ips authssidlist [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all entries in the authorized SSID list.
<Sysname> display wlan ips authssidlist
Total Number of Entries: 6
AuthSSID List
--------------------------------------------------------------------------------
SSID Added-Time
--------------------------------------------------------------------------------
Cmcc 2014-06-07/15:42:31
Y6066 2014-06-07/15:42:31
c4 2014-06-07/15:42:31
full 2014-06-07/15:42:31
full2 2014-06-07/15:42:31
z05066t 2014-06-07/15:42:31
--------------------------------------------------------------------------------
display wlan ips blocklist
Use display wlan ips blocklist to display information about the specified or all entries in a WIPS prohibited device list.
Syntax
display wlan ips blocklist [ static | dynamic | mac-address mac-addr ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
static: Specifies manually configured entries in the prohibited device list.
dynamic: Specifies dynamically added entries in the prohibited device list.
mac-address mac-addr: Specifies an entry with a specific MAC address in the prohibited device list.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all entries in the prohibited device list.
[Sysname] display wlan ips blocklist
Total Number of Entries: 2
State: S = Static, D = Dynamic, S&D = Static & Dynamic
Blocklist-Action Block : Disable
Block List
--------------------------------------------------------------------------------
MAC-Address Status
--------------------------------------------------------------------------------
0001-0002-0003 S
0001-0002-0004 S
--------------------------------------------------------------------------------
Table 4 Command output
Field | Description |
---|---|
Blocklist-Action Block | Disable wireless devices in the prohibited device list from accessing the WLAN. · Enable. · Disable. |
MAC-Address | MAC address of the wireless device in the prohibited device list. |
Status | Status of the entries in the prohibited device list. · S—Manually configured. · D—Dynamically generated. · S&D—Manually configured and dynamically generated. |
display wlan ips channel
Use display wlan ips channel to display information about the specified or all channels.
Syntax
display wlan ips channel [ permit | prohibit ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
permit: Specifies permitted channels.
prohibit: Specifies prohibited channels.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all channels.
[Sysname] display wlan ips channel
Channel List
--------------------------------------------------------------------------------
Channel Radio-Type Permit Last-Time
--------------------------------------------------------------------------------
1 11gn No 2013-06-21/16:00:47
2 11gn No 2013-06-21/16:00:47
3 11gn No 2013-06-21/16:00:47
4 11gn No 2013-06-21/16:00:47
5 11gn No 2013-06-21/16:00:47
6 11gn No 2013-06-21/16:00:47
7 11gn No 2013-06-21/16:00:47
8 11gn No 2013-06-21/16:00:47
9 11gn No 2013-06-21/16:00:47
10 11gn No 2013-06-21/16:00:47
11 11gn No 2013-06-21/16:00:47
12 11gn No 2013-06-21/16:00:47
13 11gn No 2013-06-21/16:00:47
149 11an No 2013-06-21/16:00:47
153 11an No 2013-06-21/16:00:47
157 11an No 2013-06-21/16:00:47
161 11an No 2013-06-21/16:00:47
165 11an No 2013-06-21/16:00:47
--------------------------------------------------------------------------------
Table 5 Command output
Field | Description |
---|---|
Channel | Channels supported by the current country/region code. |
Radio-Type | Type of the radio. |
Permit | Whether the channel is permitted. · Yes. · No. |
Last-Time | Time when the most recent transmission activity was detected on the channel. |
display wlan ips countermeasure-devices
Use display wlan ips countermeasure-devices to display countermeasures statistics for one or all virtual security domains.
Syntax
display wlan ips [ vsd vsd-name ] countermeasure-devices [ static [ countermeasure | pending | idle ] | dynamic [ countermeasure | pending ] | mac-address mac-addr ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
vsd vsd-name: Specifies a virtual security domain by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
static: Displays information about wireless devices added to the countermeasures list from WIPS view and countermeasures policy view.
dynamic: Displays information about wireless devices dynamically added to the countermeasures list.
countermeasure: Displays information about wireless devices against which countermeasures are being taken.
pending: Displays information about wireless devices against which countermeasures are to be taken.
idle: Displays information about wireless devices that are added to the countermeasures list but are not in any virtual security domain.
mac-address mac-addr: Displays information about wireless devices with the specified MAC addresses.
verbose: Displays detailed information about wireless devices in the countermeasures list.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display countermeasures statistics for all virtual security domains.
<Sysname> display wlan ips countermeasure-devices
S = Static, D = Dynamic, VSD = virtual security domain, Chl = Channel
P = Pending, C = Countermeasure, I = Idle, PRI = Precedence
Countermeasure Devices
--------------------------------------------------------------------------------
Mac-address Type State Start-Time Classification Chl PRI
--------------------------------------------------------------------------------
VSD: default
c4ca-d97e-2680 S&D C 2013-06-21/16:11:44 rogue-ap 6 10
3ce5-a68b-9030 D P 2013-06-21/16:15:26 rogue-ap 6 9
c4ca-d9f0-cab0 S C 2013-06-21/16:15:26 potential-external-ap 1 10
006a-ff00-0001 D C 2013-06-21/16:11:29 rogue-ap 5 9
VSD: vsd_office
c4ca-d97e-2680 S I -- -- -- --
c4ca-d9f0-cab0 S I -- -- -- --
VSD: vsd_lab
c4ca-d97e-2680 S I -- -- -- --
c4ca-d9f0-cab0 S I -- -- -- --
--------------------------------------------------------------------------------
Table 6 Command output
Field | Description |
---|---|
Type | Type of the wireless device. · S—Manually added. · D—Dynamically added. · S&D—Both manually and dynamically added. |
State | State of the wireless device against which countermeasures are taken. · Pending. · Countermeasure. · Idle. |
Start-Time | Time when the wireless device enters the current state. |
Classification | Type of the wireless device against which countermeasures are taken. · Potential-rogue-ap · Rogue-ap · Misconfigured-ap · Uncategorized-ap · Potential-external-ap · External-ap · Potential-authorized-ap · Uncategorized-client · Misassociation-client · Unauthorized-client |
Chl | Channel on which the sensor is operating. |
PRI | Countermeasures precedence. |
# Display detailed countermeasures statistics for the virtual security domain default.
<Sysname> display wlan ips vsd default countermeasure-devices verbose
VSD = virtual security domain
Countermeasure Devices
--------------------------------------------------------------------------------
VSD: default
Device: c4ca-d97e-2680
Type : Static
Classification : potential-external-ap
Precedence : 10
State : Countermeasure
Channel : 6
Sensor : ap3
Start-Time : 2013-06-21/16:11:44
Global Static Countermeasure : YES
Applied to Countermeasure-policies : --
default
office
Countermeasure records : 1
2013-06-21/16:11:29 - 2013-06-21/16:11:44 Pending
--------------------------------------------------------------------------------
Device: c4ca-d9f0-cab0
Type : Static
Classification : potential-external-ap
Precedence : 10
State : Pending
Channel : 1
Sensor : --
Start-Time : 2013-06-21/16:25:56
Global Static Countermeasure : YES
Applied to Countermeasure-policies : --
Countermeasure records : 0
--------------------------------------------------------------------------------
Device: 006a-ff00-0001
Type : Dynamic
Classification : rogue-ap
Precedence : 9
State : Countermeasure
Channel : 5
Sensor : ap3
Start-Time : 2013-06-21/16:11:29
Global Static Countermeasure : NO
Applied to Countermeasure-policies : --
Countermeasure records : 1
2013-06-21/16:11:29 - 2013-06-21/16:11:29 Pending
--------------------------------------------------------------------------------
Table 7 Command output
Field | Description |
---|---|
Device | MAC address of the wireless device in the countermeasures list. |
Type | Type of the wireless device in the countermeasures list. · Static—Manually added. · Dynamic—Dynamically added. · Static & Dynamic—Both manually and dynamically added. |
Classification | Classification of the device in the current virtual security domain. |
Precedence | Countermeasures precedence of the device in the current virtual security domain. |
State | State of the wireless device. · Pending. · Countermeasure. · Idle. |
Channel | Channel on which the sensor that is taking countermeasures against the wireless device is operating. |
Sensor | Sensor that is taking countermeasures against the wireless device. |
Start-Time | Time when the wireless device entered the current countermeasures state. |
Global Static Countermeasure | Whether the wireless device is a globally configured device against which countermeasures are taken. |
Applied to Countermeasure-policies | Countermeasures policy applied to the wireless device. |
Countermeasure records | Countermeasures record for the wireless device. |
display wlan ips countermeasure-policy
Use display wlan ips countermeasure-policy to display information about one or all countermeasures policies.
Syntax
display wlan ips countermeasure-policy [ policy-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
policy-name: Specifies a countermeasures policy by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines (_).
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display information about countermeasures policy officecmp.
<Sysname> display wlan ips countermeasure-policy officecmp
Countermeasure Policy
--------------------------------------------------------------------------------
Policy Name : officecmp
Countermeasure on Fixedchannel : Disable
Countermeasure Device-Classification
misconfigured-ap : Off
rogue-ap : Off
unauthorized-client : Off
external-ap : Off
misassociation-client : On precedence : 6
potential-authorized-ap : Off
potential-rogue-ap : Off
potential-external-ap : Off
uncategorized-ap : Off
uncategorized-client : Off
Countermeasure Static Devices : 0
Applied to VSD :
VSD 1 : vsd_office
----------------------------------------------------------------------
Table 8 Command output
Field | Description |
---|---|
Policy Name | Countermeasures policy name. |
Countermeasure on Fixedchannel | Countermeasures policy on fixed channel: enable or disable. |
Countermeasure Device-Classification | Taking countermeasures by device type. |
misconfigured-ap | Whether to take countermeasures against misconfigured APs: on or off. |
rogue-ap | Whether to take countermeasures against rogue APs: on or off. |
unauthorized-client | Whether to take countermeasures against unauthorized clients: on or off. |
external-ap | Whether to take countermeasures against external APs: on or off. |
misassociation-client | Whether to take countermeasures against misassociated clients: on or off. |
potential-authorized-ap | Whether to take countermeasures against potential-authorized APs: on or off. |
potential-rogue-ap | Whether to take countermeasures against potential-rogue APs: on or off. |
potential-external-ap | Whether to take countermeasures against potential-external APs: on or off. |
uncategorized-ap | Whether to take countermeasures against uncategorized APs: on or off. |
uncategorized-client | Whether to take countermeasures against uncategorized clients: on or off. |
Countermeasure Static Devices | Information about the wireless devices in the static countermeasures list specified by the current countermeasures policy. |
Applied to VSD | Virtual security domain where the current countermeasures policy is applied. |
VSD n | Virtual security domain name, where n is a number automatically assigned by the system. |
display wlan ips devices
Use display wlan ips devices to display information about wireless devices detected in the specified or all virtual security domains.
Syntax
display wlan ips [ vsd vsd-name ] devices [ ap [ adhoc | authorized | external | misconfigured | potential-authorized | potential-external | potential-rogue | rogue | uncategorized | mesh-ap ] | client [ authorized | misassociation | unauthorized | uncategorized | unassociated ] | mac-address mac-addr ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
vsd vsd-name: Specifies a virtual security domain by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
ap: Displays AP information.
adhoc: Displays ad hoc AP information.
authorized: Displays authorized AP information.
external: Displays external AP information.
misconfigured: Displays misconfigured AP information.
potential-authorized: Displays potential-authorized AP information.
potential-external: Displays potential-external AP information.
potential-rogue: Displays potential-rogue AP information.
rogue: Displays rogue AP information.
uncategorized: Displays uncategorized AP information.
mesh-ap: Displays mesh AP information.
client: Displays client information.
authorized: Displays authorized client information.
unauthorized: Displays unauthorized client information.
misassociation: Displays misassociated client information.
uncategorized: Displays uncategorized client information.
unassociated: Displays unassociated client information.
mac-address mac-addr: Displays information about the wireless device with a specified MAC address.
verbose: Displays detailed device information.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all wireless devices in all virtual security domains.
<Sysname> display wlan ips devices
SL = severity level, #S = number of reporting sensors, S = status
VSD = virtual security domain, I = inactive, A = active
Cli = client, Chl = channel
Detected Wireless Devices
--------------------------------------------------------------------------------
MAC-Address Type Classification SL Last-Time #S Chl S
--------------------------------------------------------------------------------
VSD default: 0
VSD vsd_office: 6
000f-e2a2-2420 AP Misconfigured 0 2014-06-22/15:52:26 1 149 A
000f-e233-5500 AP Misconfigured 0 2014-06-22/15:52:19 1 153 A
044f-aa03-9fec AP Potential-External 0 2014-06-22/15:52:19 1 157 A
0021-632f-f77d Cli Uncategorized - 2014-06-22/15:52:29 1 149 A
0024-012d-ecec Cli Unassociated - 2014-07-18/14:29:55 1 - -
d4c9-efe4-d3e1 AP Mesh 0 2014-07-22/11:38:14 1 161 A
--------------------------------------------------------------------------------
Table 9 Command output
Field | Description |
---|---|
MAC-Address | MAC address of the wireless device. |
Type | Type of the wireless device: AP, or Cli (client). |
Classification | Category of the wireless device. |
SL | Severity level of the wireless device. |
Last-Time | Time when WIPS last detected the AP or client. |
#S | Number of sensors that detected the wireless device. |
Chl | Channel where the wireless device was detected. |
S | AP or client status. Active: enabled. Inactive: disabled. |
# Display detailed information about all wireless devices in all virtual security domains.
<Sysname> display wlan ips devices verbose
Detected Wireless Devices
--------------------------------------------------------------------------------
VSD: default
Total Number of APs: 0
Total Number of Clients: 0
--------------------------------------------------------------------------------
VSD: vsd_office
Total Number of APs: 4
--------------------------------------------------------------------------------
BSSID : 000f-e2a2-2420
Vendor: New H3C Technologies Co., Ltd.
SSID : office
Status : Active
Classification : Misconfigured
Severity Level : 0
Security : WPA2/WPA
Encrypt Method : TKIP/CCMP
Authentication Method : PSK
Radio Type : 802.11an
Channel : 149
In Countermeasure List : No
Up Time : 2013-06-22/15:43:16
First Reported Time : 2013-06-22/15:40:56
Last Reported Time : 2013-06-22/15:53:26
Reporting Sensor : 1
Sensor 1 : ap3
RadioId : 1
RSSI : 72
Last Reported Time : 2013-06-22/15:53:26
Attached Clients : 1
Client 1 : 0021-632f-f77d
Detected Attacks : invalid-oui,
--------------------------------------------------------------------------------
BSSID : 000f-e233-5500
Vendor: New H3C Technologies Co., Ltd.
SSID : bignetwork-a
Status : Active
Classification : Misconfigured
Severity Level : 0
Security : Clear
Encrypt Method : -NA-
Authentication Method : None
Radio Type : 802.11an
Channel : 153
In Countermeasure List : No
Up Time : 2013-05-09/14:46:57
First Reported Time : 2013-06-22/15:38:26
Last Reported Time : 2013-06-22/15:53:21
Reporting Sensor : 1
Sensor 1 : ap3
RadioId : 1
RSSI : 25
Last Reported Time : 2013-06-22/15:53:21
Attached Clients : 0
Detected Attacks : -NA-
--------------------------------------------------------------------------------
BSSID : 044f-aa03-9fec
Vendor: Ruckus Wireless
SSID : Ruckus-Wireless-1
Status : Active
Classification : Potential-External
Severity Level : 0
Security : Clear
Encrypt Method : -NA-
Authentication Method : None
Radio Type : 802.11an
Channel : 157
In Countermeasure List : No
Up Time : 2013-06-13/20:10:13
First Reported Time : 2013-06-22/15:38:27
Last Reported Time : 2013-06-22/15:53:22
Reporting Sensor : 1
Sensor 1 : ap3
RadioId : 1
RSSI : 5
Last Reported Time : 2013-06-22/15:53:42
Attached Clients : 0
Detected Attacks : -NA-
--------------------------------------------------------------------------------
BSSID : d4c9-efe4-d3e1
Vendor: Hewlett Packard
MeshID : wsj
Status : Active
Classification : Mesh
Severity Level : 0
Security : WPA2
Encrypt Method : CCMP
Authentication Method : Other
Radio Type : 802.11ac
Channel : 161
In Countermeasure List : No
Up Time : 2014-06-22/11:37:29
First Reported Time : 2014-06-22/11:37:46
Last Reported Time : 2014-06-22/11:38:42
Reporting Sensor : 1
Sensor 1 : sensor2
RadioId : 1
RSSI : 70
Last Reported Time : 2014-06-22/11:38:42
Attached MeshAPs : 1
MeshAP 1 : 000f-e2c0-4440
Detected Attacks : wireless-bridge,
--------------------------------------------------------------------------------
Total Number of Clients: 2
--------------------------------------------------------------------------------
MAC Address: 0021-632f-f77d
Vendor: ASKEY COMPUTER CORP
BSSID : 000f-e2a2-2420
Status : Active
State : EAPSuccess
Classification : Uncategorized
RadioType : 802.11an
Channel : 149
In Countermeasure List : No
First Reported Time : 2013-06-22/15:46:31
Last Reported Time : 2013-06-22/15:53:33
Reporting Sensor : 1
Sensor 1 : ap3
RadioId : 1
RSSI : 66
Last Reported Time : 2013-06-22/15:53:33
Detected Attacks : -NA-
--------------------------------------------------------------------------------
MAC Address: 0015-af75-3f0f
Vendor: AzureWave Technologies, Inc.
BSSID : -NA-
Status : -NA-
State : Unassociation
Classification : Unassociated
RadioType : 802.11n
Channel : -NA-
In Countermeasure List : No
First Reported Time : 2013-09-18/14:35:14
Last Reported Time : 2013-09-18/14:36:10
Reporting Sensor : 1
Sensor 1 : ap0
RadioId : 2
RSSI : 18
Last Reported Time : 2013-09-18/14:36:10
Detected Attacks : -NA-
--------------------------------------------------------------------------------
Table 10 Command output
Field | Description |
---|---|
VSD | Name of the virtual security domain. |
Total Number of APs | Number of APs detected in the virtual security domain. |
BSSID | Basic SSID. |
SSID | SSID with which the client is associated. |
MeshID | Mesh ID of the WLAN mesh network. |
Hotspot | Whether the SSID is in the hotspot list. |
Status | AP or client status. Active: enabled. Inactive: disabled. |
State | Client association state. Association: the client has been associated with the AP. Unassociation: the client is not associated with the AP. EAPSuccess: the client has passed the PSK or 802.1X authentication. EAPLogoff: the client has been logged off. |
Classification | Category of the AP or client. AP: Ad_hoc, Authorized, Rogue, Misconfigured, External, Potential-authorized, Potential-rogue, Potential-external, Uncategorized, or Wireless-bridge. Client: Authorized, Unauthorized, Misassociated, Uncategorized, or Unassociated. |
Severity Level | Severity level of the wireless device. |
Security | Security type used by the wireless device: Clear, WEP, WPA, or WPA2. |
Encrypt Method | Data encryption mode: TKIP, CCMP, WEP, or -NA-. |
Authentication Method | Authentication method for the AP. None: no authentication. PSK: PSK authentication. 802.1X: 802.1X authentication. Other: authentication other than None, PSK, and 802.1X. |
RadioType | Radio type of the wireless device. |
Channel | Working channel of the wireless device. |
In Countermeasure List | Whether the AP or client is in the countermeasures list: Yes or No. |
Up Time | Bootup time of the AP. |
First Reported Time | Time when WIPS first detected the AP or client. |
Last Reported Time | Time when WIPS last detected the AP or client. |
Reporting Sensor | Number of sensors that detected the wireless device. |
Sensor n | Name of the sensor that detected the wireless device, where n represents a number automatically assigned by the system. |
RadioId | Radio ID detected by the sensor. |
RSSI | RSSI of the device. |
Attached Clients | Number of clients associated with the AP. |
Attached MeshAPs | Number of mesh APs that connect to the mesh AP. |
Client n | MAC address of the client associated with the AP, where n represents a number automatically assigned by the system. |
MeshAP n | MAC address of the mesh AP that connects to the mesh AP, where n represents a number automatically assigned by the system. |
Total Number of Clients | Number of clients detected in the virtual security domain. |
MAC Address | MAC address of the client. |
Detected Attacks | Attacks detected on the device. |
display wlan ips event
Use display wlan ips event to display the specified or all alarm events generated by the WIPS system.
Syntax
display wlan ips event [ source-mac source-mac | causer-mac causer-mac | id event-id | level event-level | type event-type | vsd vsd-name ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
source-mac source-mac: Specifies the MAC address of the WIPS-enabled device that generates alarm events.
causer-mac causer-mac: Specifies the MAC address of the wireless device that causes alarm events.
id event-id: Specifies an event ID in the range of 1 to 1200.
level event-level: Specifies the level for an alarm event in the range of 0 to 7.
type event-type: Specifies the type of an alarm event.
verbose: Displays detailed information for alarm events.
vsd vsd-name: Specifies a virtual security domain by its name.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all alarm events.
[Sysname] display wlan ips event
L = Level
Total Number of Events: 20
WIPS Events
--------------------------------------------------------------------------------
Causer-Mac Type L ID First-Reported-Time Last-Reported-Time
--------------------------------------------------------------------------------
d4c9-efe4-d3e1 wireless-bridge 4 240 2014-06-20/17:41:24 2014-06-22/11:38:42
000f-e2c0-4440 mesh-ap 4 1125 2014-06-22/11:38:14 2014-06-22/11:38:14
0021-632f-e71d man-in-the-middle 4 234 2014-06-07/18:24:27 2014-06-07/18:24:48
d4c9-efe4-d3e0 deauth-spoofing 2 233 2014-06-07/18:24:21 2014-06-07/18:24:46
0023-895e-0320 honeypot-ap 4 149 2014-06-07/18:15:21 2014-06-07/18:15:21
0021-632f-e71d ht-40MHz-intoler 5 200 2014-06-07/18:19:06 2014-06-07/18:19:06
7425-8a61-1211 ht-greenfield 2 8 2014-03-04/11:10:06 2014-03-05/11:03:55
c4ca-d9f0-8ba0 invalid-channel 4 49 2014-03-28/14:56:27 2014-03-28/14:58:42
0021-632f-e4fb ps-attack 4 575 2013-12-10/14:34:45 2013-12-10/14:34:45
e4b0-2140-9247 soft-ap 4 270 2013-12-10/09:45:16 2013-12-10/09:45:16
5866-ba9f-3680 unencrypt-auth-ap 5 22 2013-11-28/18:11:47 2013-11-29/11:27:52
5866-ba9f-3680 unencry-trust-cli 5 22 2013-11-28/18:11:47 2013-11-29/11:27:52
-NA- prohibited-chl 2 5 2013-06-22/15:35:30 2013-06-22/15:35:30
044f-aa03-9fec pt-external-ap 4 4 2013-06-22/15:33:08 2013-06-22/15:33:08
044f-aa03-9fec vsd-ap-add 5 3 2013-06-22/15:33:08 2013-06-22/15:33:08
000f-e233-5500 misconfigured-ap 3 2 2013-06-22/15:33:08 2013-06-22/15:33:08
000f-e233-5500 vsd-ap-add 5 1 2013-06-22/15:33:08 2013-06-22/15:33:08
0021-632f-e71d windows-bridge 2 67 2013-06-22/14:47:36 2013-06-22/14:47:36
7425-8a61-1200 ap-impersonation 4 52 2013-06-22/14:30:14 2013-06-22/14:36:31
0079-e65a-e600 hotspot-attack 2 338 2013-06-22/14:27:30 2013-06-22/14:27:30
--------------------------------------------------------------------------------
Table 11 Command output
Field | Description |
---|---|
Causer-MAC | MAC address of the wireless device that causes the alarm events. |
Type | Type of the alarm event. |
L | Level of the alarm event in the range of 0 to 7. |
ID | ID of the alarm event. |
First-Reported-Time | Time when the alarm event was first reported. |
Last-Reported-Time | Time when the alarm event was last reported. |
# Display detailed information for all alarm events generated by WIPS.
<Sysname> display wlan ips event verbose
Total Number of Events: 20
WIPS Events
--------------------------------------------------------------------------------
ID: 5 Event Level: 2
Event Type : prohibited-chl
Reported Time : 2013-06-22/15:35:30 - 2013-06-22/15:35:30
Aggregate times : 1
Causer : -NA-
Source:
Source 1 : c4ca-d9f0-e3e0 VSD: default
Detail Information:
In the VSD default, inhibitory channel 157 is active.
--------------------------------------------------------------------------------
ID: 4 Event Level: 4
Event Type : pt-external-ap
Reported Time : 2013-06-22/15:33:08 - 2013-06-22/15:33:08
Aggregate times : 1
Causer : 044f-aa03-9fec
Source:
Source 1 : 3822-d6c1-55fd VSD: -NA-
Detail Information:
In the VSD default, AP 044f-aa03-9fec is classified as Potential-External AP, w
here severity level is 0.
--------------------------------------------------------------------------------
ID: 3 Event Level: 5
Event Type : vsd-ap-add
Reported Time : 2013-06-22/15:33:08 - 2013-06-22/15:33:08
Aggregate times : 2
Causer : 044f-aa03-9fec
Source:
Source 1 : c4ca-d9f0-e3e0 VSD: default
Source 2 : 3822-d6c1-55fd VSD: -NA-
Detail Information:
In the VSD default,the AP 044f-aa03-9fec is added.
--------------------------------------------------------------------------------
ID: 2 Event Level: 3
Event Type : misconfigured-ap
Reported Time : 2013-06-22/15:33:08 - 2013-06-22/15:33:08
Aggregate times : 1
Causer : 000f-e233-5500
Source:
Source 1 : 3822-d6c1-55fd VSD: -NA-
Detail Information:
In the VSD default, AP 000f-e233-5500 is classified as Misconfigured AP.
--------------------------------------------------------------------------------
ID: 1 Event Level: 5
Event Type : vsd-ap-add
Reported Time : 2013-06-22/15:33:08 - 2013-06-22/15:33:08
Aggregate times : 2
Causer : 000f-e233-5500
Source:
Source 1 : c4ca-d9f0-e3e0 VSD: default
Source 2 : 3822-d6c1-55fd VSD: -NA-
Detail Information:
In the VSD default,the AP 000f-e233-5500 is added.
--------------------------------------------------------------------------------
ID: 342 Event Level: 2
Event Type : hotspot-attack
Reported Time : 2013-10-16/14:27:50 - 2013-10-16/14:27:50
Aggregate times : 1
Causer : 000f-e27b-4580
Source:
Source 1 : 3822-d6c1-55ff VSD: -NA-
Detail Information:
In the VSD han, detect AP(BSSID:000f-e27b-4580) using hotspot H3C.
--------------------------------------------------------------------------------
ID: 354 Event Level: 2
Event Type : hotspot-attack
Reported Time : 2013-10-16/14:27:48 - 2013-10-16/14:27:48
Aggregate times : 1
Causer : 5866-ba9f-3680
Source:
Source 1 : 3822-d6c1-55ff VSD: -NA-
Detail Information:
In the VSD han, detect the client(MAC:0021-6330-0f04) connecting to AP(BSSID:
5866-ba9f-3680) using hotspot xlan.
--------------------------------------------------------------------------------
ID: 67 Event Level: 2
Event Type : windows-bridge
Reported Time : 2013-11-15/08:47:36 - 2013-11-15/08:47:36
Aggregate times : 1
Causer : 0021-632f-e71d
Source:
Source 1 : 00a9-a755-fd00 VSD: 1
Detail Information:
In the VSD 1,detect the client(MAC:7425-8a61-1202), which connects to AP (BSSID:0021-632f-e71d), in a windows network bridge.
--------------------------------------------------------------------------------
ID: 22 Event Level: 5
Event Type : unencrypt-auth-ap
Reported Time : 2013-11-28/18:11:47 - 2013-11-29/11:27:52
Aggregate times : 63
Causer : 5866-ba9f-3680
Source:
Source 1 : 80f6-2ee6-d3da VSD: -NA-
Detail Information:
In the vsd default, detect an unencrypted authorized AP 5866-ba9f-3680.
--------------------------------------------------------------------------------
ID: 535 Event Level: 5
Event Type : unencrypted-trust-client
Reported Time : 2013-11-29/10:00:00 - 2013-11-29/11:18:25
Aggregate times : 4
Causer : ccef-48f4-7850
Source:
Source 1 : 80f6-2ee6-d3da VSD: -NA-
Detail Information:
In the vsd default, detect a trust client 0021-6330-0f04 connect to an unencrypted AP ccef-48f4-7850.
--------------------------------------------------------------------------------
ID: 52 Event Level: 4
Event Type : ap-impersonation
Reported Time : 2013-12-05/14:12:14 - 2013-12-05/17:06:31
Aggregate times : 670
Causer : 7425-8a61-1200
Source:
Source 1 : 00a9-a75b-5100 VSD: 1
Detail Information:
In the vsd 1, detect AP impersonation of BSSID 7425-8a61-1200.
--------------------------------------------------------------------------------
ID: 270 Event Level: 4
Event Type : soft-ap
Reported Time : 2013-12-10/09:45:16 - 2013-12-10/09:45:16
Aggregate times : 1
Causer : e4b0-2140-9247
Source:
Source 1 : e4b0-2140-9247
Detail Information:
In the VSD 1, detect soft ap e4b0-2140-9247.
--------------------------------------------------------------------------------
ID: 575 Event Level: 4
Event Type : ps-attack
Reported Time : 2013-12-10/14:34:45 - 2013-12-10/14:34:45
Aggregate times : 1
Causer : 0021-632f-e4fb
Source:
Source 1 : 00a9-a69b-4c00 VSD: 1
Detail Information:
In the VSD 1, detect power save attack to client 0021-632f-e4fb.
--------------------------------------------------------------------------------
ID: 8 Event Level: 2
Event Type : ht-greenfield
Reported Time : 2013-12-10/14:34:45 - 2013-12-10/14:34:45
Aggregate times : 1008
Causer : 7425-8a61-1211
Source:
Source 1 : 3ce5-a68b-9020 VSD: vsd2
Detail Information:
In the vsd vsd2, detect an active HT-greenfield mode AP(BSSID:7425-8a61-1211).
--------------------------------------------------------------------------------
ID: 49 Event Level: 4
Event Type : invalid-channel
Reported Time : 2013-12-10/14:34:45 - 2013-12-10/14:34:45
Aggregate times : 3
Causer : c4ca-d9f0-8ba0
Source:
Source 1 : 80f6-2e02-f880
Source 2 : 5866-abc0-4620 VSD: default
Detail Information:
In the VSD default, detect the device c4ca-d9f0-8ba0 launching a malformed pack
et with type of invalid-channel.
--------------------------------------------------------------------------------
ID: 200 Event Level: 5
Event Type : ht-40MHz-intoler
Reported Time : 2014-06-07/18:19:06 - 2014-06-07/18:20:04
Aggregate times : 2
Causer : 0021-632f-e71d
Source:
Source 1 : cc3e-5f26-0e00 VSD: 2
Detail Information:
In the vsd 2, detect a client(MAC:0021-632f-e71d) setting 40MHz intolerance and
connecting with AP(BSSID:0023-895e-0320).
--------------------------------------------------------------------------------
ID: 149 Event Level: 4
Event Type : honeypot-ap
Reported Time : 2014-06-07/18:15:21 - 2014-06-07/18:15:21
Aggregate times : 1
Causer : 0023-895e-0320
Source:
Source 1 : 5866-babe-d0a4 VSD: -NA-
Detail Information:
In the VSD 2, detect honeypot ap 0023-895e-0320.
--------------------------------------------------------------------------------
ID: 233 Event Level: 2
Event Type : deauth-spoofing
Reported Time : 2014-06-07/18:24:21 - 2014-06-07/18:24:46
Aggregate times : 3
Causer : d4c9-efe4-d3e0
Source:
Source 1 : 5866-babe-d0a4 VSD: -NA-
Detail Information:
In the vsd 2, detect a spoof deauthentication frame from AP(BSSID:d4c9-efe4-d3e
0) to CLIENT(MAC:0021-632f-e71d).
--------------------------------------------------------------------------------
ID: 234 Event Level: 4
Event Type : man-in-the-middle
Reported Time : 2014-06-07/18:24:27 - 2014-06-07/18:24:48
Aggregate times : 2
Causer : 0021-632f-e71d
Source:
Source 1 : 5866-babe-d0a4 VSD: -NA-
Detail Information:
In the VSD 2, detect the client(mac:0021-632f-e71d) that connects to the honey
pot AP(BSSID:0023-895e-0330, SSID:"H3C", AuthSSID:"H3C") attacked by the man-in-
the-middle attack.
--------------------------------------------------------------------------------
ID: 240 Event Level: 4
Event Type : wireless-bridge
Reported Time : 2014-06-20/17:41:24 - 2014-06-22/11:38:42
Aggregate times : 33
Causer : d4c9-efe4-d3e1
Source:
Source 1 : cc3e-5f26-0e00 VSD: 2
Detail Information:
In the VSD 2, detect an AP(MAC:d4c9-efe4-d3e1), which connects with another AP
(MAC:000f-e2c0-4440), in a wireless-bridge.
--------------------------------------------------------------------------------
Table 12 Command output
Field | Description |
---|---|
Total Number of Events | Total number of alarm events. |
ID | ID of the alarm event. |
Event Level | Level of the alarm event in the range of 0 to 7. |
Event Type | Type of the alarm event. |
Reported Time | Time when WIPS first and last reported the alarm event. |
Aggregate times | Number of times that alarm events are aggregated. |
Causer | MAC address of the wireless device that causes the alarm event. |
Source | MAC address of the WIPS-enabled device that generated the alarm event. |
VSD | Name of the virtual security domain to which the WIPS-enabled device belongs. |
Detail Information | Detailed information for the alarm event. |
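The verbose event output documented above is regular enough to parse for triage. The following Python code is an added example, not H3C code: it turns the records into dictionaries, rejoins hard-wrapped detail lines before extracting MAC addresses, and groups events by causer. The function names and the assumption that wrapped text restarts at column 0 are this example's own.

```python
import re
from datetime import datetime

# Constructed sample: three records from the example output above, wraps kept as printed.
SAMPLE = """\
--------------------------------------------------------------------------------
ID: 67 Event Level: 2
Event Type : windows-bridge
Reported Time : 2013-11-15/08:47:36 - 2013-11-15/08:47:36
Aggregate times : 1
Causer : 0021-632f-e71d
Source:
Source 1 : 00a9-a755-fd00 VSD: 1
Detail Information:
In the VSD 1,detect the client(MAC:7425-8a61-1202), which connects to AP (BSSID:0021-632f-e71d), in a windows network bridge. --------------------------------------------------------------------------------
ID: 233 Event Level: 2
Event Type : deauth-spoofing
Reported Time : 2014-06-07/18:24:21 - 2014-06-07/18:24:46
Aggregate times : 3
Causer : d4c9-efe4-d3e0
Source:
Source 1 : 5866-babe-d0a4 VSD: -NA-
Detail Information:
In the vsd 2, detect a spoof deauthentication frame from AP(BSSID:d4c9-efe4-d3e
0) to CLIENT(MAC:0021-632f-e71d).
--------------------------------------------------------------------------------
ID: 234 Event Level: 4
Event Type : man-in-the-middle
Reported Time : 2014-06-07/18:24:27 - 2014-06-07/18:24:48
Aggregate times : 2
Causer : 0021-632f-e71d
Source:
Source 1 : 5866-babe-d0a4 VSD: -NA-
Detail Information:
In the VSD 2, detect the client(mac:0021-632f-e71d) that connects to the honey
pot AP(BSSID:0023-895e-0330, SSID:"H3C", AuthSSID:"H3C") attacked by the man-in-
the-middle attack.
--------------------------------------------------------------------------------
"""

RULE = re.compile(r"-{20,}\s*$")  # record separator, alone or glued to the end of a detail line
HEADER = re.compile(r"^ID:\s*(\d+)\s+Event Level:\s*(\d+)$")
FIELD = re.compile(r"^(Event Type|Reported Time|Aggregate times|Causer)\s*:\s*(.+)$")
SOURCE = re.compile(r"^Source \d+\s*:\s*(\S+)(?:\s+VSD:\s*(\S+))?$")
MAC = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}")
TS = "%Y-%m-%d/%H:%M:%S"

def _na(value):
    return None if value in (None, "-NA-") else value

def parse_events(text):
    """Parse 'display wlan ips event verbose' output into a list of event dicts."""
    events, in_detail, cur = [], False, {"sources": [], "detail": ""}  # pre-header lines are dropped
    for raw in text.splitlines():
        line = raw.rstrip()
        rule = RULE.search(line)
        line = line[:rule.start()].rstrip() if rule else line
        key = line.strip()
        if head := HEADER.match(key):
            cur = {"id": int(head.group(1)), "level": int(head.group(2)), "type": None,
                   "causer": None, "count": 0, "first": None, "last": None, "sources": [], "detail": ""}
            events.append(cur)
        elif in_detail:
            # Hard wraps split words and MACs: append continuation lines with no separator.
            cur["detail"] += line if cur["detail"] else key
        elif key.startswith("Detail Information"):
            in_detail = True
        elif m := FIELD.match(key):
            name, value = m.groups()
            if name == "Reported Time":
                cur["first"], cur["last"] = (datetime.strptime(t, TS) for t in value.split(" - "))
            elif name == "Aggregate times":
                cur["count"] = int(value)
            else:
                cur["type" if name == "Event Type" else "causer"] = _na(value)
        elif m := SOURCE.match(key):
            cur["sources"].append((m.group(1), _na(m.group(2))))
        if rule:
            in_detail = False  # a rule always closes the detail text of the current record
    return events

def related_macs(event):
    """MAC addresses named in the detail text other than the causer itself."""
    return sorted(set(MAC.findall(event["detail"])) - {event["causer"]})

def summarize_by_causer(events):
    """Group events per causer MAC: event types, summed aggregate count, reporting sensors."""
    out = {}
    for ev in events:
        if ev["causer"]:
            s = out.setdefault(ev["causer"], {"types": set(), "total": 0, "sensors": set()})
            s["types"].add(ev["type"])
            s["total"] += ev["count"]
            s["sensors"].update(mac for mac, _vsd in ev["sources"])
    return out

if __name__ == "__main__":
    print(summarize_by_causer(parse_events(SAMPLE)))
```

A causer that appears under several event types, as 0021-632f-e71d does here, is a natural starting point for follow-up with display wlan ips devices mac-address.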
display wlan ips hotspotlist
Use display wlan ips hotspotlist to display information about the hotspots in the WIPS system.
Syntax
display wlan ips hotspotlist [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display information about the hotspots in the WIPS system.
[Sysname] display wlan ips hotspotlist
Total Number of Entries: 8
Hotspot List
--------------------------------------------------------------------------------
SSID Last-Reported-Time
--------------------------------------------------------------------------------
ANY --
H3C 2013-12-16/10:46:55
any --
hello --
lwq 2013-12-16/10:46:47
wlan --
wsj --
y06066 2013-12-16/10:46:52
--------------------------------------------------------------------------------
Table 13 Command output
Field | Description |
---|---|
Total Number of Entries | Number of hotspots in the WIPS system. |
SSID | SSID of the hotspot. |
Last-Reported-Time | Time when the hotspot was most recently detected. |
display wlan ips ignorelist
Use display wlan ips ignorelist to display a specific device or all devices in the alarm-ignored device list.
Syntax
display wlan ips ignorelist [ mac-address mac-addr ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
mac-address mac-addr: Specifies the MAC address of the wireless device for which WIPS alarming information can be ignored.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all wireless devices for which WIPS alarming information can be ignored.
[sysname] display wlan ips ignorelist
Total Number of Entries: 2
Ignore List
------------------------------------------------------------------------
MAC-Address Hit-Count First-Reported-Time Last-Reported-Time
------------------------------------------------------------------------
0001-0002-0003 100 2011-04-08/09:17:25 2011-04-11/09:15:11
0001-0002-0004 2098 2011-04-05/19:35:50 2011-04-11/08:35:26
------------------------------------------------------------------------
Table 14 Command output
Field | Description |
---|---|
MAC-Address | MAC address of the device in the list. |
Hit-Count | Number of times that the entry in the list was hit. |
First-Reported-Time | Time when the first alarm event was generated for the device. |
Last-Reported-Time | Time when the last alarm event was generated for the device. |
display wlan ips malformed-detect-policy
Use display wlan ips malformed-detect-policy to display information about the specified or all malformed packet detection policies.
Syntax
display wlan ips malformed-detect-policy [ policy-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
policy-name: Specifies a malformed packet detection policy by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines, but not spaces.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all malformed packet detection policies.
[Sysname] display wlan ips malformed-detect-policy
Malformed Detect Policies
---------------------------------------------------------------------------
Detection-Type Status Quiet-Time Action Threshold
---------------------------------------------------------------------------
Policy Name: default
invalid-ie-length off 600 -- --
duplicated-ie off 600 -- --
redundant-ie off 600 -- --
invalid-pkt-length off 600 -- --
illegal-ibss-ess off 600 -- --
invalid-source-address off 600 -- --
overflow-eapol-key off 600 -- --
malformed-auth off 600 -- --
malformed-assoc-req off 600 -- --
malformed-ht-ie off 600 -- --
large-duration off 600 -- 5000
null-probe-resp off 600 -- --
invalid-deauth-code off 600 -- --
invalid-disassoc-code off 600 -- --
overflow-ssid off 600 -- --
fata-jack off 600 -- --
---------------------------------------------------------------------------
Applied To VSD : vsd
---------------------------------------------------------------------------
Policy Name: mf2
invalid-ie-length on 5 log|trap --
duplicated-ie on 5 log|trap --
redundant-ie on 5 log|trap --
invalid-packet-length off 5 -- --
illegal-ibss-ess on 5 log|trap --
invalid-source-address on 5 log|trap --
overflow-eapol-key on 5 log|trap --
malformed-auth on 5 log|trap --
malformed-assoc-req on 5 log|trap --
malformed-ht-ie on 5 log|trap --
large-duration on 5 log|trap 200
null-probe-resp on 5 log|trap --
invalid-deauth-code on 5 log|trap --
invalid-disassoc-code on 5 log|trap --
overflow-ssid on 5 log|trap --
fata-jack on 5 log|trap --
---------------------------------------------------------------------------
Applied To VSD : han
-------------------------------------------------------------------------
Table 15 Command output
Field | Description |
---|---|
Policy Name | Name of the malformed packet detection policy. |
Detection-Type | Type of the malformed packet detection policy: invalid-ie-length, duplicated-ie, redundant-ie, invalid-pkt-length, illegal-ibss-ess, invalid-source-address, overflow-eapol-key, malformed-auth, malformed-assoc-req, malformed-ht-ie, large-duration, null-probe-resp, invalid-deauth-code, invalid-disassoc-code, overflow-ssid, or fata-jack. |
Status | Status of the log and alarm functions. on: the log and alarm functions are enabled. off: the log and alarm functions are disabled. |
Quiet-Time | Quiet time before alarming the next malformed packet. |
Action | Action to take when the sensor detects a malformed packet: send a log or alarm to the AC. |
Threshold | Duration threshold. |
Applied To VSD | Virtual security domain using the malformed packet detection policy. |
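One way to audit this output offline, as an added example (not H3C tooling): parse each policy's rows and report detection types that are off, or on without both log and trap, for every policy applied to a VSD. The required-action baseline, the function names, and the handling of several VSD names as a whitespace-separated list are assumptions of this example.

```python
import re

# Constructed sample in the layout of the example output above; the "log"-only
# row is made up to exercise the missing-action check.
SAMPLE = """\
Malformed Detect Policies
---------------------------------------------------------------------------
Detection-Type Status Quiet-Time Action Threshold
---------------------------------------------------------------------------
Policy Name: default
invalid-ie-length off 600 -- --
overflow-eapol-key off 600 -- --
large-duration off 600 -- 5000
---------------------------------------------------------------------------
Applied To VSD : vsd
---------------------------------------------------------------------------
Policy Name: mf2
invalid-ie-length on 5 log|trap --
overflow-eapol-key on 5 log --
large-duration on 5 log|trap 200
fata-jack off 5 -- --
---------------------------------------------------------------------------
Applied To VSD : han
---------------------------------------------------------------------------
"""

# Detection-Type, Status, Quiet-Time, Action, Threshold; the header row does not
# match because its second column is "Status", not on/off.
ROW = re.compile(r"^(\S+)\s+(on|off)\s+(\d+)\s+(\S+)\s+(\S+)$")

def parse_policies(text):
    """Return {policy name: {"vsd": [names], "rules": {detection type: settings}}}."""
    policies, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Policy Name:"):
            name = line.split(":", 1)[1].strip()
            cur = policies.setdefault(name, {"vsd": [], "rules": {}})
        elif cur is not None and line.startswith("Applied To VSD"):
            # Assumption: several VSD names, if present, are whitespace-separated.
            cur["vsd"] += line.split(":", 1)[1].split()
        elif cur is not None and (m := ROW.match(line)):
            rule, status, quiet, action, threshold = m.groups()
            cur["rules"][rule] = {
                "on": status == "on",
                "quiet": int(quiet),
                "actions": set() if action == "--" else set(action.split("|")),
                "threshold": None if threshold == "--" else int(threshold),
            }
    return policies

def audit(policies, required_actions=frozenset({"log", "trap"})):
    """List (policy, vsd, detection type, problem) for every policy applied to a VSD.

    required_actions is this example's baseline, not a vendor recommendation.
    """
    findings = []
    for name, policy in policies.items():
        for vsd in policy["vsd"]:
            for rule, cfg in policy["rules"].items():
                if not cfg["on"]:
                    findings.append((name, vsd, rule, "detection off"))
                elif required_actions - cfg["actions"]:
                    missing = "|".join(sorted(required_actions - cfg["actions"]))
                    findings.append((name, vsd, rule, f"missing action {missing}"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_policies(SAMPLE)):
        print(*finding, sep="  ")
```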
display wlan ips network
Use display wlan ips network to display information about wireless services in the specified or all virtual security domains.
Syntax
display wlan ips [ vsd vsd-name ] network bss [ verbose ] [ name network-name | hotspot ] [ | { begin | exclude | include } regular-expression ]
display wlan ips [ vsd vsd-name ] network [ mesh ] [ verbose ] [ name network-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
vsd vsd-name: Specifies a virtual security domain by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
network: Displays information about the detected wireless service.
bss: Displays information about a WLAN ESS or IBSS network.
mesh: Displays information about a WLAN mesh network.
verbose: Displays detailed information about a wireless service.
name network-name: Specifies a WLAN ESS, IBSS, or mesh network by its name, a case-sensitive string of 1 to 32 characters that can contain spaces.
hotspot: Displays information about a hotspot in the hotspot list.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display information about the wireless services in all virtual security domains.
<Sysname> display wlan ips network
#AP = number of APs, VSD = virtual security domain
Detected Wireless Networks
--------------------------------------------------------------------------------
SSID Security Auth-Method Encrypt-Method #AP
--------------------------------------------------------------------------------
VSD default: 0
VSD vsd_office: 3
office WPA2/WPA PSK TKIP/CCMP 1
Ruckus-Wireless-1 Clear None -NA- 1
bignetwork-a Clear None -NA- 1
--------------------------------------------------------------------------------
MeshID Security Auth-Method Encrypt-Method #AP
--------------------------------------------------------------------------------
VSD default: 0
VSD vsd_office: 2
Clear None -NA- 1
wsj WPA2 Other CCMP 1
--------------------------------------------------------------------------------
# Display information about all hotspots in the hotspot list in virtual security domain default.
[Sysname] display wlan ips vsd default network bss hotspot
#AP = number of APs, VSD = virtual security domain
Detected Wireless Networks
--------------------------------------------------------------------------------
SSID Security Auth-Method Encrypt-Method #AP
--------------------------------------------------------------------------------
VSD default: 16
h3c-zc Clear None -NA- 1
CMCC Clear None -NA- 16
lkf3994 Clear None -NA- 1
n1006 WPA2 PSK CCMP 1
AndroidAP WPA2 PSK CCMP 1
lwq Clear None -NA- 1
--------------------------------------------------------------------------------
Table 16 Command output
Field | Description |
---|---|
SSID | SSID of the wireless service. |
MeshID | Mesh ID of the WLAN mesh service. |
Security | Security type used by the wireless device. · Clear. · WEP. · WPA. · WPA2. |
Auth-Method | Authentication method. · None—No authentication. · PSK—PSK authentication. · 802.1X—802.1X authentication. · Other—Authentication other than None, PSK, and 802.1X. |
Encrypt-Method | Data encryption mode. · TKIP. · CCMP. · WEP. |
#AP | Number of APs that use the SSID. |
# Display detailed information about the wireless services in all virtual security domains.
[Sysname] display wlan ips network verbose
VSD: default
Total number of bss-networks: 0
--------------------------------------------------------------------------------
VSD: vsd_office
Total number of bss-networks: 3
--------------------------------------------------------------------------------
SSID: office
Hotspot : No
Status : Active
Security : WPA2/WPA
Authentication Method : PSK
Encrypt Method : TKIP/CCMP
First Reported Time : 2013-06-22/15:43:18
Last Reported Time : 2013-06-22/15:43:38
APs : 1
BSSID 1 : 000f-e2a2-2420 Channel: 149 Clients: 0 SSID Hide: No
--------------------------------------------------------------------------------
SSID: Ruckus-Wireless-1
Hotspot : No
Status : Active
Security : Clear
Authentication Method : None
Encrypt Method : -NA-
First Reported Time : 2013-06-22/15:38:27
Last Reported Time : 2013-06-22/15:43:44
APs : 1
BSSID 1 : 044f-aa03-9fec Channel: 157 Clients: 0 SSID Hide: No
--------------------------------------------------------------------------------
SSID: bignetwork-a
Hotspot : Yes
Status : Active
Security : Clear
Authentication Method : None
Encrypt Method : -NA-
First Reported Time : 2013-06-22/15:38:26
Last Reported Time : 2013-06-22/15:43:31
APs : 1
BSSID 1 : 000f-e233-5500 Channel: 153 Clients: 0 SSID Hide: No
--------------------------------------------------------------------------------
VSD: default
Total number of mesh-networks: 0
--------------------------------------------------------------------------------
VSD: vsd_office
Total number of mesh-networks: 2
--------------------------------------------------------------------------------
MeshID:
Status : Active
Security : Clear
Authentication Method : None
Encrypt Method : -NA-
First Reported Time : 2014-06-22/11:38:14
Last Reported Time : 2014-06-22/11:38:14
APs : 1
BSSID 1 : 000f-e2c0-4440 Channel: 161 Attached MeshAPs: 1
--------------------------------------------------------------------------------
MeshID: wsj
Status : Active
Security : WPA2
Authentication Method : Other
Encrypt Method : CCMP
First Reported Time : 2014-06-22/11:37:46
Last Reported Time : 2014-06-22/11:37:46
APs : 1
BSSID 1 : d4c9-efe4-d3e1 Channel: 161 Attached MeshAPs: 1
--------------------------------------------------------------------------------
Table 17 Command output
Field | Description |
---|---|
VSD | Name of the virtual security domain. |
Total number of networks | Total number of wireless services detected in the virtual security domain. |
SSID | SSID of the wireless service. |
MeshID | Mesh ID of the WLAN mesh service. |
Hotspot | Whether the SSID is in the hotspot list. |
Status | SSID status. · Active—Enabled. · Inactive—Disabled. |
Security | Security type used by the wireless device. · Clear. · WEP. · WPA. · WPA2. |
Authentication Method | Authentication method. · None—No authentication. · PSK—PSK authentication. · 802.1X—802.1X authentication. · Other—Authentication other than None, PSK, and 802.1X. |
Encrypt Method | Data encryption mode. · TKIP. · CCMP. · WEP. |
First Reported Time | Time when WIPS first detected the SSID. |
Last Reported Time | Time when WIPS last detected the SSID. |
APs | Number of APs that use the SSID. |
BSSID n | BSSID, where n represents a number automatically assigned by the system. |
Channel | Channel used by the BSSID. |
Clients | Number of clients associated with the BSSID. |
Attached MeshAPs | Number of mesh APs that connect to the mesh AP. |
SSID Hide | Whether the SSID is hidden. · Yes. · No. |
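An added example (not part of the H3C documentation): a Python parser for the bss-network records of the verbose output above that flags services advertising no encryption, WEP, WPA, or TKIP. It assumes mixed modes are joined with "/" as in the sample, and all function names are illustrative.

```python
import re

# The bss-network records from the example output above (whitespace as extracted).
SAMPLE = """\
VSD: default
Total number of bss-networks: 0
--------------------------------------------------------------------------------
VSD: vsd_office
Total number of bss-networks: 3
--------------------------------------------------------------------------------
SSID: office
Hotspot : No
Status : Active
Security : WPA2/WPA
Authentication Method : PSK
Encrypt Method : TKIP/CCMP
First Reported Time : 2013-06-22/15:43:18
Last Reported Time : 2013-06-22/15:43:38
APs : 1
BSSID 1 : 000f-e2a2-2420 Channel: 149 Clients: 0 SSID Hide: No
--------------------------------------------------------------------------------
SSID: Ruckus-Wireless-1
Hotspot : No
Status : Active
Security : Clear
Authentication Method : None
Encrypt Method : -NA-
First Reported Time : 2013-06-22/15:38:27
Last Reported Time : 2013-06-22/15:43:44
APs : 1
BSSID 1 : 044f-aa03-9fec Channel: 157 Clients: 0 SSID Hide: No
--------------------------------------------------------------------------------
SSID: bignetwork-a
Hotspot : Yes
Status : Active
Security : Clear
Authentication Method : None
Encrypt Method : -NA-
First Reported Time : 2013-06-22/15:38:26
Last Reported Time : 2013-06-22/15:43:31
APs : 1
BSSID 1 : 000f-e233-5500 Channel: 153 Clients: 0 SSID Hide: No
--------------------------------------------------------------------------------
"""

BSSID_RE = re.compile(
    r"BSSID\s+\d+\s*:\s*(?P<bssid>[0-9a-f]{4}(?:-[0-9a-f]{4}){2})\s+"
    r"Channel:\s*(?P<channel>\d+)\s+"
    r"(?:Clients|Attached MeshAPs):\s*(?P<attached>\d+)", re.I)


def parse_networks(text):
    """Return one dict per SSID/MeshID record, tagged with its VSD."""
    networks, vsd, cur = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"}:
            continue                                  # blank line or separator rule
        if line.startswith("VSD:"):
            vsd, cur = line[4:].strip(), None         # per-VSD totals that follow are skipped
        elif line.startswith(("SSID:", "MeshID:")):
            kind, _, name = line.partition(":")
            cur = {"VSD": vsd, "Kind": kind, "Name": name.strip(), "BSSIDs": []}
            networks.append(cur)
        elif cur is not None and (m := BSSID_RE.match(line)):
            cur["BSSIDs"].append(
                (m["bssid"].lower(), int(m["channel"]), int(m["attached"])))
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")       # first colon only: timestamps contain colons
            cur[key.strip()] = value.strip()
    return networks


def audit(network):
    """Return the weak-protection findings for one parsed record."""
    security = set(network.get("Security", "").split("/"))
    ciphers = set(network.get("Encrypt Method", "").split("/"))
    findings = []
    if "Clear" in security:
        findings.append("open: no encryption")
    if "WEP" in security or "WEP" in ciphers:
        findings.append("WEP in use")
    if "WPA" in security:
        findings.append("WPA (pre-WPA2) accepted")
    if "TKIP" in ciphers:
        findings.append("TKIP accepted")
    return findings


def report(text):
    """Map (VSD, network name) to findings, omitting networks with none."""
    results = ((n, audit(n)) for n in parse_networks(text))
    return {(n["VSD"], n["Name"]): f for n, f in results if f}
```

Combining the findings with the Hotspot field and the AP classification separates authorized services that need reconfiguration from neighbouring or hotspot networks that only need monitoring.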
display wlan ips oui
Use display wlan ips oui to display all OUI information for the specified vendor in the OUI library of WIPS.
Syntax
display wlan ips oui vendor-name
Views
Any view
Default command level
2: System level
Parameters
vendor-name: Specifies a vendor by its name, a case-insensitive string of 1 to 64 characters.
Examples
# Display all OUI information for the vendor H3C in the OUI library of WIPS.
[Sysname]display wlan ips oui h3c
Total Number of Entries: 8
Vendor OUI List
---------------------------------------------------------------------------
OUI Vendor
---------------------------------------------------------------------------
00-0F-E2 New H3C Technologies Co., Ltd.
00-23-89 New H3C Technologies Co., Ltd.
0C-DA-41 New H3C Technologies Co., Limited
38-22-D6 New H3C Technologies Co., Limited
3C-E5-A6 New H3C Technologies Co., Ltd.
58-66-BA New H3C Technologies Co., Limited
80-F6-2E New H3C Technologies Co., Limited
C4-CA-D9 New H3C Technologies Co., Limited
---------------------------------------------------------------------------
Table 18 Command output
Field | Description |
---|---|
Vendor | Device vendor. If the OUI corresponding to the vendor is not in the OUI library of WIPS, this field displays -NA-. |
display wlan ips sensor
Use display wlan ips sensor to display sensors in a specified or all virtual security domains.
Syntax
display wlan ips sensor [ vsd vsd-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
vsd vsd-name: Specifies a virtual security domain by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display sensors in all virtual security domains.
[Sysname] display wlan ips sensor
Total Number of Sensors: 5
wips = dedicated wips mode, hyb-l = low scan-time in hybrid mode,
hyb-m = medium scan-time in hybrid mode, hyb-h = high scan-time in hybrid mode,
S = state, R = run,
I = idle
Sensor List
--------------------------------------------------------------------------------
Sensor-Name Radio Mode S
--------------------------------------------------------------------------------
VSD: office
office_ap1 1 wips R
office_ap2 2 hyb-l R
office_ap3 2 hyb-m R
VSD: lab
lab_ap1 1 hyb-h R
lab_ap2 1 hyb-l I
Table 19 Command output
Field | Description |
---|---|
Total Number of Sensors | Total number of configured sensors. |
Sensor-Name | Name of the AP that is configured as a sensor. |
Radio | ID of the radio that is configured as a sensor. |
Mode | WIPS operation mode. · wips—Monitor mode. · hyb-l—Access first hybrid mode, short scanning duration. · hyb-m—Balanced hybrid mode, middle scanning duration. · hyb-h—Scanning first hybrid mode, long scanning duration. |
S | Running status of the sensor. · R—The AP has been connected to the AC and WIPS is running on the AP. · I—The AP is not connected to the AC or WIPS is not running due to limitation of licenses on the AP. |
VSD | Name of the virtual security domain to which the sensor belongs. |
display wlan ips signature
Use display wlan ips signature to display information about the specified or all signatures.
Syntax
display wlan ips signature { all | custom | signature-id id-value | signature-name name-string | standard } [ verbose ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
custom: Specifies all user-defined signatures.
all: Specifies all signatures.
signature-name name-string: Specifies a signature by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
signature-id id-value: Specifies a signature by its rule ID.
standard: Specifies all system-defined signatures.
verbose: Displays detailed signature information.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Usage guidelines
Sub-rule information is not displayed for a system-defined signature.
Examples
# Display information about all system-defined signatures.
[Sysname] display wlan ips signature standard
Total Number of Entries:11
Standard Signature Information
--------------------------------------------------------------------------------
ID SignatureName Type
--------------------------------------------------------------------------------
1 deauth_flood Standard
2 broadcast_deauth_flood Standard
3 disassoc_flood Standard
4 broadcast_disassoc_flood Standard
5 eapol_logoff_flood Standard
6 eap_success_flood Standard
7 eap_failure_flood Standard
8 pspoll_flood Standard
9 cts_flood Standard
10 rts_flood Standard
11 addba_req_flood Standard
--------------------------------------------------------------------------------
# Display information about all user-defined signatures.
[sysname] display wlan ips signature custom
Total Number of Entries:1
Custom Signature Information
--------------------------------------------------------------------------------
ID SignatureName Type
--------------------------------------------------------------------------------
40 office Custom
--------------------------------------------------------------------------------
# Display information about all signatures.
[Sysname] display wlan ips signature all
Total Number of Entries: 12
Signature Information
--------------------------------------------------------------------------------
ID SignatureName Type
--------------------------------------------------------------------------------
1 deauth_flood Standard
2 broadcast_deauth_flood Standard
3 disassoc_flood Standard
4 broadcast_disassoc_flood Standard
5 eapol_logoff_flood Standard
6 eap_success_flood Standard
7 eap_failure_flood Standard
8 pspoll_flood Standard
9 cts_flood Standard
10 rts_flood Standard
11 addba_req_flood Standard
40 office Custom
--------------------------------------------------------------------------------
Table 20 Command output
Field | Description |
---|---|
ID | Signature ID. 1 to 32 represent system-defined signatures, and 33 to 64 represent user-defined signatures. |
SignatureName | Signature name. |
Type | Signature type. · Standard—System-defined signature. · Custom—User-defined signature. |
# Display detailed information about the signature cts_flood.
[sysname] display wlan ips signature signature-name cts_flood verbose
Standard Signature Information
--------------------------------------------------------------------------------
Signature Name : cts_flood
Signature ID : 9
Signature Type : Standard
Track Method : per-signature
Detect Threshold :
per-signature : 5000 pkts/period
per-mac : -NA-
Detect Period : 5 s
Action : report
Event Level : 2
Quiet Time : 900 s
Applied on Signature Policy
Signature Policy 1 : office
Precedence :1
---------------------------------------------------------------------------
# Display detailed information about the signature with the ID 40.
[sysname] display wlan ips signature signature-id 40 verbose
Custom Signature Information
--------------------------------------------------------------------------------
Signature Name : office
Signature ID : 40
Signature Type : Custom
Track Method : per-signature and per-mac
Detect Threshold :
per-signature : 1000 pkts/period
per-mac : 1000 pkts/period
Detect Period : 60 s
Action : none
Event Level : -NA-
Quiet Time : 900 s
Sub Rule : 7
Match : Any
Frame Type : management
Frame Subtype : association-request
MAC :
Source Mac : ffff-ffff-ffff
Dest Mac : -NA-
Bssid : -NA-
Seq Number : > 100
SSID Length : 15 - 20
SSID : not include "H3C"
SSID Match Case : exact
Pattern : 2
Pattern Name Offset Mask Match FromPayload
pattern1 8 0xabcd > 0x9 Yes
pattern2 8 0xffff 0x15 - 0x20 No
Applied on Signature Policy : -NA-
---------------------------------------------------------------------------
Table 21 Command output
Field | Description |
---|---|
Signature Name | Signature name. |
Signature ID | Signature ID. 1 to 32 represent system-defined signatures, and 33 to 64 represent user-defined signatures. |
Signature Type | Signature type. · Standard—System-defined signature. · Custom—User-defined signature. |
Track Method | Tracking method for the signature. · per-mac. · per-signature. · both: Uses both methods. |
Detect Threshold | Maximum matching times for the signature. · per-mac—Maximum matching times for a signature when the track-method in the signature is configured as per-mac. The value is in the range of 1 to 32000 times. By default, the maximum matching times for a user-defined signature is 1000 and that for a system-defined signature depends on the specific system-defined signature. · per-signature—Maximum matching times for a signature when the track-method in the signature is configured as per-signature. The value is in the range of 1 to 32000 times. By default, the maximum matching times for a user-defined signature is 1000 and that for a system-defined signature depends on the specific system-defined signature. |
Detect Period | Statistics collection period for a signature in the range of 1 to 3600 seconds. By default, the statistics collection period for a user-defined signature is 60 seconds and that for a system-defined signature depends on the specific system-defined signature. |
Action | Action that WIPS takes when the number of matching times for a signature reaches the configured threshold within the statistics collection period. · Report—WIPS generates corresponding signature alarms when the number of matching times for a signature reaches the threshold within the specified statistics collection period. · None—WIPS does not take any action when the number of matching times for a signature reaches the threshold within the specified statistics collection period. |
Event Level | Alarm level for a signature in the range of 0 to 7. A smaller value represents a higher alarm level. |
Quiet Time | Quiet time for a signature in the range of 60 to 32000, in seconds. By default, the quiet time for a user-defined signature is 900 seconds and that for a system-defined signature depends on the specific system-defined signature. |
Sub Rule | Number of subsignatures. |
Match | Match rule. · Any. · All. |
Frame Type | Frame type. · data—Data frames. · management—Management frames. · control—Control frames. |
Frame Subtype | Subtype of a management frame. · Association Request. · Association Response. · Authentication. · Beacon. · Deauthentication. · Disassociation. · Probe Request. |
MAC | Matches MAC addresses of a specified type. · Source Mac. · Dest Mac. · Bssid. |
Seq Number | Packet sequence number. |
SSID Length | SSID length. |
SSID | Match mode for the SSID. · Include—Includes the configured character string. · not Include—Does not include the configured character string. · equal—Equal to the configured character string. · not equal—Not equal to the configured character string. |
SSID Match Case | Whether case is considered when the SSID is matched: · ignore—Case insensitive. · exact—Case sensitive. |
SSID Length | SSID length. · number1 – number2: The value range is number1 (inclusive) to number2 (inclusive). · =: Equal to the configured length. · >: Greater than the configured length. · <: Smaller than the configured length. |
Seq Number | Sequence number of wireless packets. |
Pattern | Pattern match mode. · Offset—Matches frames from the specified starting bit in the range of 0 to 2346. · Mask—Matches frames with a specified mask. · Match—Match mode. · From Payload—Matches frames starting from the frame body. |
Applied on Signature Policy | Signature policy list. |
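An added example (not H3C code) of how the Detect Threshold, Detect Period, Quiet Time, Track Method and Action fields in Table 21 interact, using the values from the cts_flood and office outputs above. It assumes fixed back-to-back collection periods and that quiet time suppresses repeat alarms per tracked key; the page specifies neither, and all class and function names are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Signature:
    name: str
    detect_period: int              # seconds (Detect Period)
    quiet_time: int                 # seconds (Quiet Time)
    per_signature: Optional[int]    # pkts/period, None when shown as -NA-
    per_mac: Optional[int]          # pkts/period, None when shown as -NA-
    action: str = "report"          # "report" or "none"


# Values copied from the two verbose outputs above.
CTS_FLOOD = Signature("cts_flood", 5, 900, per_signature=5000, per_mac=None)
OFFICE = Signature("office", 60, 900, per_signature=1000, per_mac=1000, action="none")


class Tracker:
    """Counts matching frames per detect period; applies threshold and quiet time.

    Assumptions (not stated on the page): periods are fixed, back-to-back
    windows, and quiet time suppresses repeat alarms for the same tracked key.
    """

    def __init__(self, sig):
        self.sig = sig
        self.window = None
        self.total = 0
        self.by_mac = defaultdict(int)
        self.quiet_until = {}

    def observe(self, ts, src_mac):
        """Feed one frame that matched the signature; return the alarms it raises."""
        window = int(ts // self.sig.detect_period)
        if window != self.window:               # new period: counters restart
            self.window, self.total = window, 0
            self.by_mac.clear()
        self.total += 1
        self.by_mac[src_mac] += 1
        if self.sig.action != "report":         # Action "none": count, never alarm
            return []
        alarms = []
        for method, key, count, limit in (
            ("per-signature", None, self.total, self.sig.per_signature),
            ("per-mac", src_mac, self.by_mac[src_mac], self.sig.per_mac),
        ):
            if limit is None or count < limit:
                continue
            if ts < self.quiet_until.get((method, key), float("-inf")):
                continue                        # still inside quiet time
            self.quiet_until[(method, key)] = ts + self.sig.quiet_time
            alarms.append((method, key, ts))
        return alarms


def replay(sig, frames):
    """Run (timestamp, source MAC) pairs through a fresh tracker; collect alarms."""
    tracker = Tracker(sig)
    return [alarm for ts, mac in frames for alarm in tracker.observe(ts, mac)]


def burst(start, count, mac, spacing=0.0005):
    """Constructed traffic: `count` matching frames from `mac`, evenly spaced."""
    return [(start + i * spacing, mac) for i in range(count)]
```

Under the fixed-window assumption, a burst that straddles a period boundary can stay below the threshold in both periods, so confirm the device's behaviour before relying on a short Detect Period.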
display wlan ips signature-policy
Use display wlan ips signature-policy to display information about the specified or all signature policies.
Syntax
display wlan ips signature-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
policy-name: Specifies a signature policy by its name.
all: Specifies all signature policies.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display information about the signature policy office.
[sysname] display wlan ips signature-policy policy default
Signature Policy Information
--------------------------------------------------------------------------------
Signature Policy Name : default
Applied on VSD :
VSD 0 : default
Include Signature Num : 11
ID SignatureName Type Precedence
36 test Custom 60
10 rts_flood Standard 20
1 deauth_flood Standard 1
2 broadcast_deauth_flood Standard 1
3 disassoc_flood Standard 1
4 broadcast_disassoc_flood Standard 1
5 eapol_logoff_flood Standard 1
6 eap_success_flood Standard 1
7 eap_failure_flood Standard 1
8 pspoll_flood Standard 1
9 cts_flood Standard 1
--------------------------------------------------------------------------------
Table 22 Command output
Field | Description |
---|---|
Signature Policy Name | Signature policy name. |
VSD | Virtual security domain. |
Include Signature Num | Number of signatures. |
ID | Signature ID. 1 to 32 represent system-defined signatures, and 33 to 64 represent user-defined signatures. |
Signature Name | Name of the signature bound to the signature policy. |
Type | Signature type. · Standard—System-defined signature. · Custom—User-defined signature. |
Precedence | Signature precedence in the range of 1 to 64. A greater value represents a higher precedence. |
display wlan ips static-trustoui
Use display wlan ips static-trustoui to display information about the specified OUI or all OUIs in the static trusted OUI list.
Syntax
display wlan ips static-trustoui [ oui-info | vendor ]
Default
Information about all OUIs and vendors in the static trusted OUI list is displayed.
Views
Any view
Default command level
2: System level
Parameters
oui-info: Specifies an OUI, a case-insensitive string of hexadecimal characters in the format XXXXXX.
vendor: Specifies all vendors in the static trusted OUI list.
Examples
# Display information about OUI 58-66-BA in the static trusted OUI list.
[Sysname] display wlan ips static-trustoui 5866ba
Trust OUI List
---------------------------------------------------------------------------
OUI Vendor
---------------------------------------------------------------------------
58-66-ba New H3C Technologies Co., Limited
---------------------------------------------------------------------------
# Display information about all vendors in the static trusted OUI list.
[Sysname]display wlan ips static-trustoui vendor
Total Number of Entries: 1
Trust OUI Vendor List
---------------------------------------------------------------------------
Vendor
---------------------------------------------------------------------------
h3c
---------------------------------------------------------------------------
# Display information about all entries in the static trusted OUI list.
[Sysname] display wlan ips static-trustoui
Trust OUI List
Total Number of Entries: 5
--------------------------------------------------------------------------------
OUI Vendor
--------------------------------------------------------------------------------
00-00-09 XEROX CORPORATION
58-66-ba New H3C Technologies Co., Limited
80-f6-2e New H3C Technologies Co., Limited
c4-ca-d9 New H3C Technologies Co., Limited
ff-ff-ff -NA-
--------------------------------------------------------------------------------
Vendor: 1
h3c
--------------------------------------------------------------------------------
Table 23 Command output
Field | Description |
---|---|
Total Number of Entries | Total number of entries in the current static trusted OUI list. |
Vendor | Device vendor. If the OUI corresponding to the vendor is not in the OUI library of WIPS, the field displays -NA-. |
display wlan ips statistics
Use display wlan ips statistics to display frame statistics about a device or channel.
Syntax
display wlan ips statistics { sensor sensor-name } { device [ mac-address mac-address ] | channel [ channel-num ] } { total | recent } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
sensor sensor-name: Specifies a sensor by its name.
device: Displays frame statistics by wireless device.
mac-address mac-address: Specifies a MAC address.
channel: Displays frame statistics about a channel. If you do not specify the channel-num argument, frame statistics about all channels are displayed.
total: Displays all frame statistics.
recent: Displays frame statistics within the last statistics collection period.
Examples
# Display total frame statistics about the wireless device with the MAC address 00fc-4a38-4fc5 detected by sensor office_ap1.
[Sysname] display wlan ips statistics sensor office_ap1 device mac-address 00fc-4a38-4fc5 total
Sensor: office_ap1
WIPS Device Total Statistics
--------------------------------------------------------------------------------
Device: 00fc-4a38-4fc5 Channel:149
Transmitted Frames Statistics:
Total (Frames/Bytes) : 646/158163
Unicast (Frames/Bytes) : 118/26578
Broadcast/Multicast (Frames/Bytes) : 528/131585
Management : 610 Control : 0
Data : 36 Fragment : 0
Retry : 35 Beacon : 514
Probe Req : 0 Authentication : 0
Probe Resp : 96 Unicast Deauth : 0
Assoc req : 0 Broadcast Deauth : 0
Assoc Resp : 0 Unicast Disassoc : 0
RTS : 0 Broadcast Disassoc : 0
EAPOL Start : 0 EAP Success : 0
EAPOL Logoff : 0 EAP Failure : 0
Abnormal : 0
--------------------------------------------------------------------------------
Received Frames Statistics:
Total (Frames/Bytes) : 12/1862
Unicast (Frames/Bytes) : 12/1862
Management : 0 Control : 0
Data : 12 Fragment : 0
Retry : 8 Authentication : 0
Probe req : 0 Probe resp : 0
Assoc req : 0 Assoc resp : 0
Disassoc : 0 Deauth : 0
RTS : 0 CTS : 0
EAPOL start : 0 EAP success : 0
EAPOL logoff : 0 EAP Failure : 0
Abnormal : 0
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Device: 00fc-4a38-4fc5 Channel:153
Transmitted Frames Statistics:
Total (Frames/Bytes) : 1/106
Unicast (Frames/Bytes) : 1/106
Broadcast/Multicast (Frames/Bytes) : 0/0
Management : 0 Control : 0
Data : 1 Fragment : 0
Retry : 1 Beacon : 0
Probe Req : 0 Authentication : 0
Probe Resp : 0 Unicast Deauth : 0
Assoc req : 0 Broadcast Deauth : 0
Assoc Resp : 0 Unicast Disassoc : 0
RTS : 0 Broadcast Disassoc : 0
EAPOL Start : 0 EAP Success : 0
EAPOL Logoff : 0 EAP Failure : 0
Abnormal : 0
--------------------------------------------------------------------------------
Received Frames Statistics:
Total (Frames/Bytes) : 21/2875
Unicast (Frames/Bytes) : 21/2875
Management : 0 Control : 1
Data : 20 Fragment : 0
Retry : 12 Authentication : 0
Probe req : 0 Probe resp : 0
Assoc req : 0 Assoc resp : 0
Disassoc : 0 Deauth : 0
RTS : 0 CTS : 0
EAPOL start : 0 EAP success : 0
EAPOL logoff : 0 EAP Failure : 0
Abnormal : 0
--------------------------------------------------------------------------------
# Display frame statistics about channel 149 detected by sensor ap3 within the last statistics collection period.
[Sysname] display wlan ips statistics sensor ap3 channel 149 recent
Sensor: ap3
WIPS Channel Recent Statistics
--------------------------------------------------------------------------------
Channel: 149
Total (Frames/Bytes) : 293/49008
Unicast (Frames/Bytes) : 114/11866
Broadcast/Multicast (Frames/Bytes) : 179/37142
Management : 185 Control : 0
Data : 108 Abnormal : 0
Fragment : 0 Retry : 56
Beacon : 115 RTS : 0
CTS : 0 Authentication : 0
Probe Resp : 19 Unicast Disassoc : 0
Probe Req : 51 Broadcast Disassoc : 0
Assoc Resp : 0 Unicast Deauth : 0
Assoc req : 0 Broadcast Deauth : 0
EAPOL Start : 0 EAP Success : 0
EAPOL Logoff : 0 EAP Failure : 0
--------------------------------------------------------------------------------
Table 24 Command output
Field | Description |
---|---|
Sensor | Name of the sensor. |
Device | MAC address of the wireless device. |
Channel | Channel number. |
Total (Frames/Bytes) | Total number of frames/bytes. |
Unicast (Frames/Bytes) | Total number of unicast frames/bytes. |
Broadcast/Multicast (Frames/Bytes) | Total number of broadcast/multicast frames/bytes. |
Management | Total number of management frames. |
Control | Total number of control frames. |
Data | Total number of data frames. |
Fragment | Total number of fragments. |
Retry | Total number of retransmission frames. |
Beacon | Total number of Beacon frames. |
Probe Req | Total number of probe requests. |
Authentication | Total number of authentication frames. |
Probe Resp | Total number of probe responses. |
Unicast Deauth | Total number of unicast deauthentication frames. |
Assoc Req | Total number of association requests. |
Broadcast Deauth | Total number of broadcast deauthentication frames. |
Assoc Resp | Total number of association responses. |
Unicast Disassoc | Total number of unicast disassociation frames. |
RTS | Total number of RTS frames. |
Broadcast Disassoc | Total number of broadcast disassociation frames. |
Disassoc | Total number of disassociation frames. |
Deauth | Total number of deauthentication frames. |
CTS | Total number of CTS frames. |
EAPOL Start | Total number of EAPOL Start packets. |
EAP Success | Total number of EAP Success packets. |
EAPOL Logoff | Total number of EAPOL Logoff packets. |
EAP Failure | Total number of EAP Failure packets. |
Abnormal | Total number of abnormal packets. |
display wlan ips statistics sensor
Use display wlan ips statistics sensor to display the malformed packet statistics about a specified sensor.
Syntax
display wlan ips statistics sensor sensor-name malformed-counter
Views
Any view
Default command level
2: System level
Parameters
sensor-name: Specifies a sensor by its name, a case-insensitive string of 1 to 64 characters.
Examples
# Display the malformed packet statistics about sensor 1.
[Sysname] display wlan ips statistics sensor sensor1 malformed-counter
Sensor name: sensor1
In the VSD: VSD1
Malformation-Specify Count
------------------------------------------------------------------------
invalid-ie-length : 15564
duplicated-ie : 44
redundant-ie : 899
invalid-pkt-length : 870
illegal-ibss-ess : 0
invalid-source-address : 0
overflow-eapol-key : 0
malformed-auth : 12
malformed-assoc-req : 15
malformed-ht-ie : 0
large-duration : 0
null-probe-resp : 0
invalid-deauth-code : 0
invalid-disassoc-code : 0
overflow-ssid : 1450
fata-jack : 1866
------------------------------------------------------------------------
Table 25 Command output
Field | Description |
---|---|
Sensor name | Name of the sensor. |
In the VSD | Virtual security domain using the malformed packet detection policy. |
Malformation-Specify | Type of the malformed packet detection policy: invalid-ie-length, duplicated-ie, redundant-ie, invalid-pkt-length, illegal-ibss-ess, invalid-source-address, overflow-eapol-key, malformed-auth, malformed-assoc-req, malformed-ht-ie, large-duration, null-probe-resp, invalid-deauth-code, invalid-disassoc-code, overflow-ssid, or fata-jack. |
Count | Count of malformed packets of all types. |
display wlan ips summary
Use display wlan ips summary to display the WIPS status of the current system or the specified virtual security domain.
Syntax
display wlan ips summary [ vsd vsd-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
vsd vsd-name: Specifies a virtual security domain by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display the current WIPS status of the system.
[Sysname] display wlan ips summary
WIPS is enabled
WIPS's Running Time: 0 Days, 4 Hours, 9 Minutes
Max Sensor Number : 128
Used Sensor Number : 1
Blocklist-Action Block : Enable
Block-list Entry Number : 2
Trust-list Entry Number : 2
Hotspot-list Entry Number : 4
Countermeasure-list Entry Number: 3
Ignore-list Entry Number : 1
Trust OUI Entry Number : 5
Trust Vendor-OUI Entry Number : 2
Ados State : Disable
Total Number of Signatures : 11
Standard Signature : 10
Custom Signature : 1
Timer:
Inactivity Timer of AP : 300s
Inactivity Timer of Client : 600s
Aging Timer of AP and Client : 86400s
Statistic Period : 103s
Reclassification Period : 800s
Dynamic Trustlist Aging Period: 300s
Update Timer of Device : 20s
Total Number of Events: 214
Level-0: 0 Level-1: 4 Level-2: 14 Level-3: 0
Level-4: 70 Level-5: 126 Level-6: 0 Level-7: 0
--------------------------------------------------------------------------------
Virtual Security Domain Name : default
Configured Sensor Number : 1
Running Sensor Number : 0
Detection Information:
Detected Network Number : 0
AP: 0
Authorized : 0
Mis-Configured : 0
Rogue : 0
External : 0
Ad-hoc : 0
Potential-Authorized : 0
Potential-Rogue : 0
Potential-External : 0
Uncategorized : 0
STA: 0
Authorized : 0
Rogue : 0
Mis-Association : 0
Uncategorized : 0
Unassociated : 0
Total Number of Events: 39
--------------------------------------------------------------------------------
Virtual Security Domain Name : vsd_lab
Configured Sensor Number : 2
Running Sensor Number : 1
Detection Information:
Detected Network Number : 25
AP: 33
Authorized : 0
Mis-Configured : 0
Rogue : 2
External : 2
Ad-hoc : 0
Potential-Authorized : 0
Potential-Rogue : 0
Potential-External : 29
Uncategorized : 0
STA: 1
Authorized : 0
Rogue : 0
Mis-Association : 0
Uncategorized : 1
Unassociated : 0
Total Number of Events: 60
--------------------------------------------------------------------------------
Virtual Security Domain Name : vsd_office
Configured Sensor Number : 0
Running Sensor Number : 0
Detection Information:
Detected Network Number : 0
AP: 0
Authorized : 0
Mis-Configured : 0
Rogue : 0
External : 0
Ad-hoc : 0
Potential-Authorized : 0
Potential-Rogue : 0
Potential-External : 0
Uncategorized : 0
STA: 0
Authorized : 0
Rogue : 0
Mis-Association : 0
Uncategorized : 0
Unassociated : 0
Total Number of Events: 0
--------------------------------------------------------------------------------
Table 26 Command output
Field | Description |
---|---|
Max Sensor Number | Maximum number of supported sensors. The value depends on the number of licenses installed on the device. |
Used Sensor Number | Number of sensors in use. |
Blocklist-Action Block | Whether devices in the prohibited device list are blocked from accessing the WLAN: Enable or Disable. |
Block-list Entry Number | Number of entries in the prohibited device list. |
Trust-list Entry Number | Number of entries in the permitted device list. |
Countermeasure-list Entry Number | Number of entries in the countermeasures list. |
Ignore-list Entry Number | Number of entries in the alarm-ignored device list. |
Ados State | ADoS status: Enabled or Disabled. |
Total Number of Signatures | Number of signatures. |
Standard Signature | Number of system-defined signatures. |
Custom Signature | Number of user-defined signatures. |
Timer | Global timer. |
Inactivity Timer of AP | Maximum idle time for an AP. |
Inactivity Timer of Client | Maximum idle time for a client. |
Aging Timer of AP and Client | Aging time for inactive APs or clients. |
Statistic Period | Packet statistics collection period. |
Reclassification Period | Time for WIPS to reclassify wireless devices. |
Total Number of Events | Total number of alarm events in the system or in the specified virtual security domain. |
Level-0 | Number of level 0 alarm events. |
Level-1 | Number of level 1 alarm events. |
Level-2 | Number of level 2 alarm events. |
Level-3 | Number of level 3 alarm events. |
Level-4 | Number of level 4 alarm events. |
Level-5 | Number of level 5 alarm events. |
Level-6 | Number of level 6 alarm events. |
Level-7 | Number of level 7 alarm events. |
Virtual Security Domain Name | Name of the virtual security domain. |
Configured Sensor Number | Number of sensors configured for the virtual security domain. |
Running Sensor Number | Number of sensors running in the virtual security domain. |
Detected Network Number | Number of wireless services detected in the virtual security domain. |
AP | Number of APs detected in the virtual security domain. |
Authorized | Number of authorized APs detected in the virtual security domain. |
Mis-Configured | Number of misconfigured APs detected in the virtual security domain. |
Rogue | Number of rogue APs detected in the virtual security domain. |
External | Number of external APs detected in the virtual security domain. |
Ad-hoc | Number of ad hoc connections detected in the virtual security domain. |
Potential-Authorized | Number of potential-authorized APs detected in the virtual security domain. |
Potential-Rogue | Number of potential-rogue APs detected in the virtual security domain. |
Potential-External | Number of potential-external APs detected in the virtual security domain. |
Uncategorized | Number of uncategorized APs detected in the virtual security domain. |
STA | Number of clients detected in the virtual security domain. |
Authorized | Number of authorized clients detected in the virtual security domain. |
Rogue | Number of rogue APs. |
Mis-Association | Number of misassociated clients. |
Uncategorized | Number of uncategorized APs or clients. |
Unassociated | Number of unassociated clients. |
Total Number of Events | Total number of alarm events. |
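The summary output above can be checked mechanically for monitoring gaps. The following Python sketch is an added example, not part of the H3C documentation: it parses the per-domain blocks of display wlan ips summary and reports domains whose sensors are not all running or that contain rogue or uncategorized devices. The function names and the choice of what counts as a finding are assumptions of this example.

```python
import re

FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")

# Constructed sample: the example output above, abridged to the fields used here.
SAMPLE = """\
WIPS is enabled
Used Sensor Number : 1
Total Number of Events: 214
--------------------------------------------------------------------------------
Virtual Security Domain Name : default
Configured Sensor Number : 1
Running Sensor Number : 0
Detection Information:
Detected Network Number : 0
AP: 0
Rogue : 0
STA: 0
Rogue : 0
Uncategorized : 0
Total Number of Events: 39
--------------------------------------------------------------------------------
Virtual Security Domain Name : vsd_lab
Configured Sensor Number : 2
Running Sensor Number : 1
Detection Information:
Detected Network Number : 25
AP: 33
Rogue : 2
External : 2
Potential-External : 29
Uncategorized : 0
STA: 1
Rogue : 0
Uncategorized : 1
Total Number of Events: 60
--------------------------------------------------------------------------------
Virtual Security Domain Name : vsd_office
Configured Sensor Number : 0
Running Sensor Number : 0
Detection Information:
AP: 0
STA: 0
Total Number of Events: 0
--------------------------------------------------------------------------------
"""


def parse_summary(text):
    """Return {vsd: {"fields": {...}, "ap": {...}, "sta": {...}}} with int values."""
    vsds, current, section = {}, None, "fields"
    for raw in text.splitlines():
        m = FIELD.match(raw.strip())
        if not m:
            continue  # separators and lines such as "WIPS is enabled"
        key, value = m.groups()
        if key == "Virtual Security Domain Name":
            current = vsds[value] = {"fields": {}, "ap": {}, "sta": {}}
            section = "fields"
        elif current is None or not value.isdigit():
            continue  # global header, or a label such as "Detection Information:"
        elif key in ("AP", "STA"):
            # "Authorized", "Rogue" and "Uncategorized" repeat under both headings,
            # so remember which heading the following counters belong to.
            section = key.lower()
            current[section]["Total"] = int(value)
        elif key == "Total Number of Events":
            section = "fields"
            current["fields"][key] = int(value)
        else:
            current[section][key] = int(value)
    return vsds


def findings(vsds):
    """Return (vsd, message) pairs; what counts as a finding is this example's choice."""
    out = []
    for name, v in vsds.items():
        configured = v["fields"].get("Configured Sensor Number", 0)
        running = v["fields"].get("Running Sensor Number", 0)
        if configured == 0:
            out.append((name, "no sensor configured"))
        elif running < configured:
            out.append((name, f"{running} of {configured} sensors running"))
        for section, label in (("ap", "AP"), ("sta", "client")):
            rogue = v[section].get("Rogue", 0)
            if rogue:
                out.append((name, f"{rogue} rogue {label}(s)"))
        uncategorized = (v["ap"].get("Uncategorized", 0)
                         + v["sta"].get("Uncategorized", 0))
        if uncategorized:
            out.append((name, f"{uncategorized} uncategorized device(s)"))
    return out


if __name__ == "__main__":
    for vsd, message in findings(parse_summary(SAMPLE)):
        print(f"{vsd}: {message}")
```
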
display wlan ips trustlist
Use display wlan ips trustlist to display information about the specified or all entries in the permitted device list.
Syntax
display wlan ips trustlist [ static | dynamic | mac-address mac-addr ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
static: Specifies manually-configured entries in the permitted device list.
dynamic: Specifies dynamically added entries in the permitted device list.
mac-address mac-addr: Specifies a MAC address in the permitted device list.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all entries in the permitted device list.
[sysname] display wlan ips trustlist
Total Number of Entries: 2
Trust List
-----------------------------------------------------------
MAC-Address Status
-----------------------------------------------------------
0001-0002-0003 S
0001-0002-0004 S&D
-----------------------------------------------------------
Table 27 Command output
Field | Description |
---|---|
Status | Status of the entries in the permitted device list: S (manually configured), D (dynamically generated), or S&D (manually configured and dynamically generated). |
display wlan ips vsd-policy
Use display wlan ips vsd-policy to display policy information for the specified or all virtual security domains.
Syntax
display wlan ips vsd-policy [ vsd vsd-name ] [ | { begin | exclude | include } regular-expression ]
Views
None
Default command level
2: System level
Parameters
vsd vsd-name: Specifies a virtual security domain by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
Examples
# Display policy information for all virtual security domains.
[sysname] display wlan ips vsd-policy
Virtual Security Domain Policy
---------------------------------------------------------------------------
VSD Name : office
Attack Detect Policy : policy1
Signature Policy : default
AP Classification Rules:
Priority 15 : auth_ap
Priority 10 : invalid_ap
Priority 0 : default_rule
---------------------------------------------------------------------------
VSD Name : lab
Attack Detect Policy : policy2
Signature Policy : sigpolicy1
AP Classification Rules:
Priority 13 : invalid_ap
Priority 0 : default_rule
---------------------------------------------------------------------------
Table 28 Command output
Field | Description |
---|---|
VSD Name | Name of the virtual security domain. |
Attack Detect Policy | Name of the attack detection policy applied in the virtual security domain. |
Signature Policy | Name of the signature policy applied in the virtual security domain. |
Countermeasure Policy | Name of the countermeasures policy applied in the virtual security domain. |
AP Classification Rules | All AP classification rules applied in the virtual security domain, displayed by precedence in descending order. |
Priority n | Name of the AP classification rule, where n represents the precedence of the rule. |
export wips-cfg-file oui
Use export wips-cfg-file oui to export OUI information in the OUI library of WIPS to the specified configuration file.
Syntax
export wips-cfg-file oui filename
Default
OUI information in the OUI library of WIPS is not exported.
Views
WIPS view
Default command level
2: System level
Parameters
filename: Specifies a configuration file by its name, a case-insensitive string of 1 to 32 characters. It cannot contain the following special characters: backslash (\), slash (/), colon (:), asterisk (*), question mark (?), quotation mark ("), left angle bracket (<), right angle bracket (>), and vertical bar (|).
Usage guidelines
Export OUI information in the following format:
000FE2 (base 16) New H3C Technologies Co., Ltd.
You cannot export OUI information to multiple configuration files at the same time.
Examples
# Export OUI information in the OUI library to configuration file OUIInfo.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] export wips-cfg-file oui OUIInfo
hotspot
Use hotspot to add the specified hotspot to the hotspot list of WIPS.
Use undo hotspot to remove the specified or all hotspots from the hotspot list of WIPS.
Syntax
hotspot ssid-name
undo hotspot [ ssid-name ]
Default
No hotspot list is configured.
Views
WIPS view
Default command level
2: System level
Parameters
ssid-name: Specifies a hotspot by its SSID, a case-sensitive string of 1 to 32 characters that can contain letters, numbers, underlines, and spaces.
Examples
# Add hotspot kfc to the hotspot list of WIPS.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] hotspot kfc
ignorelist
Use ignorelist to add the MAC address of a wireless device to the alarm-ignored device list.
Use undo ignorelist to remove the MAC address of the specified or all wireless devices in the alarm-ignored device list.
Syntax
ignorelist mac-address
undo ignorelist { mac-address | all }
Default
No alarm-ignored device list exists.
Views
WIPS view
Default command level
2: System level
Parameters
mac-address: Specifies the MAC address of the wireless device to be added to or removed from the alarm-ignored device list.
all: Removes all entries in the alarm-ignored device list.
Usage guidelines
For wireless devices in the list, WIPS only monitors them and does not generate any alarms for their actions.
Examples
# Add a wireless device with the MAC address 000f-e45d-fa00 to the alarm-ignored device list.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] ignorelist 000f-e45d-fa00
import wips-cfg-file oui
Use import wips-cfg-file oui to import OUI information from a specific configuration file to the OUI library of WIPS.
Syntax
import wips-cfg-file oui [ filename ]
Default
WIPS automatically imports OUI information to the OUI library.
Views
WIPS view
Default command level
2: System level
Parameters
filename: Specifies a configuration file by its name, a case-insensitive string of 1 to 32 characters. It cannot contain the following special characters: backslash (\), slash (/), colon (:), asterisk (*), question mark (?), quotation mark ("), left angle bracket (<), right angle bracket (>), and vertical bar (|).
Usage guidelines
Download the specified configuration file from the H3C website. Its entries use the following format:
38-22-D6 (hex) H3C Technologies Co., Limited
3822D6 (base 16) H3C Technologies Co., Limited
00-00-00 (hex) XEROX CORPORATION
000000 (base 16) XEROX CORPORATION
M/S 105-50C
800 PHILLIPS ROAD
WEBSTER NY 14580
UNITED STATES
If multiple imported OUI configuration files contain information about the same OUI, the new OUI information overwrites the old OUI information.
Only one OUI configuration file can be imported at a time.
Examples
# Import OUI information from configuration file oui.txt to the OUI library of WIPS.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] import wips-cfg-file oui oui.txt
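Because a later import overwrites existing entries for the same OUI, it is worth previewing what a file would add or change before importing it. The following Python sketch is an added example, not H3C code: it parses the "(base 16)" lines of the format shown above, merges files in import order, and previews the effect of an import. All function names are this example's own, the second file is constructed, and MAC addresses are accepted in the H-H-H notation of this reference, including the form with omitted leading 0s that the manual-classify ap command describes.

```python
import re

# One "(base 16)" line per OUI; "(hex)" lines and address lines are ignored.
BASE16 = re.compile(r"^\s*([0-9A-Fa-f]{6})\s+\(base 16\)\s+(.+?)\s*$")
FORBIDDEN = set('\\/:*?"<>|')  # characters the filename argument rejects

# Sample in the format shown in the usage guidelines above.
FILE_A = """\
38-22-D6 (hex) H3C Technologies Co., Limited
3822D6 (base 16) H3C Technologies Co., Limited
00-00-00 (hex) XEROX CORPORATION
000000 (base 16) XEROX CORPORATION
M/S 105-50C
800 PHILLIPS ROAD
WEBSTER NY 14580
UNITED STATES
"""

# Constructed second file: re-declares 3822D6 and adds the line shown for export.
FILE_B = """\
3822D6 (base 16) Example Vendor (constructed)
000FE2 (base 16) New H3C Technologies Co., Ltd.
"""


def valid_cfg_filename(name):
    """Check the filename rules: 1 to 32 characters, none of the forbidden ones."""
    return 1 <= len(name) <= 32 and not (set(name) & FORBIDDEN)


def parse_oui_text(text):
    """Return {OUI (6 upper-case hex digits): vendor} for one file."""
    entries = {}
    for line in text.splitlines():
        m = BASE16.match(line)
        if m:
            entries[m.group(1).upper()] = m.group(2)
    return entries


def merge_imports(*texts):
    """Apply files in import order; newer information overwrites older."""
    library = {}
    for text in texts:
        library.update(parse_oui_text(text))
    return library


def import_diff(library, text):
    """Preview an import: (new OUIs, OUIs whose vendor string would change)."""
    incoming = parse_oui_text(text)
    added = sorted(o for o in incoming if o not in library)
    changed = sorted(o for o in incoming
                     if o in library and library[o] != incoming[o])
    return added, changed


def expand_mac(mac):
    """Expand H-H-H notation with omitted leading 0s, e.g. f-e2-1."""
    groups = mac.split("-")
    if len(groups) != 3 or not all(
            re.fullmatch(r"[0-9A-Fa-f]{1,4}", g) for g in groups):
        raise ValueError(f"not an H-H-H MAC address: {mac!r}")
    return "-".join(g.lower().zfill(4) for g in groups)


def vendor_of(mac, library):
    """Look up the vendor for a MAC address, or None if the OUI is unknown."""
    return library.get(expand_mac(mac).replace("-", "")[:6].upper())


if __name__ == "__main__":
    current = parse_oui_text(FILE_A)
    print("import would add/change:", import_diff(current, FILE_B))
    print(vendor_of("000f-e200-0001", merge_imports(FILE_A, FILE_B)))
```
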
malformed-detect-policy (virtual security domain view)
Use malformed-detect-policy to configure a malformed packet detection policy for the virtual security domain.
Use undo malformed-detect-policy to restore the default.
Syntax
malformed-detect-policy policy-name
undo malformed-detect-policy
Default
The virtual security domain uses the malformed packet detection policy named default.
Views
Virtual security domain view
Default command level
2: System level
Parameters
policy-name: Specifies a malformed packet detection policy by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
Usage guidelines
You can configure only one malformed packet detection policy for the virtual security domain.
Examples
# Configure virtual security domain office to use the malformed packet detection policy all.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] virtual-security-domain office
[Sysname-wlan-ips-vsd-office] malformed-detect-policy all
malformed-detect-policy (WIPS view)
Use malformed-detect-policy to create a malformed packet detection policy and enter its view. If the malformed packet detection policy already exists, the command enters its view.
Use undo malformed-detect-policy to remove the specified malformed packet detection policy.
Syntax
malformed-detect-policy policy-name
undo malformed-detect-policy policy-name
Default
A malformed packet detection policy named default exists in the system.
Views
WIPS view
Default command level
2: System level
Parameters
policy-name: Specifies a malformed packet detection policy by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
Usage guidelines
You cannot create or delete the malformed packet detection policy named default.
Examples
# Create a malformed packet detection policy named all, and enter its view.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy all
manual-classify ap (virtual security domain view)
Use manual-classify ap to configure the WIPS device type for an AP with a specific MAC address in a virtual security domain.
Use undo manual-classify to remove the device type configuration for an AP with a specific MAC address in a virtual security domain.
Syntax
manual-classify ap { authorized-ap | external-ap | misconfigured-ap | rogue-ap } mac-address &<1-2>
undo manual-classify { mac-address &<1-2> | all }
Default
No WIPS device type is configured for an AP in a virtual security domain.
Views
Virtual security domain view
Default command level
2: System level
Parameters
authorized-ap: Specifies an authorized AP.
external-ap: Specifies an external AP.
misconfigured-ap: Specifies a misconfigured AP.
rogue-ap: Specifies a rogue AP.
mac-address&<1-2>: Specifies the MAC address of an AP, in the H-H-H format. When you specify this argument, you can omit the leading 0s in each segment of the MAC address. For example, f-e2-1 represents 000f-00e2-0001. &<1-2> indicates you can enter up to two MAC addresses.
all: Removes the WIPS device type configuration for all APs in the virtual security domain.
Usage guidelines
If you configure the WIPS device type for an AP with a specific MAC address in both WIPS view and virtual security domain view, the configuration in virtual security domain view takes effect.
Examples
# Configure the WIPS device type for the AP with the MAC address 000f-00e2-0001 in virtual security domain office as authorized-ap.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] virtual-security-domain office
[Sysname-wlan-ips-vsd-office] manual-classify ap authorized-ap f-e2-1
manual-classify ap (WIPS view)
Use manual-classify ap to configure the WIPS device type for an AP with a specific MAC address.
Use undo manual-classify to remove the device type configuration for an AP with a specific MAC address.
Syntax
manual-classify ap { authorized-ap | external-ap | misconfigured-ap | rogue-ap } mac-address &<1-2>
undo manual-classify { mac-address &<1-2> | all }
Default
No WIPS device type is configured for an AP.
Views
WIPS view
Default command level
2: System level
Parameters
authorized-ap: Specifies an authorized AP.
external-ap: Specifies an external AP.
misconfigured-ap: Specifies a misconfigured AP.
rogue-ap: Specifies a rogue AP.
mac-address&<1-2>: Specifies the MAC address of an AP, in the H-H-H format. When you specify this argument, you can omit the leading 0s in each segment of the MAC address. For example, f-e2-1 represents 000f-00e2-0001. &<1-2> indicates you can enter up to two MAC addresses.
all: Removes the WIPS device type configuration for all APs.
Usage guidelines
If you configure the WIPS device type for an AP with a specific MAC address in both WIPS view and virtual security domain view, the configuration in virtual security domain view takes effect.
Examples
# Configure the WIPS device type of the AP with the MAC address 000f-00e2-0001 as authorized-ap.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] manual-classify ap authorized-ap f-e2-1
match all (AP classification rule view)
Use match all to set the match criteria relationship for an AP classification rule. An AP is considered as matching the rule when it matches all match criteria of the rule.
Use undo match all to restore the default match criteria relationship.
Syntax
match all
undo match all
Default
An AP is considered as matching an AP classification rule as long as it matches any match criterion of the rule.
Views
AP classification rule view
Default command level
2: System level
Examples
# Set the match criteria relationship for the AP classification rule invalid_ap. An AP is considered as matching the rule when it matches all match criteria of the rule.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] ap-classification-rule invalid_ap
[Sysname-wlan-ips-class-invalid_ap] match all
match all (SIG view)
Use match all to set the match criteria relationship for a signature. A packet is considered as matching the rule when it matches all match criteria of the rule.
Use undo match all to restore the default match criteria relationship.
Syntax
match all
undo match all
Default
A packet is considered as matching a user-defined signature as long as it matches any match criterion of the rule. A packet is considered as matching a system-defined signature when it matches all match criteria of the rule.
Views
SIG view
Default command level
2: System level
Usage guidelines
To modify the match criteria relationship for a signature that has been bound to a signature policy, remove the binding first.
Examples
# Set the match criteria relationship for the user-defined signature office. A packet is considered as matching the rule when it matches all match criteria of the rule.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] signature office
[Sysname-wlan-ips-sig-office] match all
permit-channel
Use permit-channel to configure the list of permitted channels. Channels not in the list are considered as prohibited channels.
Use undo permit-channel to remove the configured permitted channels.
Syntax
permit-channel channel-list
undo permit-channel { channel-list | all }
Default
Channels supported by the current country code are permitted channels.
Views
WIPS view
Default command level
2: System level
Parameters
channel-list: Specifies a list of channels to be added to or removed from the permitted channel list, in the range of 1 to 224. You can configure a maximum of 10 permitted channels at a time.
all: Removes all permitted channels.
Usage guidelines
Use the permit-channel command in combination with the detect prohibited-channel command. The permit-channel command takes effect only when the detect prohibited-channel command is configured.
Examples
# Specify channels 1, 6, 11, 149, 153, and 157 as permitted channels.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] permit-channel 1 6 11 149 153 157
quiet-time (malformed packet detection policy view)
Use quiet-time to configure the quiet time after malformed packets of the same type and MAC address are detected and an alarm is generated.
Use undo quiet-time to restore the default.
Syntax
quiet-time time
undo quiet-time
Default
The quiet time is 600 seconds.
Views
Malformed packet detection policy view
Default command level
2: System level
Parameters
time: Specifies the quiet time after malformed packets of the same type and MAC address are detected and an alarm is generated. The value range is 5 to 604800 seconds.
Examples
# In the malformed packet detection policy all, configure the quiet time as 120 seconds.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] malformed-detect-policy all
[Sysname-wlan-ips-mdctp-all] quiet-time 120
quiet-time (SIG view)
Use quiet-time to configure the quiet time for a signature. A signature in quiet state is not matched.
Use undo quiet-time to restore the default.
Syntax
quiet-time time
undo quiet-time
Default
The quiet time for a user-defined signature is 900 seconds and that for a system-defined signature depends on the specific system-defined signature.
Views
SIG view
Default command level
2: System level
Parameters
time: Specifies the quiet time for a signature in the range of 60 to 32000, in seconds.
Usage guidelines
To modify the quiet time for a signature that has been bound to a signature policy, remove the binding first.
If you configure the quiet time for a signature multiple times, the most recent configuration overwrites the previous one.
A signature enters the quiet state only when the number of matches of the rule reaches the detect-threshold within the specified statistics collection time period.
Examples
# Configure the quiet time for the user-defined signature office as 600 seconds.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] signature office
[Sysname-wlan-ips-sig-office] quiet-time 600
reset wlan ips event
Use reset wlan ips event to delete the specified or all alarm events generated by the WIPS system.
Syntax
reset wlan ips event { all | causer-mac causer-mac | id event-id | level event-level | source-mac source-mac | type event-type }
Views
User view
Default command level
2: System level
Parameters
all: Deletes all events generated by the WIPS system.
causer-mac causer-mac: Specifies the MAC address of the wireless device that causes alarm events.
id event-id: Specifies an event ID in the range of 1 to 1200.
level event-level: Specifies the level for an alarm in the range of 0 to 7.
source-mac source-mac: Specifies the MAC address of the WIPS-enabled device that generates alarm events to be deleted.
type event-type: Specifies the type of an alarm.
Examples
# Delete the alarm event with the ID 10.
<Sysname> reset wlan ips event id 10
reset wlan ips statistics sensor
Use reset wlan ips statistics sensor to clear the malformed packet statistics about the specified sensor.
Syntax
reset wlan ips statistics sensor [ sensor-name ] malformed-counter
Views
User view
Default command level
2: System level
Parameters
sensor [ sensor-name ]: Specifies a sensor by its name, a case-insensitive string of 1 to 64 characters.
Examples
# Clear the malformed packet statistics about sensor 1.
<Sysname> reset wlan ips statistics sensor sensor1 malformed-counter
sensor
Use sensor to add a sensor to the current virtual security domain.
Use undo sensor to remove a sensor from the current virtual security domain.
Syntax
sensor ap-name-list
undo sensor ap-name-list
Default
All sensors are in the default virtual security domain.
Views
Virtual security domain view
Default command level
2: System level
Parameters
ap-name-list: Specifies a space-separated list of up to 10 items. Each item specifies an AP by its name or a range of names in the form of ap-name. The ap-name argument is a case-insensitive string of 1 to 64 characters.
Usage guidelines
If you execute the command multiple times, WIPS adds the specified AP into the virtual security domain until the upper limit is reached, regardless of whether the AP exists.
If the AP you specified is not a sensor, the command does not take effect.
If you do not specify the virtual security domain for an AP that has been configured as a sensor, the AP belongs to the default virtual security domain default.
Sensors in the default virtual security domain cannot be deleted.
Examples
# Add AP 1 and AP 2 to the virtual security domain office and AP 3 and AP 4 to the virtual security domain lab.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] virtual-security-domain office
[Sysname-wlan-ips-vsd-office] sensor ap1 ap2
[Sysname-wlan-ips-vsd-office] quit
[Sysname-wlan-ips] virtual-security-domain lab
[Sysname-wlan-ips-vsd-lab] sensor ap3 ap4
severity-level
Use severity-level to set a severity level for an AP that matches an AP classification rule.
Use undo severity-level to delete a severity level.
Syntax
severity-level level-value
undo severity-level
Default
No severity level is set for an AP that matches an AP classification rule.
Views
AP classification rule view
Default command level
2: System level
Parameters
level-value: Specifies the severity level for an AP that matches an AP classification rule. The value is in the range of 0 to 100. A greater value represents a higher severity level.
Usage guidelines
A severity level takes effect only when no AP type is specified for an AP classification rule. If an AP matches multiple AP classification rules, WIPS uses the sum of the severity levels as the severity level for the AP. The maximum value is 100, even if the sum exceeds 100.
Examples
# Create AP classification rule invalid_ap and set the severity level for the devices matching the rule to 40.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] ap-classification-rule invalid_ap
[Sysname-wlan-ips-class-invalid_ap] severity-level 40
signature
Use signature to create a signature and enter signature view. For an existing signature, this command enters the corresponding signature view.
Use undo signature to remove a signature.
Syntax
signature { rts_flood | cts_flood | pspoll_flood | eap_failure_flood | eap_success_flood | eapol_logoff_flood | broadcast_disassoc_flood | disassoc_flood | broadcast_deauth_flood | deauth_flood | addba_req_flood | signature-name } [ signature-id id-value ]
undo signature signature-name
Default
System-defined signatures exist.
Views
WIPS view
Default command level
2: System level
Parameters
rts_flood: System-defined signature, used to reconfigure the RTS flooding attack detection parameters.
cts_flood: System-defined signature, used to reconfigure the CTS flooding attack detection parameters.
pspoll_flood: System-defined signature, used to reconfigure the PS-Poll flooding attack detection parameters.
eap_failure_flood: System-defined signature, used to reconfigure the EAP-failure flooding attack detection parameters.
eap_success_flood: System-defined signature, used to reconfigure the EAP-success flooding attack detection parameters.
eapol_logoff_flood: System-defined signature, used to reconfigure the EAPOL-logoff flooding attack detection parameters.
broadcast_disassoc_flood: System-defined signature, used to reconfigure the broadcast disassociation flooding attack detection parameters.
disassoc_flood: System-defined signature, used to reconfigure the unicast disassociation flooding attack detection parameters.
broadcast_deauth_flood: System-defined signature, used to reconfigure the broadcast deauthentication flooding attack detection parameters.
deauth_flood: System-defined signature, used to reconfigure the unicast deauthentication flooding attack detection parameters.
addba_req_flood: System-defined signature, used to reconfigure the ADDBA-request flooding attack detection parameters.
signature-name: Specifies a signature by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
signature-id id-value: Specifies a signature ID in the range of 1 to 64. The ID of a system-defined signature is in the range of 1 to 32 and cannot be modified. The ID of a user-defined signature is in the range of 33 to 64. It can only be specified when you create a signature. If you do not specify this option when you create a signature, the system assigns an ID to this signature. You cannot modify the ID of a signature.
Usage guidelines
Bind a signature to a signature policy first, and then bind the signature policy to a virtual security domain.
To modify the attribute for a signature that has been bound to a signature policy, remove the binding first.
You can configure up to 32 subsignatures, including 5 basic subsignatures and 27 user-defined subsignatures, for a user-defined signature.
A system-defined signature cannot be deleted.
For a system-defined signature, you cannot configure subsignatures or track methods, or modify the action or the match relationship.
Examples
# Create a signature named office and specify its ID as 48.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] signature office signature-id 48
[Sysname-wlan-ips-sig-office]
# Create a signature named assoc_rsp_flood and specify its ID as 50.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] signature assoc_rsp_flood signature-id 50
[Sysname-wlan-ips-sig-assoc_rsp_flood]
signature (signature policy view)
Use signature to specify a signature by its name or ID for a signature policy.
Use undo signature to remove a specified signature from a signature policy.
Syntax
signature { signature-name name-string | signature-id signature-list } [ precedence level ]
undo signature { name name-string | signature-id signature-list }
Default
No signature is configured for a signature policy.
Views
Signature policy view
Default command level
2: System level
Parameters
signature-name name-string: Specifies the name of the signature. It is a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
signature-id: Specifies the ID of a signature.
signature-list: Specifies a space-separated list of up to 10 items. Each item specifies a signature to be bound to the current signature policy by its ID or a range of IDs in the form of start-signature-id to end-signature-id. The signature-id argument is in the range of 1 to 64. The signatures must exist in the system. Otherwise, the signatures cannot be bound to the signature policy.
precedence level: Specifies the precedence of a signature in the range of 1 to 64. A greater value represents a higher precedence. The default precedence of a signature is 1.
Usage guidelines
To bind a signature to a virtual security domain, add it to a signature policy first, and then bind the signature policy to the virtual security domain.
Signatures in a signature policy are listed by precedence in descending order. Those with the same precedence are listed by rule ID in ascending order.
After you specify a signature-list, the system binds signatures to a signature policy by signature ID in ascending order. For example, if you specify the signature-list as signature signature-id 10 to 45 2 to 4 12 to 12 34 to 36 56 to 64 54 precedence 14, the system matches the signatures in the order signature signature-id 2 to 4 10 to 45 54 56 to 64 precedence 14, where signature 2 is matched first.
If you configure a precedence for a signature multiple times, the new configuration overwrites the previous one.
If the end-signature-id is smaller than the start-signature-id, the command cannot be executed. For example, if you specify the signature-list as signature signature-id 10 to 45 8 to 4 precedence 14, the command cannot be executed, and signatures 10 to 45 cannot be bound to a signature policy either.
A signature with no subsignatures cannot be bound to a signature policy.
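The ordering and rejection rules above, as an added example (not H3C code): a Python pre-check that parses a signature-list, applies the limits given under Parameters, and returns the command in the ascending order in which the IDs are bound. Function names are hypothetical, and collapsing adjacent ranges in the rendered output is an assumption made for compactness.

```python
import re

MAX_ITEMS = 10            # "a space-separated list of up to 10 items"
ID_MIN, ID_MAX = 1, 64    # signature-id range
PREC_MIN, PREC_MAX = 1, 64


class SignatureListError(ValueError):
    """The whole command is rejected; none of its signatures is bound."""


def parse_signature_list(text):
    """Return the items of a signature-list as (start, end) pairs, in input order."""
    tokens = text.split()
    items, i = [], 0
    while i < len(tokens):
        if not tokens[i].isdecimal():
            raise SignatureListError(f"expected a signature ID, got {tokens[i]!r}")
        start = end = int(tokens[i])
        if i + 1 < len(tokens) and tokens[i + 1] == "to":
            if i + 2 >= len(tokens) or not tokens[i + 2].isdecimal():
                raise SignatureListError("'to' must be followed by an end ID")
            end = int(tokens[i + 2])
            i += 3
        else:
            i += 1
        if end < start:
            # One bad range rejects the entire command, valid ranges included.
            raise SignatureListError(f"end ID {end} is smaller than start ID {start}")
        if not (ID_MIN <= start and end <= ID_MAX):
            raise SignatureListError(f"IDs must be in the range {ID_MIN} to {ID_MAX}")
        items.append((start, end))
    if not 1 <= len(items) <= MAX_ITEMS:
        raise SignatureListError(f"the list must hold 1 to {MAX_ITEMS} items")
    return items


def bind_order(items):
    """Merge items into ascending, non-overlapping ranges (the binding order)."""
    merged = []
    for start, end in sorted(items):
        if merged and start <= merged[-1][1] + 1:    # overlapping or adjacent
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return [tuple(r) for r in merged]


def normalize_command(cmd):
    """Rewrite 'signature signature-id <list> [precedence N]' in binding order."""
    m = re.fullmatch(
        r"signature\s+signature-id\s+(.+?)(?:\s+precedence\s+(\d+))?", cmd.strip())
    if m is None:
        raise SignatureListError("not a 'signature signature-id ...' command")
    ranges = bind_order(parse_signature_list(m.group(1)))
    out = "signature signature-id " + " ".join(
        str(s) if s == e else f"{s} to {e}" for s, e in ranges)
    if m.group(2) is not None:
        level = int(m.group(2))
        if not PREC_MIN <= level <= PREC_MAX:
            raise SignatureListError(f"precedence must be {PREC_MIN} to {PREC_MAX}")
        out += f" precedence {level}"
    return out


if __name__ == "__main__":
    # The two commands quoted in the usage guidelines.
    for cmd in (
        "signature signature-id 10 to 45 2 to 4 12 to 12 34 to 36 56 to 64 54 precedence 14",
        "signature signature-id 10 to 45 8 to 4 precedence 14",
    ):
        try:
            print(normalize_command(cmd))
        except SignatureListError as exc:
            print(f"rejected: {exc}")
```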
Examples
# Enable detection specified by user-defined signature office1 in signature policy office, with the match precedence 21.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] signature-policy office
[Sysname-wlan-ips-sigpolicy-office] signature signature-name office1 precedence 21
signature-policy (virtual security domain view)
Use signature-policy to bind a signature policy to a virtual security domain.
Use undo signature-policy to unbind a signature policy from a virtual security domain.
Syntax
signature-policy policy-name
undo signature-policy
Default
A virtual security domain uses the signature policy named default.
Views
Virtual security domain view
Default command level
2: System level
Parameters
policy-name: Specifies a signature policy by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
Usage guidelines
You can bind only one signature policy to a virtual security domain.
Examples
# Bind signature policy office to virtual security domain floor1.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] virtual-security-domain floor1
[Sysname-wlan-ips-vsd-floor1] signature-policy office
signature-policy (WIPS view)
Use signature-policy to create a signature policy and enter signature policy view. For an existing signature policy, this command enters the corresponding signature policy view.
Use undo signature-policy to remove a signature policy.
Syntax
signature-policy policy-name
undo signature-policy policy-name
Default
A virtual security domain uses the signature policy named default.
Views
WIPS view
Default command level
2: System level
Parameters
policy-name: Specifies a signature policy by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
Usage guidelines
The system supports up to 16 signature policies, including the default signature policy default.
You cannot remove a signature policy that has been applied to a virtual security domain.
You cannot create or remove the default signature policy default.
Examples
# Create a signature policy named office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] signature-policy office
[Sysname-wlan-ips-sigpolicy-office]
static-blocklist
Use static-blocklist to add the MAC address of a specified wireless device to the static prohibited device list.
Use undo static-blocklist to remove all wireless devices or the device with a specific MAC address from the static prohibited device list.
Syntax
static-blocklist mac-address
undo static-blocklist { mac-address | all }
Default
No static prohibited device list is configured.
Views
WIPS view
Default command level
2: System level
Parameters
mac-address: Specifies the MAC address of the wireless device to be added to or removed from the static prohibited device list.
all: Removes all entries from the static prohibited device list.
Examples
# Add the wireless device with the MAC address 0016-6f9d-612e to the static prohibited device list.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] static-blocklist 0016-6f9d-612e
static-trustlist
Use static-trustlist to add the MAC address of a specified wireless device to the static permitted device list.
Use undo static-trustlist to remove all wireless devices or the device with a specific MAC address from the static permitted device list.
Syntax
static-trustlist mac-address
undo static-trustlist { mac-address | all }
Default
No static permitted device list is configured.
Views
WIPS view
Default command level
2: System level
Parameters
mac-address: Specifies the MAC address of the wireless device to be added to or removed from the static permitted device list.
all: Removes all entries from the static permitted device list.
Examples
# Add the wireless device with the MAC address 000f-e45d-fa00 to the static permitted device list.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] static-trustlist 000f-e45d-fa00
static-trustoui
Use static-trustoui to add an OUI or vendor to the static trusted OUI list.
Use undo static-trustoui to remove a specific OUI or vendor or all OUIs and vendors from the static trusted OUI list.
Syntax
static-trustoui { oui-info | vendor vendor-name }
undo static-trustoui { oui-info | vendor vendor-name | all }
Default
No static trusted OUI list is configured.
Views
WIPS view
Default command level
2: System level
Parameters
oui-info: Specifies an OUI, a case-insensitive string of hexadecimal characters in the format XXXXXX.
vendor vendor-name: Specifies a vendor by its name, a case-sensitive string of 1 to 64 characters.
all: Removes all OUIs and vendors in the static trusted OUI list.
Usage guidelines
You can specify a maximum of 512 OUIs and 64 vendors.
The command does not take effect if the OUI library has no OUI information for the specified vendor.
Examples
# Add OUI 00-0f-e4 to the static trusted OUI list.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] static-trustoui 000fe4
# Add vendor h3c to the static trusted OUI list.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] static-trustoui vendor h3c
sub-rule (AP classification rule view)
Use sub-rule to set subsignatures for an AP classification rule.
Use undo sub-rule to delete the specified subsignatures.
Syntax
sub-rule { ssid [ case-sensitive ] [ not ] { equal | include } string | security { equal | include } { clear | wep | wpa | wpa2 }* | authentication { equal | include } { 802.1x | psk | other | none } | { rssi | duration | clients-on-ap | discovered-ap } { greater-than min-value | less-than max-value | between min-value max-value } | oui { oui-info | vendor vendor-name } }
undo sub-rule { ssid | security | authentication | rssi | duration | clients-on-ap | discovered-ap | oui }
Default
No subsignatures are specified for an AP classification rule.
Views
AP classification rule view
Default command level
2: System level
Parameters
ssid: Matches SSIDs.
case-sensitive: Specifies a case-sensitive character string.
not: Matches SSIDs that are not equal to or do not include the specified value.
equal: Matches SSIDs equal to the specified value.
include: Matches SSIDs that include the specified value.
string: Specifies a character string of 1 to 32 characters.
security: Matches security methods used by the AP.
clear: Specifies the clear security method.
wep: Specifies the WEP security method.
wpa: Specifies the WPA security method.
wpa2: Specifies the WPA2 security method.
authentication: Matches the authentication method of APs.
802.1x: Specifies the 802.1X authentication method.
psk: Specifies the PSK authentication method.
other: Specifies an authentication method other than 802.1X and PSK.
none: Specifies no authentication.
rssi: Matches RSSIs of APs in the range of 0 to 90 dBm.
duration: Matches running duration of APs in the range of 0 to 2592000 seconds.
clients-on-ap: Matches number of associated clients of APs in the range of 0 to 128.
discovered-ap: Matches number of APs detected by the current sensor in the range of 0 to 128.
greater-than: Matches values greater than or equal to the specified value.
less-than: Matches values smaller than the specified value.
between: Matches values between the specified minimum value (exclusive) and maximum value (inclusive).
min-value: Specifies a minimum value, which cannot be equal to the maximum value.
max-value: Specifies a maximum value, which cannot be equal to the minimum value.
oui: Matches OUIs of APs.
oui-info: Specifies an OUI, a case-insensitive string of hexadecimal characters in the format XXXXXX.
vendor vendor-name: Specifies a vendor by its name, a case-insensitive string of 1 to 64 characters.
Examples
# Configure the following subsignatures for the AP classification rule invalid_ap.
· SSID—Does not contain H3C, case-insensitive.
· Security method—Clear or WEP.
· RSSI—Greater than 80.
· Running time of the AP—Smaller than 172800 seconds (2 days).
· Number of associated clients—Greater than 10.
· Number of APs detected by the sensor—Greater than 6.
· OUI and vendor—h3c.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] ap-classification-rule invalid_ap
[Sysname-wlan-ips-class-invalid_ap] sub-rule ssid not include H3C
[Sysname-wlan-ips-class-invalid_ap] sub-rule security include clear wep
[Sysname-wlan-ips-class-invalid_ap] sub-rule rssi greater-than 80
[Sysname-wlan-ips-class-invalid_ap] sub-rule duration less-than 172800
[Sysname-wlan-ips-class-invalid_ap] sub-rule clients-on-ap greater-than 10
[Sysname-wlan-ips-class-invalid_ap] sub-rule discovered-ap greater-than 6
[Sysname-wlan-ips-class-invalid_ap] sub-rule oui vendor h3c
sub-rule (SIG view)
Use sub-rule to configure subsignatures for a user-defined signature.
Use undo sub-rule to delete the specified subsignatures.
Syntax
sub-rule { frame-type { data | management [ frame-subtype { association-request | association-response | authentication | beacon | deauthentication | disassociation | probe-request } ] | control } | mac { source-mac mac-address | dest-mac mac-address | bssid mac-address } | ssid { [ case-sensitive ] [ not ] { equal | include } string } | ssid-length { equal length-value | greater-than min-value | less-than max-value | between min-value max-value } | seq-number { equal seq-value | greater-than min-value | less-than max-value | between min-value max-value } | pattern pattern-id id [ pattern-name name ] offset offset-value mask hex-value { equal value | greater-than min-value | less-than max-value | between min-value max-value } [ from-payload ] }
undo sub-rule { frame-type | mac | ssid | ssid-length | seq-number | pattern pattern-id id }
Default
No subsignatures are configured for a signature.
Views
SIG view
Default command level
2: System level
Parameters
frame-type: Specifies a frame type.
data: Matches data frames.
management: Matches management frames.
frame-subtype: Specifies the subtype of frames.
association-request: Matches association requests.
association-response: Matches association responses.
authentication: Matches authentication frames.
beacon: Matches beacon frames.
deauthentication: Matches de-authentication frames.
disassociation: Matches disassociation frames.
probe-request: Matches probe requests.
control: Matches control frames.
mac: Matches MAC addresses.
source-mac mac-address: Matches a source MAC address in the format of FFFF-FFFF-FFFF, case-insensitive.
dest-mac mac-address: Matches a destination MAC address in the format of FFFF-FFFF-FFFF, case-insensitive.
bssid mac-address: Matches a BSSID in the format of FFFF-FFFF-FFFF, case-insensitive.
ssid: Matches SSIDs.
case-sensitive: Specifies a case-sensitive character string.
not: Matches SSIDs that are not equal to or do not include the specified value.
equal: Matches SSIDs equal to the specified value.
include: Matches SSIDs that include the specified value.
string: Specifies a character string of 1 to 32 characters.
ssid-length: Matches the SSID length.
length-value: Specifies an SSID length in the range of 0 to 32.
greater-than: Matches values greater than the specified value.
less-than: Matches values smaller than the specified value.
between: Matches values between the specified minimum value (inclusive) and maximum value (inclusive). The maximum value must be greater than the minimum value.
min-value: Specifies a minimum value, which depends on values to match.
max-value: Specifies a maximum value, which depends on values to match.
seq-number: Matches sequence numbers of wireless packets.
seq-value: Specifies a sequence number in the range of 0 to 4095.
pattern: Specifies a frame match pattern by its name.
pattern-id id: Specifies a frame match pattern by its ID.
pattern-name name: Specifies a frame match pattern by its name.
offset offset-value: Matches frames from the specified starting bit in the range of 0 to 2346.
mask hex-value: Matches frames with a specified mask in the range of 0 to ffff in hexadecimal format.
from-payload: Matches frames starting from the frame body.
Usage guidelines
To modify the subsignatures for a signature that has been bound to a signature policy, remove the binding first.
You cannot configure subsignatures for a system-defined signature.
You can configure up to 32 subsignatures, including 5 basic subsignatures, for a signature. If you configure a subsignature for a signature multiple times, the most recent configuration overwrites the previous one.
If you do not specify the pattern-id keyword in the undo sub-rule command, all subsignatures specifying a frame match pattern are removed.
Examples
# Configure the following subsignatures for signature office:
· Frame type—Association Request.
· Source MAC address—0000-0000-0001.
· SSID—Does not contain H3C, case sensitive.
· SSID length—Between 15 (inclusive) and 20 (inclusive).
· Wireless packet sequence number—Greater than 100.
· The frame body starting from the eighth bit ANDed with mask 0xabcd is greater than 9.
· The eighth bit of the frame ANDed with mask 0xabcd is between 0x15 (inclusive) and 0x20 (inclusive).
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] signature office
[Sysname-wlan-ips-sig-office] sub-rule frame-type management frame-subtype association-request
[Sysname-wlan-ips-sig-office] sub-rule mac source-mac 0000-0000-0001
[Sysname-wlan-ips-sig-office] sub-rule ssid case-sensitive not include H3C
[Sysname-wlan-ips-sig-office] sub-rule ssid-length between 15 20
[Sysname-wlan-ips-sig-office] sub-rule seq-number greater-than 100
[Sysname-wlan-ips-sig-office] sub-rule pattern pattern-id 1 offset 8 mask abcd greater-than 9 from-payload
[Sysname-wlan-ips-sig-office] sub-rule pattern pattern-id 2 pattern-name pattern2 offset 8 mask ffff between 15 20
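The greater-than, less-than and between keywords are defined differently in AP classification rule view and in SIG view, which matters at threshold values. The following added example (not H3C code) parses the numeric sub-rule lines from both Examples sections and evaluates them with the boundary semantics stated in each Parameters section; the class and function names are hypothetical and the observations are constructed to sit exactly on the thresholds.

```python
from dataclasses import dataclass
from typing import Optional

# Value ranges of the numeric fields, as listed under Parameters in each view.
FIELDS = {
    "ap-class": {"rssi": (0, 90), "duration": (0, 2592000),
                 "clients-on-ap": (0, 128), "discovered-ap": (0, 128)},
    "sig": {"ssid-length": (0, 32), "seq-number": (0, 4095)},
}
OPS = {
    "ap-class": {"greater-than", "less-than", "between"},
    "sig": {"equal", "greater-than", "less-than", "between"},
}


@dataclass(frozen=True)
class NumericSubRule:
    view: str                 # "ap-class" or "sig"
    field: str
    op: str
    lo: int                   # the single argument, or min-value for between
    hi: Optional[int] = None  # max-value for between

    def matches(self, value):
        if self.op == "equal":
            return value == self.lo
        if self.op == "less-than":           # strict in both views
            return value < self.lo
        if self.view == "ap-class":
            if self.op == "greater-than":    # greater than or equal to
                return value >= self.lo
            return self.lo < value <= self.hi    # min exclusive, max inclusive
        if self.op == "greater-than":        # SIG view: strictly greater
            return value > self.lo
        return self.lo <= value <= self.hi       # SIG view: both ends inclusive


def parse_sub_rule(view, line):
    """Parse one numeric 'sub-rule <field> <op> <value(s)>' line for a view."""
    tokens = line.split()
    if view not in FIELDS or len(tokens) < 4 or tokens[0] != "sub-rule":
        raise ValueError(f"not a numeric sub-rule for {view!r}: {line!r}")
    field, op, args = tokens[1], tokens[2], tokens[3:]
    if field not in FIELDS[view] or op not in OPS[view]:
        raise ValueError(f"unsupported field or operator in {line!r}")
    if len(args) != (2 if op == "between" else 1) or not all(a.isdecimal() for a in args):
        raise ValueError(f"wrong arguments in {line!r}")
    nums = [int(a) for a in args]
    low, high = FIELDS[view][field]
    if any(not low <= n <= high for n in nums):
        raise ValueError(f"{field} values must be in {low} to {high}")
    if op == "between":
        if view == "ap-class" and nums[0] == nums[1]:
            raise ValueError("min-value and max-value cannot be equal")
        if view == "sig" and nums[1] <= nums[0]:
            raise ValueError("max-value must be greater than min-value")
    return NumericSubRule(view, field, op, *nums)


def evaluate(view, lines, observation):
    """Return {field: matched?} for each sub-rule line against one observation."""
    rules = [parse_sub_rule(view, line) for line in lines]
    return {r.field: r.matches(observation[r.field]) for r in rules}


# Numeric sub-rules copied from the invalid_ap and office examples.
AP_RULES = ["sub-rule rssi greater-than 80", "sub-rule duration less-than 172800",
            "sub-rule clients-on-ap greater-than 10", "sub-rule discovered-ap greater-than 6"]
SIG_RULES = ["sub-rule ssid-length between 15 20", "sub-rule seq-number greater-than 100"]
# Constructed observations that sit exactly on each threshold.
AP_OBS = {"rssi": 80, "duration": 172800, "clients-on-ap": 10, "discovered-ap": 6}
SIG_OBS = {"ssid-length": 15, "seq-number": 100}

if __name__ == "__main__":
    print(evaluate("ap-class", AP_RULES, AP_OBS))
    print(evaluate("sig", SIG_RULES, SIG_OBS))
```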
timer ap-inactivity
Use timer ap-inactivity to set the maximum idle time for an AP.
Use undo timer ap-inactivity to restore the default maximum idle time.
Syntax
timer ap-inactivity time
undo timer ap-inactivity
Default
The maximum idle time is 300 seconds.
Views
WIPS view
Default command level
2: System level
Parameters
time: Specifies the maximum idle time in the range of 60 to 600 seconds. If an AP does not send any packets within the time, WIPS switches the state of the AP to inactive.
Usage guidelines
WIPS considers an AP inactive when it detects that the AP has not sent any packets within the specified time.
Examples
# Set the maximum idle time for an AP to 120 seconds.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] timer ap-inactivity 120
timer client-inactivity
Use timer client-inactivity to set the maximum idle time for an associated client.
Use undo timer client-inactivity to restore the default maximum idle time.
Syntax
timer client-inactivity time
undo timer client-inactivity
Default
The maximum idle time for an associated client is 600 seconds.
Views
WIPS view
Default command level
2: System level
Parameters
time: Specifies the maximum idle time in the range of 120 to 1200 seconds. If an associated client does not send any packets within the time, WIPS switches the state of the client to inactive.
Examples
# Set the maximum idle time for an associated client to 300 seconds.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] timer client-inactivity 300
timer device-aging
Use timer device-aging to set the aging time for inactive APs or clients.
Use undo timer device-aging to restore the default aging time.
Syntax
timer device-aging time
undo timer device-aging
Default
The aging time is 86400 seconds.
Views
WIPS view
Default command level
2: System level
Parameters
time: Specifies the aging time of inactive APs or clients, in the range of 60 to 2592000 seconds.
Examples
# Set the aging time for inactive APs or clients to 604800 seconds (7 days).
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] timer device-aging 604800
timer device-update
Use timer device-update to set the information update interval for wireless devices in WIPS.
Use undo timer device-update to restore the default.
Syntax
timer device-update time
undo timer device-update
Default
The information update interval for wireless devices in WIPS is 20 seconds.
Views
WIPS view
Default command level
2: System level
Parameters
time: Specifies the information update interval in the range of 10 to 30 seconds.
Examples
# Set the information update interval for wireless devices in WIPS to 30 seconds.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] timer device-update 30
timer dynamic-trustlist-aging
Use timer dynamic-trustlist-aging to set the aging time of the wireless devices dynamically added to the trusted device list.
Use undo timer dynamic-trustlist-aging to restore the default.
Syntax
timer dynamic-trustlist-aging time
undo timer dynamic-trustlist-aging
Default
The aging time is 300 seconds.
Views
WIPS view
Default command level
2: System level
Parameters
time: Specifies the aging time of the wireless devices dynamically added to the trusted device list, in the range of 60 to 86400 seconds.
Examples
# Set the aging time of the wireless devices dynamically added to the trusted device list to 360 seconds.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] timer dynamic-trustlist-aging 360
timer mesh-link-aging
Use timer mesh-link-aging to configure the aging time for WLAN mesh links.
Use undo timer mesh-link-aging to restore the default.
Syntax
timer mesh-link-aging time-value
undo timer mesh-link-aging
Default
The aging time for WLAN mesh links is 600 seconds.
Views
WIPS view
Default command level
2: System level
Parameters
mesh-link-aging time-value: Specifies the aging time for WLAN mesh links, in the range of 60 to 86400 seconds.
Examples
# Set the aging time for WLAN mesh links to 3600 seconds.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] timer mesh-link-aging 3600
timer reclassification
Use timer reclassification to set the interval for WIPS to re-classify detected wireless devices.
Use undo timer reclassification to restore the default.
Syntax
timer reclassification time
undo timer reclassification
Default
The interval for WIPS to re-classify the detected APs and clients is 600 seconds.
Views
WIPS view
Default command level
2: System level
Parameters
time: Specifies the interval for WIPS to re-classify detected wireless devices, in the range of 10 to 3600 seconds.
Examples
# Set the interval for WIPS to re-classify the detected APs and clients to 300 seconds.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] timer reclassification 300
timer statistic-period
Use timer statistic-period to set the packet statistics collection period.
Use undo timer statistic-period to restore the default.
Syntax
timer statistic-period time
undo timer statistic-period
Default
The statistics collection period for wireless packets is 900 seconds.
Views
WIPS view
Default command level
2: System level
Parameters
time: Specifies the packet statistics collection period in the range of 60 to 86400 seconds.
Examples
# Set the packet statistics collection period to 3600 seconds (1 hour).
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] timer statistic-period 3600
track-method
Use track-method to configure the match track method for signatures.
Syntax
track-method { both | per-mac | per-signature }
Default
The track method for user-defined signatures is both and that for system-defined signatures depends on the specific signature.
Views
SIG view
Default command level
2: System level
Parameters
both: Uses both methods.
per-mac: Tracks and matches packets by MAC address according to signatures on all channels supported by the current country code.
per-signature: Tracks and matches packets according to signatures without distinguishing MAC addresses on all channels supported by the current country code.
Usage guidelines
To modify the track method for a signature that has been bound to a signature policy, remove the binding first.
If you configure the track-method for a signature multiple times, the most recent configuration overwrites the previous one.
You cannot modify the track method for a system-defined signature.
If you set the track-method to both, configure both the per-mac and per-signature keywords. If you only configure one of them, the default maximum matching times for either per-mac mode or per-signature mode apply.
Examples
# Configure the match track method for signature office as per-mac.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] signature office
[Sysname-wlan-ips-sig-office] track-method per-mac
# Change the match track method for signature office to per-signature.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] signature office
[Sysname-wlan-ips-sig-office] track-method per-signature
undo wips-cfg-file oui
Use undo wips-cfg-file oui to clear the OUI configurations in the OUI library.
Syntax
undo wips-cfg-file oui
Default
The OUI configurations in the OUI library are not cleared.
Views
WIPS view
Default command level
2: System level
Examples
# Clear the OUI configurations in the OUI library.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] undo wips-cfg-file oui
virtual-security-domain
Use virtual-security-domain to create a virtual security domain and enter virtual security domain view. For an existing virtual security domain, this command directly enters the corresponding virtual security domain view.
Use undo virtual-security-domain to remove the specified virtual security domain.
Syntax
virtual-security-domain vsd-name
undo virtual-security-domain vsd-name
Default
The virtual security domain default is used as the default virtual security domain. You cannot create or remove it.
Views
WIPS view
Default command level
2: System level
Parameters
vsd-name: Specifies a virtual security domain by its name, a case-insensitive string of 1 to 32 characters that can contain letters, numbers, and underlines.
Examples
# Create a virtual security domain named office.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] virtual-security-domain office
[Sysname-wlan-ips-vsd-office]
wips detect mode
Use wips detect mode to enable WIPS and configure the operating mode for a sensor.
Use undo wips detect mode to disable WIPS.
Syntax
wips detect mode { access-first | access-only [ scan-time time-value ] | detect-first | detect-only | middle }
undo wips detect mode
Default
No operating mode is configured for a sensor.
Views
AP radio view
Default command level
2: System level
Parameters
access-first: Specifies the access first policy for the sensor operating in hybrid mode.
access-only: Specifies the access only policy for the sensor operating in hybrid mode. The sensor provides access services and scans only the working channel.
scan-time time-value: Specifies the time period during which the sensor scans the working channel, in the range of 60 to 200 milliseconds. The default is 60 milliseconds.
detect-first: Specifies the detection first policy for the sensor operating in hybrid mode.
detect-only: Specifies a monitor sensor.
middle: Specifies the balanced policy for the sensor operating in hybrid mode.
Usage guidelines
If you configure a radio as a sensor operating in monitor mode, you do not need to configure wireless service for the radio.
Examples
# Enable WIPS on radio 2 of AP 1 and set the operating mode of radio 2 to detect-only.
<Sysname> system-view
[Sysname] wlan ap ap1 model WA3628i-AGN
[Sysname-wlan-ap-ap1] radio 2
[Sysname-wlan-ap-ap1-radio-2] wips detect mode detect-only
wips enable
Use wips enable to enable WIPS.
Use undo wips enable to disable WIPS.
Syntax
wips enable
undo wips enable
Default
WIPS is disabled.
Views
WIPS view
Default command level
2: System level
Examples
# Enable WIPS.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] wips enable
wipslogfile
Use wipslogfile to configure the maximum size of WIPS logs. When the upper limit is reached, WIPS removes the earliest logs of the corresponding type.
Use undo wipslogfile to restore the default.
Syntax
wipslogfile { event | malformed-packet } size value
undo wipslogfile { event | malformed-packet } size
Default
The size of WIPS logs depends on the device model. For more information, see About the H3C Access Controllers Command References.
Parameters
event: Specifies system event logs.
malformed-packet: Specifies error packet logs.
size value: Specifies the size of a certain type of logs in MB. The value range for this option depends on the device model. For more information, see About the H3C Access Controllers Command References.
Views
WIPS view
Default command level
2: System level
Examples
# Configure the maximum size of system event logs as 5 MB.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] wipslogfile event size 5
wipslogfile enable
Use wipslogfile enable to enable automatic WIPS log saving.
Use undo wipslogfile enable to disable automatic WIPS log saving.
Syntax
wipslogfile enable
undo wipslogfile enable
Default
Automatic WIPS log saving is disabled.
Views
WIPS view
Default command level
2: System level
Examples
# Enable automatic WIPS log saving.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] wipslogfile enable
wireless-probe client-aging
Use wireless-probe client-aging to set the client entry aging timer.
Use undo wireless-probe client-aging to restore the default.
Syntax
wireless-probe client-aging time-value
undo wireless-probe client-aging
Default
The client entry aging timer is 300 seconds.
Views
WIPS view
Default command level
2: System level
Parameters
time-value: Specifies the client entry aging timer in the range of 1 to 3600 seconds. The default is 300 seconds.
Examples
# Set the client entry aging timer to 600 seconds.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] wireless-probe client-aging 600
wireless-probe enable
Use wireless-probe enable to enable client probing.
Use undo wireless-probe enable to disable client probing.
Syntax
wireless-probe enable
undo wireless-probe enable
Default
Client probing is disabled.
Views
AP template view
Default command level
2: System level
Examples
# Enable client probing for AP ap1.
<Sysname> system-view
[Sysname] wlan ap ap1 model WA4320i-ACN
[Sysname-wlan-ap-ap1] wireless-probe enable
wireless-probe ignore ap
Use wireless-probe ignore to configure APs to ignore the specified wireless devices.
Use undo wireless-probe ignore to restore the default.
Syntax
wireless-probe ignore { ap | rssi rssi-value }
undo wireless-probe ignore { ap | rssi }
Default
APs do not ignore wireless devices.
Views
WIPS view
Default command level
2: System level
Parameters
ap: Configures APs to ignore detected APs.
rssi rssi-value: Configures APs to ignore wireless devices with an RSSI lower than the value specified by the rssi-value argument. The value range for the rssi-value argument is 1 to 60.
Examples
# Configure APs to ignore detected APs.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] wireless-probe ignore ap
# Configure APs to ignore wireless devices with an RSSI lower than 10.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] wireless-probe ignore rssi 10
wireless-probe location
Use wireless-probe location to set the longitude and latitude of an AP.
Use undo wireless-probe location to remove the configuration.
Syntax
wireless-probe location longitude longitude-value latitude latitude-value
undo wireless-probe location
Default
The longitude and latitude of an AP are not set.
Views
AP template view
Default command level
2: System level
Parameters
longitude longitude-value: Specifies the longitude of the AP, in XXX-XX-XX.X format. The value ranges for XXX and XX are 0 to 180 and 0 to 60, respectively. The value of X can be e or w and is case insensitive.
latitude latitude-value: Specifies the latitude of the AP, in XXX-XX-XX.X format. The value ranges for XXX and XX are 0 to 90 and 0 to 60, respectively. The value of X can be s or n and is case insensitive.
Examples
# Set the longitude and latitude for AP sensor to 123-40-40.e and 80-30-30.n, respectively.
<Sysname> system-view
[Sysname] wlan ap sensor model WA4320i-ACN
[Sysname-wlan-ap-sensor] wireless-probe location longitude 123-40-40.e latitude 80-30-30.n
wireless-probe server
Use wireless-probe server to specify a server to receive wireless device information.
Use undo wireless-probe server to restore the default.
Syntax
wireless-probe server ip ip-address port port-number [ interval interval ] preshared-key [ cipher | simple ] key-string
undo wireless-probe server
Default
No server is specified to receive wireless device information.
Views
WIPS view
AP template view
Default command level
2: System level
Parameters
ip ip-address: Specifies the IP address of the server.
port port-number: Specifies the port number of the server, in the range of 1 to 65534.
interval interval: Specifies the interval at which APs send device information to the server, in the range of 1 to 600 seconds. The default interval is 30 seconds.
cipher: Specifies a key in encrypted form.
simple: Specifies a key in plaintext form.
key-string: Specifies the key. Its plaintext form is a case-sensitive string of 8 to 63 characters. Its encrypted form is a case-sensitive string of 41 to 117 characters.
Usage guidelines
The configuration in AP template view takes precedence over the configuration in WIPS view.
Examples
# In WIPS view, specify the server with IP address 8.3.1.2 and port number 5060 to receive device information. Set the report interval to 60 seconds and the key to 12345678 in plaintext form.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips] wireless-probe server ip 8.3.1.2 port 5060 interval 60 preshared-key simple 12345678
# In AP template view, specify the server with IP address 8.3.1.2 and port number 5060 to receive device information. Set the report interval to 60 seconds and the key to 12345678 in plaintext form.
<Sysname> system-view
[Sysname] wlan ap ap1 model WA4320i-ACN
[Sysname-wlan-ap-ap1] wireless-probe server ip 8.3.1.2 port 5060 interval 60 preshared-key simple 12345678
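Because the simple keyword carries the preshared key in plaintext, command lines kept in provisioning scripts or change records are worth auditing. The following is an added example (not H3C code) that checks wireless-probe server lines against the ranges and key lengths given under Parameters and reports keys written in plaintext form; the function names are hypothetical and the sample lines other than the one from the Examples section are constructed.

```python
import ipaddress
import re

# wireless-probe server ip <ip> port <port> [ interval <n> ]
#     preshared-key [ cipher | simple ] <key-string>
SERVER_RE = re.compile(
    r"wireless-probe\s+server\s+ip\s+(?P<ip>\S+)\s+port\s+(?P<port>\d+)"
    r"(?:\s+interval\s+(?P<interval>\d+))?"
    r"\s+preshared-key(?:\s+(?P<form>cipher|simple))?\s+(?P<key>\S+)\s*$"
)


def audit_line(line):
    """Return a list of findings for one wireless-probe server command line."""
    m = SERVER_RE.search(line)
    if m is None:
        return ["does not match the wireless-probe server syntax"]
    findings = []
    try:
        ipaddress.ip_address(m["ip"])
    except ValueError:
        findings.append(f"invalid server IP address {m['ip']!r}")
    if not 1 <= int(m["port"]) <= 65534:
        findings.append("port is outside 1 to 65534")
    if m["interval"] is not None and not 1 <= int(m["interval"]) <= 600:
        findings.append("interval is outside 1 to 600 seconds")
    form, key = m["form"], m["key"]
    if form == "simple":
        findings.append("preshared key is written in plaintext (simple) form")
        if not 8 <= len(key) <= 63:
            findings.append("plaintext key must be 8 to 63 characters")
    elif form == "cipher":
        if not 41 <= len(key) <= 117:
            findings.append("encrypted key must be 41 to 117 characters")
    else:
        findings.append("key form (cipher or simple) is not stated; length not checked")
    return findings


def audit_config(text):
    """Audit every wireless-probe server line; return {line number: findings}."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if "wireless-probe server" in line and "undo wireless-probe server" not in line:
            findings = audit_line(line)
            if findings:
                report[number] = findings
    return report


# Line 1 is the WIPS-view command from the Examples section. Lines 2 and 3 are
# constructed; the cipher string is a 41-character placeholder, not real ciphertext.
SAMPLE = "\n".join([
    "[Sysname-wlan-ips] wireless-probe server ip 8.3.1.2 port 5060 interval 60 "
    "preshared-key simple 12345678",
    "wireless-probe server ip 8.3.1.2 port 65535 interval 0 preshared-key simple short",
    "wireless-probe server ip 8.3.1.2 port 5060 preshared-key cipher " + "x" * 41,
])

if __name__ == "__main__":
    for number, findings in audit_config(SAMPLE).items():
        for finding in findings:
            print(f"line {number}: {finding}")
```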
wireless-probe timezone
Use wireless-probe timezone to set the time difference between the AC and an AP.
Use undo wireless-probe timezone to remove the configuration.
Syntax
wireless-probe timezone { add | minus } timevalue
undo wireless-probe timezone
Default
The time difference between the AC and an AP is not set.
Views
AP template view
Default command level
2: System level
Parameters
add: Configures a positive time difference between the AP and the AC.
minus: Configures a negative time difference between the AP and the AC.
timevalue: Specifies the time difference between the AP and the AC in hh:mm:ss format.
Examples
# Configure a negative time difference between AP sensor and the AC and set the time difference to 8 hours, which means that the time of AP sensor is the AC's time minus 8 hours.
<Sysname> system-view
[Sysname] wlan ap sensor model WA4320i-ACN
[Sysname-wlan-ap-sensor] wireless-probe timezone minus 08:00:00
wlan ips
Use wlan ips to enter WLAN IPS view.
Syntax
wlan ips
Views
System view
Default command level
2: System level
Examples
# Enter WLAN IPS view.
<Sysname> system-view
[Sysname] wlan ips
[Sysname-wlan-ips]