05-WLAN IDS Commands
WLAN IDS configuration commands
WLAN IDS detection configuration commands
Blacklist and whitelist configuration commands
WLAN IDS detection configuration commands
attack-detection enable
Use attack-detection enable to enable WIDS-IPS detection of flood attacks, spoofed deauthentication/disassociation frames, and weak IVs.
Use undo attack-detection enable to restore the default.
Syntax
attack-detection enable { all | flood | spoof | weak-iv }
undo attack-detection enable
Default
No WIDS-IPS detection is enabled.
Views
WLAN IDS view
Default command level
2: System level
Parameters
all: Enables detection of all kinds of attacks.
flood: Enables detection of flood attacks (probe request, authentication request, deauthentication, association request, disassociation request, reassociation request, action, and null data frame floods).
spoof: Enables detection of spoof attacks (spoofed deauthentication and disassociation frames sent with the BSSID of a legitimate AP).
weak-iv: Enables detection of weak initialization vectors (IVs) in WEP-encrypted frames.
Examples
# Enable spoof attack detection.
<Sysname> system-view
[Sysname] wlan ids
[Sysname-wlan-ids] attack-detection enable spoof
display wlan ids history
Use display wlan ids history to display the history of attacks detected in the WLAN system. The history table holds a maximum of 512 entries.
Syntax
display wlan ids history [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the history of attacks.
<Sysname> display wlan ids history
Total Number of Entries: 5
Flags:
act = Action Frame asr = Association Request
aur = Authentication Request daf = Deauthentication Frame
dar = Disassociation Request ndf = Null Data Frame
pbr = Probe Request rar = Reassociation Request
saf = Spoofed Disassociation Frame
sdf = Spoofed Deauthentication Frame
wiv = Weak IV Detected
AT - Attack Type, Ch - Channel Number, AR - Average RSSI
WIDS History Table
--------------------------------------------------------------------------
MAC Address AT Ch AR Detected Time AP
--------------------------------------------------------------------------
0027-E699-CA71 asr 8 44 2010-06-12/19:47:54 ap12
0015-E9A4-D7F4 wiv 8 45 2010-06-12/19:45:28 ap48
0027-E699-CA71 asr 8 20 2010-06-12/19:18:17 ap12
003d-B5A6-539F pbr 8 43 2010-06-12/19:10:48 ap56
0015-E9A4-D7F4 wiv 8 50 2010-06-12/19:01:28 ap48
--------------------------------------------------------------------------
Table 1 Command output
Field | Description |
---|---|
MAC Address | For spoof attacks, the BSSID that was spoofed (the impersonated AP, not the attacker). For other attacks, the MAC address of the device that initiated the attack. |
AT | Type of attack, using the flags listed above the table. |
Ch | Channel on which the attack was detected. |
AR | Average RSSI of the attack frames. |
Detected Time | Time at which the attack was detected. |
AP | AP that detected the attack. |
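Operators usually export this table to a SIEM rather than read it on the console. The Python parser below is an added example and is not part of this command reference: it takes the output shown above (embedded as a constructed sample, with the column spacing a console would print) and turns each row into a record. It also carries the point made in Table 1 into the data: for the saf/sdf attack types the MAC column is the spoofed BSSID, so the parser labels that address as the victim rather than the attacker and keeps it out of the repeat-offender count. The record field names and the `repeat_offenders` threshold are this example's own choices.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the "display wlan ids history" output shown on this page.
SAMPLE_HISTORY = """\
Total Number of Entries: 5
Flags:
 act = Action Frame               asr = Association Request
 aur = Authentication Request     daf = Deauthentication Frame
 dar = Disassociation Request     ndf = Null Data Frame
 pbr = Probe Request              rar = Reassociation Request
 saf = Spoofed Disassociation Frame
 sdf = Spoofed Deauthentication Frame
 wiv = Weak IV Detected
AT - Attack Type, Ch - Channel Number, AR - Average RSSI
WIDS History Table
--------------------------------------------------------------------------
MAC Address     AT   Ch  AR  Detected Time        AP
--------------------------------------------------------------------------
0027-E699-CA71  asr  8   44  2010-06-12/19:47:54  ap12
0015-E9A4-D7F4  wiv  8   45  2010-06-12/19:45:28  ap48
0027-E699-CA71  asr  8   20  2010-06-12/19:18:17  ap12
003d-B5A6-539F  pbr  8   43  2010-06-12/19:10:48  ap56
0015-E9A4-D7F4  wiv  8   50  2010-06-12/19:01:28  ap48
--------------------------------------------------------------------------
"""

# For saf/sdf the MAC column is the spoofed BSSID (the AP under attack);
# for every other flag it is the sender of the offending frames.
SPOOF_TYPES = {"saf", "sdf"}

ROW_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})\s+"
    r"(?P<at>[a-z]{3})\s+(?P<ch>\d+)\s+(?P<ar>-?\d+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2})\s+(?P<ap>\S+)$"
)


def declared_total(text):
    """The 'Total Number of Entries' value, or None if that header is absent."""
    m = re.search(r"Total Number of Entries:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def parse_history(text):
    """Return one dict per table row; legend, rules and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        at = m["at"]
        if at in SPOOF_TYPES:
            role = "spoofed_bssid"   # never treat this address as the attacker
        elif at == "wiv":
            role = "weak_iv_sender"
        else:
            role = "attacker"
        rows.append({
            "mac": m["mac"].lower(),
            "attack": at,
            "mac_role": role,
            "channel": int(m["ch"]),
            "avg_rssi": int(m["ar"]),
            "detected": datetime.strptime(m["time"], "%Y-%m-%d/%H:%M:%S"),
            "ap": m["ap"],
        })
    # A mismatch means the capture was truncated or the format changed.
    if declared_total(text) not in (None, len(rows)):
        raise ValueError("row count does not match 'Total Number of Entries'")
    return rows


def repeat_offenders(rows, min_hits=2):
    """Sender MACs seen in at least min_hits entries; spoofed BSSIDs are excluded."""
    hits = Counter(r["mac"] for r in rows if r["mac_role"] != "spoofed_bssid")
    return {mac: n for mac, n in hits.items() if n >= min_hits}


def spoofed_bssids(rows):
    """BSSIDs that were impersonated, i.e. the APs under attack."""
    return sorted({r["mac"] for r in rows if r["mac_role"] == "spoofed_bssid"})


if __name__ == "__main__":
    parsed = parse_history(SAMPLE_HISTORY)
    print(len(parsed), "entries; repeat offenders:", repeat_offenders(parsed))
```

Feed it the raw output of display wlan ids history (captured over SSH or from a log collector); entries for the same sender reported by several APs show up once per AP, which is useful for locating the station by RSSI.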
display wlan ids statistics
Use display wlan ids statistics to display WLAN IDS statistics.
Syntax
display wlan ids statistics [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display WLAN IDS statistics.
<Sysname> display wlan ids statistics
Current attack tracking since: 2010-06-21/12:46:33
----------------------------------------------------------------------
Type Current Total
----------------------------------------------------------------------
Probe Request Frame Flood Attack 2 7
Authentication Request Frame Flood Attack 0 0
Deauthentication Frame Flood Attack 0 0
Association Request Frame Flood Attack 1 1
Disassociation Request Frame Flood Attack 4 8
Reassociation Request Frame Flood Attack 0 0
Action Frame Flood Attack 0 0
Null Data Frame Flood Attack 0 0
Weak IVs Detected 12 21
Spoofed Deauthentication Frame Attack 0 0
Spoofed Disassociation Frame Attack 0 2
----------------------------------------------------------------------
Table 2 Command output
Field | Description |
---|---|
Current | Number of attacks of this type detected since the time shown in the Current attack tracking since field. That time is set at system startup and refreshed every hour, so the Current counter is reset hourly. |
Total | Total number of attacks of this type detected since system startup (or since the counters were last cleared with reset wlan ids statistics). |
Probe Request Frame Flood Attack | Number of probe request frame flood attacks detected. |
Authentication Request Frame Flood Attack | Number of authentication request frame flood attacks detected. |
Deauthentication Frame Flood Attack | Number of deauthentication frame flood attacks detected. |
Association Request Frame Flood Attack | Number of association request frame flood attacks detected. |
Disassociation Request Frame Flood Attack | Number of disassociation request frame flood attacks detected. |
Reassociation Request Frame Flood Attack | Number of reassociation request frame flood attacks detected. |
Action Frame Flood Attack | Number of action frame flood attacks detected. |
Null Data Frame Flood Attack | Number of null data frame flood attacks detected. |
Weak IVs Detected | Number of weak IVs detected. |
Spoofed Deauthentication Frame Attack | Number of spoofed deauthentication frame attacks detected. |
Spoofed Disassociation Frame Attack | Number of spoofed disassociation frame attacks detected. |
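Because Current is reset every hour, a polling job that subtracts successive Current values produces negative or misleading deltas; Total only moves backwards when the counters are cleared (a reboot or reset wlan ids statistics). The Python below is an added example, not part of this command reference: it parses the statistics table above (embedded as a constructed sample) together with two constructed later polls, derives per-type deltas from Total, and flags a counter reset so the poller can distinguish "nothing happened" from "the counters were cleared". All poll values after the first are invented for the demonstration.

```python
import re

# Poll 1: the output shown on this page (constructed sample).
POLL_1 = """\
Current attack tracking since: 2010-06-21/12:46:33
----------------------------------------------------------------------
Type                                          Current    Total
----------------------------------------------------------------------
Probe Request Frame Flood Attack              2          7
Authentication Request Frame Flood Attack     0          0
Deauthentication Frame Flood Attack           0          0
Association Request Frame Flood Attack        1          1
Disassociation Request Frame Flood Attack     4          8
Reassociation Request Frame Flood Attack      0          0
Action Frame Flood Attack                     0          0
Null Data Frame Flood Attack                  0          0
Weak IVs Detected                             12         21
Spoofed Deauthentication Frame Attack         0          0
Spoofed Disassociation Frame Attack           0          2
----------------------------------------------------------------------
"""

# Poll 2 (constructed): one hour later. Current has been refreshed, so it is
# lower for probe floods even though two more were seen; Total keeps counting.
POLL_2 = """\
Current attack tracking since: 2010-06-21/13:46:33
----------------------------------------------------------------------
Type                                          Current    Total
----------------------------------------------------------------------
Probe Request Frame Flood Attack              1          9
Authentication Request Frame Flood Attack     0          0
Deauthentication Frame Flood Attack           0          0
Association Request Frame Flood Attack        0          1
Disassociation Request Frame Flood Attack     0          8
Reassociation Request Frame Flood Attack      0          0
Action Frame Flood Attack                     0          0
Null Data Frame Flood Attack                  0          0
Weak IVs Detected                             3          24
Spoofed Deauthentication Frame Attack         1          1
Spoofed Disassociation Frame Attack           0          2
----------------------------------------------------------------------
"""

# Poll 3 (constructed, abbreviated to two rows): taken after
# "reset wlan ids statistics", so Total is smaller than in poll 2.
POLL_3 = """\
Current attack tracking since: 2010-06-21/13:46:33
Probe Request Frame Flood Attack              1          1
Weak IVs Detected                             0          0
"""

STAT_ROW_RE = re.compile(r"^(?P<type>[A-Za-z][A-Za-z ]*?)\s{2,}(?P<cur>\d+)\s+(?P<tot>\d+)\s*$")


def parse_statistics(text):
    """Return (tracking_since, {attack type: (current, total)})."""
    since, counters = None, {}
    for line in text.splitlines():
        m = re.match(r"Current attack tracking since:\s*(\S+)", line)
        if m:
            since = m.group(1)
            continue
        r = STAT_ROW_RE.match(line)
        if r:
            counters[r["type"].strip()] = (int(r["cur"]), int(r["tot"]))
    return since, counters


def delta_since(prev, curr):
    """Per-type increase between two polls, computed from Total, never from Current.

    Returns (deltas, reset_seen). A Total that went down means the counters were
    cleared (reboot or reset wlan ids statistics); the new Total is then the best
    available estimate of what happened since the previous poll.
    """
    deltas, reset_seen = {}, False
    for typ, (_, tot_now) in curr.items():
        tot_prev = prev.get(typ, (0, 0))[1]
        if tot_now < tot_prev:
            reset_seen = True
            deltas[typ] = tot_now
        else:
            deltas[typ] = tot_now - tot_prev
    return deltas, reset_seen


def new_attacks(prev, curr):
    """Only the attack types that increased since the previous poll."""
    deltas, reset_seen = delta_since(prev, curr)
    return {t: n for t, n in deltas.items() if n > 0}, reset_seen
```

Run the poller at any interval shorter than the device's hourly refresh and persist the last Total per type; a reset flag is itself worth alerting on, since reset wlan ids statistics is something an operator (or an intruder with console access) would run to hide activity.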
reset wlan ids history
Use reset wlan ids history to clear the history information of attacks detected in the WLAN.
Syntax
reset wlan ids history
Views
User view
Default command level
1: Monitor level
Usage guidelines
After this command is executed, all the history information regarding attacks will be cleared, and the history table will be empty.
Examples
# Clear all history information of attacks.
<Sysname> reset wlan ids history
reset wlan ids statistics
Use reset wlan ids statistics to clear the statistics of attacks detected in the WLAN system.
Syntax
reset wlan ids statistics
Views
User view
Default command level
1: Monitor level
Usage guidelines
This command clears both the "current" and "total" of all attack types in the WLAN IDS statistics table.
Examples
# Clear WLAN IDS statistics.
<Sysname> reset wlan ids statistics
wlan device-detection enable
Use wlan device-detection enable to configure the AP to operate in hybrid mode.
Use undo wlan device-detection enable to restore the default.
Syntax
wlan device-detection enable
undo wlan device-detection enable
Default
The AP operates in normal mode to provide WLAN services.
Views
System view
Default command level
2: System level
Usage guidelines
This command is not available when the AP operates in monitor mode.
If the AP operates in hybrid mode, configure a service template so the AP can provide both WLAN access and rogue detection services.
Examples
# Set the hybrid operation mode for the AP.
<Sysname> system-view
[Sysname] wlan device-detection enable
wlan ids
Use wlan ids to enter WLAN IDS view.
Syntax
wlan ids
Views
System view
Default command level
2: System level
Usage guidelines
This view enables you to configure WLAN IDS parameters such as scan parameters and device lists.
Examples
# Enter WLAN IDS view.
<Sysname> system-view
[Sysname] wlan ids
[Sysname-wlan-ids]
wlan work-mode monitor
Use wlan work-mode monitor to configure the AP to operate in monitor mode.
Use undo wlan work-mode monitor to restore the default.
Syntax
wlan work-mode monitor
undo wlan work-mode monitor
Default
The AP operates in normal mode to provide WLAN services.
Views
System view
Default command level
2: System level
Usage guidelines
In monitor mode, the AP operates only as a monitor AP that scans for rogue devices and attacks; it cannot operate as an access AP and cannot provide WLAN services.
Before switching the AP from hybrid mode to normal mode, use the undo wlan device-detection enable command to disable hybrid mode.
Examples
# Set the monitor operation mode for the AP.
<Sysname> system-view
[Sysname] wlan work-mode monitor
Blacklist and whitelist configuration commands
display wlan blacklist
Use display wlan blacklist to display the static or dynamic blacklist entries.
Syntax
display wlan blacklist { static | dynamic } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
static: Displays static blacklist entries.
dynamic: Displays dynamic blacklist entries.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about the static blacklist.
<Sysname> display wlan blacklist static
Total Number of Entries: 3
Static Blacklist
--------------------------------------------------------------------------
MAC-Address
--------------------------------------------------------------------------
0014-6c8a-43ff
0016-6F9D-61F3
0019-5B79-F04A
--------------------------------------------------------------------------
Table 3 Command output
Field | Description |
---|---|
MAC-Address | MAC addresses of the clients in the static blacklist. |
# Display information about the dynamic blacklist.
<Sysname> display wlan blacklist dynamic
Total Number of Entries: 3
Dynamic Blacklist
-------------------------------------------------------------------------------
MAC-Address APID Lifetime(s) Blacklisted For (hh:mm:ss) Reason
-------------------------------------------------------------------------------
000f-e2cc-0001 1 60 00:02:11 Assoc-Flood
000f-e2cc-0002 2 60 00:01:17 Deauth-Flood
000f-e2cc-0003 3 60 00:02:08 Auth-Flood
Table 4 Command output
Field | Description |
---|---|
MAC-Address | MAC address of the device added to the dynamic blacklist. |
APID | ID of the AP associated with the entry. |
Lifetime(s) | Lifetime of the entry, in seconds. |
Blacklisted For (hh:mm:ss) | Time elapsed since the entry was last updated. |
Reason | Reason the entry was added to the dynamic blacklist (the type of flood attack detected). |
display wlan whitelist
Use display wlan whitelist to display the configured white list.
Syntax
display wlan whitelist [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the white list.
<Sysname> display wlan whitelist
Total Number of Entries: 6
Whitelist
--------------------------------------------------------------------------
MAC-Address
--------------------------------------------------------------------------
000e-35b2-000e
0019-5b8e-b709
001c-f0bf-9c92
0000-0000-00EE
0400-0000-0000
0400-0000-00EE
--------------------------------------------------------------------------
Table 5 Command output
Field | Description |
---|---|
MAC-Address | MAC addresses of the clients in the white list. |
dynamic-blacklist enable
Use dynamic-blacklist enable to enable the dynamic blacklist feature.
Use undo dynamic-blacklist enable to disable the dynamic blacklist feature.
Syntax
dynamic-blacklist enable
undo dynamic-blacklist enable
Default
The dynamic blacklist feature is disabled.
Views
WLAN IDS view
Default command level
2: System level
Parameters
enable: Enables the dynamic blacklist feature.
Usage guidelines
With this feature, a WLAN device, upon detecting flood attacks from a device, adds the device to the dynamic blacklist, and denies any packets from this device until the dynamic blacklist entry ages out.
The maximum number of entries in the dynamic blacklists depends on the device model.
Examples
# Enable the dynamic blacklist feature.
<Sysname> system-view
[Sysname] wlan ids
[Sysname-wlan-ids] dynamic-blacklist enable
dynamic-blacklist lifetime
Use dynamic-blacklist lifetime to set the lifetime for dynamic blacklist entries.
Use undo dynamic-blacklist lifetime to restore the default.
Syntax
dynamic-blacklist lifetime lifetime
undo dynamic-blacklist lifetime
Default
The lifetime is 300 seconds.
Views
WLAN IDS view
Default command level
2: System level
Parameters
lifetime: Interval, in the range of 60 to 3600 seconds.
Usage guidelines
A dynamic blacklist entry is refreshed each time an attack from the blacklisted device is detected. If no further attack from the device is detected within the lifetime, the entry is removed from the dynamic blacklist and the device is allowed back until it is detected again.
Examples
# Specify a lifetime of 1200 seconds for dynamic blacklist entries.
<Sysname> system-view
[Sysname] wlan ids
[Sysname-wlan-ids] dynamic-blacklist lifetime 1200
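The two rules that govern dynamic blacklisting (enabling it adds a flooding device and denies its packets; the entry is kept for the configured lifetime and dropped once that long passes with no new detection) decide how long an attacker actually stays blocked. The Python model below is an added example, not device code, and simulates that documented behaviour for one dynamic blacklist: a station that keeps flooding is refreshed and never ages out, while one that pauses longer than the lifetime is released and must be detected again. The Entry and DynamicBlacklist names, the boundary choice that an entry expires when the elapsed time equals the lifetime, and the scenario timings are assumptions of this example; what the device does when the table is full is not stated on this page and is not modelled.

```python
from dataclasses import dataclass, field

DEFAULT_LIFETIME = 300          # documented default of dynamic-blacklist lifetime, seconds
LIFETIME_RANGE = (60, 3600)     # documented range of the lifetime argument


@dataclass
class Entry:
    ap_id: int            # AP that reported the flood (APID column)
    reason: str           # e.g. "Assoc-Flood" (Reason column)
    last_updated: float   # time of the most recent detection


@dataclass
class DynamicBlacklist:
    lifetime: int = DEFAULT_LIFETIME
    entries: dict = field(default_factory=dict)

    def __post_init__(self):
        lo, hi = LIFETIME_RANGE
        if not lo <= self.lifetime <= hi:
            raise ValueError(f"lifetime must be {lo}..{hi} seconds")

    def on_flood_detected(self, mac, ap_id, reason, now):
        """Add the attacker, or refresh its entry so the aging clock restarts."""
        self.entries[mac.lower()] = Entry(ap_id, reason, now)

    def expire(self, now):
        """Remove entries with no detection within the lifetime (>= is this model's choice)."""
        stale = [m for m, e in self.entries.items() if now - e.last_updated >= self.lifetime]
        for mac in stale:
            del self.entries[mac]
        return stale

    def is_blocked(self, mac, now):
        """Whether frames from mac would be denied at time now."""
        self.expire(now)
        return mac.lower() in self.entries

    def blacklisted_for(self, mac, now):
        """Seconds since the entry was last updated (the 'Blacklisted For' column)."""
        return int(now - self.entries[mac.lower()].last_updated)

    def reset(self, mac=None):
        """Equivalent of reset wlan dynamic-blacklist { mac-address mac-address | all }."""
        if mac is None:
            self.entries.clear()
        else:
            self.entries.pop(mac.lower(), None)


def scenario(lifetime=DEFAULT_LIFETIME):
    """Constructed timeline for one attacker; times are seconds from t=0."""
    bl = DynamicBlacklist(lifetime)
    bl.on_flood_detected("000f-e2cc-0001", ap_id=1, reason="Assoc-Flood", now=0)
    out = {"blocked_just_before_expiry": bl.is_blocked("000f-e2cc-0001", now=lifetime - 1)}
    # The attacker floods again just before expiry: the entry is refreshed.
    bl.on_flood_detected("000f-e2cc-0001", ap_id=1, reason="Assoc-Flood", now=lifetime - 1)
    out["blocked_after_refresh"] = bl.is_blocked("000f-e2cc-0001", now=2 * lifetime - 2)
    out["blacklisted_for"] = bl.blacklisted_for("000f-e2cc-0001", now=2 * lifetime - 2)
    # The attacker then goes quiet: one lifetime after the last refresh it is released.
    out["released"] = not bl.is_blocked("000f-e2cc-0001", now=2 * lifetime - 1)
    # Manual clearing works regardless of age.
    bl.on_flood_detected("000f-e2cc-0002", ap_id=2, reason="Deauth-Flood", now=2 * lifetime)
    bl.reset("000f-e2cc-0002")
    out["cleared_manually"] = not bl.is_blocked("000f-e2cc-0002", now=2 * lifetime)
    return out


if __name__ == "__main__":
    print(scenario())
```

The model makes the trade-off of the lifetime value concrete: a short lifetime lets an attacker that floods in bursts spaced further apart than the lifetime be re-admitted between bursts, while a long lifetime keeps a spoofed or recycled client address blocked well after the flood stops. Pair the chosen lifetime with the static blacklist for addresses that should never be re-admitted.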
reset wlan dynamic-blacklist
Use reset wlan dynamic-blacklist to remove a specified entry or all entries from the dynamic blacklist.
Syntax
reset wlan dynamic-blacklist { mac-address mac-address | all }
Views
User view
Default command level
1: Monitor level
Parameters
mac-address mac-address: Removes an entry with the specified MAC address from the dynamic blacklist.
all: Removes all entries from the dynamic blacklist.
Usage guidelines
The maximum number of entries in the dynamic blacklist is 128.
Examples
# Remove a client with MAC address 001d-0f31-87d from the dynamic blacklist.
<Sysname> reset wlan dynamic-blacklist mac-address 001d-0f31-87d
static-blacklist mac-address
Use static-blacklist mac-address to add a client with a specified MAC address to the static blacklist.
Use undo static-blacklist to remove the client with the specified MAC address or all clients from the static blacklist.
Syntax
static-blacklist mac-address mac-address
undo static-blacklist { mac-address mac-address | all }
Views
WLAN IDS view
Default command level
2: System level
Parameters
mac-address: MAC address of the client to add to or remove from the static blacklist.
all: Removes all entries from the static blacklist.
Default
No static blacklist exists.
Usage guidelines
Clients in the static blacklist cannot associate with the AP.
The maximum number of entries in the static blacklist depends on the device model.
Examples
# Add the client with MAC address 0014-6c8a-43ff to the static blacklist.
<Sysname> system-view
[Sysname] wlan ids
[Sysname-wlan-ids] static-blacklist mac-address 0014-6c8a-43ff
whitelist mac-address
Use whitelist mac-address to add a client with a specified MAC address to the white list.
Use undo whitelist to remove the client with the specified MAC address or all clients from the white list.
Syntax
whitelist mac-address mac-address
undo whitelist { mac-address mac-address | all }
Views
WLAN IDS view
Default command level
2: System level
Parameters
mac-address: MAC address of the client to add to or remove from the white list.
all: Removes all entries from the white list.
Default
No white list exists.
Usage guidelines
Clients in the white list are allowed to associate with the AP.
The maximum number of entries in the white list depends on the device model.
Examples
# Add the client with MAC address 001c-f0bf-9c92 to the white list.
<Sysname> system-view
[Sysname] wlan ids
[Sysname-wlan-ids] whitelist mac-address 001c-f0bf-9c92