Motorola Wing 5 Manual

							CHAPTER 10 ADVANCED-WIPS-POLICY
This chapter summarizes the advanced WIPS policy commands within the CLI structure.
Use the (config) instance to configure advance WIPS policy commands. To navigate to the advanced WIPS policy instance, 
use the following commands:
RFSSwitch(config)#advanced-wips-policy 
rfs7000-37FABE(config)#advanced-wips-policy test
rfs7000-37FABE(config-advanced-wips-policy-test)#?
Advanced WIPS policy Mode commands:
  event               Configure event detection
  no                  Negate a command or set its defaults
  server-listen-port  Configure local WIPS server listen port number
  terminate           Add a device to the list of devices to be terminated
  use                 Set setting to use
  clrscr              Clears the display screen
  commit              Commit all changes made in this session
  do                  Run commands from Exec mode
  end                 End current mode and change to EXEC mode
  exit                End current mode and down to previous mode
  help                Description of the interactive help system
  revert              Revert changes
  service             Service Commands
  show                Show running system information
  write               Write running configuration to memory or terminal
rfs7000-37FABE(config-advanced-wips-policy-test)# 
						

							10 - 2 WiNG CLI Reference Guide
10.1 advanced-wips-policy
Table 10.1 summarizes advanced WIPS policy commands
Table 10.1advanced-wips-policy commands
Command Description Reference
eventConfigures eventspage 10-3
noNegates a command or sets its defaultpage 10-10
server-listen-portSets a local WIPS server’s listening portpage 10-13
terminateAdds a device to a list of terminated devicespage 10-14
useDefines the settings used with the advanced WIPS policypage 10-15
clrscrClears the display screenpage 5-3
clrscrCommits (saves) changes made in the current sessionpage 5-4
doRuns commands from EXEC modepage 4-66
endEnds and exits the current mode and moves to the PRIV EXEC modepage 5-5
exitEnds the current mode and moves to the previous modepage 5-3
helpDisplays the interactive help systempage 5-7
revertReverts changes to their last saved configurationpage 5-13
serviceInvokes service commands to troubleshoot or debug 
(config-if) instance 
configurationspage 5-14
showDisplays running system informationpage 6-4
writeWrites information to memory or terminalpage 5-42 
						

							ADVANCED-WIPS-POLICY 10 - 3
10.1.1 event
advanced-wips-policy
Configures the detection of anomalous frames in a RF network 
Supported in the following platforms:
 AP300
 AP621
 AP650
 AP6511
 AP6521
 AP6532
 AP71XX
 RFS4000
 RFS6000
 RFS7000
 NX9000
 NX9500
Syntax
event [accidental-association|all|crackable-wep-iv-used|dos-cts-flood|
dos-deauthentication-detection|dos-disassociation-detection|
dos-eap-failure-spoof|dos-eapol-logoff-storm|dos-rts-flood|
essid-jack-attack-detected|fake-dhcp-server-detected|fata-jack-detected|
id-theft-eapol-success-spoof-detected|id-theft-out-of-sequence|
invalid-channel-advertized|invalid-management-frame|ipx-detection|
monkey-jack-attack-detected|multicast-all-routers-on-subnet|
multicast-all-systems-on-subnet| multicast-dhcp-server-relay-agent|
multicast-hsrp-agent|multicast-igmp-detection|multicast-igrp-routers-detection|
multicast-ospf-all-routers-detection|multicast-ospf-designated-routers-detection|
multicast-rip2-routers-detection|multicast-vrrp-agent|netbios-detection|
null-probe-response-detected|probe-response-flood|rogue-ap-detection|
stp-detection|unauthorized-bridge|windows-zero-config-memory-leak|
wlan-jack-attack-detected]
event accidental-association mitigation-enable
event accidental-association trigger-against sanctioned
event all trigger-all-applicable
event [crackable-wep-iv-used|dos-deauthentication-detection|dos-disassociation-
detection|dos-eap-failure-spoof|essid-jack-attack-detected|fake-dhcp-server-
dected|fata-jack-detected|id-theft-eapol-success-spoof-detected|id-theft-out-of-
sequence|ipx-detection|monkey-jack-attack-detected|multicast-all-routers-on-
subnet|multicast-all-systems-on-subnet|multicast-dhcp-server-relay-agent|multicast-
hsrp-agent|multicast-igmp-detection|multicast-igrp-routers-detection|multicast-ospf-
all-routers-detection|multicast-ospf-designated-routers-detection|multicast-rip2-
routers-detection|multicast-vrrp-agent|netbios-detection|null-probe-response-
detected|stp-detection|windows-zero-config-memory-leak|wlan-jack-attack-detected] 
trigger-against sanctioned
event [dos-rts-flood|invalid-channel-advertized|invalid-management-frame] trigger-
against (neighboring,sanctioned,unsanctioned)
event dos-cts-flood threshold [cts-frames-ratio |mu-rx-cts-frame 
event dos-cts-flood trigger-against (neighboring,sanctioned,unsanctioned) 
						

							10 - 4 WiNG CLI Reference Guide
event dos-eapol-logoff-storm threshold [eapol-start-frames-ap |eapol-start-
frames-mu 
event dos-eapol-logoff-storm trigger-against sanctioned
event probe-response-flood threshold probe-rsp-frames-count 
event probe-response-flood trigger-against sanctioned
event rogue-ap-detection mitigation-enable
event rogue-ap-detection trigger-against (neighboring,sanctioned,unsanctioned)
event unauthorized-bridge mitigation-enable
event unauthorized-bridge trigger-against (neighboring,unsanctioned)
Parameters
• event accidental-association mitigation-enable
• event accidental-association trigger-against sanctioned
• event all trigger-all-applicable
• event [crackable-wep-iv-used|dos-deauthentication-detection|dos-disassociation-
detection|dos-eap-failure-spoof|essid-jack-attack-detected|fake-dhcp-server-
dected|fata-jack-detected|id-theft-eapol-success-spoof-detected|id-theft-out-of-
sequence|ipx-detection|monkey-jack-attack-detected|multicast-all-routers-on-
subnet|multicast-all-systems-on-subnet|multicast-dhcp-server-relay-agent|multicast-
hsrp-agent|multicast-igmp-detection|multicast-igrp-routers-detection|multicast-ospf-
all-routers-detection|multicast-ospf-designated-routers-detection|multicast-rip2-
routers-detection|multicast-vrrp-agent|netbios-detection|null-probe-response-
detected|stp-detection|windows-zero-config-memory-leak|wlan-jack-attack-detected] 
trigger-against sanctioned
accidental-association This event occurs when a client accidentally associates to a wireless controller
mitigation-enable Enables the default mitigation of an accidental association event
accidental-association This event occurs when a client accidentally associates to a wireless controller
trigger-against sanctioned Sets the trigger condition
 sanctioned – The accidental association event is triggered against sanctioned 
devices
all trigger-all-applicable Enables all events
crackable-wep-iv-used This event occurs when a crackable WEP initialization vector is used
The standard WEP64 uses a 40 bit key concatenated with a 24 bit initialization 
vector
dos-deauthentication-detection This event occurs when a DoS Deauthentication attack is detected
In this attack, clients connected to an AP are constantly forced to deauthenticate so 
they cannot stay connected to the network long enough to utilize it.
dos-disassociation-detection This event occurs when a DoS disassociation attack is detected
With this attack, clients connected to an AP are constantly disassociated. A fake 
deassociation frame is generated using an AP MAC address as the source address 
and the MAC address of the target device as the destination address. The target 
device on receiving this fake frame dissociates itself from the AP, then tries to 
re-associate. If the target receives a large number of deassociation frames, it will 
not be able to stay connected to the network long enough to utilize it. 
						

							ADVANCED-WIPS-POLICY 10 - 5
dos-eap-failure-spoof This event occurs when a Dos EAP failure spoofing attack is detected
With this attack, the attacker generates a large number of EAP-failure packets 
forcing the AP to disassociate with its legitimate wireless clients.
essid-jack-attack-detected This event occurs when an essid-jack attack is detected
Essid-jack is a tool in the AirJack suite that sends a disassociate frame to a target 
client to force it to reassociate it to the network to find the SSID. This can be used 
to launch further DoS attacks on the network.
fake-dhcp-server-detected This event occurs when a fake DHCP server is detected in the controlled network 
A fake or rogue DHCP server is a type of man in the middle attack where DHCP 
services are provide by an unauthorized DHCP server compromising the integrity of 
the wireless controller managed network.
fata-jack-detected This event occurs when a FATA-jack exploit is detected in the controller managed 
network
FATA-jack is a tool in the AirJack suite that forces an AP to disassociate a valid 
client. This exploit uses a spoofed authentication frame with an invalid 
authentication algorithm number of 2. The attacker sends an invalid authentication 
frame with the wireless client’s MAC, forcing the AP to return a deauth to the client.
id-theft-eapol-success-spoof-
detectedThis event occurs when an EAPOL success spoof is detected
In this DoS attack, the attacker keeps the client from providing its credentials 
through the EAP-response packet by sending a EAP-success packet. Since the client 
is unable to provide its credentials, it cannot be authenticated and therefore cannot 
access the wireless network. 
id-theft-out-of-sequence This event occurs when an out of sequence packet is received
This indicates a wireless client has been spoofed and is sending a packet out of 
sequence with the packet sent by the real wireless client.
ipx-detection This event occurs when Novell’s Internetwork Packet Exchange (IPX) packets are 
detected
monkey-jack-attack-detected This event occurs when a monkey-jack attack is detected
Monkey-jack is a tool in the AirJack suite that enables an attacker to deauthenticate 
all wireless clients from an AP, and then insert itself between the AP and the 
wireless clients.
multicast-all-routers-on-subnet This event occurs when a sanctioned device detects multicast packets to all routers 
on the subnet
multicast-all-systems-on-subnet This event occurs when a sanctioned device detects multicast packets to all systems 
on the subnet
multicast-dhcp-server-relay-
agentThis event occurs when a sanctioned device detects a DHCP server relay agent in 
the network
multicast-hsrp-agent This event occurs when a sanctioned device detects a Hot Standby Router Protocol 
(HSRP) agent in the network
multicast-igmp-detection This event occurs when a sanctioned device detects multicast Internet Group 
Management Protocol (IGMP) packets 
						

							10 - 6 WiNG CLI Reference Guide
• event [dos-rts-flood|invalid-channel-advertized|invalid-management-frame] trigger-
against (neighboring,sanctioned,unsanctioned)
multicast-igrp-routers-detection This event occurs when a sanctioned device detects multicast Interior Gateway 
Routing Protocol (IGRP) packets
multicast-ospf-all-routers-
detectionThis event occurs when a sanctioned device detects multicast Open Shortest Path 
First (OSPF) packets
multicast-ospf-designated-
routers-detectionThis event occurs when a sanctioned device detects multicast OSPF routers in the 
network
multicast-rip2-routers-detection This event occurs when a sanctioned device detects multicast Routing Information 
Protocol version 2 (RIP2) routers in the network
multicast-vrrp-agent This event occurs when a sanctioned device detects multicast Virtual Router 
Redundancy Protocol (VRRP) agents in the network
netbios-detection This event occurs when netbios packets are detected in the network
Network Basic Input/Output System (netbios) provides services related to the 
sessions layer of the OSI model. This allows applications on different devices to 
communicate over the local area network.
null-probe-response-detected This event occurs when a sanctioned device detects null probe response packets
stp-detection This event occurs when a sanctioned device detects Scanning Tunnelling Protocol 
(STP) packets in the network
windows-zero-config-memory-
leakThis event occurs when a Windows™ Zero-Config memory leak is detected 
wlan-jack-attack-detected This event occurs when a WLAN-jack exploit is detected in the wireless controller 
managed network.
WLAN-jack is a tool in the AirJack suite that forces an AP to disassociate a valid 
client. The attacker sends deauthentication frames continuously or uses the 
broadcast address. This prevents the wireless clients from reassociating with the 
AP.
trigger-against sanctioned Configures the event trigger condition
 sanctioned – The selected event is only triggered against sanctioned devices
dos-rts-flood This event occurs when a large number of request to send (RTS) frames are detected 
in the wireless controller managed network
invalid-channel-advertized This event occurs when packets with invalid channels are detected in the wireless 
controller managed network 
						

							ADVANCED-WIPS-POLICY 10 - 7
• event dos-cts-flood threshold [cts-frames-ratio |mu-rx-cts-frame ]
• event dos-cts-flood trigger-against (neighboring,sanctioned,unsanctioned)
• event dos-eapol-logoff-storm threshold [eapol-start-frames-ap |eapol-
start-frames-mu 
invalid-management-frame This event occurs when an invalid management frame is detected in the controller 
managed network
trigger-against 
(neighboring,sanctioned,unsanct
ioned)Sets the trigger condition. The following conditions are available:
 sanctioned – An accidental association event is triggered against sanctioned 
devices
 unsanctioned – An accidental association event is triggered against 
unsanctioned devices
 neighboring – An accidental association event is triggered against neighboring 
devices
dos-cts-flood This event occurs when a large number of clear to send (CTS) frames are detected 
in the network
threshold [cts-frames-ratio |mu-rx-cts-frame ]Sets the CTS flood threshold
 cts-frames-radio  – Sets the CTS:Total Frames ratio for triggering this 
event
  – Specify the value from 0 - 65535.
 mu-rx-cts-frame – Sets the CTS frame received by clients
  – Specify the value from 0 - 65535.
dos-cts-flood This event occurs when a large number of clear to send (CTS) frames are detected in 
the network
trigger-against 
(neighboring,sanctioned,unsanct
ioned)Sets the trigger condition
 sanctioned – An accidental association event is triggered against sanctioned 
devices
 unsanctioned – An accidental association event is triggered against unsanctioned 
devices
 neighboring – An accidental association event is triggered against neighboring 
devices
dos-eapol-logoff-storm This event occurs when a large number of EAPOL logoff frames are detected in the 
network
threshold [eapol-start-frames-ap 
|eapol-start-frames-
mu ]Sets the EAPOL logoff frames flood threshold
 eapol-start-frames-ap – Sets the EAPOL start frames transmitted by an AP to 
trigger this event
  – Specify a value from 0 - 65535.
 eapol-start-frames-mu – Sets the EAPOL start frames transmitted by a client to 
trigger this event
  – Specify a value from 0 - 65535. 
						

							10 - 8 WiNG CLI Reference Guide
• event dos-eapol-logoff-storm trigger-against sanctioned
• event probe-response-flood threshold probe-rsp-frames-count 
• event probe-response-flood trigger-against sanctioned
• event rogue-ap-detection mitigation-enable
• event rogue-ap-detection trigger-against (neighboring,sanctioned,unsanctioned)
• event unauthorized-bridge mitigation-enable
dos-eapol-logoff-storm This event occurs when a large number of EAPOL logoff frames are detected in the 
network
trigger-against sanctioned Configures the event trigger condition
 sanctioned – This event is triggered against sanctioned devices only
probe-response-flood This event occurs when a large number of probe response frames are detected in 
the network
threshold probe-rsp-frames-count 
Sets the probe response frames flood threshold
 probe-rsp-frames-count – Sets the threshold from the number of probe response 
frames received
  – Specify the value from 0 - 65535.
probe-response-flood This event occurs when a large number of probe response frames are detected in 
the network
trigger-against sanctioned Configures the event trigger condition.
 sanctioned – This event is triggered against sanctioned devices only
rogue-ap-detection This event occurs when rogue APs are detected in the network
mitigation-enable Enables default mitigation for the rogue-ap-detection event
rogue-ap-detection This event occurs when rogue APs are detected in the network.
trigger-against 
(neighboring,sanctioned,unsancti
oned)Sets the trigger condition
 sanctioned – An accidental association event is triggered against sanctioned 
devices
 unsanctioned – An accidental association event is triggered against 
unsanctioned devices
 neighboring – An accidental association event is triggered against neighboring 
devices
unauthorized-bridge This event occurs when unauthorized bridges are detected in the network
mitigation-enable Enables the default mitigation for the unauthorized-bridge event 
						

							ADVANCED-WIPS-POLICY 10 - 9
• event unauthorized-bridge trigger-against (neighboring,unsanctioned)
Example
rfs7000-37FABE(config-advanced-wips-policy-test)#event dos-cts-flood threshold cts-
frames-ratio 8
rfs7000-37FABE(config-advanced-wips-policy-test)#event dos-eapol-logoff-storm 
threshold eapol-start-frames-mu 99
rfs7000-37FABE(config-advanced-wips-policy-test)#event probe-response-flood 
threshold probe-rsp-frames-count 8
rfs7000-37FABE(config-advanced-wips-policy-test)#event wlan-jack-attack-detected 
trigger-against sanctioned
rfs7000-37FABE(config-advanced-wips-policy-test)#event probe-response-flood trigger-
against sanctioned
Related Commands
unauthorized-bridge This event occurs when unauthorized bridges are detected in the network
trigger-against 
(neighboring,unsanctioned)Sets the trigger condition
 unsanctioned – An accidental association event is triggered against 
unsanctioned devices
 neighboring – An accidental association event is triggered against neighboring 
devices
noResets values or disables commands 
						

							10 - 10 WiNG CLI Reference Guide
10.1.2 no
advanced-wips-policy
Negates a command or sets its default value
Supported in the following platforms:
 AP300
 AP621
 AP650
 AP6511
 AP6521
 AP6532
 AP71XX
 RFS4000
 RFS6000
 RFS7000
 NX9000
 NX9500
Syntax
no [event|server-listen-port|terminate|use]
no event [accidental-association|crackable-wep-iv-used|dos-cts-flood|
dos-deauthentication-detection|dos-disassociation-detection|
dos-eap-failure-spoof|dos-eapol-logoff-storm|dos-rts-flood|
essid-jack-attack-detected|fake-dhcp-server-detected|fata-jack-detected|
id-theft-eapol-success-spoof-detected|id-theft-out-of-sequence|
invalid-channel-advertized|invalid-management-frame|ipx-detection|
monkey-jack-attack-detected|multicast-all-routers-on-subnet|
multicast-all-systems-on-subnet| multicast-dhcp-server-relay-agent|
multicast-hsrp-agent|multicast-igmp-detection|multicast-igrp-routers-detection|
multicast-ospf-all-routers-detection|multicast-ospf-designated-routers-detection|
multicast-rip2-routers-detection|multicast-vrrp-agent|netbios-detection|
null-probe-response-detected|probe-response-flood|rogue-ap-detection|
stp-detection|unauthorized-bridge|windows-zero-config-memory-leak|
wlan-jack-attack-detected]
no server-listen-port
no terminate 
no use device-configuration
Parameters
• no event [accidental-association|crackable-wep-iv-used|dos-cts-flood|
dos-deauthentication-detection|dos-disassociation-detection|
dos-eap-failure-spoof|dos-eapol-logoff-storm|dos-rts-flood|
essid-jack-attack-detected|fake-dhcp-server-detected|fata-jack-detected|
id-theft-eapol-success-spoof-detected|id-theft-out-of-sequence|
invalid-channel-advertized|invalid-management-frame|ipx-detection|
monkey-jack-attack-detected|multicast-all-routers-on-subnet|
multicast-all-systems-on-subnet| multicast-dhcp-server-relay-agent|
multicast-hsrp-agent|multicast-igmp-detection|multicast-igrp-routers-detection|
multicast-ospf-all-routers-detection|multicast-ospf-designated-routers-detection|
multicast-rip2-routers-detection|multicast-vrrp-agent|netbios-detection|
null-probe-response-detected|probe-response-flood|rogue-ap-detection|