<description><![CDATA[<p>A client has moved from one AccessPoint to another. If the client has not changed its SSID then a BSSID change indicates that the client has roamed from one AccessPoint to another. This is normal behavior for mobile clients, however excessive BSSID changes can indicate that AccessPoint's signal strength is fluctuating.</p>]]></description>
<action><![CDATA[<p>
If the number of events is reasonable no action is necessary. If a high number of
events occur for the same client, consider the following actions:
<ul>
<li>Verify that the signal strengh of the AccessPoints the client is closest to are not fluctuating excessively.</li>
<li>See if a firmware upgrade for the client card is available from the manufacturer.</li>
</ul>
</p>]]></action>
</expert>
<expert>
<id>1001</id>
<enabled>1</enabled>
<name>Default SSID in Use</name>
<severity>1</severity>
<class>Vulnerability</class>
<frequency>1</frequency>
<summary>AccessPoint is using the manufacturer's default SSID setting.</summary>
<alerttemplate>AccessPoint is using a default SSID of '%s'</alerttemplate>
<description><![CDATA[<p>AccessPoint has not been configured yet. Still uses the factory default SSID settings assigned by the AccessPoint manufacturer. If you have just installed this accesspoint follow the actions below to secure it from hackers. </p>]]></description>
<action><![CDATA[<p>Configure all AccessPoints to use SSIDs which are different from the default. Also, confirm that each AccessPoint is not using other default security settings such as administrator password, SNMP settings etc.
<description><![CDATA[<p>AirJack is running in one of your user machines. AirJack is a free linux-based device driver API for 802.11 cards that enables raw frame injection (fake packets) into WLANs. These fake packets can be used for number of intrusion and denial-of-service attacks. Presence of AirJack in your network indicates that a serious attack on your Wireless network is underway. </p>]]></description>
<action><![CDATA[<p>Locate the computer running AirJack and disable AirJack tool.
</p>]]></action>
</expert>
<expert>
<id>1003</id>
<enabled>1</enabled>
<name>Wellenreiter Detected</name>
<severity>1</severity>
<class>Reconnaissance</class>
<frequency>1</frequency>
<summary>Wellenreiter tool is running in the network.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>
<a href="http://www.wellenreiter.net/" target="_blank">Wellenreiter</a> is a 802.11
network discovery tool (like NetStumbler). In general, such WLAN discovery tools are used by attackers to identify potential targets for attack.</p>]]></description>
<action><![CDATA[<p>
Locate the computer running Wellenreiter.
</p>]]></action>
</expert>
<expert>
<id>1005</id>
<enabled>1</enabled>
<name>AccessPoint Channel Changed</name>
<severity>1</severity>
<class>Intrusion</class>
<frequency>1</frequency>
<summary>The channel used by an AccessPoint has been changed.</summary>
<alerttemplate>AccessPoint's channel changed from %d to %d</alerttemplate>
<description><![CDATA[<p>In normal operation AccessPoints should not change their channel. This alert indicates that either the AccessPoint was reconfigured to use a different channel or an attacker is using MAC address spoofing to masquerade as a legitimate AccessPoint. </p>]]></description>
<action><![CDATA[<p>Determine if the channel change is legitimate. If not, check the configuration of the AccessPoint to see if an attacker has changed the AccessPoint configuration.
</p>]]></action>
</expert>
<expert>
<id>1008</id>
<enabled>1</enabled>
<name>Rogue Ad-hoc Client Detected</name>
<severity>2</severity>
<class>Intrusion</class>
<frequency>1</frequency>
<summary>An unauthorized ad-hoc client has been discovered in the network.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>A rogue ad-hoc client is one which is not listed in the authorized mobile clients list. This could be an attacker trying to access your network or a legitimate adhoc client whose MAC is not updated in the authorized MAC list.
<action><![CDATA[<p>If the client is legitimate, add it to the authorized MAC list.
</p>]]></action>
</expert>
<expert>
<id>1010</id>
<enabled>1</enabled>
<name>AccessPoint Broadcasting SSID</name>
<severity>1</severity>
<class>Vulnerability</class>
<frequency>1</frequency>
<summary>AccessPoint is broadcasting its SSID in beacon packets.</summary>
<alerttemplate>AccessPoint is broadcasting its SSID of '%s'</alerttemplate>
<description><![CDATA[<p>Broadcasting the SSID makes it possible for network discovery tools such as NetStumbler to scan the wireless network and gain knowledge on your SSIDs. Attackers can then set the SSIDs on their clients and connect to your AccessPoints.
</p>]]></description>
<action><![CDATA[<p>Reconfigure the AccessPoint not to broadcast the SSID. Also configure the AccessPoint not to
<clearmsg>AccessPoint configured not to broadcast SSID.</clearmsg>
</expert>
<expert>
<id>1011</id>
<enabled>1</enabled>
<name>AccessPoint Reported a Problem to a Client</name>
<severity>2</severity>
<class>Operational</class>
<frequency>0</frequency>
<summary>An AccessPoint notified a client that there was a problem with something the client tried to do.</summary>
<alerttemplate>AccessPoint %m notified the client that %s</alerttemplate>
<description><![CDATA[<p>This alert can indicate a wide range of operational issues. Look at the message which accompanied the alert to see what the particular problem was.
</p>]]></description>
</expert>
<expert>
<id>1012</id>
<enabled>1</enabled>
<name>Ad-hoc Network Operating</name>
<severity>2</severity>
<class>Vulnerability</class>
<frequency>1</frequency>
<summary>An ad-hoc network is operating.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>Wireless enabled client devices can share data amongst themselves, without requiring an AccessPoint. These isolated networks are called ad-hoc networks. Ad-hoc networks cannot use enterprise security solutions such as authentication and data encryption, and are difficult to secure.</p>]]></description>
<action><![CDATA[<p>Locate the PC involved or change your SSID so that it does not conflict with an already running ad-hoc network.
</p>]]></action>
</expert>
<expert>
<id>1013</id>
<enabled>1</enabled>
<name>AccessPoint With WEP Disabled</name>
<severity>2</severity>
<class>Vulnerability</class>
<frequency>1</frequency>
<summary>AccessPoint is not using WEP encryption.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>When an AccessPoint does not use WEP (or other WLAN layer 2 encryption methods) a client can sniff unencrypted traffic (a.k.a. "packet capture") with special software known as "sniffers". These packets can then be reassembled to produce the original message. </p>]]></description>
<action><![CDATA[<p>Reconfigure the AccessPoint to use WEP or other method of encryption. To provide maximum security for your clients use a Layer-7 application based encryption method such as a VPN.
<summary>Usage of weak WEP IV detected in your WLAN.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>Weak IVs reveal more information about the WEP keys than the strong ones. If an attacker gathers thousands of weak IVs he would be able to crack the WEP key easily within minutes and will be able to launch multiple attacks using the cracked WEP key. </p>]]></description>
<action><![CDATA[<p>Many manufacturers provide firmware upgrades which can reduce the number of weak IVs generated. Check that your AccessPoints and clients are using the latest firmware. Alternatively, you can try using the TKIP (Temporal Key Integrity Protocol) encryption mechanism, which is now supported by most enterprise level wireless equipments. TKIP enabled devices are not subject to any such WEP related vulnerabilities.
<summary>A station is retransmitting too many packets.</summary>
<alerttemplate>Station is generating too many retry packets (%f%% of packets)</alerttemplate>
<description><![CDATA[<p>
Retransmissions are caused when the packet is not received due to errors. Errors can be caused by:
<ul>
<li>Client is too far from AccessPoint.</li>
<li>Excessive RF noise.</li>
<li>Active RF jamming.</li>
</ul>
</p>]]></description>
<action><![CDATA[<p>
Ensure that AP coverage is adequate.
</p>]]></action>
</expert>
<expert>
<id>1017</id>
<enabled>1</enabled>
<name>Random MAC Address Detected</name>
<severity>2</severity>
<class>Intrusion</class>
<frequency>1</frequency>
<summary>A station is using a random address.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>The MAC address being used by a station does not belong to a known vendor. This is good indication that the MAC address has been randomly generated. Randomly generated addresses are used by some hacking tools such as Wellenreiter.</p>]]></description>
<description><![CDATA[<p>Using fata-jack tool someone is trying to launch an authentication-failure attack on your WLAN. Your authorized mobile users would get disconnected automatically if this attack were successful.]]></description>
<action><![CDATA[<p>Locate the client running Fata-Jack tool.
</p>]]></action>
</expert>
<expert>
<id>1019</id>
<enabled>1</enabled>
<name>Spoofed MAC Address</name>
<severity>2</severity>
<class>Intrusion</class>
<frequency>1</frequency>
<summary>A spoofed MAC address has been detected using sequence number tracking.</summary>
<alerttemplate>A station MAC address has been spoofed (sequence number jump to %d detected).</alerttemplate>
<description><![CDATA[<p>A station or AccessPoint should never have a need to change their MAC address, therefore a spoofed MAC address is good evidence that there is suspicious activity on the wireless LAN.
</p>
<p>By analyzing the sequence number in 802.11 management frames we can collaborate on when an anamoly had been detected and MAC address spoofing has occured within the perimeter. </p>]]></description>
<action><![CDATA[<p>If you are using MAC-based authentication for your AccessPoint you should consider another method. A MAC address can easily be spoofed using ifconfig (Linux) or registry settings (Windows). Other types of detectable attacks such as ARP cache poisoning are possible with MAC address spoofing.
<summary>A station is sending too many deauthentication packets.</summary>
<alerttemplate>Excessive deauthentication packets are being sent by %m (%d packets).</alerttemplate>
<description><![CDATA[<p>Using WLAN jack, void11 tools someone is trying to launch a de-authentication flood attack on your WLAN. Your authenticated mobile clients would get disconnected automatically if this attack were successful.</p>]]></description>
<summary>A new AccessPoint is discovered.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>A new AccessPoint is discovered. It could be an authorized AccessPoint that you have just installed, or it could be an AccessPoint from neighboring premises beaming its signals into your WLAN, or it could be a rogue AccessPoint.
</p>]]></description>
<action><![CDATA[<p>If this AccessPoint is legitimate, mark it as trusted. If this is a neighboring AccessPoint, mark it as friendly. If this is a rogue AccessPoint mark it as rogue and block it from the network using the 'Block Switch Port' option.
</p>]]></action>
</expert>
<expert>
<id>1022</id>
<enabled>1</enabled>
<name>New Client Discovered</name>
<severity>0</severity>
<class>Informational</class>
<frequency>1</frequency>
<summary>A new client is discovered.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>A new client is discovered. It could be one of your authorized mobile users, or it could be an attacker trying to associate with your WLAN.
</p>]]></description>
<action><![CDATA[<p>If this client is legitimate, mark it as 'trusted'. If it is a rogue client, mark it as 'rogue'.
</p>]]></action>
</expert>
<expert>
<id>1023</id>
<enabled>1</enabled>
<name>New Adhoc Client Discovered.</name>
<severity>0</severity>
<class>Informational</class>
<frequency>1</frequency>
<summary>A new adhoc client is discovered.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>A new client operating in adhoc mode is discovered. Clients operating in adhoc mode are vulnerable to attacks as they don't use encryption and authentication. If these clients are also connected to the wired network they can open up the entire wired network to an attacker.
</p>]]></description>
<action><![CDATA[<p>If your organization doesnot encourage adhoc clients, locate the client and shut it down.
</p>]]></action>
</expert>
<expert>
<id>1024</id>
<enabled>1</enabled>
<name>AccessPoint Restarted</name>
<severity>1</severity>
<class>Operational</class>
<frequency>1</frequency>
<summary>An AccessPoint was restarted (or crashed).</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>This alert may mean one of several things:</p>
<ul>
<li>The AccessPoint has malfunctioned and reset itself.</li>
<li>An attacker has caused the AccessPoint to crash in anticipation of staging an attack.</li>
<li>Some AccessPoints periodically change mode and this alert may be a consequence of the AccessPoint switching from one mode to another. </li>
</ul>]]></description>
<action><![CDATA[<p>Update the status of the AccessPoint (or ping) to check that the AccessPoint is running normally.
</p>]]></action>
</expert>
<expert>
<id>1025</id>
<enabled>1</enabled>
<name>ASLEAP Attack Detected</name>
<severity>2</severity>
<class>Intrusion</class>
<frequency>1</frequency>
<summary>An ASLEAP attack was detected.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>This is more likely to be a real attack if the MAC address spoofing alert has also been recently raised for the same AccessPoint.
</p>
<p>
<a href="http://asleap.sourceforge.net/" target="_blank">ASLEAP</a> is a tool written by Joshua Wright to exploit a weekness in the Cisco proprietary LEAP protocol. LEAP uses a modified MS-CHAPv2 exchange to authenticate users which is vulnerable to dictionary and brute force attacks.</p>]]></description>
<action><![CDATA[<p>This exploit is dangerous if you are running a Cisco AccessPoint. A security advisory from Cisco is <a href="http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml" target="_blank">available</a>.
</p>
<p>
According to Cisco, admins should migrate to another EAP type like EAP-FAST (Fast Authentication via Secure Tunneling), PEAP (Protected Extensible Authentication Protocol) or EAP-TLS (Transport Layer Security) whose authentication methods are not susceptible to dictionary attacks.
</p>]]></action>
</expert>
<expert>
<id>1026</id>
<enabled>1</enabled>
<name>AccessPoint Overloaded</name>
<severity>2</severity>
<class>Denial of Service</class>
<frequency>1</frequency>
<summary>AccessPoint is overloaded and unable to accept new clients.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>AccessPoint has refused a new client which attempted to associate with it.
This could be due to heavy load from legitimate clients, or it could be due to denial of service attack. Some forms of denial of service attacks will create many fake associations so that legitimate clients can no longer use the AccessPoint. </p>]]></description>
<action><![CDATA[<p>If this alert is raised during normal operation, confirm that the AccessPoint is configured to accept more than the number of clients trying to use it, or consider deploying more AccessPoints.
</p>]]></action>
</expert>
<expert>
<id>1027</id>
<enabled>1</enabled>
<name>Client Rate Support Mismatch</name>
<severity>1</severity>
<class>Operational</class>
<frequency>1</frequency>
<summary>There is a mistmatch in the rates supported by the client and the AccessPoint.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>The AccessPoint configuration does not match with what the client station can handle. Either the AccessPoint configuration is incorrect or it is a rogue AccessPoint.
</p>]]></description>
<action><![CDATA[<p>Configure the AccessPoint if it is a legitimate one or locate the rogue AccessPoint.
</p>]]></action>
</expert>
<expert>
<id>1028</id>
<enabled>1</enabled>
<name>Client is Sending Spurious Traffic</name>
<severity>1</severity>
<class>Intrusion</class>
<frequency>1</frequency>
<summary>The client is sending traffic without having an association with an AccessPoint.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>Someone may be injecting forged 802.11 packets if they have not attempted an association with the AccessPoint. This anomaly would show that a client station has not acted in accordance with normal authentication procedures and is most likely a rogue client.
Check your clients and upgrade to the latest firmware if possible. Otherwise locate the rogue client.
</p>]]></action>
</expert>
<expert>
<id>1029</id>
<enabled>1</enabled>
<name>Disassociation Flood Attack</name>
<severity>2</severity>
<class>Denial of Service</class>
<frequency>1</frequency>
<summary>Device is sending too many disassociation packets.</summary>
<alerttemplate>Excessive disassociation packets are being sent by %m (%d packets).</alerttemplate>
<description><![CDATA[<p>Someone is sending a number of disassociation management frame packets. This could force all your associated clients to be disassociated from the AccessPoint. </p>]]></description>
<action><![CDATA[<p>Locate the client.</p>]]></action>
</expert>
<expert>
<id>1030</id>
<enabled>1</enabled>
<name>Association Flood Attack</name>
<severity>2</severity>
<class>Denial of Service</class>
<frequency>1</frequency>
<summary>Device is sending too many association packets.</summary>
<alerttemplate>Excessive association packets are being sent by %m (%d packets).</alerttemplate>
<description><![CDATA[<p>Someone is sending a number of association packets. This might be an attempt to fill up the AccessPoint client association table and thus make the AccessPoint deny association for new legitimate clients. </p>]]></description>
<summary>Device is sending too many authentication packets.</summary>
<alerttemplate>Excessive authentication packets are being sent by %m (%d packets).</alerttemplate>
<description><![CDATA[<p>Someone is sending number of authentication packets to the AccessPoint. This could be an attack using the void11 tool. If successful, this attack would fill the association table of the AccessPoint with fake clients. This would result in the AccessPoint denying connection to legitimate mobile clients.</p>]]></description>
<description><![CDATA[<p>A significant abnormal noise level is a good indication that there is a device jamming your legitimate signal. </p>]]></description>
<summary>Device is sending too many EAPoL start packets.</summary>
<alerttemplate>Excessive EAPoL Start packets are being sent by %m (%d packets).</alerttemplate>
<description><![CDATA[<p>Someone is sending number of EAPOL-Start packets. EAPOL-Start is the first step in EAP based authentication process. Normally AccessPoint would respond to EAPOL-start requests with EAP-Identity-Request and some internal resource allocation. When the number of requests increase, the AccessPoint resources exhaust resulting in denial of service to real mobile clients. </p>]]></description>
<action><![CDATA[<p>If you are using EAPoL for authentication, check to make sure all your clients are up to date with the latest client software. Locate the PC which is causing this alert as excessive EAPoL Start commands can deny other clients service.
</p>]]></action>
</expert>
<expert>
<id>1034</id>
<enabled>1</enabled>
<name>EAPoL Logoff Storm</name>
<severity>2</severity>
<class>Denial of Service</class>
<frequency>1</frequency>
<summary>Device is sending too many EAPoL logoff packets.</summary>
<alerttemplate>Excessive EAPoL Logoff packets are being sent by %m (%d packets).</alerttemplate>
<description><![CDATA[<p>Someone is sending numerous EAPOL-Logoff packets. EAPOL-Logoff is the last step in (EAP authentication process) disconnecting client from an AccessPoint. This would force AccessPoint to logoff authenticated users. </p>]]></description>
<action><![CDATA[<p>If you are using EAPoL for authentication, check to make sure all your clients are up to date with the latest client software. Locate the PC which is causing this alert as excessive EAPoL Logoff commands can deny other clients service.
</p>]]></action>
</expert>
<expert>
<id>1035</id>
<enabled>1</enabled>
<name>Adhoc node using AccessPoint SSID</name>
<severity>2</severity>
<class>Intrusion</class>
<frequency>1</frequency>
<summary>Adhoc client is using the same SSID as an AccessPoint.</summary>
<alerttemplate>Adhoc client is using the same SSID (%s) as an AccessPoint %m.</alerttemplate>
<description><![CDATA[<p>Malicious users could create bad associations by using the same SSID as an AccessPoint, fooling the client into thinking the connection is made with the legitimate AccessPoint. It is also common for inexperienced users to accidentally create their connections as "Ad-hoc" instead of "Managed".</p>]]></description>
<action><![CDATA[<p>Locate the Adhoc client with the AccessPoint SSID.
</p>]]></action>
</expert>
<expert>
<id>1036</id>
<enabled>1</enabled>
<name>Channel With Too Many AccessPoints</name>
<severity>1</severity>
<class>Operational</class>
<frequency>1</frequency>
<summary>There are too many AccessPoints operating on the same channel.</summary>
<alerttemplate>There are %d AccessPoints operating on channel %d within proximity of each other.</alerttemplate>
<description><![CDATA[<p>Many AccessPoints operating on the same channel within proximity of each other. This may lead to degraded performance due to bandwidth sharing and increased packet corruption. </p>]]></description>
<action><![CDATA[<p>Adjacent AccessPoints should use different channels. If these are legitimate AccessPoints, place them on seperate channels for maximum efficiency. If they are unauthorized AccessPoints, locate them (or their owner) and notify them of the problem.
<name>Authorized Client Connected to Rogue AccessPoint</name>
<severity>2</severity>
<class>Vulnerability</class>
<frequency>1</frequency>
<summary>An authorized client has associated with an unauthorized AccessPoint or ad-hoc network.</summary>
<alerttemplate>An authorized client has associated with an unauthorized AccessPoint or ad-hoc network (%m).</alerttemplate>
<description><![CDATA[<p>Authorized clients should never associate with unauthorized AccessPoints. This alert may be caused by a client associating with a neighbors AccessPoint.</p>]]></description>
<action><![CDATA[<p>Check to make sure the unauthorized AccessPoint is not legitimate. Then locate the authorized client station and recheck the configurations. Locate the unauthorized AccessPoint on the network.
</p>]]></action>
</expert>
<expert>
<id>1038</id>
<enabled>1</enabled>
<name>Netstumbler Detected</name>
<severity>1</severity>
<class>Reconnaissance</class>
<frequency>1</frequency>
<summary>Netstumbler detected in the network.</summary>
<alerttemplate>Netstumbler (version %s) detected running on a client.</alerttemplate>
<description><![CDATA[<p>
<a href="http://www.netstumbler.com" target="_blank">Netstumbler</a> is a popular free tool for discovering open AccessPoints. It is used by wardrivers or hackers to discover wireless networks.
<p>]]></description>
<action><![CDATA[<p>Netstumbler is normally not an issue if you have turned off SSID broadcasting. This prevents your AccessPoint from responding to Netstumbler's probe requests. Check to make sure you have SSID broadcasting turned off on your AccessPoint to prevent it from showing up in Netstumbler and other applications.
</p>]]></action>
</expert>
<expert>
<id>1039</id>
<enabled>1</enabled>
<name>Duration Attack Detected</name>
<severity>2</severity>
<class>Denial of Service</class>
<frequency>1</frequency>
<summary>Device uses an excessive value in the duration field.</summary>
<alerttemplate>A wireless device uses an excessive value of %d in the duration field.</alerttemplate>
<description><![CDATA[<p>
The duration field in an 802.11 packet tells the other stations on the network
how long they must wait before transmitting again. If one station uses values which are too large this is a denial of service because it prevents other stations from operating.</p>]]></description>
<action><![CDATA[<p>Find the station causing the alert. This alert could also be generated by faulty firmware in the station (though this still means that the station is preventing other stations from using the network).
</p>]]></action>
</expert>
<expert>
<id>1040</id>
<enabled>1</enabled>
<name>WDS In Operation/Bridging</name>
<severity>0</severity>
<class>Informational</class>
<frequency>1</frequency>
<summary>WDS mode is being used to bridge packets between AccessPoints.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>Wireless Distribution System (WDS) is a feature of 802.11 that allows packets to be sent directly between AccessPoints. WDS mode is sometimes called bridging. Under normal situations your AccessPoint may be using WDS if it is acting as a bridge. However if you are not using bridging and this alert is raised it could be used as a possible "man-in-the-middle" attack on unsuspecting clients. This may be the case if a previous alert was raised pertaining to other rogue AccessPoints or SSIDs. Beware, this is a typical setup of a laptop using two(2) wireless NICs instead of one(1). One to create the "bridge" to the legitimate AccessPoint and the other to create a rogue AccessPoint for the client.
</p>]]></description>
<action><![CDATA[<p>Ignore if you are using AccessPoints acting as bridges. If not, check whether any client is operating with two NICs as explained above. If yes, locate and shutdown the client.
</p>]]></action>
</expert>
<expert>
<id>1041</id>
<enabled>1</enabled>
<name>AccessPoint Supports Multiple SSIDs</name>
<severity>0</severity>
<class>Informational</class>
<frequency>1</frequency>
<summary>The AccessPoint supports more than one SSID.</summary>
<alerttemplate>The AccessPoint supports more than one SSID.</alerttemplate>
<description><![CDATA[<p>Some AccessPoints can support more than one SSID so that different classes of service
can be offered to clients based on the SSID they use. (also known as "Virtual AccessPoints")
</p>]]></description>
<action><![CDATA[<p>No action is needed if this is an authorized AccessPoint and all of your SSIDs are accounted for in the alert. Otherwise you have to locate the rogue AccessPoint.</p>]]></action>
</expert>
<expert>
<id>1042</id>
<enabled>1</enabled>
<name>RF Sensor Down</name>
<severity>1</severity>
<class>Operational</class>
<frequency>1</frequency>
<summary>Sensor did not respond to keep-alive request.</summary>
<alerttemplate>The Sensor '%s' did not respond to a keep-alive request.</alerttemplate>
<description><![CDATA[<p>The server sends keep-alive requests every 30 seconds to verify whether the Sensor is still running. This alert indicates that the Sensor did not respond to a keep-alive request but had been previous operating. This could be due to loss of power to the Sensor, loss of network connectivity or a malfunction on the Sensor. It may also be caused if the Sensor is using DHCP and the address allocated by the DHCP server changes.
</p>]]></description>
<action><![CDATA[Check the current status of the Sensor to see if it has resumed operating. If the
Sensor has power and network connectivity verify that the IP address is still valid. The last resort should be to power cycle the Sensor.]]></action>
</expert>
<expert>
<id>1043</id>
<enabled>1</enabled>
<name>Sensor Failed to Start</name>
<severity>1</severity>
<class>Operational</class>
<frequency>1</frequency>
<summary>Sensor failed to start.</summary>
<alerttemplate>The Sensor '%s' failed to start.</alerttemplate>
<description><![CDATA[The Sensor could not be started.]]></description>
<action><![CDATA[Verify that the Sensor information, especially the IP address and community string, is correct. If the Sensor has power and network connectivity verify that the IP address is still valid. The last resort should be to power cycle the Sensor.]]></action>
</expert>
<expert>
<id>1044</id>
<enabled>1</enabled>
<name>AccessPoint is Using Hotspot SSID</name>
<severity>1</severity>
<class>Vulnerability</class>
<frequency>1</frequency>
<summary>AccessPoint is using an SSID commonly used by hotspots.</summary>
<alerttemplate>AccessPoint is using an SSID of '%s' which is commonly used by hotspots.</alerttemplate>
<description><![CDATA[<p>Having an SSID that is commonly used in hotspots makes your WLAN more vulnerable to attack. Basic attack on Wireless networks is to try connecting to the WLAN using various default/common SSIDs. </p>]]></description>
<action><![CDATA[<p>Reconfigure the AccessPoint to use enterprise specific SSIDs.
</p>]]></action>
</expert>
<expert>
<id>1045</id>
<enabled>1</enabled>
<name>Hotspotter Attack Detected</name>
<severity>2</severity>
<class>Intrusion</class>
<frequency>1</frequency>
<summary>A Hotspotter attack has been detected.</summary>
<alerttemplate>A Hotspotter attack has been detected using the SSID of '%s'.</alerttemplate>
<description><![CDATA[<p>Hotspotter is a free open source tool that will passively monitor probe requests from Windows XP clients and compares them to common "hotspot" SSID names. If there is a match with the clients request, the rogue client running the hotspotter tool will act as an AccessPoint with the same SSID. </p>]]></description>
<action><![CDATA[<p>Check your client so that they are not listing sensitive SSID information in their Windows XP client profile as Windows will probe all preferred SSID AccessPoints.
</p>]]></action>
</expert>
<expert>
<id>1046</id>
<enabled>1</enabled>
<name>Airsnarf Attack Detected</name>
<severity>2</severity>
<class>Intrusion</class>
<frequency>1</frequency>
<summary>An Airsnarf attack has been detected.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>Airsnarf is a rogue AccessPoint that tries to get username/ passwords by using a fake hotspot portal.
<action><![CDATA[<p>Locate the client running AirSnarf.
</p>]]></action>
</expert>
<expert>
<id>1047</id>
<enabled>1</enabled>
<name>WEPWedgie Attack Detected</name>
<severity>2</severity>
<class>Intrusion</class>
<frequency>1</frequency>
<summary>An WEPWedgie attack has been detected.</summary>
<alerttemplate>An WEPWedgie attack has been detected from client %m to AccessPoint %m.</alerttemplate>
<description><![CDATA[<p><a href="http://sourceforge.net/projects/wepwedgie/" target="_blank">WEPWedgie</a> is a toolkit for determining 802.11 WEP keystreams and injecting traffic with known keystreams.
<action><![CDATA[<p>Better encryption techniques, such as WPA or 802.11i, are not vulnerable to WEPWedgie.
</p>]]></action>
</expert>
<expert>
<id>1048</id>
<enabled>0</enabled>
<name>Channel with Excessive Errors</name>
<severity>1</severity>
<class>Operational</class>
<frequency>1</frequency>
<summary>A channel has too many corrupted packets.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>The sensor has detected too many corrupted or illegitimate packets in a channel. This could be due to poor signal and coverage, rogue 802.11 injection, or bad software/firmware</p>]]></description>
<action><![CDATA[<p>Check other alerts to see channel related problems getting reported.
</p>]]></action>
</expert>
<expert>
<id>1049</id>
<enabled>1</enabled>
<name>Constant Traffic</name>
<severity>1</severity>
<class>Intrusion</class>
<frequency>1</frequency>
<summary>The station is generating constant traffic.</summary>
<alerttemplate>The station is generating constant traffic of about %d bytes per second.</alerttemplate>
<description><![CDATA[<p>The station is generating a large amount of constant 802.11 data frames. This could be a problem for other users on the network if there is no load balancing.</p>]]></description>
<action><![CDATA[<p>If this alert occurs under normal circumstances you should consider load balancing with multiple AccessPoints. Otherwise, this could be a sign of malicious activity.
</p>]]></action>
</expert>
<expert>
<id>3001</id>
<enabled>1</enabled>
<name>AccessPoint Low Signal Strength</name>
<severity>1</severity>
<class>Operational</class>
<frequency>1</frequency>
<summary>The AccessPoint has a low signal strength, as measured by the nearest Sensor.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>
A sensor has reported a low signal coming from an authorized AccessPoint. This is a good indication of interference on the AccessPoints channel either legitimately (microwave, cordless phone, etc) or illegitimately (RF jamming).
<action><![CDATA[<p>Review the location of your AccessPoint or sensor to make sure it is situated in an area giving you maximum coverage. Perform a quick site survey to determine what may or may not be causing the low signal.
<summary>Device sent a broadcast disassociation packet.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>Someone is sending disassociation packet to the broadcast address (all clients). This would force all associated clients to disassociate. </p>]]></description>
<summary>A client transmitted a deauthentication packet to the broadcast address.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>Someone is sending deauthentication packets to the broadcast address (all clients). This would force all authenticated users to get deauthenticated. </p>]]></description>
<summary>Karlnet Turbocell is in use on the network.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p><a href="http://www.karlnet.com/products/software/wl_TurboCell.html" target="_blank">TurboCell</a> is a proprietary broadband wireless protocol used in Point-To-Multi-Point environments that makes use of existing 802.11 radio technology.
</p>]]></description>
<action><![CDATA[<p>
No action is needed if you are using a Karlnet AccessPoint. Otherwise locate the client.
<summary>Unencrypted NetBIOS traffic was detected.</summary>
<alerttemplate></alerttemplate>
<description><![CDATA[<p>Unencrypted NetBIOS (Network Basic Input/Output System) traffic was detected. Some common and popular applications of this include Microsoft File and Printer sharing and Samba. </p>]]></description>
<action><
