Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later) User Manual
Page 1159
Brocade Mobility RFS Controller CLI Reference Guide
1151
53-1003098-01
21
event enable-all-events
event excessive
[80211-replay-check-failure|aggressive-scanning|auth-server-failures|
decryption-failures|dos-assoc-or-auth-flood|dos-eapol-start-storm
|dos-unicast-deauth-or-disassoc|eap-flood|eap-nak-flood|frames-from-unassoc-s
tation] {filter-ageout [<0-86400>]|threshold-client
[<0-5535>]|threshold-radio <0-65535>}
wellenreiter
Tracks Wellenreiter events
filter-ageout <0-86400>
The following keywords are common to all of the above client anomaly events:
•
filter-ageout <0-86400> – Optional. Configures the filter expiration interval in seconds
•
<0-86400> – Sets the filter ageout interval from 0 - 86400 seconds. The default is 0
seconds.
NOTE: For each violation define a filter time in seconds, which determines how long the packets
(received from an attacking device) are ignored once a violation has been triggered. Ignoring
frames from an attacking device minimizes the effectiveness of the attack and the impact to the
site until permanent mitigation can be performed.
The filter ageout value is applicable across the entire RF Domain using this WIPS policy. If an MU is
detected performing an attack and is filtered by one of the APs, the information is passed on to all APs
and controllers within the RF Domain through the domain manager. Consequently the MU is filtered, for
the specified period of time, across all devices.
enable-all-events
Enables tracking of all intrusion events (client anomaly and excessive events)
excessive
Enables the tracking of excessive events. Excessive events are actions performed continuously and
repetitively. These events can impact the performance of the controller managed network. DoS attacks
come under this category.
80211-replay-check-failure
Tracks 802.11replay check failure
aggressive-scanning
Tracks aggressive scanning events
auth-server-failures
Tracks failures reported by authentication servers
decryption-failures
Tracks decryption failures
dos-assoc-or-auth-flood
Tracks DoS association or authentication floods
dos-eapol-start-storm
Tracks DoS EAPOL start storms
dos-unicast-deauth-or-disassoc Tracks DoS dissociation or deauthentication floods
eap-flood
Tracks EAP floods
eap-nak-flood
Tracks EAP NAK floods
frames-from-unassoc-station
Tracks frames from unassociated clients
filter-ageout <0-86400>
The following keywords are common to all excessive events:
•
filter-ageout <0-86400> – Optional. Configures a filter expiration interval in seconds. It sets the
duration for which the client is filtered. The client is added to a ACL as a special entry and frames
received from this client are dropped.
•
<0-86400> – Sets a filter ageout interval from 0 - 86400 seconds. The default is
0 seconds.
NOTE: This value is applicable across the RF Domain. If a client is detected performing an attack and is
filtered by one of the APs, the information is passed to the domain controller. The domain
controller then propagates this information to all APs and wireless controllers in the RF Domain.