Security Streaming Event
The Security streaming event is generated when a rogue AP is detected in the network or if one of the configured Intrusion Detection System (IDS) event is triggered.
Security Event Protocol Buffer File
enum Action
{
ADD = 1;
DELETE = 2;
UPDATE = 3;
}
message MacAddress {
required bytes addr = 1;
}
message RapidsStreamingEvent
{
required string cust_id = 1;
repeated RogueEvent rogue = 2;
repeated WIDSEvent idsEvent = 3;
}
message RogueEvent
{
required MacAddress rogue_id = 1;
required uint32 classification = 2;
optional string first_seen = 3;
optional string last_seen = 4;
optional string rogue_name = 5;
optional string ssid = 6;
optional string lan_mac = 7;
optional string first_det_device = 8;
optional string last_det_device = 9;
optional uint32 encryption = 10;
optional string port = 11;
optional string containment_status = 12;
optional string mac_vendor = 13;
}
message WIDSEvent
{
required string device_id = 1;
required uint32 event_number = 2;
optional string event_type = 3;
optional string attack_type = 4;
optional string description = 5;
optional string detected_ap = 6;
optional MacAddress mac_addr = 7;
optional string radio_band = 8;
optional string level = 9;
}
Parameters Descriptions for Rogue AP Detection
| Field | Type | Rule | Description |
|---|---|---|---|
| rogue_id | MacAddress | Required | Indicates the corresponding base bssid of the rogue. |
| classification | Unit32 | Required | Indicates the rogue's classification. Possible input: Rogue. This should only be rogue since we only send rogue events to the streaming API. |
| first_seen | String | Optional | Indicates the time of the first detection of the rogue. |
| last_seen | String | Optional | Indicates the time of the last detection of the rogue. |
| rogue_name | String | Optional | Indicates the Rogue AP's name. |
| ssid | String | Optional | Indicates the Rogue AP's SSID. |
| lan_mac | String | Optional | Indicates the LAN Mac address if the Rogues AP is connected to our network through a switch. |
| first_det_device | String | Optional | Indicates the first device to detect the rogue. |
| last_det_device | String | Optional | Indicates the last device to detect the rogue. |
| encryption | unit32 | Optional | Indicates the rogue AP's encryption. |
| port | String | Optional | Indicates the port name if the rogue AP is connected to a switch on Aruba Network. |
| containment_status | String | Optional | Indicates the containment status, if the rogue is currently contained or not. |
| mac_vendor | String | Required | Indicates the Mac vendor of the rogue ap. |
Parameters Descriptions for WIDS Event
| Field | Type | Rule | Description |
|---|---|---|---|
| device_id | String | Required | Indicates the serial number of the AP that triggered the WIDS event. |
| event_number | unit32 | Required | Indicates the event number. |
| event_type | String | Optional | Indicates the event type. |
| attack_type | String | Optional | Indicates the attack type. |
| description | String | Optional | Indicates the description of the event. |
| detected_ap | String | Optional | Indicates the name of the AP that detected the WIDS event. |
| mac_addr | MacAddres | Optional | Indicates the Mac address of the rogue AP. |
| radio_band | String | Optional | Indicates the radio band where the WIDS event was detected. |
| level | String | Optional | Indicates the level of the WIDS event. |
Example Messages for Security Streaming Topic
cust_id: "d9f16c95f70c40a59155266f0180b587"
rogue
{
rogue_id {
addr: "\270\'\353\311\225\220"
}
classification: 3
first_seen: "2021-04-11T16:10:37.136Z"
last_seen: "2021-04-13T13:41:37.873Z"
rogue_name: "Raspberry Pi-C9:95:94"
ssid: "CX-RoguePi9"
first_det_device: "CNKKKD532C"
last_det_device: "CNKKKD532D"
encryption: 3
containment_status: "Un-contained"
mac_vendor: "Raspberry Pi Foundation"
}
cust_id: "d9f16c95f70c40a59155266f0180b587"
idsEvent
{
device_id: "CNJCJ0T2WS"
event_number: 1188
event_type: "infrastructuredetection"
attack_type: "detect_malformed_frame_wrong_channel"
description: "An AP detected that the Access Point with MAC
A8:BD:27:D1:B4:30 and BSSID A8:BD:27:D1:B4:30 has sent a beacon
for SSID APACSouth_test This beacon advertizes channel 116 but
was received on channel."
detected_ap: "7c:57:3c:c9:07:9a"
mac_addr {
addr: "\250\275\'\321\2640"
}
radio_band: "1"
level: "critical"
}
Event Number, Attack Type, and Event Type Mapping
Mapping information of the event_number, event_type, and attack_type:
| Event Number | Attack Type | Event Type |
|---|---|---|
| 1088 | detect_rate_anomalies_by_ap | clientdetection |
| 1089 | detect_rate_anomalies_by_sta | clientdetection |
| 1090 | detect_eap_rate_anomaly | clientdetection |
| 1094 | detect_disconnect_sta | clientdetection |
| 1136 | signature_asleap_from_ap | clientdetection |
| 1137 | signature_asleap_from_sta | clientdetection |
| 1138 | signature_airjack_from_ap | clientdetection |
| 1139 | signature_airjack_from_sta | clientdetection |
| 1148 | detect_station_disconnect_attack_AP | clientdetection |
| 1171 | detect_unencrypted_valid | clientdetection |
| 1175 | detect_disconnect_station_attack | clientdetection |
| 1177 | detect_omerta_attack | clientdetection |
| 1178 | detect_tkip_replay_attack | clientdetection |
| 1179 | detect_chopchop_attack | clientdetection |
| 1180 | detect_fatajack | clientdetection |
| 1182 | detect_valid_client_misassociation | clientdetection |
| 1198 | detect_block_ack_attack | clientdetection |
| 1199 | detect_hotspotter_attack | clientdetection |
| 1220 | detect_power_save_dos_attack | clientdetection |
| 1057 | detect_valid_ssid_misuse | infrastructuredetection |
| 1063 | detect_adhoc_network | infrastructuredetection |
| 1095 | detect_ap_flood | infrastructuredetection |
| 1097 | detect_wireless_bridge | infrastructuredetection |
| 1098 | detect_invalid_mac_oui_ap | infrastructuredetection |
| 1099 | detect_invalid_mac_oui_sta | infrastructuredetection |
| 1100 | detect_bad_wep | infrastructuredetection |
| 1113 | detect_ap_impersonation | infrastructuredetection |
| 1129 | detect_windows_bridge | infrastructuredetection |
| 1142 | signature_deauth_broadcast_ap | infrastructuredetection |
| 1143 | signature_deauth_broadcast_sta | infrastructuredetection |
| 1157 | detect_ht_greenfield | infrastructuredetection |
| 1158 | detect_ht_40mhz_intolerance_ap | infrastructuredetection |
| 1159 | detect_ht_40mhz_intolerance_sta | infrastructuredetection |
| 1170 | detect_client_flood | infrastructuredetection |
| 1172 | detect_adhoc_using_valid_ssid | infrastructuredetection |
| 1173 | detect_ap_spoofing | infrastructuredetection |
| 1181 | detect_invalid_addresscombination | infrastructuredetection |
| 1183 | detect_malformed_htie | infrastructuredetection |
| 1184 | detect_malformed_assoc_req | infrastructuredetection |
| 1185 | detect_overflow_ie | infrastructuredetection |
| 1186 | detect_overflow_eapol_key | infrastructuredetection |
| 1187 | detect_malformed_large_duration | infrastructuredetection |
| 1188 | detect_malformed_frame_wrong_channel | infrastructuredetection |
| 1189 | detect_malformed_frame_auth | infrastructuredetection |
| 1190 | detect_cts_rate_anomaly | infrastructuredetection |
| 1191 | detect_rts_rate_anomaly | infrastructuredetection |
| 1205 | signature_deauth_broadcast | infrastructuredetection |
| 1206 | signature_deassociation_broadcast | infrastructuredetection |
| 1222 | detect_adhoc_using_valid_ssid | infrastructuredetection |
Updated almost 3 years ago
What’s Next