Security Streaming Event

The Security streaming event is generated when a rogue AP is detected in the network or when one of the configured Intrusion Detection System (IDS) events is triggered.

Security Event Protocol Buffer File

// required/optional field rules are proto2 syntax
syntax = "proto2";

enum Action {
    ADD = 1;
    DELETE = 2;
    UPDATE = 3;
}

message MacAddress {
    required bytes addr = 1;
}

message RapidsStreamingEvent {
    required string cust_id = 1;
    repeated RogueEvent rogue = 2;
    repeated WIDSEvent idsEvent = 3;
}

message RogueEvent {
    required MacAddress rogue_id = 1;
    required uint32 classification = 2;
    optional string first_seen = 3;
    optional string last_seen = 4;
    optional string rogue_name = 5;
    optional string ssid = 6;
    optional string lan_mac = 7;
    optional string first_det_device = 8;
    optional string last_det_device = 9;
    optional uint32 encryption = 10;
    optional string port = 11;
    optional string containment_status = 12;
    optional string mac_vendor = 13;
}

message WIDSEvent {
    required string device_id = 1;
    required uint32 event_number = 2;
    optional string event_type = 3;
    optional string attack_type = 4;
    optional string description = 5;
    optional string detected_ap = 6;
    optional MacAddress mac_addr = 7;
    optional string radio_band = 8;
    optional string level = 9;
}
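The schema above is all a consumer needs to decode the binary stream: each field number, its wire type (varint for uint32, length-delimited for string, bytes and nested messages) and whether it is repeated. The following is an added example, not code from the original page or from the vendor's SDK, that decodes a RapidsStreamingEvent from raw protobuf wire bytes using only those field numbers, rejects wrong wire types and truncated buffers, skips unknown field numbers (so a newer schema does not break the consumer), and renders MacAddress.addr as a colon-separated MAC. The sample message is constructed inline with a small encoder to mirror the page's example messages; it is not captured traffic.

```python
# Field number -> (name, kind); kind is a scalar type or a nested message name,
# copied from the .proto above.
SCHEMAS = {
    "MacAddress": {1: ("addr", "bytes")},
    "RogueEvent": {1: ("rogue_id", "MacAddress"), 2: ("classification", "uint32"),
                   3: ("first_seen", "string"), 4: ("last_seen", "string"),
                   5: ("rogue_name", "string"), 6: ("ssid", "string"),
                   7: ("lan_mac", "string"), 8: ("first_det_device", "string"),
                   9: ("last_det_device", "string"), 10: ("encryption", "uint32"),
                   11: ("port", "string"), 12: ("containment_status", "string"),
                   13: ("mac_vendor", "string")},
    "WIDSEvent": {1: ("device_id", "string"), 2: ("event_number", "uint32"),
                  3: ("event_type", "string"), 4: ("attack_type", "string"),
                  5: ("description", "string"), 6: ("detected_ap", "string"),
                  7: ("mac_addr", "MacAddress"), 8: ("radio_band", "string"),
                  9: ("level", "string")},
    "RapidsStreamingEvent": {1: ("cust_id", "string"), 2: ("rogue", "RogueEvent"),
                             3: ("idsEvent", "WIDSEvent")},
}
REPEATED = {"rogue", "idsEvent"}  # the schema's 'repeated' fields

def read_varint(buf, pos):
    """Decode a base-128 varint at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")

def iter_fields(buf):
    """Yield (field_number, wire_type, raw). This schema only needs wire type 0
    (varint) and 2 (length-delimited); any other type is treated as corrupt input."""
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wtype = key >> 3, key & 0x7
        if wtype == 0:
            raw, pos = read_varint(buf, pos)
        elif wtype == 2:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError(f"field {field} overruns the buffer")
            raw, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wtype} on field {field}")
        yield field, wtype, raw

def decode(buf, message):
    """Decode buf as `message` into a dict. Unknown field numbers are skipped
    (standard protobuf forward compatibility); wrong wire types are rejected."""
    schema, out = SCHEMAS[message], {}
    for field, wtype, raw in iter_fields(buf):
        if field not in schema:
            continue
        name, kind = schema[field]
        if wtype != (0 if kind == "uint32" else 2):
            raise ValueError(f"{message}.{name}: unexpected wire type {wtype}")
        if kind == "uint32":
            value = raw
        elif kind == "string":
            value = raw.decode("utf-8")
        elif kind == "bytes":          # only MacAddress.addr: render as a MAC string
            value = ":".join(f"{b:02x}" for b in raw)
        else:                          # nested message
            value = decode(raw, kind)
        if name in REPEATED:
            out.setdefault(name, []).append(value)
        else:
            out[name] = value
    return out

# Minimal encoder, used only to construct an offline sample of the page's examples.
def _varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def _field(num, payload):
    if isinstance(payload, int):                       # varint, wire type 0
        return _varint(num << 3) + _varint(payload)
    return _varint(num << 3 | 2) + _varint(len(payload)) + payload   # wire type 2

def sample_message():
    """Constructed RapidsStreamingEvent with one rogue and one idsEvent (not captured data)."""
    rogue = (_field(1, _field(1, bytes.fromhex("b827ebc99590"))) + _field(2, 3)
             + _field(6, b"CX-RoguePi9") + _field(13, b"Raspberry Pi Foundation"))
    wids = (_field(1, b"CNJCJ0T2WS") + _field(2, 1188)
            + _field(3, b"infrastructuredetection")
            + _field(4, b"detect_malformed_frame_wrong_channel")
            + _field(7, _field(1, bytes.fromhex("a8bd27d1b430")))
            + _field(8, b"1") + _field(9, b"critical"))
    return (_field(1, b"d9f16c95f70c40a59155266f0180b587")
            + _field(2, rogue) + _field(3, wids))

if __name__ == "__main__":
    print(decode(sample_message(), "RapidsStreamingEvent"))
```

In production the generated classes from protoc do this work, but a hand decoder makes the failure modes explicit: a truncated frame or a field carrying the wrong wire type is rejected rather than silently yielding a partial event, while a field number the consumer does not know is skipped, which is what keeps an older consumer working when the vendor extends the schema.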

Parameter Descriptions for Rogue AP Detection

Field | Type | Rule | Description
rogue_id | MacAddress | Required | Indicates the base BSSID of the rogue.
classification | uint32 | Required | Indicates the rogue's classification. Possible input: Rogue. This should only ever be rogue, since only rogue events are sent to the streaming API.
first_seen | string | Optional | Indicates the time the rogue was first detected.
last_seen | string | Optional | Indicates the time the rogue was last detected.
rogue_name | string | Optional | Indicates the rogue AP's name.
ssid | string | Optional | Indicates the rogue AP's SSID.
lan_mac | string | Optional | Indicates the LAN MAC address if the rogue AP is connected to the network through a switch.
first_det_device | string | Optional | Indicates the first device that detected the rogue.
last_det_device | string | Optional | Indicates the last device that detected the rogue.
encryption | uint32 | Optional | Indicates the rogue AP's encryption.
port | string | Optional | Indicates the port name if the rogue AP is connected to a switch on the Aruba network.
containment_status | string | Optional | Indicates the containment status, i.e. whether the rogue is currently contained or not.
mac_vendor | string | Required | Indicates the MAC vendor of the rogue AP.

Parameter Descriptions for WIDS Event

Field | Type | Rule | Description
device_id | string | Required | Indicates the serial number of the AP that triggered the WIDS event.
event_number | uint32 | Required | Indicates the event number (see the mapping table below).
event_type | string | Optional | Indicates the event type.
attack_type | string | Optional | Indicates the attack type.
description | string | Optional | Indicates the description of the event.
detected_ap | string | Optional | Indicates the name of the AP that detected the WIDS event.
mac_addr | MacAddress | Optional | Indicates the MAC address of the rogue AP.
radio_band | string | Optional | Indicates the radio band on which the WIDS event was detected.
level | string | Optional | Indicates the level of the WIDS event.

Example Messages for Security Streaming Topic

Rogue AP event:

cust_id: "d9f16c95f70c40a59155266f0180b587"
rogue {
  rogue_id {
    addr: "\270\'\353\311\225\220"
  }
  classification: 3
  first_seen: "2021-04-11T16:10:37.136Z"
  last_seen: "2021-04-13T13:41:37.873Z"
  rogue_name: "Raspberry Pi-C9:95:94"
  ssid: "CX-RoguePi9"
  first_det_device: "CNKKKD532C"
  last_det_device: "CNKKKD532D"
  encryption: 3
  containment_status: "Un-contained"
  mac_vendor: "Raspberry Pi Foundation"
}

WIDS event:

cust_id: "d9f16c95f70c40a59155266f0180b587"
idsEvent {
  device_id: "CNJCJ0T2WS"
  event_number: 1188
  event_type: "infrastructuredetection"
  attack_type: "detect_malformed_frame_wrong_channel"
  description: "An AP detected that the Access Point with MAC A8:BD:27:D1:B4:30 and BSSID A8:BD:27:D1:B4:30 has sent a beacon for SSID APACSouth_test This beacon advertizes channel 116 but was received on channel."
  detected_ap: "7c:57:3c:c9:07:9a"
  mac_addr {
    addr: "\250\275\'\321\2640"
  }
  radio_band: "1"
  level: "critical"
}

Event Number, Attack Type, and Event Type Mapping

The following table maps each event_number to its attack_type and event_type:

Event Number | Attack Type | Event Type
1088 | detect_rate_anomalies_by_ap | clientdetection
1089 | detect_rate_anomalies_by_sta | clientdetection
1090 | detect_eap_rate_anomaly | clientdetection
1094 | detect_disconnect_sta | clientdetection
1136 | signature_asleap_from_ap | clientdetection
1137 | signature_asleap_from_sta | clientdetection
1138 | signature_airjack_from_ap | clientdetection
1139 | signature_airjack_from_sta | clientdetection
1148 | detect_station_disconnect_attack_AP | clientdetection
1171 | detect_unencrypted_valid | clientdetection
1175 | detect_disconnect_station_attack | clientdetection
1177 | detect_omerta_attack | clientdetection
1178 | detect_tkip_replay_attack | clientdetection
1179 | detect_chopchop_attack | clientdetection
1180 | detect_fatajack | clientdetection
1182 | detect_valid_client_misassociation | clientdetection
1198 | detect_block_ack_attack | clientdetection
1199 | detect_hotspotter_attack | clientdetection
1220 | detect_power_save_dos_attack | clientdetection
1057 | detect_valid_ssid_misuse | infrastructuredetection
1063 | detect_adhoc_network | infrastructuredetection
1095 | detect_ap_flood | infrastructuredetection
1097 | detect_wireless_bridge | infrastructuredetection
1098 | detect_invalid_mac_oui_ap | infrastructuredetection
1099 | detect_invalid_mac_oui_sta | infrastructuredetection
1100 | detect_bad_wep | infrastructuredetection
1113 | detect_ap_impersonation | infrastructuredetection
1129 | detect_windows_bridge | infrastructuredetection
1142 | signature_deauth_broadcast_ap | infrastructuredetection
1143 | signature_deauth_broadcast_sta | infrastructuredetection
1157 | detect_ht_greenfield | infrastructuredetection
1158 | detect_ht_40mhz_intolerance_ap | infrastructuredetection
1159 | detect_ht_40mhz_intolerance_sta | infrastructuredetection
1170 | detect_client_flood | infrastructuredetection
1172 | detect_adhoc_using_valid_ssid | infrastructuredetection
1173 | detect_ap_spoofing | infrastructuredetection
1181 | detect_invalid_addresscombination | infrastructuredetection
1183 | detect_malformed_htie | infrastructuredetection
1184 | detect_malformed_assoc_req | infrastructuredetection
1185 | detect_overflow_ie | infrastructuredetection
1186 | detect_overflow_eapol_key | infrastructuredetection
1187 | detect_malformed_large_duration | infrastructuredetection
1188 | detect_malformed_frame_wrong_channel | infrastructuredetection
1189 | detect_malformed_frame_auth | infrastructuredetection
1190 | detect_cts_rate_anomaly | infrastructuredetection
1191 | detect_rts_rate_anomaly | infrastructuredetection
1205 | signature_deauth_broadcast | infrastructuredetection
1206 | signature_deassociation_broadcast | infrastructuredetection
1222 | detect_adhoc_using_valid_ssid | infrastructuredetection
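The example messages are shown in protobuf text format, where MacAddress.addr appears as octal-escaped bytes ("\250\275\'\321\2640" is a8:bd:27:d1:b4:30, the MAC the description names), and the mapping table fixes which attack_type and event_type belong to each event_number. The following is an added example, not code from the original page or from the vendor, that parses that text format into nested dicts, decodes the escaped addr bytes into a MAC string, and cross-checks each idsEvent against an excerpt of the mapping table so that a consumer notices when the feed and its own table drift apart (an unknown event_number, or an attack_type that does not match the number). The mapping dict is a labelled excerpt of the table above, and the sample message is constructed from the page's examples with some rogue fields omitted.

```python
import re

# Excerpt of the event_number -> (attack_type, event_type) table above.
WIDS_EVENT_MAP = {
    1094: ("detect_disconnect_sta", "clientdetection"),
    1113: ("detect_ap_impersonation", "infrastructuredetection"),
    1173: ("detect_ap_spoofing", "infrastructuredetection"),
    1188: ("detect_malformed_frame_wrong_channel", "infrastructuredetection"),
    1205: ("signature_deauth_broadcast", "infrastructuredetection"),
}
REPEATED = {"rogue", "idsEvent"}   # repeated fields in the schema -> always lists
BYTES_FIELDS = {"addr"}            # MacAddress.addr is bytes, everything else is text
# One token per match: `key: scalar`, `key {`, or `}` (quoted strings may hold any escape).
_TOKEN = re.compile(r'\s*(?:(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^\s{}]+)|(\w+)\s*\{|(\}))')

def _scalar(key, tok):
    if tok.startswith('"'):
        # Text format escapes raw bytes as \ooo octal (plus \' etc.); Python's
        # unicode_escape yields one code point per byte, latin-1 gives the bytes back.
        raw = tok[1:-1].encode("utf-8").decode("unicode_escape").encode("latin-1")
        return raw if key in BYTES_FIELDS else raw.decode("utf-8")
    return int(tok)

def _store(d, key, value):
    if key in REPEATED:
        d.setdefault(key, []).append(value)
    else:
        d[key] = value

def parse_textproto(text):
    """Parse protobuf text format (`key: value` / `key { ... }`) into nested dicts."""
    root, stack, pos, text = {}, [], 0, text.strip()
    cur = root
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {text[pos:pos + 20]!r}")
        key, tok, msg_key, close = m.groups()
        pos = m.end()
        if close:
            if not stack:
                raise ValueError("unbalanced '}'")
            cur = stack.pop()
        elif msg_key:
            child = {}
            _store(cur, msg_key, child)
            stack.append(cur)
            cur = child
        else:
            _store(cur, key, _scalar(key, tok))
    if stack:
        raise ValueError("unterminated message")
    return root

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def check_wids(evt):
    """Cross-check one idsEvent against the mapping table; returns a list of
    findings. Any finding means the feed and the consumer's table are out of step."""
    num, findings = evt.get("event_number"), []
    if num not in WIDS_EVENT_MAP:
        return [f"event_number {num} not in mapping table"]
    attack, etype = WIDS_EVENT_MAP[num]
    if evt.get("attack_type") != attack:
        findings.append(f"attack_type {evt.get('attack_type')!r} != {attack!r}")
    if evt.get("event_type") != etype:
        findings.append(f"event_type {evt.get('event_type')!r} != {etype!r}")
    return findings

def summarise(text):
    """Parse a security event and reduce it to what an alert pipeline needs."""
    msg = parse_textproto(text)
    return {
        "cust_id": msg.get("cust_id"),
        "rogues": [{"bssid": mac_str(r["rogue_id"]["addr"]), "vendor": r.get("mac_vendor")}
                   for r in msg.get("rogue", [])],
        "ids": [{"mac": mac_str(e["mac_addr"]["addr"]), "level": e.get("level"),
                 "attack_type": e.get("attack_type"), "findings": check_wids(e)}
                for e in msg.get("idsEvent", [])],
    }

# Constructed sample in the page's text format (rogue fields trimmed for brevity).
SAMPLE = r'''cust_id: "d9f16c95f70c40a59155266f0180b587"
rogue {
  rogue_id { addr: "\270\'\353\311\225\220" }
  classification: 3
  rogue_name: "Raspberry Pi-C9:95:94"
  mac_vendor: "Raspberry Pi Foundation"
}
idsEvent {
  device_id: "CNJCJ0T2WS"
  event_number: 1188
  event_type: "infrastructuredetection"
  attack_type: "detect_malformed_frame_wrong_channel"
  detected_ap: "7c:57:3c:c9:07:9a"
  mac_addr { addr: "\250\275\'\321\2640" }
  radio_band: "1"
  level: "critical"
}'''

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

Keying alert logic on event_number rather than on the free-text attack_type is the robust choice, since the number is the required field and the strings are optional; the cross-check exists so that a renamed or newly added event is surfaced as a finding instead of silently falling through the consumer's rules.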