...
Most eltex-wids-service configuration is done in the "WIDS/WIPS" tab of the "Configuration" menu.
| Parameter | Values | Description |
|---|---|---|
| WIDS Parameters | | |
| Status | Down/Full/Key-only | Down - disable the service (default value). Full - enable the attack detection service. Key-only - enable the service but disable threat detection. In "Key-only" mode the AP adds an encrypted entry to its Beacon frames so that neighbouring APs include it in their "trusted" AP lists, but it does not detect threats itself. In this mode only the Shared key field is available. |
| Shared key | ASCII string, 10 to 32 characters | The shared key used to recognise trusted APs in the spectrum. Not specified by default. The service is not enabled until a Shared key is specified. |
| WIDS list URL | ws://<ip>:<port>/MacLists | The path to eltex-wids-service. Optional setting. |
| WIDS MAC list | Name of a MAC address list | Allows selecting one of the MAC address lists created in "Wireless - WIDS Manager". Optional setting. |
| Scan mode | Passive/Sentry | Spectrum scanning mode. Passive - at regular intervals (Passive scan interval) the AP leaves its current channel, where it serves clients, for a short time (Passive scan duration) to visit the other channels in the list and detect other APs in the spectrum (default value). Sentry - dedicated scan mode; the AP does not serve clients, continuously scans the channel list and detects threats as quickly as possible. |
| Passive scan interval, sec | 5..3600 | Passive scan interval. Default value: 20 sec. |
| Passive scan duration, ms | 10..2000 | Passive scan duration. Default value: 100 ms. |
| Prevention mode | None/Rogue/All | Threat prevention mode. None - disabled (default value). Rogue - the scanning AP detects the MAC addresses of clients connected to "rogue" APs and sends a DeAuth packet to the client on behalf of the "rogue" AP, and vice versa. All - a forced DeAuth is sent to "rogue" APs, "untrusted" APs and the clients connected to them. |
| DoS Detection Parameters | | |
| Mode | Up/Down | Down - DoS attack detection disabled (default value). Up - DoS attack detection enabled. Exceeding the limit of management frames in the spectrum is treated as a DoS attack. Only frames whose destination MAC matches the scanning AP's address are analysed (Beacon is an exception). |
| Interval, sec | 1..86400 | The interval over which frames are counted. If the specified limit is exceeded within this time, an SNMP trap for attack detection is generated. Default value: 1 sec. |
| ... threshold | 1..10000 | Threshold for each type of management frame (Assoc, ReAssoc, DiAssoc, Auth, DeAuth, RTS, CTS, Prob, Beacon, BlockAck, BlockAckReq, Pspoll). Default values: |
| Bruteforce Detection Parameters | | |
| Interval, sec | 0..86400 | Brute force detection function. During the interval, the number of unsuccessful authorizations on the encrypted SSIDs (Personal and Enterprise) served by the scanning AP is counted. When the Threshold is exceeded, a brute force attack detection trap is sent to the Management system. Default value: 5 sec. If set to 0, brute force attack detection is disabled. |
| Threshold | 1..10000 | Unsuccessful authorization threshold. Default value: 25. |
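The DoS and brute force counters described above, modelled in Python as an added example (not eltex-wids-service code): management frames are counted per type and per interval, only frames addressed to the scanning AP count except Beacon, an interval of 0 disables brute force detection, and exceeding a threshold raises an alert. The fixed-window slicing of time, the AP address, the thresholds and the sample frames are assumptions constructed for the example; the page does not list the default per-type thresholds.

```python
from collections import Counter

# Management frame types the table lists for per-type DoS thresholds.
MGMT_TYPES = ("Assoc", "ReAssoc", "DiAssoc", "Auth", "DeAuth", "RTS", "CTS",
              "Prob", "Beacon", "BlockAck", "BlockAckReq", "Pspoll")

def dos_alerts(frames, ap_mac, interval, thresholds):
    """Frame types whose count exceeds their threshold within one interval.

    frames: (timestamp_sec, frame_type, destination_mac) tuples. Only frames
    addressed to the scanning AP are counted, except Beacon, which is counted
    whatever its destination. Time is sliced into fixed windows of `interval`
    seconds (an assumption; the table does not say how the firmware slices it).
    """
    counts = Counter()
    for ts, ftype, dst in frames:
        if ftype not in MGMT_TYPES:
            continue
        if ftype != "Beacon" and dst.lower() != ap_mac.lower():
            continue
        counts[(int(ts // interval), ftype)] += 1
    alerts = set()
    for (_window, ftype), n in counts.items():
        limit = thresholds.get(ftype)
        if limit is not None and n > limit:
            alerts.add(ftype)
    return alerts

def bruteforce_alert(failed_auth_times, interval=5, threshold=25):
    """True when failed authorizations in one interval exceed the threshold.
    An interval of 0 disables detection, as the table states."""
    if interval == 0:
        return False
    counts = Counter(int(ts // interval) for ts in failed_auth_times)
    return any(n > threshold for n in counts.values())

# Constructed sample data (not from the page); AP_MAC is a placeholder address.
AP_MAC = "00:11:22:33:44:55"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = (
    [(0.1 * i, "DeAuth", AP_MAC) for i in range(6)]       # 6 DeAuth to the AP in second 0
    + [(0.02 * i, "Auth", BROADCAST) for i in range(30)]  # not addressed to the AP: ignored
    + [(0.3 * i, "Beacon", BROADCAST) for i in range(4)]  # Beacon counted regardless of dst
)
SAMPLE_THRESHOLDS = {"DeAuth": 5, "Auth": 10, "Beacon": 10}  # placeholders; page lists no defaults
SAMPLE_FAILED_AUTHS = [0.1 * i for i in range(26)]           # 26 failures inside one 5 s interval

if __name__ == "__main__":
    print("DoS alerts:", dos_alerts(SAMPLE_FRAMES, AP_MAC, 1, SAMPLE_THRESHOLDS))
    print("Brute force:", bruteforce_alert(SAMPLE_FAILED_AUTHS))
```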
...