topic Re: malicious rogue vs. rogue? in Unleashed

malicious rogue vs. rogue?

charles_sprickm — Thu, 09 Mar 2017 23:05:41 GMT

Been googling a bit, but I'm not finding what the difference is between a "rogue AP" (I get that) and a "malicious rogue AP". Also the logging is odd - I get log events of the rogue AP going away, but no mention of it appearing. Log example:


2017/03/09  14:15:09 | High | A Malicious Rogue[40:5d:82:12:5d:93] detection by AP[1c:b9:c4:35:eb:e0] goes away

That MAC belongs to a Netgear device, so I'm assuming it's some consumer router. It would be helpful if an SSID was logged as well...

Re: malicious rogue vs. rogue?

mike_kuly_hdvuk — Thu, 09 Mar 2017 23:15:55 GMT

A rogue AP is any AP that your AP can hear the beacons from that is not part of your wifi network. Another vendors AP in the next office will show up as a rogue. Not usually a problem unless they are blasting your office too. Malicious AP is an AP that your AP can hear and its either transmitting your SSID (man in the middle attack) usually with an open SSID which clients may prefer and will connect to it instead of your AP. Or another scenario is when an AP that is not part of your wifi system and it is on your network. There are a couple of other types of malicious APs but they dont happen very often.

Hope this helps

Re: malicious rogue vs. rogue?

charles_sprickm — Thu, 09 Mar 2017 23:42:23 GMT

Is there any way to coax more logging out of the Ruckus? I'd like to know if the malicious rogue AP is using the same SSID or not (as that would certainly explain a lot of problems). Also, any idea on why only the "goes away" state is logged?

Re: malicious rogue vs. rogue?

michael_brado — Fri, 10 Mar 2017 00:39:07 GMT

Yes, if you collect a wireless trace from an AP. A "rogue" is defined as any device not managed by your controller.
Malicious is if they are advertising our SSID, or DHCP.

Re: malicious rogue vs. rogue?

charles_sprickm — Fri, 07 Apr 2017 02:16:25 GMT

Can you clarify a bit more? I get "advertising our SSID" I think - another AP in range with the same SSID. Clearly bad. I don't get the "or DHCP" part. What does that mean? How can my AP detect anything having to do with DHCP on an AP that's not on my network?

Also in this message:

A new Same-Network Rogue[f0:b0:52:37:cf:fc] with SSID[CableWiFi] is first detected by AP[RuckusAP 2@1c:b9:c4:35:eb:e0]

What does "Network" refer to in the context of "same network"? I assume not the same SSID, as the SSID is logged as the ubiquitous "CableWiFi". Does network mean "channel" in this context?

Re: malicious rogue vs. rogue?

erin_mcclellen — Tue, 17 Apr 2018 17:24:26 GMT

I'd still like an answer to this. 🙂

Re: malicious rogue vs. rogue?

erin_mcclellen — Tue, 17 Apr 2018 17:37:11 GMT

Also I don't know why this doesn't trigger an email alert. I tested that alerts work (see screenshot). And you can see the checkbox is checked. This is a ZD on latest 10.x.

Re: malicious rogue vs. rogue?

erin_mcclellen — Wed, 16 May 2018 20:13:05 GMT

Bump! I can open a case if necessary.

It's a pain to get notified of complaints, then login to the ZD, check the logs, see the rogue is there, and then wonder why I have no email telling me about this. Makes us look sloppy, we're trying to be proactive. The test works correctly and we see the test email. The test email is fine, whitelisted. Looking in spam box there's no evidence of these alerts.