malicious rogue vs. rogue?
03-09-2017 03:05 PM
Been googling a bit, but I'm not finding what the difference is between a "rogue AP" (I get that) and a "malicious rogue AP". Also the logging is odd - I get log events of the rogue AP going away, but no mention of it appearing. Log example:
2017/03/09 14:15:09 | High | A Malicious Rogue[40:5d:82:12:5d:93] detection by AP[1c:b9:c4:35:eb:e0] goes away
That MAC belongs to a Netgear device, so I'm assuming it's some consumer router. It would be helpful if an SSID was logged as well...
03-09-2017 03:15 PM
A rogue AP is any AP that your AP can hear the beacons from that is not part of your wifi network. Another vendor's AP in the next office will show up as a rogue. Not usually a problem unless they are blasting your office too. A malicious AP is an AP that your AP can hear and it's either transmitting your SSID (man-in-the-middle attack), usually with an open SSID which clients may prefer and will connect to instead of your AP. Or another scenario is when an AP that is not part of your wifi system is on your network. There are a couple of other types of malicious APs but they don't happen very often.
Hope this helps
03-09-2017 03:42 PM
Is there any way to coax more logging out of the Ruckus? I'd like to know if the malicious rogue AP is using the same SSID or not (as that would certainly explain a lot of problems). Also, any idea on why only the "goes away" state is logged?
03-09-2017 04:39 PM
Yes, if you collect a wireless trace from an AP. A "rogue" is defined as any device not managed by your controller.
Malicious is if they are advertising our SSID, or DHCP.
04-06-2017 07:16 PM
Can you clarify a bit more? I get "advertising our SSID" I think - another AP in range with the same SSID. Clearly bad. I don't get the "or DHCP" part. What does that mean? How can my AP detect anything having to do with DHCP on an AP that's not on my network?
Also in this message:
A new Same-Network Rogue[f0:b0:52:37:cf:fc] with SSID[CableWiFi] is first detected by AP[RuckusAP 2@1c:b9:c4:35:eb:e0]
What does "Network" refer to in the context of "same network"? I assume not the same SSID, as the SSID is logged as the ubiquitous "CableWiFi". Does network mean "channel" in this context?
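As an added example (not code from the thread or from Ruckus), here is a parser for the two rogue-AP messages quoted above and a replay that pairs each "first detected" with its "goes away", listing the MACs whose disappearance was logged without any appearance, which is the gap the original poster describes. The message layout, the field names and the two extra sample lines are assumptions built from the quoted text.

```python
import re
from typing import Optional

# Pattern for the two Ruckus rogue-AP messages quoted in this thread (an assumption
# about the format; the "timestamp | severity |" prefix is optional because the
# Same-Network message was quoted without it).
EVENT_RE = re.compile(
    r"^(?:(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<sev>\w+) \| )?"
    r"A (?:new )?(?P<kind>.+?) Rogue\[(?P<mac>[0-9A-Fa-f:]{17})\]"
    r"(?: with SSID\[(?P<ssid>[^\]]*)\])?"
    r" (?:is first detected by|detection by) AP\[(?P<ap>[^\]]+)\]"
    r"(?P<gone> goes away)?$"
)

def parse_event(line: str) -> Optional[dict]:
    """Return a structured event, or None if the line is not a rogue message."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"], "severity": m["sev"], "kind": m["kind"],
        "mac": m["mac"].lower(), "ssid": m["ssid"], "ap": m["ap"],
        "state": "gone" if m["gone"] else "detected",
    }

def audit(lines):
    """Replay events per rogue MAC: return rogues still present and the MACs
    whose 'goes away' arrived with no earlier 'first detected'."""
    active, orphans = {}, []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["state"] == "detected":
            active[ev["mac"]] = ev
        elif active.pop(ev["mac"], None) is None:
            orphans.append(ev["mac"])
    return active, orphans

# Constructed sample: the two lines quoted in the thread plus two made-up lines
# (placeholder MAC and SSID) showing a detect/goes-away pair that does reconcile.
SAMPLE_LOG = [
    "2017/03/09 14:15:09 | High | A Malicious Rogue[40:5d:82:12:5d:93] detection by AP[1c:b9:c4:35:eb:e0] goes away",
    "2017/03/09 14:20:00 | High | A new Same-Network Rogue[f0:b0:52:37:cf:fc] with SSID[CableWiFi] is first detected by AP[RuckusAP 2@1c:b9:c4:35:eb:e0]",
    "2017/03/09 14:25:00 | High | A new Malicious Rogue[00:11:22:33:44:55] with SSID[EXAMPLE-SSID] is first detected by AP[1c:b9:c4:35:eb:e0]",
    "2017/03/09 14:30:00 | High | A Malicious Rogue[00:11:22:33:44:55] detection by AP[1c:b9:c4:35:eb:e0] goes away",
    "2017/03/09 14:31:00 | Low | unrelated message",
]
```

Calling audit(SAMPLE_LOG) returns the Same-Network rogue as still present and reports 40:5d:82:12:5d:93 as a "goes away" with no recorded appearance, which is the case worth chasing in the controller's event history.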