Specifications
OmniAccess Reference: AOS-W System Reference
318 Part 031652-00 May 2005
Null-Probe-Response - An attack with the potential to crash or lock up the
firmware of many 802.11 NICs. In this attack, a client probe-request frame will
be answered by a probe response containing a null SSID. A number of popular
NIC cards will lock up upon receiving such a probe response.
AirJack – Airjack is a popular NIC driver for Linux that allows manipulation of
many 802.11 parameters. Airjack also includes AP functionality that by default
generates beacons with an ESSID of “AirJack”. This signature detects the AP
functionality using the default configuration.
NetStumbler Generic – NetStumbler is a popular wardriving application used
to locate 802.11 networks. When used with certain NICs (such as Orinoco),
NetStumbler generates a characteristic frame that can be detected.
NetStumbler 3.3.0x – Version 3.3.0 of NetStumbler changed the characteristic
frame slightly. This signature detects the updated frame.
Deauth-broadcast – A deauth broadcast attempts to disconnect all stations in
range – rather than sending a spoofed deauth to a specific MAC address, this
attack sends the frame to a broadcast address.
CLI configuration for the pre-defined signatures is:
wms
ids-signature "Null-Probe-Response"
mode enable
frame-type probe-response ssid-length 0
!
ids-signature "AirJack"
mode enable
frame-type beacon ssid AirJack
!
ids-signature "NetStumbler Generic"
mode enable
payload 0x00601d 3
payload 0x0001 6
!
ids-signature "NetStumbler Version 3.3.0x"
mode enable
payload 0x00601d 3
payload 0x000102 12
!
ids-signature "Deauth-Broadcast"
mode enable
frame-type deauth
dst-mac ff:ff:ff:ff:ff:ff