Hi John,
 
Check the wireless controller/SNMP config. Make sure you have your Netsight box's IP address in the manager A or Manager B field. In our environment, I put our hipath wireless manager box's IP in Manager A and Netsight in Manager B. Then, set forward traps to "informational" and publish AP as interface of controller to "enabled".
 
You should start getting traps from Mitigator in Netsight that you can write alarms on. I have several alarms set up to check for channel changes due to noise, etc. That's how we do it.
 
Hope that helps,
Bill
 
 
 
 
Bill Reed
Telecommunications and Network Administrator
Franciscan University of Steubenville
740-284-5199

From: John Kaftan <[email protected]>
To: "Enterasys Customer Mailing List" <[email protected]>
Date: 3/27/2012 4:29 PM
Subject: RE: [enterasys] Rogue Detection Alarm

Yeah I was able to find that while on the Mitigator tab thanks.  My issue is that those messages are not showing up in Netsight so I cannot alert on them.

 

 

John Kaftan

IT Infrastructure Manager

Utica College

315.792.3102


 

From: LeWayne Ballard [mailto:[email protected]]
Sent: Tuesday, March 27, 2012 2:52 PM
To: Enterasys Customer Mailing List
Subject: RE: [enterasys] Rogue Detection Alarm

 

Make sure you’re still on the Mitigator tab.  It doesn’t write to the general logs.  You have to look at the Mitigator logs.  I can send a screenshot if needed.

 

From: John Kaftan [mailto:[email protected]]
Sent: Tuesday, March 27, 2012 1:39 PM
To: Enterasys Customer Mailing List
Subject: RE: [enterasys] Rogue Detection Alarm

 

Exactly.  But I am not getting that in Syslog.  I do not even see it in the ‘All’ log on the server.

 

 

John Kaftan

IT Infrastructure Manager

Utica College

315.792.3102


 

From: LeWayne Ballard [mailto:[email protected]]
Sent: Tuesday, March 27, 2012 2:26 PM
To: Enterasys Customer Mailing List
Subject: RE: [enterasys] Rogue Detection Alarm

 

I haven't built alarms based upon it, but do run the Mitigator for rogues.  It writes to the 'major' log which also displays in the 'all'. 

 

Is this what you were looking for?

 

 

03/27/12 13:21:12

Major

Mitigator Analysis Engine

Threat [Unknown AP with invalid SSID] detected by AP Cust Ops Spare, SN 10xxxxxxxx (xxxx). Details: RSSI:13, scanned channel:165, channel_rx:165, bssid:00:11:88:xx:xx:xx, ssid:, privacy:WEP, bssType:Infrastructure-BSS, beaconInterval:102ms
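
Added example (not part of the original thread and not Enterasys code): a Python sketch that parses Mitigator threat entries shaped like the one quoted above and returns one alert per new BSSID, skipping BSSIDs on an allowlist. The field layout is assumed from that single quoted entry; the sample lines, AP names, serials and BSSIDs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample lines modelled on the one Mitigator entry quoted in the
# thread; the layout is assumed from that entry, not taken from vendor docs.
SAMPLE_LOG = [
    "Threat [Unknown AP with invalid SSID] detected by AP Lab AP 1, SN 1000000001 (0001). "
    "Details: RSSI:13, scanned channel:165, channel_rx:165, bssid:00:11:88:aa:bb:01, "
    "ssid:, privacy:WEP, bssType:Infrastructure-BSS, beaconInterval:102ms",
    "AP Lab AP 1 changed channel due to noise",  # constructed non-threat entry
    "Threat [Unknown AP with invalid SSID] detected by AP Lab AP 2, SN 1000000002 (0002). "
    "Details: RSSI:40, scanned channel:6, channel_rx:6, bssid:00:11:88:aa:bb:02, "
    "ssid:guest-net, privacy:WEP, bssType:Infrastructure-BSS, beaconInterval:100ms",
]

THREAT_RE = re.compile(
    r"Threat \[(?P<threat>[^\]]+)\] detected by AP (?P<ap>.+?), SN (?P<sn>\S+) "
    r"\([^)]*\)\. Details: (?P<details>.*)$"
)

def parse_threat(line):
    """Return a dict of fields for a threat entry, or None for any other line."""
    m = THREAT_RE.search(line)
    if not m:
        return None
    rec = {"threat": m["threat"], "reporting_ap": m["ap"], "serial": m["sn"]}
    # Split each detail on the FIRST colon only, so bssid keeps its own colons
    # and an empty ssid becomes "". An SSID containing ", " would break this.
    for item in m["details"].split(", "):
        key, _, value = item.partition(":")
        rec[key.strip()] = value.strip()
    return rec

def rogue_alerts(lines, known_bssids=frozenset()):
    """One alert per previously unseen BSSID that is not on the allowlist."""
    allow = {b.lower() for b in known_bssids}
    alerts, seen = [], set()
    for line in lines:
        rec = parse_threat(line)
        if rec is None:
            continue
        bssid = rec.get("bssid", "").lower()
        if bssid in allow or bssid in seen:
            continue
        seen.add(bssid)
        alerts.append(rec)
    return alerts
```
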

 

 

-----Original Message-----
From: John Kaftan [mailto:[email protected]]
Sent: Tuesday, March 27, 2012 12:53 PM
To: Enterasys Customer Mailing List
Subject: [enterasys] Rogue Detection Alarm

 

Has anyone found a way to be alerted when a rogue comes on your wireless network?  We are playing with Mitigator and I believe I have it working.

However, I do not see any log entries when it finds a rogue.  I went into the controller log and clicked 'All' and exported and searched for a rogue that Mitigator recently detected.  Then I searched the log offline but did not see my known rogue.

 

I looked in syslog and no go.  I wouldn't expect to see anything in syslog that was not found locally anyway.

 

My hope is that a syslog message would happen that I could build an alarm with.

 

Thanks

 

John Kaftan

IT Infrastructure Manager

Utica College 

 

 


 

 


CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential or proprietary information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, immediately contact the sender by reply e-mail and destroy all copies of the original message.

 

