H3C Technologies H3C Intelligent Management Center User Manual
  − MAC—Record the matching count for each MAC address against the signature rule on every channel supported by the country code. When the matching count for a MAC address reaches the threshold, the sensor generates an alarm event, and reports the event to the AC.
  − Signature—Record the matching count for each signature rule against 802.11 frames on every channel supported by the country code. When the matching count for a signature rule reaches the threshold, the sensor generates an alarm event, and reports the event to the AC.
  − MAC and Signature—Use both tracking modes.
○ Threshold For MAC Address Tracking—Set the threshold for MAC address tracking, in the range of 1 to 32000. The default value is 1000. When the matching count of a MAC address reaches the threshold, the sensor generates an alarm event. This option is required when the tracking mode is MAC or MAC and Signature.
○ Threshold For Signature Tracking—Set the threshold for signature tracking, in the range of 1 to 32000. The default value is 1000. When the matching count of a signature rule reaches the threshold, the sensor generates an alarm event. This option is required when the tracking mode is Signature or MAC and Signature.
○ Statistics Collection Interval (s)—Set the interval at which the sensor collects signature rule matching statistics, in the range of 1 to 3600. The default value is 60.
○ Quiet Time (s)—Set the quiet time for the signature rule or MAC address, depending on the tracking mode. When the tracking mode is MAC, this option takes effect on MAC addresses. When the tracking mode is Signature, this option takes effect on signature rules. When the tracking mode is MAC and Signature, this option takes effect on both MAC addresses and signature rules. Assume that you select the MAC and Signature tracking mode. When the matching count for a MAC address reaches the threshold and WIPS generates an alarm event, the MAC address enters the quiet time, and does not match any signature rule until the quiet time expires. WIPS continues to match the signature rule against 802.11 frames until the matching count reaches the threshold. Then the signature rule enters the quiet time.
○ Matching Relations—Set the matching relations for each match item. Options are AND and OR. AND indicates an 802.11 frame matches a signature rule only when it matches all items. OR indicates an 802.11 frame matches a signature rule as long as it matches one item.
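The threshold, quiet time, and matching relation behaviour described above, modelled in Python as an added example (it is not H3C code and not part of the manual). It assumes a count restarts after its alarm, ignores per-channel counting and the statistics collection interval, and uses small constructed thresholds and frames; all class, field, and rule names are hypothetical.

```python
from collections import defaultdict

class SignatureRule:
    """Toy model of one signature rule in "MAC and Signature" tracking mode."""

    def __init__(self, name, items, relation, mac_threshold, sig_threshold, quiet_time):
        self.name, self.items, self.relation = name, items, relation
        self.mac_threshold, self.sig_threshold = mac_threshold, sig_threshold
        self.quiet_time = quiet_time
        self.mac_count = defaultdict(int)   # matching count per MAC address
        self.sig_count = 0                  # matching count for the rule itself
        self.mac_quiet_until = {}           # MAC -> time its quiet time expires
        self.sig_quiet_until = 0

    def matches(self, frame):
        # AND: every match item must match; OR: one matching item is enough.
        hits = [item(frame) for item in self.items]
        return all(hits) if self.relation == "AND" else any(hits)

    def process(self, frame):
        # Count one frame and return the alarm events it triggers.
        now, mac = frame["t"], frame["mac"]
        if now < self.sig_quiet_until or now < self.mac_quiet_until.get(mac, 0):
            return []                       # rule or MAC is in quiet time
        if not self.matches(frame):
            return []
        alarms = []
        self.mac_count[mac] += 1
        self.sig_count += 1
        if self.mac_count[mac] >= self.mac_threshold:
            alarms.append((now, "MAC", mac))
            self.mac_count[mac] = 0         # assumption: count restarts after an alarm
            self.mac_quiet_until[mac] = now + self.quiet_time
        if self.sig_count >= self.sig_threshold:
            alarms.append((now, "Signature", self.name))
            self.sig_count = 0              # assumption: count restarts after an alarm
            self.sig_quiet_until = now + self.quiet_time
        return alarms

# Match items: frame type and frame sub type (two of the options listed in step 7).
ITEMS = [lambda f: f["type"] == "Management", lambda f: f["subtype"] == "De-authentication"]

def frame(t, mac, subtype):
    return {"t": t, "mac": mac, "type": "Management", "subtype": subtype}

# Constructed sample traffic: station A sends de-auth frames at t=0..4, station B at t=5..8.
A, B = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
FRAMES = [frame(t, A if t < 5 else B, "De-authentication") for t in range(9)]

def run(relation="AND"):
    # Constructed settings: MAC threshold 3, signature threshold 5, quiet time 10 s.
    rule = SignatureRule("deauth-flood", ITEMS, relation, 3, 5, 10)
    return [alarm for f in FRAMES for alarm in rule.process(f)]
```

With these settings station A alarms at t=2 and its remaining frames are not counted, so the signature threshold is only reached at t=6 by station B's frames; the rule then enters quiet time before B reaches its own MAC threshold.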
7. Configure match items. Options are Match Frame Type, Match MAC Address, Match SSID, Match SSID Length, and Match Packet Sequence Number.
The parameters for a match item are displayed only when you select the match item. For how to configure match items, see .
Table 35 Configure match items

Match item: Match Frame Type
Description: When this item is enabled, WIPS detects the frame type and sub type for each 802.11 frame it receives for a match.
Parameter:
• Frame type—Select a frame type. Options are Management Frame, Control Frame, and Data Frame.
• Match Frame Sub Type—Select a frame sub type. Options are None, Dis-association, Probe Request, Beacon, Association Response, De-authentication, Association Request, and Authentication. This parameter is required when the frame type is Management Frame. If you select None, frame sub type is not matched.

Match item: Match MAC
Description: When this item is
Parameter:
• MAC address—Enter a MAC address in the format of