
Air Marshal Spoof Alert

Getting noticed

Hi,

I have a quick question.

We received an alert that Air Marshal has detected an SSID spoof. This SSID was for our Corp network.

Looking at the detail in Air Marshal, all it tells me is that a spoof was detected by one of our MR 32s. The MAC address is listed as 00:00:00:00:00:00.

Is this actually a spoof?
And if it is, how do I know what action the MR32 has taken?

I've had a look around the community and the suggestion is to patch the firmware and/or reboot the AP (which I have done).

ps. The Air Marshal page tells me that the Spoof was only seen 52 minutes ago. I can't find any other evidence that it is still out there.

9 REPLIES
Getting noticed

Re: Air Marshal Spoof Alert

ps. I think I put this in the wrong forum. It should really be in Wireless. Sorry about that.

pps. I don't think it is a spoof but that the AP is detecting itself. I've rebooted the AP and so far no more alerts.

Kind of a big deal

Re: Air Marshal Spoof Alert

It is too hard to say if it is a real spoof or not - but either way, there is almost nothing you can do about spoofs.

Getting noticed

Re: Air Marshal Spoof Alert

True. Unless you track it down. I spent some time yesterday wandering around testing the signal strength and I couldn't find anything. I've a suspicion that the router detected itself. It alerted then didn't alert again.

In another environment I did find a spoof once which turned out to be an old access point which had the same SSID as the current corp one. Someone had found it in a corner and plugged it in. In that case there was something I definitely could do about it...

The information about spoofs that's available in Air Marshal is sparse. It would be good if it could provide everything the aerial found.
Getting noticed

Re: Air Marshal Spoof Alert

One thing our location has been running into a lot with our new computers is Air Marshal seeing a Rogue AP every time someone looks for a new printer. Seems like the new Intel Wireless cards throw out a random-ish SSID for a direct connect, and searching for a printer triggers it. I spent more time than I would like to admit tracking that down.

Getting noticed

Re: Air Marshal Spoof Alert

Now, that's interesting. I will keep an eye out for that.
Getting noticed

Re: Air Marshal Spoof Alert

So I ran into a similar issue with my Juniper equipment when I initially started swapping over to Merakis.

The Junipers had a version of Air Marshal enabled, and were directing de-auth packets at my Meraki network, which the Merakis were picking up as a spoofed version of the network.

Not sure if you have another wireless system co-deployed, but it might be something to investigate.

No one here even knew we had the Juniper Air Marshal enabled... was fun to track down. I used a cell phone and tracked signal strength, and it was strongest near some of the old APs that were still enabled and broadcasting, so then had to dig through settings on the old system.

Getting noticed

Re: Air Marshal Spoof Alert

Definitely no wireless kit directly attached to the network any more. Although like you I've seen that before.

I really do think that the MR was detecting itself or perhaps another unit.

It's not happened since I saw the alert. I am keeping an eye out though.
Comes here often

Re: Air Marshal Spoof Alert

That's funny as I was just going to make a post about this.

I've seen this for months on the network. It randomly appears during the week, then doesn't get detected for a day or two. I assume this is a false positive then?

When messing around on my home network spoofing I'd normally use 00:00:00:00:00:00 or 11:22:33:44:55:66 as they are easy to type.

Finally got around to putting a block in, to block any device with the MAC 00:00:00:00:00:00, yet today I see the Spoof warning again.

I added the block in Network-Wide, Clients.

Is this a bug then?

Getting noticed

Re: Air Marshal Spoof Alert

No idea. I've asked around and no one seems to be able to provide an answer.