False Positive

May 17, 2011:
  • What scenario could cause a 'false positive' intrusion alarm in a wireless intrusion prevention system (WIPS)? (Choose 1)

    A : A reporting delay from a remote RF sensor due to busy WAN links.
    B : A client device disassociates and reassociates to an AP several times in quick succession due to a low RSSI value.
    C : A rogue access point is located and found to have the same SSID as the authorized network.
    D : A client device has a high rate of frame retransmissions due to a noisy RF environment.

    CWSP Test pool A says the correct answer is "B"... I selected answer "D" because "...Corrupted frames are the leading cause of false positives. However, improper configuration of the WIPS or ............." according to the CWSP guide (page 409).

    As corrupted frames lead to retransmissions... what do you say?

  • Can anyone help me out?

  • B is the right answer.

    If a client reassociates often, it could trigger a Deauth/Disassoc attack trigger.

    Answer D is not right because WIPS have triggers for retries. WIPS can also detect and identify interference source.
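
The trigger described in this answer, as an added example that is not part of the original thread: a count-based disassociation rule run over constructed frame events, where a client at the edge of coverage trips the rule with no attacker present. The thresholds, MAC addresses, and the RSSI triage label are assumptions for illustration, not settings of any WIPS product.

```python
from collections import defaultdict, deque

# Hypothetical tuning values (assumptions, not vendor defaults).
WINDOW_S = 10.0       # sliding window length in seconds
MAX_DISASSOC = 5      # disassociations per client per window before the rule fires
WEAK_RSSI_DBM = -80   # at or below this, the sensor hears the client weakly

def classify(events):
    """events: (timestamp_s, client_mac, frame_subtype, rssi_dbm) tuples.

    Returns {client_mac: verdict} for every client that exceeds the count
    threshold. A count-only rule would raise an alarm for every key; the
    verdict separates churn that is entirely weak-signal from the rest.
    """
    recent = defaultdict(deque)
    verdicts = {}
    for ts, mac, subtype, rssi in sorted(events):
        if subtype != "disassoc":
            continue
        window = recent[mac]
        window.append((ts, rssi))
        while ts - window[0][0] > WINDOW_S:
            window.popleft()
        if len(window) > MAX_DISASSOC:
            if all(r <= WEAK_RSSI_DBM for _, r in window):
                # Do not downgrade a client that already alarmed.
                verdicts.setdefault(mac, "likely-roaming")
            else:
                verdicts[mac] = "alarm"
    return verdicts

# Constructed sample data: locally administered MACs, invented timestamps.
EDGE = "02:00:00:00:00:01"   # client at the edge of coverage (option B)
NEAR = "02:00:00:00:00:02"   # well-covered client with one normal disconnect

def build_sample(edge_rssi=-84):
    events = [(3.0, NEAR, "disassoc", -55)]
    for i in range(6):       # six disassoc/reassoc cycles in about six seconds
        events.append((float(i), EDGE, "disassoc", edge_rssi))
        events.append((i + 0.5, EDGE, "reassoc", edge_rssi + 1))
    return events

if __name__ == "__main__":
    print(classify(build_sample()))
```

The "likely-roaming" verdict is a triage hint for an analyst, not a reason to drop the event, since the sensor's RSSI reading alone does not prove who sent the frames.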


  • Hi Senthil,

    False positive means WIPS triggering without any kind of attack? ... That can be due to a corrupted frame or wrong WIPS configuration? ... And due to a noisy environment there will be frame retransmissions, which trigger WIPS even when there is no attack? That's why I selected answer "D" ... Please correct me if I'm wrong.

    Answer can be A or D

