Monitoring SSIDs (Networks) in Range
Monitoring the SSIDs (wireless network names) in range provides situational awareness: it lets you manually verify that no potentially malicious networks are nearby, including ones that similar-SSID or restricted-SSID monitoring might miss. It also lets you detect new, unexpected networks, such as a printer automatically starting its own network for device adoption, or an unauthorized mobile hotspot, which could introduce vulnerabilities without your knowledge.
Process
You should continuously monitor and keep track of all WiFi networks in range, using multiple sensors if possible so that the entire area your WiFi clients usually operate in is covered.
Once a previously unknown network has been detected, security or operations staff should be alerted and investigate the new network.
Responding to Alerts
In most environments, alerts for new networks should be considered informational rather than potential threats, unless further investigation proves otherwise.
For example, you might receive an alert for a new network named HP_24562-Setup. When determining whether this network poses a risk, consider the following factors:
- What is the physical location of the access point advertising this network?
- Can internet search engines find the SSID pattern or similar SSIDs in documentation or support articles of products?
- Has the access point been identified as a known attack platform?
- Is the access point advertising other SSIDs?
- Is the access point emitting unusual patterns of WiFi frames?
- Which devices are connected to the access point, if any?
- Is the access point physically moving?
- Has someone been setting up new devices at the physical location of the access point?
It is good practice to document steps to resolve these types of alerts in your incident response policies and procedures.
Caveats & Considerations
- An alert should only be triggered once a network has been detected consistently for a certain period (dwell time). This prevents unnecessary alerts for transient networks, such as those from passing vehicles.
- It may not be possible to definitively approve every network. In such cases, consider marking the network as ignored to prevent ongoing alerts while your investigation and observation continue.
- Run the detection system for several hours to learn the environment, and only enable alerting after approving or ignoring the networks it has discovered, to minimize alarms.
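The process and caveats above (multi-sensor tracking, a learning phase, approve/ignore lists, and a dwell time that resets when a network disappears) can be illustrated with a small detector. The following is an added example written for this page, not nzyme's own code: the Observation record format, the sensor names, the SSIDs, the 300-second dwell time and the 120-second gap threshold are all assumptions, and the sightings are constructed, not captured.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Observation:
    """One SSID sighting reported by a sensor. The field set is an assumption
    made for this example, not nzyme's record format."""
    ts: float      # seconds; monotonic timestamp of the frame
    sensor: str    # name of the sensor (tap) that received the frame
    ssid: str
    bssid: str


class SsidMonitor:
    """Tracks SSIDs in range and alerts once an unreviewed SSID has been seen
    continuously for dwell_seconds. Approved and ignored SSIDs never alert."""

    def __init__(self, dwell_seconds=300, max_gap_seconds=120):
        self.dwell_seconds = dwell_seconds
        # Silence longer than this counts as the network having gone away,
        # so a later reappearance starts the dwell clock from zero.
        self.max_gap_seconds = max_gap_seconds
        self.learning = True          # record only, no alerts, until enable_alerting()
        self.approved = set()
        self.ignored = set()
        self.alerted = set()          # one alert per SSID until it is reviewed
        self.first_seen = {}          # ssid -> start of the current continuous sighting
        self.last_seen = {}           # ssid -> most recent sighting
        self.sensors = {}             # ssid -> sensors that saw it (hints at location)
        self.bssids = {}              # ssid -> access points advertising it

    def approve(self, ssid):
        self.approved.add(ssid)
        self.ignored.discard(ssid)

    def ignore(self, ssid):
        self.ignored.add(ssid)
        self.approved.discard(ssid)

    def enable_alerting(self):
        self.learning = False

    def discovered(self):
        """SSIDs recorded so far, for review after the learning phase."""
        return sorted(self.first_seen)

    def observe(self, obs: Observation) -> Optional[dict]:
        """Record a sighting; return an alert dict when the dwell threshold is crossed."""
        s = obs.ssid
        gap = obs.ts - self.last_seen.get(s, obs.ts)
        if s not in self.first_seen or gap > self.max_gap_seconds:
            # Brand new, or silent long enough to be a fresh appearance
            # (a passing vehicle's hotspot seen twice, hours apart, does not accumulate dwell).
            self.first_seen[s] = obs.ts
            self.sensors[s] = set()
            self.bssids[s] = set()
        self.last_seen[s] = obs.ts
        self.sensors[s].add(obs.sensor)
        self.bssids[s].add(obs.bssid)

        if self.learning or s in self.approved or s in self.ignored or s in self.alerted:
            return None
        dwell = obs.ts - self.first_seen[s]
        if dwell < self.dwell_seconds:
            return None
        self.alerted.add(s)
        return {"ssid": s, "first_seen": self.first_seen[s], "dwell": dwell,
                "sensors": sorted(self.sensors[s]), "bssids": sorted(self.bssids[s])}


def run_demo():
    """Drive the monitor with constructed sightings and return the alerts raised."""
    mon = SsidMonitor(dwell_seconds=300, max_gap_seconds=120)

    # Learning phase: the corporate network is seen steadily by two sensors.
    for t in range(0, 600, 60):
        mon.observe(Observation(t, "sensor-a", "CorpWiFi", "aa:bb:cc:00:00:01"))
        mon.observe(Observation(t, "sensor-b", "CorpWiFi", "aa:bb:cc:00:00:02"))

    # Review what learning found, approve it, then turn alerting on.
    for ssid in mon.discovered():
        mon.approve(ssid)
    mon.enable_alerting()

    live = [Observation(t, "sensor-a", "CorpWiFi", "aa:bb:cc:00:00:01") for t in range(600, 1200, 60)]
    # A printer starts its setup network at t=700 and stays up (seen by sensor-b only).
    live += [Observation(t, "sensor-b", "HP_24562-Setup", "aa:bb:cc:11:22:33") for t in range(700, 1200, 60)]
    # A transient hotspot: two sightings 20 s apart, then one much later.
    live += [Observation(t, "sensor-a", "Bus_WiFi", "de:ad:be:ef:00:01") for t in (720, 740, 2000)]
    live.sort(key=lambda o: o.ts)

    return [a for a in (mon.observe(o) for o in live) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running the demo yields a single alert, for HP_24562-Setup at t=1000 once it has been in range for 300 seconds, listing which sensor saw it and which BSSID advertises it, both useful inputs to the investigation factors above. CorpWiFi is approved and stays silent, and Bus_WiFi never alerts because its third sighting comes after a gap longer than max_gap_seconds and restarts the dwell clock.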
SSID / Network Name Monitoring in nzyme
You can configure SSID monitoring in nzyme using the WiFi - Monitoring pages in your web interface. Learn more about how to set up SSID monitoring in the nzyme documentation.