More deauthentication or disassociation frames than usual were recorded. The expected number of frames can be different
in any environment and is configured in your nzyme.conf file at deauth_monitor.global_threshold. Deauthentication
attacks are an attempt to force a device to disconnect from a legitimate access point and re-connect to a rogue access
point controlled by an attacker. Such attacks can also be used for jamming, rendering the WiFi environment unusable
through mass disconnections. Note that deauthentication and disassociation frames are an important part of WiFi
communication and their occurrence is normal. This is why you have to find and configure a threshold that defines at
what level an attack might be taking place.
For this alert to be enabled, you need to configure the deauth_monitor.global_threshold variable in your nzyme.conf
file. Learn more about it in the Configuration Reference.
Let nzyme run for 24 hours and look at the deauthentication frame count chart on the web interface dashboard/homepage.
Use that information to find out what a normal rate is and set the deauth_monitor.global_threshold variable accordingly.
- Your threshold may be configured too low and normal deauthentication/disassociation activity in your network is causing the alert.
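
The baselining step and the too-low-threshold false positive described above, worked through as an added example (not nzyme code). It assumes you have copied frame counts from the dashboard chart into a list, one value per counting window. The window length, the 99.9th percentile and the 1.5x headroom are choices made for this example, not nzyme defaults, and all sample data is constructed.

```python
import math

def suggest_threshold(baseline_counts, percentile=99.9, headroom=1.5):
    """Nearest-rank percentile of the baseline, scaled by headroom, rounded up.

    Using a high percentile instead of the maximum keeps one benign burst
    (e.g. an access point reboot) from inflating the threshold.
    """
    if not baseline_counts:
        raise ValueError("baseline is empty")
    ordered = sorted(baseline_counts)
    rank = max(1, math.ceil(percentile / 100 * len(ordered)))
    return max(1, math.ceil(ordered[rank - 1] * headroom))

def windows_over(counts, threshold):
    """Indices of counting windows that would exceed the threshold."""
    return [i for i, count in enumerate(counts) if count > threshold]

# Constructed 24 h baseline, 1440 windows (assumed one per minute):
# quiet hours, busy hours, some roaming peaks and one benign burst.
BASELINE = [2] * 600 + [8] * 800 + [15] * 39 + [40]

# Constructed sample with two windows of mass disconnections.
FLOOD_SAMPLE = [3, 5, 220, 310, 4]

if __name__ == "__main__":
    suggested = suggest_threshold(BASELINE)
    print("suggested deauth_monitor.global_threshold:", suggested)
    # A threshold below the normal busy-hour rate alerts on ordinary traffic.
    print("baseline windows over a threshold of 5:",
          len(windows_over(BASELINE, 5)))
    print("baseline windows over the suggested threshold:",
          len(windows_over(BASELINE, suggested)))
    print("flood sample windows over the suggested threshold:",
          windows_over(FLOOD_SAMPLE, suggested))
```

The single baseline window still above the suggested value is the benign burst; whether to raise the threshold past it or accept an occasional alert is an environment-specific decision.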