An SSID (network name) that has not been seen before was detected. Nzyme keeps a list of networks it has seen and this alert was triggered because a previously unknown network was advertised. Note that this is very often a legitimate network (see false positives below) and should be treated as a notice that needs further human investigation to determine if it is a potential threat or not.
This alert works by constantly comparing every network advertisement (beacon or probe response frame) against a database-backed list of networks that nzyme has seen before.
Because nzyme begins its life without knowing any networks, it is normal and expected to receive an initial set of UNKNOWN_SSID alerts when you start nzyme for the first time.
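The comparison described above can be sketched as follows. This is an added example, not nzyme's own code: the `known_ssids` table, the class and function names, and the choice to record an SSID as soon as it is first seen are assumptions, and the frames are constructed sample input rather than captures.

```python
import sqlite3
import struct

BEACON, PROBE_RESP = 8, 5  # 802.11 management frame subtypes

def build_frame(subtype, ssid):
    """Construct a minimal management frame (sample input, not a capture)."""
    fc = struct.pack("<H", subtype << 4)  # version 0, type 0 (management)
    header = fc + b"\x00\x00" + b"\xff" * 6 + b"\x02" * 6 + b"\x02" * 6 + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0401)  # timestamp, interval, caps
    body = ssid.encode()
    return header + fixed + bytes([0, len(body)]) + body

def parse_ssid(frame):
    """Return the advertised SSID, or None if not a beacon/probe response."""
    if len(frame) < 36:
        return None
    fc = struct.unpack_from("<H", frame)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (BEACON, PROBE_RESP):
        return None
    pos = 36  # 24-byte MAC header + 12 bytes of fixed parameters
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None  # truncated element
        if tag == 0:  # SSID element; empty or all-zero means a hidden SSID
            return value.decode("utf-8", "replace") if any(value) else None
        pos += 2 + length
    return None

class UnknownSsidDetector:
    """Hypothetical detector backed by a list of SSIDs seen so far."""
    def __init__(self, db):
        self.db = db
        db.execute("CREATE TABLE IF NOT EXISTS known_ssids (ssid TEXT PRIMARY KEY)")

    def observe(self, frame):
        """Return an alert dict the first time an SSID is advertised, else None."""
        ssid = parse_ssid(frame)
        if ssid is None:
            return None
        # The insert only changes a row if the SSID was not already known.
        cur = self.db.execute("INSERT OR IGNORE INTO known_ssids VALUES (?)", (ssid,))
        return {"type": "UNKNOWN_SSID", "ssid": ssid} if cur.rowcount == 1 else None
```

Starting with an empty table, every distinct SSID produces exactly one alert, which is the initial burst expected on a first start.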
- A new and legitimate network might have been enabled by someone in the vicinity.
- A legitimate network could have been in range temporarily. A common example is a car with smart functionality that brings its own WiFi network passing through the coverage area of nzyme.
- Because nzyme begins its life without knowing any networks, it is normal and expected to receive an initial set of UNKNOWN_SSID alerts when you start nzyme for the first time.
- Expect alerts about SSIDs that are not at all malicious. Build the verification and classification of SSIDs into your workflows.