Version: Next

UNKNOWN_SSID

Summary

An SSID (network name) that has not been seen before was detected. Nzyme keeps a list of the networks it has seen, and this alert was triggered because a previously unknown network was advertised. Note that this is very often a legitimate network (see the false positives below), so treat the alert as a notice that needs further human investigation to determine whether it is a potential threat.

This alert works by constantly comparing every network advertisement (beacon or probe response frame) against a database-backed list of networks that nzyme has seen before.

Because nzyme begins its life without knowing any networks, it is normal and expected to receive an initial set of UNKNOWN_SSID alerts when you start nzyme for the first time.
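The comparison described above, as an added example that is not nzyme's own code: it extracts the SSID element from constructed beacon and probe-response frames, checks it against a SQLite-backed list of networks seen so far, and returns an UNKNOWN_SSID notice only the first time an SSID appears, so an empty database produces exactly the initial burst of alerts described above. The frame layout used by the builder, the table name and the helper names are assumptions.

```python
import sqlite3

# Management-frame subtypes that carry SSID advertisements (802.11 frame control, type 0).
BEACON, PROBE_RESPONSE = 0x8, 0x5
MAC_HEADER, FIXED_PARAMS = 24, 12  # header; then timestamp(8) + interval(2) + capabilities(2)

def ssid_from_frame(frame: bytes):
    """Return the SSID advertised by a beacon or probe response, else None."""
    fc = frame[0] if frame else 0
    if len(frame) < MAC_HEADER + FIXED_PARAMS or (fc & 0x0C) != 0 or (fc >> 4) not in (BEACON, PROBE_RESPONSE):
        return None
    pos = MAC_HEADER + FIXED_PARAMS
    while pos + 2 <= len(frame):            # walk the tagged information elements
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            return None                      # truncated element: do not trust it
        if tag == 0:                         # element ID 0 = SSID
            return body.decode("utf-8", "replace") if body.strip(b"\x00") else None  # hidden SSID
        pos += 2 + length
    return None

class KnownNetworks:
    """Database-backed list of SSIDs seen so far; a never-seen SSID raises UNKNOWN_SSID once."""
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS ssids (ssid TEXT PRIMARY KEY, first_seen INTEGER)")

    def observe(self, frame: bytes, frame_no: int):
        ssid = ssid_from_frame(frame)
        if ssid is None:
            return None
        cur = self.db.execute("INSERT OR IGNORE INTO ssids VALUES (?, ?)", (ssid, frame_no))
        self.db.commit()                     # rowcount is 1 only when the SSID was new
        return {"alert": "UNKNOWN_SSID", "ssid": ssid, "frame": frame_no} if cur.rowcount == 1 else None

def build_frame(subtype: int, ssid: bytes) -> bytes:
    """Constructed sample frame: MAC header, fixed params, SSID element, supported-rates element."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" * 2 + b"\x00\x00"
    return header + b"\x00" * FIXED_PARAMS + bytes([0, len(ssid)]) + ssid + b"\x01\x01\x82"

if __name__ == "__main__":
    store = KnownNetworks()                  # empty database: first run of the sensor
    samples = [build_frame(BEACON, b"corp-wifi"), build_frame(PROBE_RESPONSE, b"corp-wifi"),
               build_frame(BEACON, b"car-hotspot"), build_frame(BEACON, b"\x00\x00")]
    for n, f in enumerate(samples, 1):
        print(n, store.observe(f, n))        # alerts for frames 1 and 3 only
```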

Possible False Positives

  • A new and legitimate network might have been enabled by someone in the vicinity.
  • A legitimate network could have been in range temporarily. A common example is a car with smart functionality that brings its own WiFi network passing through the coverage area of nzyme.

Notes

  • Expect alerts about SSIDs that are not at all malicious. Build the verification and classification of SSIDs into your workflows.

See Also

  • None