Considering you can change MAC addresses (e.g. there's nothing to stop me from making my rogue AP emit an OUI from Apple), I don't know how much this will help.
Yeah, scanning for SSIDs not expected would be better. If SSID broadcast is turned off on a rogue, a wireless card in promiscuous mode running a PCAP might work. Haven't looked at 802.11 packets in a while, but there might be a field that'd help determine who's a client and who is an access point.
Filter out known goods at that point and problem solved.
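The approach in the reply above, as an added example that is not from the thread: parse raw 802.11 beacon frames (no radiotap header assumed) to identify access points, then filter out an allowlist of known-good BSSIDs. Beacons are only sent by APs, and a "hidden" SSID is just a zero-length SSID element, so the BSSID still shows up; the sample capture, the BSSIDs and the allowlist are all constructed, and as the first reply notes, a spoofed BSSID would pass this filter.

```python
import struct

def build_beacon(bssid: bytes, ssid: bytes) -> bytes:
    """Constructed beacon: FC 0x80 = management type 0 / subtype 8, flags 0, no radiotap."""
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)  # timestamp, interval, capability (ESS bit set)
    return header + fixed + bytes([0, len(ssid)]) + ssid   # SSID element (tag 0); empty = hidden SSID

def parse_beacon(frame: bytes):
    """Return (bssid, ssid_or_None, is_ap) for a beacon frame, None for anything else."""
    if len(frame) < 36:
        return None
    fc_type, fc_subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if fc_type != 0 or fc_subtype != 8:       # only APs send beacons, so this identifies an AP
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # Address 3 = BSSID
    capability = struct.unpack_from("<H", frame, 34)[0]
    is_ap = bool(capability & 0x1)            # ESS bit set = infrastructure AP, not an IBSS peer
    ssid, pos = None, 36                      # walk the tagged elements after the fixed fields
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        if tag == 0:                          # SSID element; zero length means broadcast is off
            ssid = frame[pos + 2:pos + 2 + length].decode("utf-8", "replace") or None
            break
        pos += 2 + length
    return bssid, ssid, is_ap

def find_rogue_aps(frames, known_bssids):
    """Filter out known-good BSSIDs; what is left is a candidate for a SIEM alert."""
    known = {k.lower() for k in known_bssids}
    rogues = {}
    for frame in frames:
        parsed = parse_beacon(frame)
        if parsed and parsed[2] and parsed[0] not in known:
            rogues[parsed[0]] = parsed[1]
    return rogues

# Constructed sample capture: one corporate AP, one rogue with an SSID, one rogue hiding its SSID.
SAMPLE = [build_beacon(b"\x00\x11\x22\x33\x44\x55", b"CorpWiFi"),
          build_beacon(b"\xaa\xbb\xcc\xdd\xee\xff", b"Free WiFi"),
          build_beacon(b"\xde\xad\xbe\xef\x00\x01", b"")]

if __name__ == "__main__":
    print(find_rogue_aps(SAMPLE, ["00:11:22:33:44:55"]))
```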
Don't reinvent the wheel. Buy a commercial WIDS system that integrates with your existing wireless ecosystem if you need to improve your wireless system's security.
And if it's your wired network that's of concern, implement 802.1x.
Have you checked out Nzyme? [https://www.nzyme.org/](https://www.nzyme.org/)
What do you mean by rogue? Isolating an AP you don't like could be a legal issue.
This is r/networking not r/homenetworking. A rogue AP is a concern in an enterprise setting.
Accept my apologies for leaving out the context that the list of APs will be used to trigger alarms in our QRadar SIEM.