Alerting for IDS attacks

SOLVED
Dylan_YYC

Good morning, 
I was looking around our firewall and noticed a series of IDS attacks being blocked by our MX. I was hoping there was a way to just get alerts when an IDS ruleset was being triggered vs getting an alert anytime malware is blocked. Is there a way to get only this kind of alert?

Thanks.

jdsilva

Not that I know of 😞

Darn, ok. Maybe I'll add a feature request on that. Thanks!
PhilipDAth

You generally don't want email alerting for IDS alerts.  What happens is it tends to come in waves, and your inbox will get flooded.

+1 to @jdsilva, the Meraki platform cannot alert on just IDS alerts.  I would be surprised if it was added for the above reason.

I would like to be notified for these events, maybe not all of them, but if the MX sees a bunch of events at least let me know it's happening.

jdsilva

Oh! If all you want is to know that they've happened then that can actually be done. If you go into Organization > Summary reports, select your appliance network at the top under "Networks(s)", and then scroll WAYYYYY down to the bottom right where you will find the section "Top Security Threats by Signature". There you will find all the IDS/IPS rules that have been triggered, and how many times. You can then set up an auto email of this report to yourself on a recurring frequency (daily? weekly?).

So not real time alerting by a long shot, but maybe that would work for you?

Oh, that's an idea! But I do want real-time alerting, but I agree I don't want a ton of emails for every event, more or less a summary.

jdsilva

OK, one last possibility and then I'm tapping out on this one 🙂

You can also configure syslog messages to send security events:

Judging by the docs, IDS signature messages are included in these (among a few others).

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Event_Types...

So if you're running a syslog server somewhere (or maybe a SIEM?) you can pipe these messages into that, and then presumably have that send you emails. 
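As an added example (not from this thread, and not Meraki's or Elastic's code), here is a small Python filter that does the "send only IDS events, as a digest" step on the syslog receiver side. It assumes MX security events arrive in the shape the linked docs describe (`security_event ids_alerted signature=... priority=... src=... message: ...`); the field names are taken from that format, and the sample lines are constructed, with RFC 5737 test addresses.

```python
import re
from collections import Counter

# Constructed sample syslog batch in the MX security_event shape described in the
# Meraki docs (field names assumed from that format; hosts and IPs are made up).
SAMPLE_SYSLOG = """\
<134>1 1532027003.452 MX84 security_event ids_alerted signature=1:2100498:15 priority=2 timestamp=1532027002.734 direction=ingress protocol=tcp/ip src=203.0.113.10:44321 dst=192.0.2.5:80 message: GPL ATTACK_RESPONSE id check returned root
<134>1 1532027010.118 MX84 security_event security_filtering_file_scanned url=http://example.test/a.bin src=192.0.2.7:51000 dst=198.51.100.9:80 action=block disposition=malicious
<134>1 1532027015.902 MX84 security_event ids_alerted signature=1:2100498:15 priority=2 timestamp=1532027015.100 direction=ingress protocol=tcp/ip src=203.0.113.10:44330 dst=192.0.2.5:80 message: GPL ATTACK_RESPONSE id check returned root
<134>1 1532027020.331 MX84 security_event ids_alerted signature=1:41530:3 priority=1 timestamp=1532027020.000 direction=egress protocol=udp src=192.0.2.8:53211 dst=203.0.113.53:53 message: BLACKLIST DNS request for known malware domain
<134>1 1532027025.000 MX84 flows src=192.0.2.9 dst=198.51.100.1 protocol=tcp sport=50000 dport=443 pattern: allow all
"""

# Only the ids_alerted subtype is of interest; malware/file-scan events and flow
# logs are left to other rules so they do not flood the inbox.
IDS_RE = re.compile(r"security_event ids_alerted (?P<kv>.*?) message: (?P<msg>.*)$")

def parse_ids_events(text):
    """Return the IDS/IPS (ids_alerted) events from a syslog batch as dicts."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["message"] = m.group("msg").strip()
        events.append(fields)
    return events

def summarize(events, max_priority=2):
    """Aggregate hits per signature so one digest replaces one email per event.
    Snort priority 1 is the most severe; events above max_priority are dropped."""
    summary = {}
    for e in events:
        if int(e.get("priority", 99)) > max_priority:
            continue
        entry = summary.setdefault(
            e["signature"], {"count": 0, "sources": set(), "message": e["message"]})
        entry["count"] += 1
        entry["sources"].add(e["src"].rsplit(":", 1)[0])  # drop the port
    for entry in summary.values():
        entry["sources"] = sorted(entry["sources"])
    return summary

def should_alert(summary, threshold=2):
    """Fire one notification when the batch holds at least `threshold` IDS hits."""
    return sum(v["count"] for v in summary.values()) >= threshold
```

Run `summarize(parse_ids_events(batch))` over each syslog batch (for example every 15 minutes) and email the result only when `should_alert` is true; that gives the "a bunch of events, summarized" behaviour without a message per hit.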

Ah! I really should spin up a syslog server.......

One solution we have used that has allowed us to customize the log format, etc., as they come into our dashboard via grok is ELK.  https://www.elastic.co/

My coworker built these configuration files to help with the syslog and NetFlow parsing.

https://github.com/jystowell/logstash
