Enable Intrusion detection and prevention

romualdt
Here to help


We recently upgraded to the advanced security license and are wondering if there is a way to enable/change the Intrusion Detection settings globally for all of our security devices?  Is this exposed via the dashboard API?

GuilhermeMacedo
Getting noticed

You can enable intrusion detection by setting the Mode to Detection under Security & SD-WAN > Configure > Threat protection > Intrusion detection and prevention. When enabling intrusion detection, there are three distinct detection rulesets to choose from using the Ruleset selector:

  • Connectivity: Contains rules from the current year and the previous two years for vulnerabilities with a CVSS score of 10.
  • Balanced: Contains rules that are from the current year and the previous two years, are for vulnerabilities with a CVSS score of 9 or greater, and are in one of the following categories:
    • Malware-CNC: Rules for known malicious command and control activity for identified botnet traffic. This includes call home, downloading of dropped files, and exfiltration of data.
    • Blacklist: Rules for URIs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of malicious activity.
    • SQL Injection: Rules that are designed to detect SQL Injection attempts.
    • Exploit-kit: Rules that are designed to detect exploit kit activity.
  • Security: Contains rules that are from the current year and the previous three years, are for vulnerabilities with a CVSS score of 8 or greater, and are in one of the following categories:
    • Malware-CNC: Rules for known malicious command and control activity for identified botnet traffic. This includes call home, downloading of dropped files, and exfiltration of data.
    • Blacklist: Rules for URIs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of malicious activity.
    • SQL Injection: Rules that are designed to detect SQL Injection attempts.
    • Exploit-kit: Rules that are designed to detect exploit kit activity.
    • App-detect: Rules that look for and control the traffic of certain applications that generate network activity.

The Balanced ruleset will be selected by default.


You are able to see more in Configuring_Intrusion_Detection_and_Prevention.
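As an added illustration of the three ruleset definitions above (my own example, not Meraki's code or the community post's), the selection criteria can be written as predicates and run over a constructed set of rules. It shows that the rulesets are not simply nested: a CVSS 10 rule in a category outside the listed ones is picked up by Connectivity but by neither Balanced nor Security.

```python
from dataclasses import dataclass

# Categories named in the post for the Balanced and Security rulesets.
BALANCED_CATEGORIES = {"Malware-CNC", "Blacklist", "SQL Injection", "Exploit-kit"}
SECURITY_CATEGORIES = BALANCED_CATEGORIES | {"App-detect"}


@dataclass(frozen=True)
class Rule:
    sid: int        # constructed identifier, not a real Snort/Talos SID
    year: int       # year the rule's vulnerability was published
    cvss: float     # CVSS score of that vulnerability
    category: str   # rule category


def in_window(rule, current_year, prior_years):
    """True if the rule is from the current year or the given number of previous years."""
    return current_year - prior_years <= rule.year <= current_year


def connectivity(rule, current_year):
    # Current year + previous two years, CVSS exactly 10, any category.
    return in_window(rule, current_year, 2) and rule.cvss == 10


def balanced(rule, current_year):
    # Current year + previous two years, CVSS >= 9, four listed categories.
    return (in_window(rule, current_year, 2) and rule.cvss >= 9
            and rule.category in BALANCED_CATEGORIES)


def security(rule, current_year):
    # Current year + previous three years, CVSS >= 8, five listed categories.
    return (in_window(rule, current_year, 3) and rule.cvss >= 8
            and rule.category in SECURITY_CATEGORIES)


RULESETS = {"connectivity": connectivity, "balanced": balanced, "security": security}


def select_rules(rules, ruleset, current_year):
    """Return the sorted SIDs the named ruleset would enable."""
    predicate = RULESETS[ruleset]
    return sorted(r.sid for r in rules if predicate(r, current_year))


# Constructed sample rules for demonstration only.
SAMPLE_RULES = [
    Rule(1, 2023, 10.0, "Server-Other"),   # CVSS 10 but outside the listed categories
    Rule(2, 2023, 9.1, "Malware-CNC"),
    Rule(3, 2022, 8.5, "SQL Injection"),    # CVSS below 9: Security only
    Rule(4, 2020, 9.8, "Exploit-kit"),      # three years back: Security only
    Rule(5, 2023, 8.0, "App-detect"),       # category only in Security
    Rule(6, 2019, 10.0, "Blacklist"),       # too old for every ruleset
]

if __name__ == "__main__":
    for name in RULESETS:
        print(name, select_rules(SAMPLE_RULES, name, 2023))
```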

PhilipDAth
Kind of a big deal

Great answer by @GuilhermeMacedo.  We use "Security" for 99% of our customers.


If you are using a template and have networks bound to it then you can update the template and that will update every site using it.


I'm not aware of any API to configure this automatically.


For "Content Filtering" we also filter the below four entries for every client, purely for security reasons.  Some clients have more categories, but we use this as our baseline.

  • Bot Nets
  • Illegal
  • Malware Sites
  • Proxy Avoidance


This gives you an extra layer of defence.  Content Filtering to stop them accessing bad things in the first place, and IPS to catch the other things.

VitorSalles
Just browsing

@GuilhermeMacedo


How can I get logs about Intrusion Detection and Prevention? Is there a report in the Meraki dashboard?

PhilipDAth
Kind of a big deal

Navigate to "Security & SD-WAN/Security Centre" and click on the "MX Events" tab.


CLEBERPENTEADO
Here to help

Hi,

Is there another, more 'granular', detailed way to get logs from the MX?
