Feature Feedback: IDS/IPS Whitelisting

rhbirkelund
Kind of a big deal

I shared this feedback on some other channels without getting much of a response, so I've decided to share it here as well.

We have a customer running a case with Meraki Support. Long story short, a client seemed to be getting marked as a hit on the Snort ID "SERVER-OTHER BOOTP overflow", resulting in a boatload of hits, and this ended up making the IPS simply block all DHCP at a site. Meraki Support then suggested whitelisting this rule.

Whitelisting Snort rules can be done under Security & SDWAN > Threat Protection. This implies that the whitelisting is only done locally on the Network; however, when you hover over the tooltip for Whitelisting, it clearly states that this setting is for the entire Organization.

A colleague and I feel like this is very misleading, and quite frankly think this feature should either a) be moved to the Organization menu, as it's an organization-wide setting, or b) be changed so it only affects the network on which it is configured.

Additionally, and this ties in a bit with the above feedback, the list from which to choose a rule to whitelist is generated per network. That means if Network A has a hit on a Snort rule, it shows up in the list; however, if there are no hits on Network B, there's nothing to select. This kind of contradicts the organization-wide setting from above. Furthermore, if I actually configure it on Network A, it shows the name and rule ID, i.e. "SERVER-OTHER BOOTP overflow 1:20611", but if I then switch to Network B, it simply shows "null 1:20611", where 1:20611 is the rule ID. So if I stand on Network B, which is not affected by the Snort rule, I cannot see what is configured unless I manually look up the ID on the Snort page.

Also, after whitelisting the Snort rule, its hits will at some point drop out of the list in Security Events. Or at least, that is what we think. So when I again stand on Network A, after some time the whitelisted rule will then also show as "null 1:20611" instead of what I had configured in the first place, i.e. "SERVER-OTHER BOOTP overflow 1:20611".

LinkedIn ::: https://blog.rhbirkelund.dk/

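As an added example (not code from the post or from Meraki), this builds the cross-network lookup the post says the dashboard lacks: join the organization-level allow list with the per-network security events on GID:SID, so a rule the UI shows as "null" can still be named from whichever network saw it. It assumes the documented response shapes of GET /organizations/{orgId}/appliance/security/intrusion (allowedRules with "ruleId"/"message") and GET /networks/{netId}/appliance/security/events (events with "signature"/"message"); the JSON below is constructed sample data, not API output.

```python
import re
from collections import defaultdict

# Constructed sample of the org-level allow list (the setting the tooltip calls organization-wide).
ORG_ALLOWED_RULES = [
    {"ruleId": "meraki:intrusion/snort/GID/1/SID/20611", "message": "SERVER-OTHER BOOTP overflow"},
    {"ruleId": "meraki:intrusion/snort/GID/1/SID/28423", "message": None},  # name missing, as in "null 1:20611"
]

# Constructed sample of per-network security events; only Network A has seen the BOOTP rule.
NETWORK_EVENTS = {
    "Network A": [{"signature": "1:20611:14", "message": "SERVER-OTHER BOOTP overflow"},
                  {"signature": "1:20611:14", "message": "SERVER-OTHER BOOTP overflow"}],
    "Network B": [{"signature": "1:28423:3", "message": "SERVER-WEBAPP constructed example rule"}],
}

_RULE_ID_RE = re.compile(r"GID/(\d+)/SID/(\d+)$")

def allowed_rule_to_gid_sid(rule_id):
    """'meraki:intrusion/snort/GID/1/SID/20611' -> '1:20611' (the form the dashboard shows)."""
    m = _RULE_ID_RE.search(rule_id)
    if not m:
        raise ValueError(f"unexpected ruleId format: {rule_id}")
    return f"{m.group(1)}:{m.group(2)}"

def event_to_gid_sid(signature):
    """Drop the revision from a Snort signature 'GID:SID:rev' -> 'GID:SID'."""
    gid, sid = signature.split(":")[:2]
    return f"{gid}:{sid}"

def audit_allowed_rules(allowed_rules, network_events):
    """Map each allowed rule (GID:SID) to its name and per-network hit counts.
    The name comes from the allow list, falling back to any network's events,
    so a rule the UI shows as 'null' is still named here."""
    names, hits = {}, defaultdict(lambda: defaultdict(int))
    for net, events in network_events.items():
        for ev in events:
            key = event_to_gid_sid(ev["signature"])
            hits[key][net] += 1
            names.setdefault(key, ev.get("message"))
    report = {}
    for rule in allowed_rules:
        key = allowed_rule_to_gid_sid(rule["ruleId"])
        report[key] = {"name": rule.get("message") or names.get(key) or "unknown",
                       "hits": dict(hits.get(key, {}))}
    return report

if __name__ == "__main__":
    for key, info in audit_allowed_rules(ORG_ALLOWED_RULES, NETWORK_EVENTS).items():
        print(f"{info['name']} {key}: hits per network {info['hits'] or 'none'}")
```

Replacing the two constants with the live API responses gives a read-only report of what is whitelisted org-wide and where it actually fires.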
ww
Kind of a big deal

In addition to this.

It can be annoying that read-only accounts can't see this. They don't know if something is whitelisted.

RaphaelL
Kind of a big deal

One of the many reasons why I dislike the IDS/IPS on the MX. Great write up.
