Meraki

Community

Fluctuating IDS alert - action blocked then allowed

Essam
Comes here often
‎Jun 13 2021 12:23 PM
‎Jun 13 2021 12:23 PM

Fluctuating IDS alert - action blocked then allowed

in the Security Center > Event view, I have received many IDS alerts related to the same  threat :

Microsoft Edge Intl.js memory corruption attempt. However this IDS was blocked in all the reported alerts (Whitelist is off), but there were one or two alerts that allowed .see attached screenshot where there are two IDS alerts with similar source and destination only the time differs.

Does that mean the threat at one point was allowed to the network?

blocked then allowed IDS.PNG

0 Kudos
2 Replies 2
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 13 2021 12:39 PM
‎Jun 13 2021 12:39 PM

Gave you got the IDS set to prefer security?  I would have expected that to block it?

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection#Intrus... 

0 Kudos
Bruce
Kind of a big deal
‎Jun 13 2021 4:13 PM
‎Jun 13 2021 4:13 PM

Did the destination happen to be across an AutoVPN tunnel, and you’re using a full tunnel with this MX as the exit hub? If that’s the case then the IDS/IPS only operates in IDS (i.e. non-blocking mode) for traffic destined across the AutoVPN tunnel. (Reference, https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings, first blue highlighted box).

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.