Meraki

Community

Hammered with IDS alerts

JonP
Getting noticed
‎Jul 3 2023 9:43 AM
‎Jul 3 2023 9:43 AM

Hammered with IDS alerts

Hi guys,

 

For a few weeks now, we have been hammered with Apache Log4j logging remote code execution attempts from host0484.sdjihtbwyu8rtgutrw.com / 95.214.55.244. How can I absolutely ensure this traffic is dropped?

 

The MX identifies that this traffic originates from Poland, so I have added that country to our Geo blocklist. I've also added a L7 rule to deny this IP. Are there any other steps I should take to combat this threat actor? We are an SME and there's only a handful of us in IT, none of us are security specialists, so I want to make as sure as I can that this IP is blackholed, blocked, bounced, whatever - as long as it doesn't get though!

 

Thanks all

J 🙂

0 Kudos
3 Replies 3
FabianSchleef
Here to help
‎Jul 3 2023 11:31 AM
‎Jul 3 2023 11:31 AM

Hi,

 

if your MX is running in IPS mode with Security ruleset selected and if your firmware is up to date the SNORT engine will catch these for you.

 

Had these at several customer sites and it was always catched by the MX. Regardless of the source IP.

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 3 2023 3:09 PM
‎Jul 3 2023 3:09 PM

Create a layer 7 firewall rule blocking traffic for this host.  This blocks both inbound and outbound traffic.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_a_Layer_7_Fi... 

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 3 2023 3:11 PM
‎Jul 3 2023 3:11 PM

PhilipDAth_0-1688422258361.png

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.