How can we verify that the MX Intrusion Prevention Rules are updated?

Natthaphol
Here to help


Dear all, 

How can we verify that the MX Intrusion Prevention Rules are updated from SNORT? How can we verify that the MX has a rule or rules to protect against the recent CVE-2021-34481 or any other CVE?

Thank you and appreciate your advice,

Natthaphol.

ww
Kind of a big deal

To see the version:

Go to event log.

Filter on "Intrusion detection rules update"

Natthaphol
Here to help

Thanks, WW,

How can I verify the rules for a CVE, e.g. CVE-2021-34481?

Natthaphol.

ww
Kind of a big deal
Natthaphol
Here to help

Dear ww,

Thanks for your tip. But how can we make sure that the rule or rules are actually on MX?

Natthaphol

PhilipDAth
Kind of a big deal

You can't verify that a specific CVE is included in a specific update.  You can only go by the ruleset definitions:

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection#Config... 

 

In short summary (make sure you read the whole definition - this is just to give you a quick feel):

  • Connectivity: Contains rules from the current year and the previous two years for vulnerabilities with a CVSS score of 10.
  • Balanced: Contains rules that are from the current year and the previous two years, are for vulnerabilities with a CVSS score of nine (9) or greater.
  • Security: Contains rules that are from the current year and the previous three years, are for vulnerabilities with a CVSS score of eight (8) or greater.

P.S. We use "Security" for every one of our customers.  Works great.

I note that this CVE currently has a rating of 7.8 - so there is no profile that will block it.

https://nvd.nist.gov/vuln/detail/CVE-2021-34481 

Note that the score can go up and down.  I suspect it might only be 7.8 because patches are available and because of the limited circumstances in which it can be used.
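An added example, not part of any poster's reply and not Meraki or Snort project code: a check over a Snort-format rules file you hold yourself, listing which rules reference a given CVE and which policy tags they carry. It assumes the MX ruleset names correspond to the Snort `policy connectivity-ips`, `balanced-ips` and `security-ips` metadata tags; the rules, SIDs and CVE ids are constructed, and the result says nothing about what is actually loaded on an MX.

```python
import re

# Assumption: the MX ruleset names map onto Snort "policy <name>" metadata tags.
MX_RULESETS = {"connectivity-ips": "Connectivity", "balanced-ips": "Balanced",
               "security-ips": "Security"}

# Constructed rules in Snort syntax; SIDs, messages and CVE ids are made up.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED rule A"; flow:to_server,established; content:"|AA BB|"; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2099-0001; sid:1000001; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED disabled rule B"; content:"x"; metadata:policy security-ips alert; reference:cve,2099-0002; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED rule C"; content:"y\;z"; metadata:policy max-detect-ips drop; reference:cve,2099-0001; sid:1000003; rev:5;)
'''

RULE_RE = re.compile(r"^(?:alert|drop|block|reject|pass|log)\b[^(]*\((.*)\)\s*$")
OPTION_SPLIT = re.compile(r"(?<!\\);")  # ';' ends an option unless escaped as '\;'

def parse_rule(line):
    """Return enabled flag, sid, CVE ids and policy tags of one rule line, or None."""
    line = line.strip()
    match = RULE_RE.match(line.lstrip("# "))
    if not match:
        return None  # blank line or plain comment
    rule = {"enabled": not line.startswith("#"), "sid": None, "cves": set(), "policies": {}}
    for option in OPTION_SPLIT.split(match.group(1)):
        key, _, value = option.strip().partition(":")
        value = value.strip()
        if key == "reference" and value.lower().startswith("cve,"):
            rule["cves"].add("CVE-" + value.split(",", 1)[1].strip())
        elif key == "metadata":
            for item in value.split(","):
                words = item.split()
                if len(words) == 3 and words[0] == "policy":
                    rule["policies"][words[1]] = words[2]  # e.g. security-ips -> drop
        elif key == "sid":
            rule["sid"] = int(value)
    return rule

def rules_for_cve(rules_text, cve_id):
    """All rules (enabled or commented out) whose reference option names cve_id."""
    parsed = (parse_rule(line) for line in rules_text.splitlines())
    return [r for r in parsed if r and cve_id.upper() in r["cves"]]

def coverage(rules_text, cve_id):
    """Map MX ruleset name -> SIDs of enabled rules for cve_id tagged with that policy."""
    result = {}
    for rule in rules_for_cve(rules_text, cve_id):
        for policy in rule["policies"] if rule["enabled"] else ():
            if policy in MX_RULESETS:
                result.setdefault(MX_RULESETS[policy], []).append(rule["sid"])
    return result

if __name__ == "__main__":
    for cve in ("CVE-2099-0001", "CVE-2099-0002"):
        print(cve, coverage(SAMPLE_RULES, cve))
```

An empty result means no enabled rule in the file you supplied references that CVE under those three policies; commented-out rules still appear in `rules_for_cve` so they can be told apart from missing ones.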

Natthaphol
Here to help

Dear Philip,

Thanks for your explanation. Can we verify the CVE[s] included in the MX appliance box?

And in the case of a CVSS score change, how does the MX verify the CVSS score of a specific CVE to prevent the threats?

Thanks,

Natthaphol.

AnythingHosted
Building a reputation

Interesting, running this in the event log, my MX84 hasn't had an update since April 30th...
