I haven't had that one fire - so I think that is bad news.
Which Snort signature is it (the number)?
What is the source of those? Are they coming from an external country that would allow you to create an L7 firewall rule to deny? Does the source IP change, or is it always coming from the same IP or handful of IPs?
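A small triage script for the two questions asked in this reply (where the hits come from, and whether it is one host, a handful, or a changing set). This is an added example, not code from the thread, from Meraki or from Snort. The alert lines are constructed here and use an assumed `key=value` layout, not any real product's export format; the signature IDs and addresses are likewise made up.

```python
"""Group IPS alerts by signature and source, and classify sources as
internal (RFC 1918) or external.

Added example for the thread above; the input format, signature IDs
and addresses below are constructed for illustration only.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample alerts in an assumed key=value layout.
SAMPLE_ALERTS = """\
2018-10-19T09:01:12Z ids sig=1:12345:2 src=10.20.0.15 dst=10.20.1.44 proto=tcp
2018-10-19T09:01:13Z ids sig=1:12345:2 src=10.20.0.15 dst=10.20.1.45 proto=tcp
2018-10-19T09:02:40Z ids sig=1:12345:2 src=10.20.0.15 dst=10.20.1.46 proto=tcp
2018-10-19T09:05:02Z ids sig=1:12345:2 src=203.0.113.7 dst=10.20.1.44 proto=tcp
2018-10-19T09:05:03Z ids sig=1:99999:1 src=198.51.100.9 dst=10.20.1.44 proto=tcp
"""

ALERT_RE = re.compile(r"sig=(?P<sig>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")

# Explicit RFC 1918 ranges. ipaddress's is_private also treats the
# documentation/TEST-NET blocks as private, which is wrong for this purpose.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_alerts(text):
    """Yield (sig, src, dst) for every line that matches; skip the rest."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.group("sig"), m.group("src"), m.group("dst")


def is_internal(ip):
    """True if ip falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def summarize(text):
    """Per signature: total hits, hit count per source IP, and how many
    distinct sources are internal vs external."""
    by_sig = defaultdict(lambda: {
        "total": 0,
        "sources": Counter(),
        "internal_sources": 0,
        "external_sources": 0,
    })
    for sig, src, _dst in parse_alerts(text):
        entry = by_sig[sig]
        entry["total"] += 1
        entry["sources"][src] += 1
    for entry in by_sig.values():
        for src in entry["sources"]:
            if is_internal(src):
                entry["internal_sources"] += 1
            else:
                entry["external_sources"] += 1
    return dict(by_sig)


def blockable_externally(summary, sig):
    """A source-based block at the edge only helps when every source of the
    signature is external; one internal source means the rule would not
    address the alerts at all."""
    entry = summary[sig]
    return entry["external_sources"] > 0 and entry["internal_sources"] == 0


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    for sig, entry in sorted(summary.items()):
        top_src, top_hits = entry["sources"].most_common(1)[0]
        print(f"{sig}: {entry['total']} hits, {len(entry['sources'])} source(s), "
              f"{entry['internal_sources']} internal / {entry['external_sources']} external, "
              f"top source {top_src} ({top_hits} hits), "
              f"edge block useful: {blockable_externally(summary, sig)}")
```

Run it against an export of the actual IPS events instead of `SAMPLE_ALERTS`; a signature whose hits are dominated by a single internal host is the case the rest of the thread describes, where an edge block does nothing and the decision is between whitelisting the signature and chasing down why the host trips it.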
It's from our internal trusted file server. The vulnerability was a zero-day on October 9th. Microsoft released patches, and we applied them on October 13th. It's almost like the new Microsoft patch hasn't been imported into Meraki's repository. Our IPS started alerting on Friday. Only found a few others with the same issue so far.
https://www.reddit.com/r/meraki/comments/9oz364/microsoft_windows_filter_manager_elevation_of/
Maybe it will get to 10k by tomorrow.
This is the Microsoft CVE relating to it.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8333
If you have the specific updates installed then I would say you should be safe to whitelist the threat.
PhillipDAth,
I would definitely create a whitelist rule if there were a way to only whitelist a specific host or internal network. I definitely do not want to open it up externally in case an unpatched machine slips through the cracks, and from what support said there was no way to segment the whitelist rule between LAN and WAN traffic.
If users or other Admins haven't reported any application issues related to these IPS events I would leave the rule in place and inform the relevant Microsoft administrators to investigate.
Owen,
Definitely leaving the rule in place, and since the counts keep going, I'm escalating this to Microsoft and, if need be, an outside security expert.
**Update**