Meraki

Community

Huge Number of Threats on Snort Rule

Solved
ArpTableCorrupt
Here to help
‎Oct 22 2018 1:19 PM
‎Oct 22 2018 1:19 PM

Huge Number of Threats on Snort Rule

  • Getting a Large Number of these events since Friday. 
  • Anyone able to Shed light on the subject or seeing the same thing?  
  • I really don't want to whitelist the rule as support suggested.
  • All of the Traffic it is blocking is coming from a Windows 2012 R2 File Server.  on 445 (File Sharing)
  • All Windows Updates are current on both Server & Windows 10 / 7 PC's
  • Ran Multiple Vendor Scans for Malware / AV, Rootkits on File Server, Found Nothing.
  • Didn't see anything crazy in Process Explorer attached to normal Windows Services.

 

wtf_meraki.JPG

 

 

0 Kudos
1 Accepted Solution
In response to ArpTableCorrupt
ArpTableCorrupt
Here to help
‎Oct 25 2018 4:48 AM
‎Oct 25 2018 4:48 AM

  • No More alerts for the as of this morning 6:30CST AM

 

Updated_Threat_graph_102518.JPG

 

 

  • We had quite a few users from Friday 10/19 - lunchtime yesterday 10/24 that would randomly get blocked access to our File Server, which caused headaches.
  • Would like the ability to "whitelist" an internal server on the IDS & not the "whole ball of wax, LAN/WAN"
  • Being that there is no way to limit "whitelisted" IDS to internal traffic only, it prevented me from being able to whitelist the Rule ID 1-48205. 
  • Would like access to a "Meraki Security Threat" team, so when I call support in the future, someone can get me a definitive answer if this is a "waiting on patterns to catch up" or "you are being hacked sir".

View solution in original post

0 Kudos
13 Replies 13
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 22 2018 11:47 PM
‎Oct 22 2018 11:47 PM

I haven't had that one fire - so I think that is bad news.

 

Which snort signature is it (the number)?

0 Kudos
In response to PhilipDAth
ArpTableCorrupt
Here to help
‎Oct 23 2018 4:26 AM
‎Oct 23 2018 4:26 AM

rule.JPG

 

0 Kudos
In response to ArpTableCorrupt
ThtMakesNoSense
Conversationalist
‎Oct 23 2018 6:35 AM
‎Oct 23 2018 6:35 AM

Same thing happening here at all of our data centers. Started noticing it on Friday, pinged support and they weren't very helpful. I haven't seen any user issues yet but now im nervous this could trigger something bigger that'll force me to whitelist. Some non Meraki related articles on the subject: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8333 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8333
MacuserJim
A model citizen
‎Oct 23 2018 6:52 AM
‎Oct 23 2018 6:52 AM

What is the source of those? Are they sourcing form an external country that would allow you to create an L7 firewall rule to deny? Does the source IP change or is it always coming from the same IP or handful of IPs?

0 Kudos
In response to MacuserJim
ArpTableCorrupt
Here to help
‎Oct 23 2018 7:13 AM
‎Oct 23 2018 7:13 AM

It's from our internal Trusted File Server.  The Vulnerability was a zero day on October 9th.  Microsoft Release Patches & we applied them on October 13th.   It’s almost like the new Microsoft Patch hasn’t been imported into Meraki’s repository.  Our IPS Started Alerting on Friday.   Only found a few others with same issue so far

https://www.reddit.com/r/meraki/comments/9oz364/microsoft_windows_filter_manager_elevation_of/

0 Kudos
In response to ArpTableCorrupt
ArpTableCorrupt
Here to help
‎Oct 23 2018 8:50 AM
‎Oct 23 2018 8:50 AM

Maybe will get to 10k by tomorrow

tally_102318.JPG

 

0 Kudos
In response to ArpTableCorrupt
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 23 2018 12:54 PM
‎Oct 23 2018 12:54 PM

This is the Microsoft CVE relating to it.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8333

 

If you have the specific updates installed then I would say you should be safe to whitelist the threat.

0 Kudos
In response to PhilipDAth
ArpTableCorrupt
Here to help
‎Oct 23 2018 3:44 PM
‎Oct 23 2018 3:44 PM

PhillipDAth,

 

I would definitely create a white list rule if there way a way to only "whitelist specific host /internal network".  I definitely do not want to open it up externally in case an unpatched machine slips through the cracks & from what support said there was no way the segment the whitelist rule from Lan or Wan traffic.

0 Kudos
In response to ArpTableCorrupt
Owen
Getting noticed
‎Oct 23 2018 9:24 PM
‎Oct 23 2018 9:24 PM

If users or other Admins haven't reported any application issues related to these IPS events I would leave the rule in place and inform the relevant Microsoft administrators to investigate.

0 Kudos
In response to Owen
ArpTableCorrupt
Here to help
‎Oct 24 2018 4:52 AM
‎Oct 24 2018 4:52 AM

thanks_meraki.JPG

 

Owen,

 

Definitely leaving the rule in place & since the counts keep going, I'm escalating this to Microsoft & if need be an outside Security Expert.

0 Kudos
In response to ArpTableCorrupt
ArpTableCorrupt
Here to help
‎Oct 24 2018 11:06 AM
‎Oct 24 2018 11:06 AM

**Update**

 

  • Last IDS Threat Detected at 11:48CST
  • @ 11:50 CST Snort Ruleset Updated : snort_rules_version: 2.9.8.3, source: ids-vrt-security, rules: 5bef5aafbdc45de20f650555f17fae4c7a41a57f
  • No Alert yet Hopefully this is over & was a false positivesnort_update.JPG

     

    detect_graph_102418.JPG

     

0 Kudos
In response to ArpTableCorrupt
ArpTableCorrupt
Here to help
‎Oct 24 2018 4:47 PM
‎Oct 24 2018 4:47 PM

  • As of 6:30CST. no more alarms since the one at 11:48CST.
  • Everything is leaning towards the Snort Patterns that were applied at 11:50CST must have contained an updated whitelist of the Microsoft Patches released two weeks ago
  • Either that or "hackers" are very crafty and decided to take a break before their next assault on our network.
0 Kudos
In response to ArpTableCorrupt
ArpTableCorrupt
Here to help
‎Oct 25 2018 4:48 AM
‎Oct 25 2018 4:48 AM

  • No More alerts for the as of this morning 6:30CST AM

 

Updated_Threat_graph_102518.JPG

 

 

  • We had quite a few users from Friday 10/19 - lunchtime yesterday 10/24 that would randomly get blocked access to our File Server, which caused headaches.
  • Would like the ability to "whitelist" an internal server on the IDS & not the "whole ball of wax, LAN/WAN"
  • Being that there is no way to limit "whitelisted" IDS to internal traffic only, it prevented me from being able to whitelist the Rule ID 1-48205. 
  • Would like access to a "Meraki Security Threat" team, so when I call support in the future, someone can get me a definitive answer if this is a "waiting on patterns to catch up" or "you are being hacked sir".
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.