Huge Number of Threats on Snort Rule

Solved
ArpTableCorrupt
Here to help

Huge Number of Threats on Snort Rule

  • Getting a Large Number of these events since Friday. 
  • Anyone able to Shed light on the subject or seeing the same thing?  
  • I really don't want to whitelist the rule as support suggested.
  • All of the Traffic it is blocking is coming from a Windows 2012 R2 File Server.  on 445 (File Sharing)
  • All Windows Updates are current on both Server & Windows 10 / 7 PC's
  • Ran Multiple Vendor Scans for Malware / AV, Rootkits on File Server, Found Nothing.
  • Didn't see anything crazy in Process Explorer attached to normal Windows Services.

 

wtf_meraki.JPG

 

 

1 Accepted Solution
ArpTableCorrupt
Here to help

  • No More alerts for the as of this morning 6:30CST AM

 

Updated_Threat_graph_102518.JPG

 

 

  • We had quite a few users from Friday 10/19 - lunchtime yesterday 10/24 that would randomly get blocked access to our File Server, which caused headaches.
  • Would like the ability to "whitelist" an internal server on the IDS & not the "whole ball of wax, LAN/WAN"
  • Being that there is no way to limit "whitelisted" IDS to internal traffic only, it prevented me from being able to whitelist the Rule ID 1-48205. 
  • Would like access to a "Meraki Security Threat" team, so when I call support in the future, someone can get me a definitive answer if this is a "waiting on patterns to catch up" or "you are being hacked sir".

View solution in original post

13 Replies 13
PhilipDAth
Kind of a big deal
Kind of a big deal

I haven't had that one fire - so I think that is bad news.

 

Which snort signature is it (the number)?

ArpTableCorrupt
Here to help

rule.JPG

 

ThtMakesNoSense
Conversationalist

Same thing happening here at all of our data centers. Started noticing it on Friday, pinged support and they weren't very helpful. I haven't seen any user issues yet but now im nervous this could trigger something bigger that'll force me to whitelist. Some non Meraki related articles on the subject: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8333 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8333
MacuserJim
A model citizen

What is the source of those? Are they sourcing form an external country that would allow you to create an L7 firewall rule to deny? Does the source IP change or is it always coming from the same IP or handful of IPs?

ArpTableCorrupt
Here to help

It's from our internal Trusted File Server.  The Vulnerability was a zero day on October 9th.  Microsoft Release Patches & we applied them on October 13th.   It’s almost like the new Microsoft Patch hasn’t been imported into Meraki’s repository.  Our IPS Started Alerting on Friday.   Only found a few others with same issue so far

https://www.reddit.com/r/meraki/comments/9oz364/microsoft_windows_filter_manager_elevation_of/

ArpTableCorrupt
Here to help

Maybe will get to 10k by tomorrow

tally_102318.JPG

 

PhilipDAth
Kind of a big deal
Kind of a big deal

This is the Microsoft CVE relating to it.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8333

 

If you have the specific updates installed then I would say you should be safe to whitelist the threat.

ArpTableCorrupt
Here to help

PhillipDAth,

 

I would definitely create a white list rule if there way a way to only "whitelist specific host /internal network".  I definitely do not want to open it up externally in case an unpatched machine slips through the cracks & from what support said there was no way the segment the whitelist rule from Lan or Wan traffic.

Owen
Getting noticed

If users or other Admins haven't reported any application issues related to these IPS events I would leave the rule in place and inform the relevant Microsoft administrators to investigate.

ArpTableCorrupt
Here to help

thanks_meraki.JPG

 

Owen,

 

Definitely leaving the rule in place & since the counts keep going, I'm escalating this to Microsoft & if need be an outside Security Expert.

ArpTableCorrupt
Here to help

**Update**

 

  • Last IDS Threat Detected at 11:48CST
  • @ 11:50 CST Snort Ruleset Updated : snort_rules_version: 2.9.8.3, source: ids-vrt-security, rules: 5bef5aafbdc45de20f650555f17fae4c7a41a57f
  • No Alert yet Hopefully this is over & was a false positivesnort_update.JPG

     

    detect_graph_102418.JPG

     

ArpTableCorrupt
Here to help

  • As of 6:30CST. no more alarms since the one at 11:48CST.
  • Everything is leaning towards the Snort Patterns that were applied at 11:50CST must have contained an updated whitelist of the Microsoft Patches released two weeks ago
  • Either that or "hackers" are very crafty and decided to take a break before their next assault on our network.
ArpTableCorrupt
Here to help

  • No More alerts for the as of this morning 6:30CST AM

 

Updated_Threat_graph_102518.JPG

 

 

  • We had quite a few users from Friday 10/19 - lunchtime yesterday 10/24 that would randomly get blocked access to our File Server, which caused headaches.
  • Would like the ability to "whitelist" an internal server on the IDS & not the "whole ball of wax, LAN/WAN"
  • Being that there is no way to limit "whitelisted" IDS to internal traffic only, it prevented me from being able to whitelist the Rule ID 1-48205. 
  • Would like access to a "Meraki Security Threat" team, so when I call support in the future, someone can get me a definitive answer if this is a "waiting on patterns to catch up" or "you are being hacked sir".
Get notified when there are additional replies to this discussion.