Huge Number of Threats on Snort Rule

SOLVED
Here to help

Huge Number of Threats on Snort Rule

  • Getting a large number of these events since Friday.
  • Anyone able to shed light on the subject or seeing the same thing?
  • I really don't want to whitelist the rule as support suggested.
  • All of the traffic it is blocking is coming from a Windows 2012 R2 File Server on 445 (File Sharing).
  • All Windows Updates are current on both the server and the Windows 10 / 7 PCs.
  • Ran multiple vendor scans for malware / AV and rootkits on the File Server; found nothing.
  • Didn't see anything crazy in Process Explorer attached to normal Windows services.

wtf_meraki.JPG

1 ACCEPTED SOLUTION

Accepted Solutions
Here to help

Re: Huge Number of Threats on Snort Rule

  • No more alerts as of this morning, 6:30 AM CST.

Updated_Threat_graph_102518.JPG

  • We had quite a few users from Friday 10/19 through lunchtime yesterday 10/24 that would randomly get blocked access to our File Server, which caused headaches.
  • Would like the ability to "whitelist" an internal server on the IDS and not the "whole ball of wax, LAN/WAN".
  • Because there is no way to limit a "whitelisted" IDS rule to internal traffic only, I was unable to whitelist Rule ID 1-48205.
  • Would like access to a "Meraki Security Threat" team, so when I call support in the future, someone can give me a definitive answer on whether this is "waiting on patterns to catch up" or "you are being hacked, sir".
Kind of a big deal

Re: Huge Number of Threats on Snort Rule

I haven't had that one fire, so I think that is bad news.

Which Snort signature is it (the number)?

Here to help

Re: Huge Number of Threats on Snort Rule

rule.JPG

Conversationalist

Re: Huge Number of Threats on Snort Rule

Same thing happening here at all of our data centers. Started noticing it on Friday, pinged support and they weren't very helpful. I haven't seen any user issues yet, but now I'm nervous this could trigger something bigger that'll force me to whitelist. Some non-Meraki-related articles on the subject:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8333
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8333
A model citizen

Re: Huge Number of Threats on Snort Rule

What is the source of those? Are they sourcing from an external country that would allow you to create an L7 firewall rule to deny? Does the source IP change, or is it always coming from the same IP or handful of IPs?

Here to help

Re: Huge Number of Threats on Snort Rule

It's from our internal trusted File Server. The vulnerability was a zero day on October 9th. Microsoft released patches and we applied them on October 13th. It's almost like the new Microsoft patch hasn't been imported into Meraki's repository. Our IPS started alerting on Friday. Only found a few others with the same issue so far:

https://www.reddit.com/r/meraki/comments/9oz364/microsoft_windows_filter_manager_elevation_of/

Here to help

Re: Huge Number of Threats on Snort Rule

Maybe it will get to 10k by tomorrow.

tally_102318.JPG

Kind of a big deal

Re: Huge Number of Threats on Snort Rule

This is the Microsoft CVE relating to it.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8333

If you have the specific updates installed, then I would say you should be safe to whitelist the threat.

Here to help

Re: Huge Number of Threats on Snort Rule

PhillipDAth,

I would definitely create a whitelist rule if there were a way to only "whitelist a specific host / internal network". I definitely do not want to open it up externally in case an unpatched machine slips through the cracks, and from what support said there was no way to segment the whitelist rule between LAN and WAN traffic.

Here to help

Re: Huge Number of Threats on Snort Rule

If users or other admins haven't reported any application issues related to these IPS events, I would leave the rule in place and inform the relevant Microsoft administrators to investigate.

Here to help

Re: Huge Number of Threats on Snort Rule

thanks_meraki.JPG

Owen,

Definitely leaving the rule in place, and since the counts keep going, I'm escalating this to Microsoft and, if need be, an outside security expert.

Here to help

Re: Huge Number of Threats on Snort Rule

**Update**

  • Last IDS threat detected at 11:48 CST.
  • At 11:50 CST the Snort ruleset updated: snort_rules_version: 2.9.8.3, source: ids-vrt-security, rules: 5bef5aafbdc45de20f650555f17fae4c7a41a57f
  • No alert yet. Hopefully this is over and was a false positive.

snort_update.JPG

detect_graph_102418.JPG
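As an added example (not Meraki's or Snort's code; the log format and every address in it are constructed), this is how one might triage a burst like the one above offline: count hits per rule and per source, suppress rule 1-48205 only when it comes from the trusted internal file server while keeping the same rule from any other source visible, and check whether any hits continued after the time a new ruleset was applied.

```python
"""Triage a burst of IDS events as the thread does. Added example, not Meraki or
Snort code; the log format and every address here are constructed."""
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample log: timestamp, rule (gid-sid), src, dst, dst port.
# 1-48205 is the rule from the thread; 1-1000001 is a constructed local sid.
SAMPLE_EVENTS = """\
2018-10-24 11:40:03 1-48205 10.1.5.20 10.1.10.44 445
2018-10-24 11:41:17 1-48205 10.1.5.20 10.1.10.91 445
2018-10-24 11:48:00 1-48205 10.1.5.20 10.1.10.12 445
2018-10-24 11:49:30 1-1000001 203.0.113.8 10.1.10.12 445
2018-10-24 12:05:00 1-48205 198.51.100.7 10.1.10.12 445
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_events(text):
    """Parse the constructed format; 'internal' marks RFC 1918 sources."""
    events = []
    for line in text.splitlines():
        date, time, rule, src, dst, port = line.split()
        src_ip = ipaddress.ip_address(src)
        events.append({"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
                       "rule": rule, "src": src_ip, "dst": ipaddress.ip_address(dst),
                       "port": int(port), "internal": any(src_ip in n for n in RFC1918)})
    return events

def scoped_suppress(events, rule, trusted_hosts):
    """Suppress `rule` only from trusted internal hosts (the scoped whitelist the
    thread asks for); the same rule from any other source stays visible."""
    trusted = {ipaddress.ip_address(h) for h in trusted_hosts}
    kept, suppressed = [], []
    for ev in events:
        target = suppressed if ev["rule"] == rule and ev["src"] in trusted else kept
        target.append(ev)
    return kept, suppressed

def summarize(events):
    """Hits per rule, hits per (rule, source), and the time of the last hit."""
    by_rule = Counter(ev["rule"] for ev in events)
    by_src = Counter((ev["rule"], str(ev["src"])) for ev in events)
    last = max((ev["ts"] for ev in events), default=None)
    return by_rule, by_src, last

def alerts_after(events, rule, cutoff):
    """Hits for `rule` at or after `cutoff`, e.g. when a new ruleset was applied."""
    return [ev for ev in events if ev["rule"] == rule and ev["ts"] >= cutoff]
```

In the sample data the three hits from the trusted server are suppressed, while the same rule firing from a non-RFC 1918 source is kept and still shows up in `alerts_after` past the cutoff.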
Here to help

Re: Huge Number of Threats on Snort Rule

  • As of 6:30 CST, no more alarms since the one at 11:48 CST.
  • Everything is leaning towards this: the Snort patterns that were applied at 11:50 CST must have contained an updated whitelist of the Microsoft patches released two weeks ago.
  • Either that or the "hackers" are very crafty and decided to take a break before their next assault on our network.