Meraki

Community

IDS/AMP still scanning client even if white-listed - broke remote desktop connection

LV_MW_MSP
Getting noticed
‎Jan 31 2019 6:54 AM
‎Jan 31 2019 6:54 AM

IDS/AMP still scanning client even if white-listed - broke remote desktop connection

We have an MX 100 on the front, tagged a WAN IP with 1:1 NAT to a MX64 (for a second business in same network) and the second business has some remote desktop servers.

 

On January 30th 2019 in the morning, SNORT released the following rule:

- OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt

- Rule ID 1-49040

 

What I just learned from Meraki support, even though the client was white-listed, they are telling me white listing only affects outbound traffic initiated from that device. White listing has nothing to do with external traffic hitting an internal device. I guess not many people are doing what we are doing, and we will be using a layer 3 switch in front moving forward to prevent the 1:1NAT rule.

 

It did peak my curiosity, can anyone confirm this. It seems that white listing doesn't disable AMP or IDS. Secondly, if you create a custom group policy, it is possible to disable AMP, but you can't disable IDS for a specific device.

 

In any event, the fix was to white-list the new rule the SNORT released, and everything is working again.

3 Replies 3
Cmiller
Building a reputation
‎Jan 31 2019 7:39 AM
‎Jan 31 2019 7:39 AM

Thanks for all the heavy lifting on this solution, this may come is handy
0 Kudos
BrechtSchamp
Kind of a big deal
‎Jan 31 2019 8:05 AM
‎Jan 31 2019 8:05 AM

I'm all for options and this sound like a valid feature request! Thanks for posting the workaround.

 

Edit: Would it be related to the problem @jdsilva experienced. Basically for him the rule is triggered if you use a non-standard port for the RDP session. So another solution would be to keep the port internally and externally the same:

https://community.meraki.com/t5/Security-SD-WAN/IDS-AMP-still-scanning-client-even-if-white-listed-b...

 

 

0 Kudos
In response to BrechtSchamp
jdsilva
Kind of a big deal
‎Jan 31 2019 8:13 AM
‎Jan 31 2019 8:13 AM

Ignore me. I'm confusing things and quoting the wrong rule. Our problem is the same as the rule quoted in this thread.

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.