IDS Alert Allowed

SJones
Here to help

IDS Alert Allowed

Did a quick bit of searching and couldn't find anything, thought I'd ask here and see if I could get an explanation a little quicker.

 

In the security events, I actually have 2 IDS alerts that show 'allowed'

 

Allowed   SERVER-WEBAPP   DrayTek multiple products command injection attempt

 

I have about 20 of the same rule being blocked.  My question is why were those two 'allowed'?  MX over worked at that instant and let it through?  Just curious more than anything - we're just getting probed and I'm blocking IPs as they come in.  I do still wish we could setup a rule to shun IPs doing this kind of stuff.

8 REPLIES 8
CptnCrnch
Kind of a big deal
Kind of a big deal

Just to get this straight:

 

- There are several events that are allows

- Some events (same type) are being blocked?

Only 2 allowed, about 20 blocked over the course of ~ 24 hours.  Not bursty at all.

Nothing whitelisted - the 2 allows are from other countries.

They're even spaced apart - same rule was blocked around 0730, allowed at 0800, blocked at 0815, allowed at 0930, blocked at 1000.

WillG
Meraki Employee
Meraki Employee

I've seen this before when the attack is against a port/user that did not currently have a mapping through the MX.

 

I'd check and see if the details of the event show a PC or port that would have been active at the time, if there was no active flow, then the "attack" would have been denied at the firewall and recorded by IDS/IPS but it would have never been blocked at that level, as the firewall would've denied it first.

Not sure if that's happening here - there is a port/machine active.  It's the same destination as the other events that were blocked.  It's still happening today - 9 'blocked' with that same signature to the same destination, 1 'allowed' right in the middle of it.

MPycsi
Conversationalist

I am seeing exactly the same thing:
DrayTek multiple products command injection attempt
5:50 Blocked
6:33 Allowed
7:41 Blocked

Different source IPs, and almost identical packets.
Could not find anything to really explain this...

Me as well! I do not have any Draytek equipment. I do not know why these are marked as "allowed".  Would like to just see "Blocked". 

 

Einstein_0-1588264022637.png

 

Texbear
Comes here often

Did anyone ever find an answer to this question.  I have had the same issue.  It was "allowed" the 2 times I see it listed.

 

AlexP
Meraki Employee
Meraki Employee

Are the alerts in question being thrown by traffic directed to the MX's WAN/Public IP? If so, you're going to see "Allowed" as a decision, because the IDS sees and processes packets before the inbound firewall does.

If there are no port forwards, or other static NAT rules in place that permit that traffic, the IDS will alert that it's seen a payload matching a signature, and start waiting for additional traffic to drop. If no more comes - in this case, because the packet in question never gets a response because the inbound firewall dropped it - the IDS effectively cannot block any further traffic, so it notes it as Allowed.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels