IPS/IDS whitelist

Solved
Johnfnadez
Building a reputation

IPS/IDS whitelist

Hi Merakiers!

 

I need to apply whitelist rules in my IPS/IDS rules to specific IP, but I cannot have the option and I`m wondering if anyone knows how to do it, bc I`m just seeing the option to whitelist Rules and not IP wich I think that is very unsecure...

Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
1 Accepted Solution
CptnCrnch
Kind of a big deal
Kind of a big deal

Just believe what you‘re seeing: you‘re able to whitelist specific IPS rules, but not IP addresses.

 

On the other hand, it‘d be a real burden with „real“ Firepower or Snort alone.

View solution in original post

12 Replies 12
CptnCrnch
Kind of a big deal
Kind of a big deal

Just believe what you‘re seeing: you‘re able to whitelist specific IPS rules, but not IP addresses.

 

On the other hand, it‘d be a real burden with „real“ Firepower or Snort alone.

BrechtSchamp
Kind of a big deal

I agree, whitelisting IPs would be very insecure.

trick227
Conversationalist

I don't agree. Only being able to whitelist a Signature is like taking a sledghammer to crack a nut. We are seeing false positives caused by signatures, so being able to whitelist based on a source and destination ip adress would be a really good idea. At the moment I have 2 options. Don't whitlelist and keep seeing the same false positive being flagged in security events  (which incidently means a ticket is raised every time) or whitelist the signature but then potentially miss a a true positive event (which really is not what I would do).

Cb3dwa
Conversationalist

Same it's crazy, we have so many issues with this. 

 

Checkpoint, juniper can all whitelist a IP so how come meraki cannot. 

 

Sort it out 

JAIT
Conversationalist

agreed with @trick227. We are having several SSH_EVENT_RESPONSEFLOW IDS Alert between two endpoints that communicate over the SDWAN. We need to whitelist the source/destination ip addresses and not the whole event.

Cb3dwa
Conversationalist

Why do you think this is insecure ? 

 

Whitelist a signature will let any host through, whitelistimg a IP to allow one trusted host through 

 

 

 

 

Cb3dwa
Conversationalist

Pen testers must love meraki

 

Oderbang
Here to help

Its not the Pen Testers that hate it.. its the customers.. as we have to turn off a key security feature to let pen testers do their job...

We also have issues with 2 diffrent pairs of endpoints talking across SDWAN... i have MANY time woken up to our reporting system blaring alarms stating Replication of VM has failed... or that Emails are queued up because the mailbox server cannot talk to each other.... 
It has become a complete joke! literally any issue with have that is remotely related to 2 devices communicating that goes via an MX appliance you can place a pretty firm bet that its IDS and IPS messing stuff up again!

Oderbang
Here to help

Also to top it off.. if you use MX250 and IDS IPS set to prevent... do NOT go anywhere near the 16.15 stable RC firmware... it no longer abides by the whitelist for snort rules... so everything gets blocked!! an with no way to unblock it...we experianced this on multiple MX250 recently when moving the Stable RC as advised by Meraki due to ANOTHER issue with their firmware on on the current stable fork... (memory overload causing MX to panic and reboot) 

nightmare.

GM1
Just browsing

Late to this thread but searching around. I have a device with a false positive for snort signature and attempting to create an exception between the source/dest w/o creating a bypass for the signature for all. Is this not possible? The rule is SSH_EVENT_RESPOVERFLOW which is due to a backup. 

Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)

That's not possible. Meraki allows you to bypass all or nothing. It would be a great feature but it is not supported by Meraki for now. 

PhilipDAth
Kind of a big deal
Kind of a big deal
Get notified when there are additional replies to this discussion.