IPS/IDS whitelist

SOLVED
Getting noticed

IPS/IDS whitelist

Hi Merakiers!

 

I need to apply whitelist rules in my IPS/IDS rules to a specific IP, but I do not have the option and I'm wondering if anyone knows how to do it, because I'm just seeing the option to whitelist rules and not IPs, which I think is very unsecure...

1 ACCEPTED SOLUTION

Accepted Solutions
Kind of a big deal

Re: IPS/IDS whitelist

Just believe what you're seeing: you're able to whitelist specific IPS rules, but not IP addresses.

On the other hand, it'd be a real burden with "real" Firepower or Snort alone.

7 REPLIES
Kind of a big deal

Re: IPS/IDS whitelist

I agree, whitelisting IPs would be very insecure.

New here

Re: IPS/IDS whitelist

I don't agree. Only being able to whitelist a signature is like taking a sledgehammer to crack a nut. We are seeing false positives caused by signatures, so being able to whitelist based on a source and destination IP address would be a really good idea. At the moment I have 2 options: don't whitelist and keep seeing the same false positive being flagged in security events (which incidentally means a ticket is raised every time), or whitelist the signature but then potentially miss a true positive event (which really is not what I would do).

Conversationalist

Re: IPS/IDS whitelist

Same, it's crazy, we have so many issues with this.

Checkpoint, Juniper can all whitelist an IP, so how come Meraki cannot?

Sort it out.

Conversationalist

Re: IPS/IDS whitelist

Why do you think this is insecure?

Whitelisting a signature will let any host through; whitelisting an IP allows one trusted host through.

Conversationalist

Re: IPS/IDS whitelist

Pen testers must love Meraki

Conversationalist

Re: IPS/IDS whitelist

Agreed with @trick227. We are having several SSH_EVENT_RESPONSEFLOW IDS alerts between two endpoints that communicate over the SDWAN. We need to whitelist the source/destination IP addresses and not the whole event.
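The trade-off argued over in this thread, as an added example (not from any poster and not Meraki functionality): the same constructed events filtered once by a signature-wide whitelist and once by an exception scoped to signature plus source and destination, as an alert or ticket pipeline outside the appliance might apply it. The field names, addresses and the second signature name are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample events; field names are illustrative, not a vendor schema.
EVENTS = [
    {"sig": "SSH_EVENT_RESPONSEFLOW", "src": "10.10.1.20", "dst": "10.20.1.30"},
    {"sig": "SSH_EVENT_RESPONSEFLOW", "src": "10.10.1.20", "dst": "10.20.1.30"},
    {"sig": "SSH_EVENT_RESPONSEFLOW", "src": "198.51.100.7", "dst": "10.20.1.30"},
    {"sig": "OTHER_SIGNATURE", "src": "10.10.1.20", "dst": "10.20.1.30"},
]

# Scoped exception: one signature, one source, one destination (CIDR allowed).
# It is directional: the reverse flow is not covered unless listed as well.
EXCEPTIONS = [
    {"sig": "SSH_EVENT_RESPONSEFLOW", "src": "10.10.1.20/32", "dst": "10.20.1.30/32"},
]


def signature_wide(events, whitelisted_sigs):
    """What whitelisting a signature does: drop it for every host."""
    return [e for e in events if e["sig"] not in whitelisted_sigs]


def scoped(events, exceptions):
    """Drop an event only when signature, source and destination all match."""
    rules = [(x["sig"], ip_network(x["src"]), ip_network(x["dst"])) for x in exceptions]

    def excepted(e):
        src, dst = ip_address(e["src"]), ip_address(e["dst"])
        return any(e["sig"] == s and src in sn and dst in dn for s, sn, dn in rules)

    return [e for e in events if not excepted(e)]


if __name__ == "__main__":
    wide = signature_wide(EVENTS, {"SSH_EVENT_RESPONSEFLOW"})
    narrow = scoped(EVENTS, EXCEPTIONS)
    # The signature-wide list loses the event from the unrelated source.
    print("signature-wide keeps:", [(e["sig"], e["src"]) for e in wide])
    # The scoped exception still surfaces it, and still drops the known pair.
    print("scoped keeps:        ", [(e["sig"], e["src"]) for e in narrow])
```
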
