cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IPS/IDS whitelist

SOLVED
Go to solution
Johnfnadez
Getting noticed
‎06-10-2020 10:48 AM
‎06-10-2020 10:48 AM

IPS/IDS whitelist

Hi Merakiers!

 

I need to apply whitelist rules in my IPS/IDS rules to specific IP, but I cannot have the option and I`m wondering if anyone knows how to do it, bc I`m just seeing the option to whitelist Rules and not IP wich I think that is very unsecure...

0 Kudos
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
CptnCrnch
Kind of a big deal
Kind of a big deal
‎06-10-2020 10:53 AM
‎06-10-2020 10:53 AM

Re: IPS/IDS whitelist

Just believe what you‘re seeing: you‘re able to whitelist specific IPS rules, but not IP addresses.

 

On the other hand, it‘d be a real burden with „real“ Firepower or Snort alone.

View solution in original post

Reply
7 REPLIES 7
CptnCrnch
Kind of a big deal
Kind of a big deal
‎06-10-2020 10:53 AM
‎06-10-2020 10:53 AM

Re: IPS/IDS whitelist

Just believe what you‘re seeing: you‘re able to whitelist specific IPS rules, but not IP addresses.

 

On the other hand, it‘d be a real burden with „real“ Firepower or Snort alone.

View solution in original post

Reply
BrechtSchamp
Kind of a big deal
Kind of a big deal
‎06-10-2020 11:54 PM
‎06-10-2020 11:54 PM

Re: IPS/IDS whitelist

I agree, whitelisting IPs would be very insecure.

Reply
trick227
New here
‎10-16-2020 01:42 AM
‎10-16-2020 01:42 AM

Re: IPS/IDS whitelist

I don't agree. Only being able to whitelist a Signature is like taking a sledghammer to crack a nut. We are seeing false positives caused by signatures, so being able to whitelist based on a source and destination ip adress would be a really good idea. At the moment I have 2 options. Don't whitlelist and keep seeing the same false positive being flagged in security events  (which incidently means a ticket is raised every time) or whitelist the signature but then potentially miss a a true positive event (which really is not what I would do).

Reply
Cb3dwa
Conversationalist
‎10-16-2020 02:55 PM
‎10-16-2020 02:55 PM

Re: IPS/IDS whitelist

Same it's crazy, we have so many issues with this. 

 

Checkpoint, juniper can all whitelist a IP so how come meraki cannot. 

 

Sort it out 

0 Kudos
Reply
Cb3dwa
Conversationalist
‎10-16-2020 02:58 PM
‎10-16-2020 02:58 PM

Re: IPS/IDS whitelist

Why do you think this is insecure ? 

 

Whitelist a signature will let any host through, whitelistimg a IP to allow one trusted host through 

 

 

 

 

0 Kudos
Reply
Cb3dwa
Conversationalist
‎10-16-2020 03:00 PM
‎10-16-2020 03:00 PM

Re: IPS/IDS whitelist

Pen testers must love meraki

 

0 Kudos
Reply
JAIT
Conversationalist
‎12-15-2020 08:13 AM
‎12-15-2020 08:13 AM

Re: IPS/IDS whitelist

agreed with @trick227. We are having several SSH_EVENT_RESPONSEFLOW IDS Alert between two endpoints that communicate over the SDWAN. We need to whitelist the source/destination ip addresses and not the whole event.

0 Kudos
Reply
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2021 Meraki