Intrusion Detection Error - Log

rarodrigo
Getting noticed


Hello Everyone,

I have some doubts about this intrusion detection error, because the logs always stay the same. My concern is related to the message "Unable start sniffer"; however, at the same time you can verify that the rules started.

So, why do I receive the error "unable start sniffer" for specific rules, while the same rules keep starting based on updates?

 

event_log_snort.png


Kind Regards,
Rodrigo
Twitter: @rar_21
If this was helpful Kudo me 🙂
12 Replies
Adam
Kind of a big deal

I've never noticed that before but hopefully it is a normal part of the IDS process after it gets its rule updates or something.  Here are some snippets from my logs as well.  I'm at firmware 13.28 and Prevention/Balanced mode. 

 

Capture.PNG

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
rarodrigo
Getting noticed

I am using the same version 13.28 and selected as Prevention/Security.

 

For me it's a weird message, because maybe the rules are not in place.


Kind Regards,
Rodrigo
Twitter: @rar_21
If this was helpful Kudo me 🙂
Ole_Soerensen
Here to help

Seeing the same issue here... Version 13.33. It's almost like a "hiccup" every time it needs to start...

 

Aug 19 17:50:59 Intrusion detection started snort_rules_version: 2.9.8.3, source: ids-vrt-balanced, rules: 828397756caef914fe42dc8bbb53da58b6815a2e
Aug 19 17:50:59 Intrusion detection error what: unable to start sniffer, snort_rules_version: 2.9.8.3, source: ids-vrt-balanced
Aug 19 17:50:59 Intrusion detection rules update snort_rules_version: 2.9.8.3, source: ids-vrt-balanced, rules: 828397756caef914fe42dc8bbb53da58b6815a2e
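The three entries quoted above share one timestamp: the sniffer reports "unable to start", yet a "started" entry with the same rule source and rules hash appears at the same second. The practical question for an operator is whether every such error is followed by a successful start (a transient restart hiccup) or whether some are not (a real gap in inspection). The following script is an added example, not code from the thread or from Meraki: it parses event-log lines in the format quoted above (event name and fields separated by a space), pairs each sniffer error with a "started" event for the same source within a few seconds, and reports the unpaired ones plus the interval between errors. The sample log is constructed; only the first three lines mirror the quoted ones, and the later timestamps are invented to show a recovered error and an unrecovered one.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the entries quoted in the thread. The last error has
# no matching "started" entry, so it should be reported as unrecovered.
SAMPLE_LOG = """\
Aug 19 17:50:59 Intrusion detection started snort_rules_version: 2.9.8.3, source: ids-vrt-balanced, rules: 828397756caef914fe42dc8bbb53da58b6815a2e
Aug 19 17:50:59 Intrusion detection error what: unable to start sniffer, snort_rules_version: 2.9.8.3, source: ids-vrt-balanced
Aug 19 17:50:59 Intrusion detection rules update snort_rules_version: 2.9.8.3, source: ids-vrt-balanced, rules: 828397756caef914fe42dc8bbb53da58b6815a2e
Aug 19 18:51:02 Intrusion detection started snort_rules_version: 2.9.8.3, source: ids-vrt-balanced, rules: 828397756caef914fe42dc8bbb53da58b6815a2e
Aug 19 18:51:02 Intrusion detection error what: unable to start sniffer, snort_rules_version: 2.9.8.3, source: ids-vrt-balanced
Aug 19 19:52:10 Intrusion detection error what: unable to start sniffer, snort_rules_version: 2.9.8.3, source: ids-vrt-balanced
"""

# Syslog-style timestamp, the fixed "Intrusion detection" prefix, the event name, then
# a comma-separated list of "key: value" fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"Intrusion detection (?P<event>started|error|rules update)\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict with ts, event and the key/value fields, or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("rest").split(", "):
        if ": " in part:
            key, value = part.split(": ", 1)
            fields[key.strip()] = value.strip()
    return {"ts": m.group("ts"), "event": m.group("event"), **fields}


def parse_events(lines):
    return [ev for ev in (parse_line(l) for l in lines) if ev]


def _to_dt(ts):
    # Syslog stamps carry no year; the default 1900 is fine for comparisons within one log.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def classify_errors(events, window_seconds=5):
    """Pair each 'unable to start sniffer' error with a 'started' event for the same
    rule source within window_seconds. Paired errors are transient restart hiccups;
    unpaired errors mean the sniffer may not be running."""
    starts = [e for e in events if e["event"] == "started"]
    results = []
    for err in events:
        if err["event"] != "error" or err.get("what") != "unable to start sniffer":
            continue
        t_err = _to_dt(err["ts"])
        recovered = any(
            s.get("source") == err.get("source")
            and abs((_to_dt(s["ts"]) - t_err).total_seconds()) <= window_seconds
            for s in starts
        )
        results.append({"ts": err["ts"], "source": err.get("source"), "recovered": recovered})
    return results


def summarize_errors(lines):
    """Counts of recovered/unrecovered sniffer errors plus the unrecovered timestamps."""
    classified = classify_errors(parse_events(lines))
    unrecovered = [c["ts"] for c in classified if not c["recovered"]]
    return {
        "errors": len(classified),
        "recovered": len(classified) - len(unrecovered),
        "unrecovered": len(unrecovered),
        "unrecovered_ts": unrecovered,
    }


def error_gaps_seconds(lines):
    """Seconds between consecutive sniffer errors, to see whether they recur on a schedule."""
    stamps = [_to_dt(e["ts"]) for e in parse_events(lines) if e["event"] == "error"]
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(summarize_errors(lines))
    print(error_gaps_seconds(lines))
```

Run against an export of the MX event log, the summary tells you whether the errors are all of the paired kind described in this thread; an unrecovered error, or a growing count of them, is the case worth raising with support rather than waiting on a firmware train.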
Kenny-Netravine
Conversationalist

Same issue here.  I'm seeing it about every hour or so.  I'm not sure we are protected and so I opened a support case.  I'd urge y'all to do the same.

Kenny-Netravine
Conversationalist

OK I just got this back from Meraki support:

 

"Greetings Kenny,

Thank you for contacting Cisco Meraki Support!

The issue you're facing is known, and we have released a resolution for it on our newest beta firmware 14.31. We suggest upgrading your MX to 14.31.

If you want to upgrade the firmware, make sure to do it in a maintenance window (the MX will reboot), and if you want to roll back to the previous version, you always have the option to downgrade.

Please let me know if there is anything else I can assist you with."

dmogavero42
Just browsing

Hello Kenny - Did you actually go to this beta code, and if so, did that resolve the issue?

 

We have 20+ sites with MX64's with the same issue.

 

Thanks

Kenny-Netravine
Conversationalist

Yes, my issue was resolved with the upgrade.

rarodrigo
Getting noticed

@Charlie In my case I keep "AMP" enabled and I am seeing the same error in the event log.

I checked what those guys mentioned about version 14.31; however, that version is not available in my case, and I only have 13.36 (stable release) and 14.36 (latest beta).

Opera Snapshot_2018-12-04_093805_n116.meraki.com.png

However, I can see the release information for version 14.31, but it has no information about fixing this issue. Weird!!!

I will upgrade only one box and check the environment.

 

 


Kind Regards,
Rodrigo
Twitter: @rar_21
If this was helpful Kudo me 🙂
Charlie
Getting noticed

I was about to open a case when I ran across this thread. I always attributed this to the fact that I disabled Advanced Malware Protection. We had many secure URLs that would be very slow to respond, sometimes not at all. We turned that off and it resolved that issue. Beyond that, I am curious to know if you guys have disabled AMP and if this is part and parcel of that error.

 

"Intrusion detection error what: unable to start sniffer"

Martin_Oyarzun
New here

Hello,

 

I have the same messages, but my MX version is 15.11 and I have Malware protection enabled.

Well, who could know the reason for those messages?

 

Regards,

 

Martin.

rarodrigo
Getting noticed

I no longer have this log in my system and I keep using "AMP".

I am running 14.38 and it stays stable without reproducing the message.


Kind Regards,
Rodrigo
Twitter: @rar_21
If this was helpful Kudo me 🙂
JoeLouis
New here

I can't believe that three years later this is STILL a problem. I am losing faith in Cisco products related to security. I have the same problem with false positives on other Cisco products with AMP, and their support is horrid for these features.
