Meraki

Community

Intrusion Detection Error - Log

rarodrigo
Getting noticed
‎Jun 5 2018 6:51 AM
‎Jun 5 2018 6:51 AM

Intrusion Detection Error - Log

Hello Everyone,

 

I have some doubts about this error based in intrusion detection, because all the time the logs keep the same. My concern is related with message based in " Unable start sniffer ", however on the same time you can verify rules started.

 

So, why receiving error putting with unable start sniffer based specific rules and keep starting same rules  based in updates?

 

event_log_snort.png

Kind Regards,
Rodrigo
Twitter: @rar_21
If this was helpful Kudo me 🙂
12 Replies 12
Adam
Kind of a big deal
‎Jun 5 2018 8:07 AM
‎Jun 5 2018 8:07 AM

I've never noticed that before but hopefully it is a normal part of the IDS process after it gets its rule updates or something.  Here are some snippets from my logs as well.  I'm at firmware 13.28 and Prevention/Balanced mode. 

 

Capture.PNG

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
In response to Adam
rarodrigo
Getting noticed
‎Jun 5 2018 8:36 AM
‎Jun 5 2018 8:36 AM

I am using the same version 13.28 and selected as Prevention/Security.

 

For me it's weird message, because maybe rules are not in place.

Kind Regards,
Rodrigo
Twitter: @rar_21
If this was helpful Kudo me 🙂
0 Kudos
In response to rarodrigo
Ole_Soerensen
Here to help
‎Aug 28 2018 5:55 AM
‎Aug 28 2018 5:55 AM

Seeing the same issue here... Version 13.33 - It´s almost like a "hickup" everytime it needs to start...

 

Aug 19 17:50:59 Intrusion detection startedsnort_rules_version: 2.9.8.3, source: ids-vrt-balanced, rules: 828397756caef914fe42dc8bbb53da58b6815a2e
Aug 19 17:50:59 Intrusion detection errorwhat: unable to start sniffer, snort_rules_version: 2.9.8.3, source: ids-vrt-balanced  more »
Aug 19 17:50:59 Intrusion detection rules updatesnort_rules_version: 2.9.8.3, source: ids-vrt-balanced, rules: 828397756caef914fe42dc8bbb53da58b6815a2e
0 Kudos
In response to Ole_Soerensen
Kenny-Netravine
Conversationalist
‎Aug 29 2018 11:10 AM
‎Aug 29 2018 11:10 AM

Same issue here.  I'm seeing it about every hour or so.  I'm not sure we are protected and so I opened a support case.  I'd urge y'all to do the same.

0 Kudos
In response to Kenny-Netravine
Kenny-Netravine
Conversationalist
‎Aug 29 2018 11:26 AM
‎Aug 29 2018 11:26 AM

OK I just got this back from Meraki support:

 

"Greetings Kenny,

Thank you for contacting Cisco Meraki Support!

The issue you're facing is known, and we have released a resolution for it on our newest beta firmware 14.31. We suggest upgrading your MX to 14.31.

If you want to upgrade firmware make sure to do it over maintenance window (MX will reboot) and if you want to roll back to the previous version you have always option to downgrade.

Please let me know if there is anything else I can assist you with."

In response to Kenny-Netravine
dmogavero42
Just browsing
‎Dec 3 2018 9:48 AM
‎Dec 3 2018 9:48 AM

Hello Kenny - Did you actually go to this beta code and if so, did the resolve the issue?

 

We have 20+ sites with MX64's with the same issue.

 

Thanks

0 Kudos
In response to dmogavero42
Kenny-Netravine
Conversationalist
‎Dec 3 2018 10:56 AM
‎Dec 3 2018 10:56 AM

Yes, My issue was resolved with the upgrade.

0 Kudos
In response to Kenny-Netravine
rarodrigo
Getting noticed
‎Dec 4 2018 3:48 AM
‎Dec 4 2018 3:48 AM

@Charlie In my case I keep using " AMP " as enable and looking the same error on the event log.

I verified those guys mentioned about version 14.31, however this version for my case is not available and have only 13.36 ( stable release ) and 14.36 ( latest beta ).

 

Opera Snapshot_2018-12-04_093805_n116.meraki.com.png

However I can verify release information about version 14.31, but keep without any information about fix issue. Weird!!!

I will do upgrade of only one box and verify environment.

 

 

Kind Regards,
Rodrigo
Twitter: @rar_21
If this was helpful Kudo me 🙂
0 Kudos
In response to Ole_Soerensen
Charlie
Getting noticed
‎Aug 29 2018 2:08 PM
‎Aug 29 2018 2:08 PM

I was about to open a case when I ran across this thread.  I always attributed this to the fact that I disabled Advanced Malware Protection.  We had many secure URLs that would be very slow to respond sometimes not at all.  We turned that off and it resolved that issue. Beyond that I am curious to know if you guys have disabled AMP and if this is part and parcel to that error. 

 

"Intrusion detection error    what: unable to start sniffer"

0 Kudos
Martin_Oyarzun
New here
‎Jan 31 2019 12:31 PM
‎Jan 31 2019 12:31 PM

Hello,

 

I have same messages but my MX version is 15.11 and I have enabled Malware protection.

 

Well, who could know reason why those messages?.

 

Regards,

 

Martin.

0 Kudos
In response to Martin_Oyarzun
rarodrigo
Getting noticed
‎Feb 1 2019 9:44 AM
‎Feb 1 2019 9:44 AM

I don't have more this log in my system and keep using " AMP ".

I am running inside 14.38 and keep stable without replicating the message. 

Kind Regards,
Rodrigo
Twitter: @rar_21
If this was helpful Kudo me 🙂
0 Kudos
In response to Martin_Oyarzun
JoeLouis
New here
‎Jun 27 2022 9:08 AM
‎Jun 27 2022 9:08 AM

I can't believe three years later, that this is STILL a problem. I am losing faith in Cisco products related to security. I have the same problem with false positives other Cisco products with AMP and their support is horrid for these features. 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.