Intrusion Detection Error - Log


Hello Everyone,

 

I have some doubts about this intrusion detection error, because the logs stay the same all the time. My concern is with the message "Unable start sniffer"; however, at the same time you can see that the rules started.

 

So, why am I receiving an "unable start sniffer" error for specific rules while the same rules keep starting based on updates?

 

event_log_snort.png


Kind Regards,
Rodrigo
Twitter: @rar_21
If this was helpful Kudo me :)
9 REPLIES

Re: Intrusion Detection Error - Log

I've never noticed that before but hopefully it is a normal part of the IDS process after it gets its rule updates or something.  Here are some snippets from my logs as well.  I'm at firmware 13.28 and Prevention/Balanced mode. 

 

Capture.PNG

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.

Re: Intrusion Detection Error - Log

I am using the same version, 13.28, with Prevention/Security selected.

 

For me it's a weird message, because maybe the rules are not in place.


Kind Regards,
Rodrigo
Twitter: @rar_21
If this was helpful Kudo me :)

Re: Intrusion Detection Error - Log

Seeing the same issue here... Version 13.33 - It's almost like a "hiccup" every time it needs to start...

 

Aug 19 17:50:59    Intrusion detection started    snort_rules_version: 2.9.8.3, source: ids-vrt-balanced, rules: 828397756caef914fe42dc8bbb53da58b6815a2e
Aug 19 17:50:59    Intrusion detection error    what: unable to start sniffer, snort_rules_version: 2.9.8.3, source: ids-vrt-balanced
Aug 19 17:50:59    Intrusion detection rules update    snort_rules_version: 2.9.8.3, source: ids-vrt-balanced, rules: 828397756caef914fe42dc8bbb53da58b6815a2e

Re: Intrusion Detection Error - Log

Same issue here.  I'm seeing it about every hour or so.  I'm not sure we are protected and so I opened a support case.  I'd urge y'all to do the same.


Re: Intrusion Detection Error - Log

OK I just got this back from Meraki support:

 

"Greetings Kenny,

Thank you for contacting Cisco Meraki Support!

The issue you're facing is known, and we have released a resolution for it on our newest beta firmware 14.31. We suggest upgrading your MX to 14.31.

If you want to upgrade the firmware, make sure to do it during a maintenance window (the MX will reboot), and if you want to roll back to the previous version you always have the option to downgrade.

Please let me know if there is anything else I can assist you with."


Re: Intrusion Detection Error - Log

I was about to open a case when I ran across this thread. I always attributed this to the fact that I disabled Advanced Malware Protection. We had many secure URLs that would be very slow to respond, sometimes not at all. We turned that off and it resolved that issue. Beyond that, I am curious to know if you guys have disabled AMP and if this is part and parcel to that error.

 

"Intrusion detection error    what: unable to start sniffer"


Re: Intrusion Detection Error - Log

Hello Kenny - Did you actually go to this beta code and if so, did that resolve the issue?

 

We have 20+ sites with MX64s with the same issue.

 

Thanks


Re: Intrusion Detection Error - Log

Yes, my issue was resolved with the upgrade.


Re: Intrusion Detection Error - Log

@Charlie In my case I keep "AMP" enabled and still see the same error in the event log.

I checked what those guys mentioned about version 14.31; however, this version is not available in my case, and I have only 13.36 (stable release) and 14.36 (latest beta).

 

Opera Snapshot_2018-12-04_093805_n116.meraki.com.png

However, I can see the release information for version 14.31, but it still has no information about a fix for this issue. Weird!!!

I will upgrade only one box and verify the environment.

 

 


Kind Regards,
Rodrigo
Twitter: @rar_21
If this was helpful Kudo me :)