Meraki

Community

MX-84 Passing traffic to a Meraki AP

Solved
DannyR76
Here to help
‎Apr 20 2022 2:33 PM
‎Apr 20 2022 2:33 PM

MX-84 Passing traffic to a Meraki AP

My firewall has IDS alerts for a few addresses, it's marking them as "OS-MOBILE Android Stagefright MP4 buffer overflow attempt", and it is allowing them. All on port 80. 

Why is it allowing this traffic if it shows up as an IDS?

 

The AP is a Meraki AP33

1 Accepted Solution
In response to DannyR76
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 22 2022 3:46 PM
‎Apr 22 2022 3:46 PM

Good plan.  I don't know specifically why it was allowed.  It may be that the SNORT rule has low confidence (so a high chance of a false positive and blocking legit traffic).  It may be that the CVSS score is not high enough to meet the threshold to take action so it is only reported.

View solution in original post

3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 21 2022 3:45 PM
‎Apr 21 2022 3:45 PM

Have you got IPS set to prefer "security"?

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection#Intrus... 

My guess is the IPS event is below the configured level so no action is being taken.

In response to PhilipDAth
DannyR76
Here to help
‎Apr 22 2022 7:18 AM
‎Apr 22 2022 7:18 AM

@PhilipDAth yes, I actually figured that one out on my own a long time ago. But very good call of course.

DannyR76_0-1650637027604.png

I think for now I will just make Layer 7 rules to block these until something breaks. 

Just makes me nervous when it says allow - and the AP is at the other end. 

Thanks.

In response to DannyR76
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 22 2022 3:46 PM
‎Apr 22 2022 3:46 PM

Good plan.  I don't know specifically why it was allowed.  It may be that the SNORT rule has low confidence (so a high chance of a false positive and blocking legit traffic).  It may be that the CVSS score is not high enough to meet the threshold to take action so it is only reported.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.