Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MX-84 Passing traffic to a Meraki AP

Solved
DannyR76
Here to help
‎Apr 20 2022 2:33 PM
‎Apr 20 2022 2:33 PM

MX-84 Passing traffic to a Meraki AP

My firewall has IDS alerts for a few addresses, it's marking them as "OS-MOBILE Android Stagefright MP4 buffer overflow attempt", and it is allowing them. All on port 80. 

Why is it allowing this traffic if it shows up as an IDS?

 

The AP is a Meraki AP33

Subscribe
1 Accepted Solution
In response to DannyR76
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 22 2022 3:46 PM
‎Apr 22 2022 3:46 PM

Good plan.  I don't know specifically why it was allowed.  It may be that the SNORT rule has low confidence (so a high chance of a false positive and blocking legit traffic).  It may be that the CVSS score is not high enough to meet the threshold to take action so it is only reported.

View solution in original post

Subscribe
3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 21 2022 3:45 PM
‎Apr 21 2022 3:45 PM

Have you got IPS set to prefer "security"?

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection#Intrus... 

My guess is the IPS event is below the configured level so no action is being taken.

Subscribe
In response to PhilipDAth
DannyR76
Here to help
‎Apr 22 2022 7:18 AM
‎Apr 22 2022 7:18 AM

@PhilipDAth yes, I actually figured that one out on my own a long time ago. But very good call of course.

DannyR76_0-1650637027604.png

I think for now I will just make Layer 7 rules to block these until something breaks. 

Just makes me nervous when it says allow - and the AP is at the other end. 

Thanks.

Subscribe
In response to DannyR76
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 22 2022 3:46 PM
‎Apr 22 2022 3:46 PM

Good plan.  I don't know specifically why it was allowed.  It may be that the SNORT rule has low confidence (so a high chance of a false positive and blocking legit traffic).  It may be that the CVSS score is not high enough to meet the threshold to take action so it is only reported.

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.