MX-84 Passing traffic to a Meraki AP

Solved
DannyR76
Here to help


My firewall has IDS alerts for a few addresses; it's marking them as "OS-MOBILE Android Stagefright MP4 buffer overflow attempt", and it is allowing them. All on port 80.

Why is it allowing this traffic if it shows up as an IDS?

 

The AP is a Meraki AP33

3 Replies 3
PhilipDAth
Kind of a big deal

Have you got IPS set to prefer "security"?

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection#Intrus... 

My guess is the IPS event is below the configured level so no action is being taken.

DannyR76
Here to help

@PhilipDAth yes, I actually figured that one out on my own a long time ago. But very good call of course.

I think for now I will just make Layer 7 rules to block these until something breaks. 

Just makes me nervous when it says allow - and the AP is at the other end. 

Thanks.

PhilipDAth
Kind of a big deal

Good plan. I don't know specifically why it was allowed. It may be that the SNORT rule has low confidence (so a high chance of a false positive and blocking legit traffic). It may be that the CVSS score is not high enough to meet the threshold to take action so it is only reported.
