Meraki MX device IDS descriptions

Thomas99
New here

Meraki MX device IDS descriptions

We have been looking through the Meraki documentation for IDs alerts from the Meraki MX device and the ids descriptions are not very good.  For example the description for one alert is:

 

1377448470.246576346 MX84 ids-alerts signature=119:15:1 priority=2 timestamp=1377448470.238064 direction=egress protocol=tcp/ip src=

 

I am sure there is a document which gives a better description of the alert but I can't find it.  Would someone be able to point me in the correct direction?

4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal

The rules are Snort IDs.  You can search for them here:

https://www.snort.org/ 

 

However, I tried searching for this one already ... and it was missing.

PhilipDAth
Kind of a big deal
Kind of a big deal

You might be able to find more info in the Snort GitHub.

https://github.com/Cisco-Talos/snort-faq/ 

Thomas99
New here

Thanks I forgot to post the full post which is below and can be found at https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_... the description just says "ids signature matched".  Just trying to get a better description as opposed to just guessing the actual meaning.

 

event                       description                             sample

ids-alert                   ids signature matched           1377448470.246576346 MX84 ids-alerts signature=119:15:1                               

 

security_event ids_alertedids signature matchedsignature=1:28423:1 priority=1 timestamp=1468531589.810079
dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80
dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit
exe detection
Thomas99
New here

Did some more checking and I am beginning to guess that the snort id is 119:15:1 or perhaps just 119:15.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels