Packet Capture for IDS matches - Inspect Packet not available

sec_eng_owl
Conversationalist

Related to this thread - https://community.meraki.com/t5/Security-SD-WAN/Packet-Capture-for-IDS-matches/m-p/141960

 

When I am looking at Security Center -> MX Events and choosing an event from today, I do not get an Inspect Packet option. I thought this was previously available. Was that option removed?

 

Example options from MX Events tab:

sec_eng_owl_0-1657865831490.png

 

UCcert
Kind of a big deal

Hi @sec_eng_owl 

 

Thanks for bringing this one up. Just checked my lab MX, which is on FW 16:16. I get the same results as you in that I can’t see the inspect packet element.

 

Just checked a customer's network, same firmware, and I can see the inspect packet element.

 

What MX do you have and what license are you running? I.e. Enterprise Sec, Advanced Sec or Secure SD-WAN Plus?

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

We are on 16.16, not sure about the license.

 

I checked all our devices and tried a few different Snort signatures on each, and I found an egress suspicious TLD query signature that let me inspect it. Other signatures on the same device did not have the option. Why does it vary per signature?

 

Also the Source column in the MX Events table shows a tiny "Meraki Network OS" under the hostname for signatures that I can inspect too, if that is of any help.

UCcert
Kind of a big deal

Just went to the customer's dashboard where I could see the inspect packet report. It even seems hit and miss there also. Out of multiple events I could only see one which gave me the inspect packet option.
