We have a few Meraki MX devices on 16.16 firmware, have configured IDS in Detection mode, sending them out via syslog. This works.
When we get an event, we want to determine whether it is accurate or a false positive. This is best done with a packet capture that contains the packet that matched the Snort signature. What is the best way to see that matching packet, or the few packets around it?
Thank you,
D
@sec_eng_owl: check this out
That does not seem like the correct solution since the captured packets are not limited to IDS signature matches. We don't want all packets. We just want packets that match an IDS signature, so we can evaluate the packet content against the signature itself to see if the match is a false positive.
Can Meraki capture only packets for IDS signature matches?
A related function in Cisco FTD is described here: Firepower Management Center Configuration Guide, Version 6.2
From link:
"When the system identifies a possible intrusion, it generates an intrusion event, which is a record of the date, time, the type of exploit, and contextual information about the source of the attack and its target. For packet-based events, a copy of the packet or packets that triggered the event is also recorded."
This is what we need in Meraki MX too: the last part, about a copy of the matching packets.
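As an added example (not from this thread, Meraki or Cisco): once the pcap for an event has been downloaded, a short script can check whether the packet payload really contains every `content:` pattern in the Snort rule, which is the comparison the post above describes. The rule, sid and payloads below are constructed samples, and only classic `content:` / `nocase` syntax is handled (pcre, flow, depth/offset are ignored).

```python
# Constructed sample rule: local sid range, not a real Meraki/Snort signature.
RULE = ('alert tcp any any -> any 80 (msg:"SAMPLE admin config access"; '
        'flow:to_server; content:"GET "; depth:4; content:"/admin/config"; nocase; '
        'content:"|0d 0a|Host:"; sid:1000001; rev:1;)')

# Constructed payloads: one that genuinely satisfies the rule, one that does not.
PAYLOAD_HIT = b"GET /Admin/config HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
PAYLOAD_MISS = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def snort_bytes(raw: str) -> bytes:
    """Convert Snort content text such as 'abc|0d 0a|def' into raw bytes.
    Segments between pipe characters are hex, everything else is literal."""
    out = b""
    for i, part in enumerate(raw.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out


def parse_contents(rule: str):
    """Return [(pattern_bytes, nocase), ...] for each content: option in the rule.
    Options are split on ';', so a content containing a literal ';' is not supported."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents, pending = [], None
    for opt in (o.strip() for o in body.split(";")):
        if opt.startswith("content:"):
            if pending:
                contents.append(tuple(pending))
            pending = [snort_bytes(opt[len("content:"):].strip().strip('"')), False]
        elif opt == "nocase" and pending:
            pending[1] = True          # modifier applies to the preceding content
    if pending:
        contents.append(tuple(pending))
    return contents


def check_payload(payload: bytes, rule: str) -> dict:
    """Map each content pattern to whether it is found in the payload (nocase aware)."""
    result = {}
    for pat, nocase in parse_contents(rule):
        hay, needle = (payload.lower(), pat.lower()) if nocase else (payload, pat)
        result[pat] = needle in hay
    return result


def is_true_positive(payload: bytes, rule: str) -> bool:
    """True only if every content: pattern of the rule is present in the payload."""
    return all(check_payload(payload, rule).values())


if __name__ == "__main__":
    for name, p in (("hit", PAYLOAD_HIT), ("miss", PAYLOAD_MISS)):
        print(name, check_payload(p, RULE), "->", is_true_positive(p, RULE))
```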
In Security Center if you click through to the event you can see the packet and download the pcap of just that event. Here is an example I found:
BrandonS, that is exactly what I was looking for, but we don't have the Inspect Packet option. My signature match options are shown below:
How do I enable the Inspect Packet option? Encouraging feedback so far.
Thanks,
D
I think you may only see it under the MX Events tab and not the MX Summary tab. Which makes sense because you would be interested in the specific event, not the summary of events in this case of seeing the packet.
Bingo. That's it! Thanks for your help tracking that down!