Meraki

Duijv023 · ‎Feb 8 2024

On multiple sites I see IDS alerts :

Feb 8 13:06:36 IDS Alert
ftg-hdn-mr009-f89e28da6552
Meraki Network OS
whatsapp-chatd-edge-shv-01-ams4.facebook.com
157.240.201.61:80
Blocked SERVER-APACHEBEA WebLogic Apache Oracle connector Transfer-Encoding buffer overflow attempt
Feb 8 13:01:16 IDS Alert
ftg-hdn-mr009-f89e28da6552
Meraki Network OS
whatsapp-chatd-edge-shv-01-ams4.facebook.com
157.240.201.61:80
Blocked SERVER-APACHEBEA WebLogic Apache Oracle connector Transfer-Encoding buffer overflow attempt
Feb 8 12:57:48 IDS Alert
ftg-hdn-mr002-f89e28da76f8
Meraki Network OS
ac9293e5fb5d2d1d2.awsglobalaccelerator.com
3.33.252.61:80
Blocked SERVER-APACHEBEA WebLogic Apache Oracle connector Transfer-Encoding buffer overflow attempt
Feb 8 12:53:12 IDS Alert
ftg-hdn-mr002-f89e28da76f8
Meraki Network OS
whatsapp-chatd-edge-shv-01-ams4.facebook.com
157.240.201.61:80
Blocked SERVER-APACHEBEA WebLogic Apache Oracle connector Transfer-Encoding buffer overflow attempt
Feb 8 12:49:01 IDS Alert
ftg-hdn-mr003-f89e28da6649
Meraki Network OS
whatsapp-chatd-edge-shv-01-ams4.facebook.com
157.240.201.61:80
Blocked SERVER-APACHEBEA WebLogic Apache Oracle connector Transfer-Encoding buffer overflow attempt
Feb 8 12:45:06 IDS Alert
ftg-hdn-mr009-f89e28da6552
Meraki Network OS
whatsapp-chatd-edge-shv-02-fra3.facebook.com
157.240.0.61:80
Blocked SERVER-APACHEBEA WebLogic Apache Oracle connector Transfer-Encoding buffer overflow attempt
Feb 8 12:11:41 IDS Alert
ftg-hdn-mr002-f89e28da76f8
Meraki Network OS
whatsapp-chatd-edge-shv-01-lax3.facebook.com
31.13.70.50:80
Blocked SERVER-APACHEBEA WebLogic Apache Oracle connector Transfer-Encoding buffer overflow attempt
Feb 8 12:11:16 IDS Alert
ftg-hdn-mr002-f89e28da76f8
Meraki Network OS
whatsapp-chatd-edge-shv-01-ams4.facebook.com
157.240.201.61:80
Blocked SERVER-APACHEBEA WebLogic Apache Oracle connector Transfer-Encoding buffer overflow attempt

Is it possible we see are seeing a False Positive?

Greetings from Holland

Duijv023 · ‎Feb 8 2024

no actual events anymore.

no one is complaining.
Seems to be OK again

View solution in original post

alemabrahao · ‎Feb 8 2024

Maybe, but you'd better investigate.

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection#Dealin...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Duijv023 · ‎Feb 8 2024

Of course, working on that.

Seeing it on all location throughout our organization.
All kind of devices, Windows, IOS, Android.

Duijv023 · ‎Feb 8 2024

no actual events anymore.

no one is complaining.
Seems to be OK again

txhomer · ‎Feb 8 2024

I'm also seeing this in our organization across many networks. There were a few starting on 2/5 and then spiking the last 2 days.

GOEIT · ‎Feb 9 2024

Still seeing these events on 2/9. Strongly suspect false positive. Still, would like better analysis that I can perform quickly.

DonG · ‎Feb 14 2024

We've been getting this almost daily for the last week or so - should we be worried or is this a FP?

Duijv023 · ‎Feb 15 2024

I couldn't find an issue. To me, it seems like a FP indeed.
After a little while of rest, the events returned again.
Multiple sites, multiple devices with multiple platforms/OS's.

Sourkeys · ‎Feb 15 2024

Seeing it lots since early Feb too

JS65_ARM · ‎Feb 15 2024

We have also this issue, in our case since 2/5 .

Meraki

Community

Possible FP on MX / IDS ??

Possible FP on MX / IDS ??