Meraki

Community

Security Center on MX-84 showing SSH_Event_RESPOVERFLOW threat as false positive

mattwilli18
New here
‎Jul 14 2020 5:57 AM
‎Jul 14 2020 5:57 AM

Security Center on MX-84 showing SSH_Event_RESPOVERFLOW threat as false positive

Hello all,

 

Our MX-84 is showing a SSH_Event_Respoverflow threat for an address that our backup appliance uses to send data offsite, causing the offsite backups to not replicate (cant make an SSH Connection essentially as the Meraki appears to be blocking it). I have the IP address and hostname that is being blocked as a threat.

 

I reached out to support to see how to whitelist this essentially- to which I was told the only thing that can be whitelisted is a URL under AMP (Advanced Malware Protection)- which I don't believe is related to what i'm working with here.

 

What is my best way to basically mark this as a false positive to allow this traffic to pass? I see that I can whitelist the threat, but is that whitelisting any SSH_Event_RESPOVERFLOW instance that comes across or just this specific instance?

 

Hopefully I'm just missing something here/confused- thanks in advance here for any info.

0 Kudos
6 Replies 6
Coesione_srl
Here to help
‎Jul 14 2020 6:10 AM
‎Jul 14 2020 6:10 AM

Hi @mattwilli18 

Which license do you have, enterprise or advanced?

Do you have some rule in firewall layer 3 or 7?

0 Kudos
In response to Coesione_srl
mattwilli18
New here
‎Jul 14 2020 6:32 AM
‎Jul 14 2020 6:32 AM

Thanks! We have the advanced security license.

 

There are rules in both layer3 and layer7 but nothing pertaining to this specifically to either allow SSH from that address (or using that address overall).

0 Kudos
Coesione_srl
Here to help
‎Jul 14 2020 6:15 AM
‎Jul 14 2020 6:15 AM

Hi @mattwilli18 

Try this https://community.meraki.com/t5/Security-SD-WAN/SFTP-session-disconnecting/td-p/49244

0 Kudos
In response to Coesione_srl
mattwilli18
New here
‎Jul 14 2020 6:37 AM
‎Jul 14 2020 6:37 AM

Thanks for this as well. Wouldn't whitelisting an IDS rule apply across the board though? I feel like thats whitelisting that entire rule- I really just want to whitelist this one host/ip address. They reference a solution there, but then it just stops working as well.

0 Kudos
In response to mattwilli18
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Jul 15 2020 5:22 AM
‎Jul 15 2020 5:22 AM

The only option for whitelisting is by Snort rule, so this would disable this one completely. 

0 Kudos
TCwork
Here to help
‎Mar 11 2024 11:35 AM
‎Mar 11 2024 11:35 AM

Just wanted to note that in MX 18.205, the following is now a feature: 

Trusted Traffic Exclusions - IP addresses and objects, as well as applications can now be “allow listed” and bypass IDS/IPS inspection

 

So now at least you get the choice of allow listing an entire snort rule, or an entire host.... Meraki back at it again with their only partially useful new "features".

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.