Security Center on MX-84 showing SSH_Event_RESPOVERFLOW threat as false positive

mattwilli18
New here

Hello all,

Our MX-84 is showing an SSH_Event_Respoverflow threat for an address that our backup appliance uses to send data offsite, causing the offsite backups to not replicate (can't make an SSH connection, essentially, as the Meraki appears to be blocking it). I have the IP address and hostname that is being blocked as a threat.

I reached out to support to see how to whitelist this, essentially, to which I was told the only thing that can be whitelisted is a URL under AMP (Advanced Malware Protection), which I don't believe is related to what I'm working with here.

What is my best way to basically mark this as a false positive to allow this traffic to pass? I see that I can whitelist the threat, but is that whitelisting any SSH_Event_RESPOVERFLOW instance that comes across or just this specific instance?

Hopefully I'm just missing something here/confused - thanks in advance here for any info.

Coesione_srl
Here to help

Hi @mattwilli18 

Which license do you have, enterprise or advanced?

Do you have some rule in firewall layer 3 or 7?

Thanks! We have the advanced security license.

There are rules in both layer 3 and layer 7, but nothing pertaining to this specifically to either allow SSH from that address (or using that address overall).

Coesione_srl
Here to help

Thanks for this as well. Wouldn't whitelisting an IDS rule apply across the board though? I feel like that's whitelisting that entire rule. I really just want to whitelist this one host/IP address. They reference a solution there, but then it just stops working as well.

The only option for whitelisting is by Snort rule, so this would disable this one completely. 

TCwork
Here to help

Just wanted to note that in MX 18.205, the following is now a feature: 

Trusted Traffic Exclusions - IP addresses and objects, as well as applications can now be “allow listed” and bypass IDS/IPS inspection

 

So now at least you get the choice of allow listing an entire Snort rule, or an entire host... Meraki back at it again with their only partially useful new "features".
