Snort version and details via API (CVE-2020-1350)

Solved
achowsy
Comes here often

Snort version and details via API (CVE-2020-1350)

Hi 

 

We have MXs with Advanced Security Licenses.  

 

Recently there was a DNS vuln https://blog.talosintelligence.com/2020/07/microsoft-patch-tuesday-for-july-2020.html.

 

Just want to find out if we can use API to see whether the snort rules is updated in the MXs or anyway to know how we know if we are protected.  (like how we can find out the snort rules installed).

 

Thanks.

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

I'm not aware of where you would find should a mapping.

 

Just the info below of when the signatures have been updated.

View solution in original post

7 Replies 7
PhilipDAth
Kind of a big deal
Kind of a big deal

I think you could do this by scanning the event log.

https://dashboard.meraki.com/api_docs/v0#list-the-events-for-the-network 

achowsy
Comes here often

Sorry but is there any specifics you can share?

PhilipDAth
Kind of a big deal
Kind of a big deal

Search for events containing "snort".

achowsy
Comes here often

I don't see snort as part of the event type.

 

At least when I run the below i don't see Snort.

https://api.meraki.com/api/v0/networks/:networkId/events/eventTypes

PhilipDAth
Kind of a big deal
Kind of a big deal

How about this type?

 

PhilipDAth_0-1595465745260.png

 

achowsy
Comes here often

From the GUI i can get it and below is an example

 

snort_rules_version: 2.9.8.3, source: ids-vrt-security, rules: b3e3f2e7a2e5b7b509a7dd15e5ef9e679d225a20

 

I managed to get the commands to get it via API.

 

Can you shed some light on where can you map the rules b3e3f2e7a2e5b7b509a7dd15e5ef9e679d225a20 to what is defined in that rule? eg the CVE-2020-1350..

 

Thanks a lot

PhilipDAth
Kind of a big deal
Kind of a big deal

I'm not aware of where you would find should a mapping.

 

Just the info below of when the signatures have been updated.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels