Meraki

Frank-NL · ‎Jul 24 2024

Hi,

Lately we have been seeing a lot of snort blocks of traffic which seems to be 'reversed'. With no specific NAT rules configured it seems that internet hosts are able to reach internal clients on specific ports. For example:

Source: 84.54.51.37:49716 Destination: 192.168.x.222:80 TP-Link Archer Router command injection attempt

How is this possible? Is the reporting wrong maybe?

Thanks,

Frank

Frank-NL · ‎Jul 25 2024

Closing the topic, as this was a pure mistake in observation/perception as the client name and OS were wrongly classified. The client IP was actually configured in NAT rule for forwarding.

Thanks

View solution in original post

ww · ‎Jul 24 2024

Have you enabled early access: NAT Exceptions with Manual Inbound Firewall?

Frank-NL · ‎Jul 24 2024

Nope

Frank-NL · ‎Jul 24 2024

<>

Brash · ‎Jul 24 2024

Not a definitive answer, but if you don't have any DNAT rules configured, and manual inbound firewall is disabled, I'd be concerned that the device (192.168.x.222) may already be compromised.

Frank-NL · ‎Jul 25 2024

Closing the topic, as this was a pure mistake in observation/perception as the client name and OS were wrongly classified. The client IP was actually configured in NAT rule for forwarding.

Thanks

Meraki

Community

Strange security center "reverse" attacks?

Strange security center "reverse" attacks?