Testing IDS/IPS on Meraki MX

Johnfnadez
Building a reputation

Testing IDS/IPS on Meraki MX

Hello Friends!

 

Few months ago I saw a topic on this forum about "How to test IDS/IPS on Meraki Firewall?"

 

I really got this question and tried to answered for my self and now I want to share with you all a way to test the inspection on HTTP traffic that can be done by Meraki MX using IDS/IPS and AMP.

 

Its probably somebody else discovered this way before but I want to share it and documented with you on this forum to help other Meraki People to test their enviroment safely.

 

The only 3rd party software we need it "Postman" which is a well known program for people handling Automation APIs.

In summary with this program we can generate HTTP/HTTPS traffic and use methods such as GET/POST against HTTP comunications. With that concept I realized we can use it to generate traffic passing thru Meraki MX and check if it works as expected at least the Instrusion system with a well-known false positive signature registered only for testing reasons.

 

Well, for make this test straightforward I am using this page with HTTP service enabled which can be used as our target: http://www.testingmcafeesites.com/index.html

 

And then the well known threat copying the text inside the file that can be found on this link: https://www.eicar.org/download-anti-malware-testfile/

 

NOTE: Accesing the link above could trigger your antivirus/security enforcements on your computer and organization because it is used for downloading well known malicious files to test different security features.

 

Once we have the txt file downloaded from the page above, we can use the postman to send an HTTP POST with the text contained on the downloaded file in the following way:

 

Captura de Pantalla 2022-06-17 a la(s) 16.45.25.png

Finally just press "Send" and your computer will open the TCP connection against the site and then send the HTTP POST as we can see on this PCAP:

 

Captura de Pantalla 2022-06-17 a la(s) 16.51.09.png

Finally We can go to our Meraki Dashboard on: Security & SD-WAN => Security Center and We should be able to see the trigger we have activated:

 

Captura de Pantalla 2022-06-17 a la(s) 16.54.36.png

 

If you have any suggestions please let me know, also if you have any doubt,

 

 

 

Johnny Fernández | Network & Security Engineer

 

 

Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
0 REPLIES 0
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels