Meraki

Community

What edition of Snort ruleset is Meraki IPS using?

Solved
Kamome
Building a reputation
‎Feb 9 2022 11:04 PM
‎Feb 9 2022 11:04 PM

What edition of Snort ruleset is Meraki IPS using?

As far as I know, Meraki IDS/IPS uses Snort VRT rulesets, but there are absolutely no information about ruleset itself.

 

All I can find is Meraki uses Snort 2.9 rulesets, but I;m not sure it's bases on community or registered ruleset.

If it's based on registerd ruleset, that means I cannot access full signature list until I buy or subscribe Snort.

 

Does anybody know what edition of ruleset Meraki uses?

0 Kudos
1 Accepted Solution
Kamome
Building a reputation
‎Feb 9 2022 11:30 PM
‎Feb 9 2022 11:30 PM

Oh, silly me.

 

I just found that Meraki IDS/IPS is basesd on Snort VRT ruleset, and Snort VRT ruleset is alias for Subscriber Ruleset, which is paid one.

 

Welp, that means I cannot see every signature list in Meraki IPS ruleset. But I think that Registerd ruleset can give me general idea of current Snort signature database.

View solution in original post

0 Kudos
6 Replies 6
DarrenOC
Kind of a big deal
Kind of a big deal
‎Feb 9 2022 11:07 PM
‎Feb 9 2022 11:07 PM

Are you sure it’s version 2.9?  I thought we were at V3

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
Kamome
Building a reputation
‎Feb 9 2022 11:11 PM
‎Feb 9 2022 11:11 PM

Yeah. I looked up Event logs, and it says that "snort_rules_version : 2.9.15.1"

 

Kamome_0-1644477101326.png

 

0 Kudos
In response to DarrenOC
AlexP
Meraki Employee
Meraki Employee
‎Feb 10 2022 9:30 AM
‎Feb 10 2022 9:30 AM

We're in the process of transitioning models from 2.9 to 3 as of MX16 firmware

0 Kudos
Kamome
Building a reputation
‎Feb 9 2022 11:30 PM
‎Feb 9 2022 11:30 PM

Oh, silly me.

 

I just found that Meraki IDS/IPS is basesd on Snort VRT ruleset, and Snort VRT ruleset is alias for Subscriber Ruleset, which is paid one.

 

Welp, that means I cannot see every signature list in Meraki IPS ruleset. But I think that Registerd ruleset can give me general idea of current Snort signature database.

0 Kudos
In response to Kamome
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Feb 9 2022 11:56 PM
‎Feb 9 2022 11:56 PM

As you can only choosse between the standard "Connectivity", "Balanced" and "Security Connectivity" this could be looked up (at least if there's an FTD device standing around somewhere).

0 Kudos
In response to Kamome
KarstenI
Kind of a big deal
Kind of a big deal
‎Feb 10 2022 1:27 AM
‎Feb 10 2022 1:27 AM

The meaning of the base rulesets are also explained in the Snort-FAQ:

https://www.snort.org/faq/why-are-rules-commented-out-by-default

I remember a discussion here that also the MX implementation is mostly (but not completely) aligned with this definition. But I don't find that at the moment.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.