As far as I know, Meraki IDS/IPS uses Snort VRT rulesets, but there is absolutely no information about the ruleset itself.
All I can find is that Meraki uses Snort 2.9 rulesets, but I'm not sure whether it's based on the community or the registered ruleset.
If it's based on the registered ruleset, that means I cannot access the full signature list until I buy or subscribe to Snort.
Does anybody know what edition of ruleset Meraki uses?
Oh, silly me.
I just found that Meraki IDS/IPS is based on the Snort VRT ruleset, and Snort VRT ruleset is an alias for the Subscriber Ruleset, which is a paid one.
Welp, that means I cannot see every signature list in the Meraki IPS ruleset. But I think that the Registered ruleset can give me a general idea of the current Snort signature database.
Are you sure it’s version 2.9? I thought we were at V3
Yeah. I looked up Event logs, and it says that "snort_rules_version : 2.9.15.1"
We're in the process of transitioning models from 2.9 to 3 as of MX16 firmware
As you can only choose between the standard "Connectivity", "Balanced" and "Security Connectivity" this could be looked up (at least if there's an FTD device standing around somewhere).
The meaning of the base rulesets is also explained in the Snort-FAQ:
https://www.snort.org/faq/why-are-rules-commented-out-by-default
I remember a discussion here saying that the MX implementation is also mostly (but not completely) aligned with this definition. But I can't find that at the moment.