What edition of Snort ruleset is Meraki IPS using?

Solved
Kamome
Building a reputation

As far as I know, Meraki IDS/IPS uses Snort VRT rulesets, but there is absolutely no information about the ruleset itself.

All I can find is that Meraki uses Snort 2.9 rulesets, but I'm not sure whether it's based on the community or the registered ruleset.

If it's based on the registered ruleset, that means I cannot access the full signature list until I buy or subscribe to Snort.

Does anybody know what edition of ruleset Meraki uses?

1 Accepted Solution
Kamome
Building a reputation

Oh, silly me.

I just found that Meraki IDS/IPS is based on the Snort VRT ruleset, and the Snort VRT ruleset is an alias for the Subscriber Ruleset, which is the paid one.

Welp, that means I cannot see the full signature list of the Meraki IPS ruleset. But I think that the Registered ruleset can give me a general idea of the current Snort signature database.

6 Replies
DarrenOC
Kind of a big deal

Are you sure it's version 2.9? I thought we were at V3.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Kamome
Building a reputation

Yeah. I looked up the event logs, and they say "snort_rules_version : 2.9.15.1".

AlexP
Meraki Employee

We're in the process of transitioning models from 2.9 to 3 as of MX16 firmware.

CptnCrnch
Kind of a big deal

As you can only choose between the standard "Connectivity", "Balanced" and "Security Connectivity", this could be looked up (at least if there's an FTD device standing around somewhere).

KarstenI
Kind of a big deal

The meaning of the base rulesets is also explained in the Snort FAQ:

https://www.snort.org/faq/why-are-rules-commented-out-by-default

I remember a discussion here that the MX implementation is also mostly (but not completely) aligned with this definition. But I can't find that at the moment.

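The Snort FAQ linked above describes how policy membership works in the registered ruleset: each rule carries `policy <name> <action>` entries in its `metadata` option, and rules outside the default base policy ship commented out with a leading `#`. The following script is an added example, not code from this thread or from Meraki/Talos, showing how a defender could read a registered-ruleset file and list which SIDs each base policy (connectivity-ips, balanced-ips, security-ips) would enable, which is the "general idea" of the signature database the original poster was after. The four rules in `SAMPLE_RULES` are constructed for the example and are not real Talos rules.

```python
import re
from dataclasses import dataclass

# Base policies named in Snort rule metadata (max-detect-ips also exists).
POLICIES = ("connectivity-ips", "balanced-ips", "security-ips", "max-detect-ips")

# Constructed sample rules in Snort 2.9 text format (not real Talos rules).
# Rule 3 and rule 4 are shipped commented out, as the Snort FAQ describes for
# rules outside the default base policy.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE-1 in all three base policies"; flow:to_server,established; content:"GET"; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE-2 balanced and security only"; flow:to_server,established; content:"|FF|SMB"; metadata:policy balanced-ips drop, policy security-ips drop; sid:9000002; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE-3 security only; note the semicolon"; content:"a;b"; metadata:policy security-ips alert; sid:9000003; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE-4 no policy metadata"; content:"|00 01|"; sid:9000004; rev:1;)
"""

# Optional leading '#' (rule disabled), an action keyword, the header, then the option body in parentheses.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|sdrop|reject|pass|log)\s+[^(]*\((?P<body>.*)\)\s*$"
)


@dataclass
class Rule:
    sid: int
    msg: str
    disabled: bool        # True when the rule line starts with '#'
    policies: dict        # policy name -> action from the metadata option


def split_options(body):
    """Split the rule option body on ';' while respecting quoted strings and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_policies(metadata_value):
    """Extract 'policy <name> <action>' entries from a comma-separated metadata value."""
    policies = {}
    for entry in metadata_value.split(","):
        parts = entry.split()
        if len(parts) == 3 and parts[0] == "policy":
            policies[parts[1]] = parts[2]
    return policies


def parse_rules(text):
    """Parse every rule line (enabled or commented out) into Rule objects; skip everything else."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        opts = {}
        for opt in split_options(m.group("body")):
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip()
        rules.append(Rule(
            sid=int(opts["sid"]),
            msg=opts.get("msg", "").strip('"'),
            disabled=m.group("disabled") is not None,
            policies=parse_policies(opts.get("metadata", "")),
        ))
    return rules


def sids_in_policy(rules, policy):
    """SIDs a base policy would turn on, regardless of whether the file ships them commented out."""
    return sorted(r.sid for r in rules if policy in r.policies)


def sids_shipped_enabled(rules):
    """SIDs that are active as shipped, i.e. not commented out."""
    return sorted(r.sid for r in rules if not r.disabled)


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print("shipped enabled:", sids_shipped_enabled(parsed))
    for name in POLICIES[:3]:
        print(f"{name:18s}", sids_in_policy(parsed, name))
```

Point the `SAMPLE_RULES` text at the contents of a real `.rules` file from the registered ruleset and the policy lists come out per SID; comparing the `security-ips` list against what the MX actually reports in its event log is a quick way to check how closely a given Meraki base ruleset follows the Talos policy definitions, which is the open question in KarstenI's reply.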