Meraki

Einstein · ‎Dec 8 2020

Received this IDS twice yesterday at 11:22pm. At 12:55am every piece of Meraki gear we have went offline (over 150 items) for almost an hour.

This IDS was allowed, when I try to look it up it says no SNORT rules are available for this event. Everything came back up, but its all very suspicious. I am combing through logs. We have redundant internet connections, Neither are showing as going down.

I had no upgrades scheduled. Anyone else experience major outage last night right after midnight, and does anyone know what "BO_CLIENT_TRAFFIC_DETECT" is?

Thank you everyone in advance.

KarstenI · ‎Dec 8 2020

I would not expect that these two events (the Snort alert and the devices going offline) have anything to do with each other.

The alert BO_CLIENT_TRAFFIC_DETECT is based on a preprocessor (basically, these are also kind of IDS/IPS rules) that detects traffic from the tool Back Orrifice: https://en.wikipedia.org/wiki/Back_Orifice

I have not see this for years so I would expect a false posive but to be sure you should inspect the corrsponding PCs.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Einstein · ‎Dec 11 2020

Just had same thing happen again. Every single piece of Meraki gear we have is reporting to have gone offline for 1 (one) second this morning. Again, no internet issues, no power events. I have submitted a ticket to Meraki as this is the second time in a week we have had every single piece of Meraki equipment report as going offline. No IDS events. No updates scheduled. I am thinking it is a false positive, maybe a glitch in The Matrix.

Darryl · ‎Feb 5 2021

I can tell you that a "comprehensive scan" from a port scanner such as zenmap, can trigger this alert message.