Meraki

Einstein · ‎Dec 8 2020

Received this IDS twice yesterday at 11:22pm. At 12:55am every piece of Meraki gear we have went offline (over 150 items) for almost an hour.

This IDS was allowed, when I try to look it up it says no SNORT rules are available for this event. Everything came back up, but its all very suspicious. I am combing through logs. We have redundant internet connections, Neither are showing as going down.

I had no upgrades scheduled. Anyone else experience major outage last night right after midnight, and does anyone know what "BO_CLIENT_TRAFFIC_DETECT" is?

Thank you everyone in advance.

KarstenI · ‎Dec 8 2020

I would not expect that these two events (the Snort alert and the devices going offline) have anything to do with each other.

The alert BO_CLIENT_TRAFFIC_DETECT is based on a preprocessor (basically, these are also kind of IDS/IPS rules) that detects traffic from the tool Back Orrifice: https://en.wikipedia.org/wiki/Back_Orifice

I have not see this for years so I would expect a false posive but to be sure you should inspect the corrsponding PCs.

Einstein · ‎Dec 11 2020

Just had same thing happen again. Every single piece of Meraki gear we have is reporting to have gone offline for 1 (one) second this morning. Again, no internet issues, no power events. I have submitted a ticket to Meraki as this is the second time in a week we have had every single piece of Meraki equipment report as going offline. No IDS events. No updates scheduled. I am thinking it is a false positive, maybe a glitch in The Matrix.

Darryl · ‎Feb 5 2021

I can tell you that a "comprehensive scan" from a port scanner such as zenmap, can trigger this alert message.