
BO_CLIENT_TRAFFIC_DETECT

Einstein
Getting noticed


Received this IDS twice yesterday at 11:22pm. At 12:55am every piece of Meraki gear we have went offline (over 150 items) for almost an hour. 

This IDS was allowed; when I try to look it up, it says no SNORT rules are available for this event. Everything came back up, but it's all very suspicious. I am combing through logs. We have redundant internet connections; neither is showing as going down.

I had no upgrades scheduled. Did anyone else experience a major outage last night right after midnight, and does anyone know what "BO_CLIENT_TRAFFIC_DETECT" is?

Thank you everyone in advance.

 

3 REPLIES
KarstenI
Head in the Cloud

Re: BO_CLIENT_TRAFFIC_DETECT

I would not expect that these two events (the Snort alert and the devices going offline) have anything to do with each other.

The alert BO_CLIENT_TRAFFIC_DETECT is based on a preprocessor (basically, these are also a kind of IDS/IPS rule) that detects traffic from the tool Back Orifice: https://en.wikipedia.org/wiki/Back_Orifice

I have not seen this for years, so I would expect a false positive, but to be sure you should inspect the corresponding PCs.

Einstein
Getting noticed

Re: BO_CLIENT_TRAFFIC_DETECT

Just had the same thing happen again. Every single piece of Meraki gear we have is reporting to have gone offline for 1 (one) second this morning. Again, no internet issues, no power events. I have submitted a ticket to Meraki as this is the second time in a week we have had every single piece of Meraki equipment report as going offline. No IDS events. No updates scheduled. I am thinking it is a false positive, maybe a glitch in The Matrix.

Darryl
New here

Re: BO_CLIENT_TRAFFIC_DETECT

I can tell you that a "comprehensive scan" from a port scanner such as Zenmap can trigger this alert message.
