I guess they are admitting marking a threat as allowed is Standard Operating Procedure if the threat contains packets that were dropped before they were dropped onto network LANS..again we as customers are not privy to how the back end works with Meraki IDS, we just know malicious IP's are attempting to hit our MX WAN's and their IDS is showing action as allowed, so as IT folks when do we know when it's an actual threat or a false positive..that should not be on us. ... View more

Yes, received that one as well. At this point we are over 6 months since I started this thread for these allowed attacks. There has been several explanations from Meraki support stating these attacks are not actually getting through to the LAN. I just think the allowed action is going to continue the concern for customers that have not seen this thread yet.   Zyxel unauthenticated IKEv2 command injection attempt Zyxel unauthenticated IKEv2 overflow attempt ... View more

New IP that hit one of our MX's with (2) WANS 185.16.39.29:500 ... View more

Thanks for the heads up on this one, I don’t get my alerts of what was blocked or allowed until the morning so I logged in and added this IP to my layer 3 & 7 deny rules. ... View more

I agree, wasn't until a recent response from someone in this thread that their Zyxel IP hits showed blocked as opposed to allowed like all of mine that I don't completely think these rogue IP's are truly being blocked. I just keep adding the IP's to our layer 3 & 7 rules as deny and hope for the best..too many other security vectors to focus on, Meraki needs to address this ASAP, it's out of my control as to how IDS works. ... View more

We had same IP's hit one of our MX 193.177.182.40:500 149.50.116.115:500 185.224.128.74:500 ... View more

The only thing is, some customers are seeing the action on these IP’s as blocked and customers like me and quite a few others are getting an allowed action, how can that be explained? ... View more

This matches my list. Since these IP's are affecting numerous customers, is there not a way Meraki can add these IP's to their own block list, since the bad actors seem to be targeting Meraki MX devices..? ... View more

We run all 4 of our MX's in prevention mode and security ruleset as well. 3 of our 4 MX's are running MX 18.107.10, the 4th one is running 18.211.2 as it is a newer MX. I have ordered MX replacements for our MX84, MX64, MX64W due to them not being able to update to firmware 18.200 and above. ... View more

Latest IP addresses that show destination to our public WAN IP's as action of Allowed for Zyxel IKEv2 overflow attempt and command injection attempt..I know in the past Meraki support has stated these attempts aren't actually being allowed to pass onto our LAN, but still concerning. I've added blocks on layer 7 and outbound layer 3 ... View more

Go back into - Threat Protection / Intrusion Detection & Prevention / click X under Actions for the rule / save changes ... View more

Response I got:   Thank you for contacting Cisco Meraki support. There is an issue with the new SNORT update and as a workaround for now, please whitelist the rule. We are working to get this fixed as soon as possible. Thank you for your patience and co-operation. ... View more

I may have to allow for now too, Remote site needs access to our mapped drive. ... View more

Ok. Meaning you are running in Prevention mode like we are where these actions are being blocked? Like I said in my previous reply to someone, this is still causing issues for us I just don’t want to whitelist until I know for sure it’s safe to do so. Thanks  ... View more

OK, thank you for confirming that. I do have a ticket open with Meraki support, I don’t want to whitelist these blocked alerts until I hear back from them but sounds like it’s a false positive..? ... View more

Both source servers in the alerts are running Microsoft Windows Server 2022 Standard, so not sure if the snort explanation applies...   The SMB client in Microsoft Windows Server 2008 R2 and Windows 7 does not properly handle (1) SMBv1 and (2) SMBv2 response packets, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code via a crafted packet that causes the client to read the entirety of the response, and then improperly interact with the Winsock Kernel (WSK), aka "SMB Client Message Size Vulnerability." ... View more

The Meraki logging the alerts is a MX67W running - 18.211.2 ... View more

ok, yes i did open a case with support. I just know in the past some alerts were false positives, just wanted to see if anyone else is getting same alert.  thanks ... View more

Latest hit that was allowed on one of our external WAN IP's.   Snort shows this -  Missing documentation for 3-46125 There is currently no documentation for a rule with the id 3-46125 ... View more

Got allowed actions on my (2) WAN's over past 2 days - 98.27.28.56:500 - same Server-WebApp  Zyxel unauthenticated IKEv2 command injection attempt Zyxel unauthenticated IKEv2 overflow attempt Since numerous customers are getting exact same hits, is there nothing Meraki backend can do to once and for all block these attempts? ... View more

Yes doing that now, thanks  ... View more

I guess at this point, does adding layer 7 and layer 3 outbound deny rules for this IP 98.27.28.56 and others do anything, I would sure hope so. Or does the Meraki IDS action of allowed supersede my deny rules? I’m still shocked that months since I started this thread Meraki support still hasn’t addressed this security issue. ... View more

Yep, same here, see my growing list. Sometimes it goes a few days with nothing and then bam my (2) external WAN's get the allowed action. Meraki has to know that even though they claim the connections are not actually penetrating customers networks that continued false positives create doubt of what is actually being blocked and allowed. I could realistically take the jump to even though it shows blocked, maybe it was actually allowed..   ... View more

Ok, which Source / Destination / Details are you referring to? The ones I've seen have various IP addresses as the Source and Zyxel IKEv2 command injection or overflow attempt.  thanks ... View more