The Meraki Community
El-Bandito

Here to help

Member since Mar 30, 2023

‎06-21-2023
Kudos from
User Count
etb 1
JessIT1 1
znet 1
Kudos given to
User Count
AlexP (Meraki Employee) 1
etb 1
NickHurleyJP 1

Community Record

6
Posts
3
Kudos
0
Solutions

Badges

First 5 Posts
Lift-Off
Latest Contributions by El-Bandito

Re: Meraki IDS Alerts across multiple MX's

by El-Bandito in Security / SD-WAN
06-21-2023 09:16 AM
I looked into this exploit a bit more, and it specifically looks for .cab files. https://snort.org/rule_docs/1-16295 Heap-based buffer overflow in Kaspersky Antivirus (KAV) 5.0 and Kaspersky Personal Security Suite 1.1 allows remote attackers to execute arbitrary code via a CAB file with large records after the header. Windows Update sends out .cab files through its updates, and it can be common sometimes for antivirus / firewalls to trigger .cab files as false-positives.

Re: Meraki IDS Alerts across multiple MX's

by El-Bandito in Security / SD-WAN
06-21-2023 09:05 AM
1 Kudo
I can confirm one of these IPs is a Windows Update server. So there's no way Meraki can tell us that this isn't a false positive, because, well, there's no way Microsoft's Windows Update server is sending us Kaspersky exploits. "vip0x008.map2ssl.hwcdn.net" - 209.197.3.8 = "ctldl.windowsupdate.com"

Re: Meraki IDS Alerts across multiple MX's

by El-Bandito in Security / SD-WAN
06-19-2023 12:02 PM
I mean, I highly doubt any of us are using Russian anti-virus software in our organizations, so it probably is safe to whitelist. But it is annoying that you can't create any exemptions for specific hosts, that you either whitelist the entire signature or nothing at all. So if it was a signature for something that could sometimes be a false positive and sometimes not, the only choice you have is to keep it, or risk an actual attack. Meraki is good for switches, good for WiFi. But as a Firewall, meh.

Re: Meraki IDS Alerts across multiple MX's

by El-Bandito in Security / SD-WAN
06-16-2023 08:07 AM
1 Kudo
Can confirm our organization is getting this as well. Got a bunch of alerts for that buffer overflow relating to AKAMAI Technologies. Also getting these other ones that look like this, but not as many: vip0x008.map2.ssl.hwcdn.net

Re: AnyConnect SAML Group Policy assignment

by El-Bandito in Security / SD-WAN
04-06-2023 08:00 AM
1 Kudo
We're now headed in a different direction. Going with FortiGate for SSLVPN w/ SAML Authentication to O365. Without rules for VPN traffic, we can't continue to use Meraki.

Re: AnyConnect SAML Group Policy assignment

by El-Bandito in Security / SD-WAN
03-30-2023 11:32 AM
@PhilipDAth Hey Philip, you seemed pretty helpful, so I wanted to ask you about this topic. I am trying to do Cisco AnyConnect w/ SAML authentication with Microsoft Azure. Do you know if this is still a limitation where group policy cannot be applied if SAML is being used? And if it's not possible, is there any workaround for it? I was looking at Azure, and their conditional access policies don't support time-based restrictions, which is what I'm trying to implement in group policy. Our company has a requirement where VPN access has to be restricted from 8am-5pm.
My Top Kudoed Posts
Subject | Kudos | Views
Re: Meraki IDS Alerts across multiple MX's (Security / SD-WAN) | 1 | 1554
Re: Meraki IDS Alerts across multiple MX's (Security / SD-WAN) | 1 | 2137
Re: AnyConnect SAML Group Policy assignment (Security / SD-WAN) | 1 | 1195
© 2023 Meraki