File: cisco-meraki.rules

package info (click to toggle)
sagan-rules 1:20170725-1
  • links: PTS
  • area: main
  • in suites: buster, sid
  • size: 3,460 kB
  • sloc: makefile: 5
file content (88 lines) | stat: -rw-r--r-- 5,295 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# Sagan cisco-meraki.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.



## MERAKI MX Security Appliance Rules ##

# "Casey Pennington" <cpennington@quadrantsec.com>
# 2017/03/07

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MERAKI] SSID Spoofing Detected"; content: "type=ssid_spoofing_detected"; classtype: suspicious-traffic; reference: url,meraki.cisco.com/lib/pdf/meraki_whitepaper_air_marshal.pdf; sid:5003026; rev:3;)

# VPN connectivity change

# alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MERAKI] VPN connectivity change"; content: "type=vpn_connectivity_change"; classtype: suspicious-traffic; sid:5003042; rev:2;)

# Uplink connectivity down

# alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MERAKI] Uplink connectivity change"; content: "MX84 events"; content: "down"; classtype: system-event; sid:5003043; rev:2;)

# Uplink conectivity failover

# alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MERAKI] Uplink connectivity change"; content: "MX84 events"; content: "failover"; classtype: system-event; sid:5003044; rev:2;)

# Security_event

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Malicious file blocked by amp"; content: "malicious action=block"; classtype: suspicious-traffic; reference: url,documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/; sid:5003045; rev:2;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] File issued retrospective malicious disposition"; content: "malicious action=allow"; classtype: suspicious-traffic; reference: url,documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/; sid:5003046; rev:2;)

## MERAKI MR Access Points Rules ##

# WPA failed authentication attempt

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] WPA failed authentication attempt"; content: "auth_neg_failed='1'"; content: "type=disassociation"; classtype: attempted-user; sid:5003047; rev:2;)

# 802.1x failed authentication attempt

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] 802.1x failed authentication attempt"; content: "type=8021x_eap_failure radio='0'"; content: "type=disassociation"; classtype: attempted-user; sid:5003048; rev:2;)

# Wireless packet flood detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] WPA failed authentication attempt"; content: "type=device_packet_flood"; content: "packet='deauth'"; classtype: attempted-user; reference: url,meraki.cisco.com/lib/pdf/meraki_whitepaper_air_marshal.pdf; sid:5003049; rev:2;)

# Flow denied by Layer 3 firewall

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Flow denied by Layer 3 firewall"; content: "MR18 flows deny"; classtype: suspicious-traffic; sid:5003050; rev:2;)

#* MERAKI MS Switches Rules ##

# Port status changed

# alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Port status changed"; content: "MS220_8P events port"; content: "status"; classtype: system-event; sid:5003051; rev:2;)

# Virtual router collision

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Virtual router collision"; content: "VRRP packet"; classtype: system-event; sid:5003052; rev:3;)

# VRRP transition

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] VRRP transition"; content: "VRRP"; content: "changed"; classtype: system-event; sid:5003053; rev:2;)

# Blocked DHCP server response

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Blocked DHCP server response"; content: "Blocked DHCP"; classtype: system-event; sid:5003054; rev:2;)