-
Notifications
You must be signed in to change notification settings - Fork 28
/
Copy pathcisco-meraki.rules
133 lines (79 loc) · 10.3 KB
/
cisco-meraki.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
# Sagan cisco-meraki.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
## MERAKI MX Security Appliance Rules ##
# "Casey Pennington" <[email protected]>
# 2017/03/07
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MERAKI] SSID Spoofing Detected"; content: "type=ssid_spoofing_detected"; classtype: suspicious-traffic; reference: url,meraki.cisco.com/lib/pdf/meraki_whitepaper_air_marshal.pdf; sid:5003026; rev:3;)
# VPN connectivity change
# alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MERAKI] VPN connectivity change"; content: "type=vpn_connectivity_change"; classtype: suspicious-traffic; sid:5003042; rev:2;)
# Uplink connectivity down
# alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MERAKI] Uplink connectivity change"; content: "MX84 events"; content: "down"; classtype: system-event; sid:5003043; rev:2;)
# Uplink conectivity failover
# alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MERAKI] Uplink connectivity change"; content: "MX84 events"; content: "failover"; classtype: system-event; sid:5003044; rev:2;)
# Security_event
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Malicious file blocked by amp"; content: "malicious action=block"; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; reference: url,documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/; sid:5003045; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] File issued retrospective malicious disposition"; content: "malicious action=allow"; classtype: suspicious-traffic; reference: url,documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/; sid:5003046; rev:2;)
## MERAKI MR Access Points Rules ##
# WPA failed authentication attempt
#Not tracking failed auth. Any disconnect would trigger the rule.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] WPA failed authentication attempt"; content: "auth_neg_failed='1'"; content: "type=disassociation"; classtype: attempted-user; sid:5003047; metadata: disabled_on 2023_08_02; rev:2;)
# 802.1x failed authentication attempt
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-MERAKI] 802.1x EAP(RADIUS) failed authentication attempt [10/1]"; content:"type=8021x_eap_failure"; after:track by_username, count 10, seconds 300; threshold: type suppress, track by_string, count 1, seconds 86400; normalize; classtype: attempted-user; sid:5003048; metadata: updated_on 2023_08_02; rev:3;)
# Wireless packet flood detected
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] WPA failed authentication attempt"; content: "type=device_packet_flood"; content: "packet='deauth'"; classtype: attempted-user; reference: url,meraki.cisco.com/lib/pdf/meraki_whitepaper_air_marshal.pdf; sid:5003049; rev:2;)
# Flow denied by Layer 3 firewall
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Flow denied by Layer 3 firewall"; content: "MR18 flows deny"; classtype: suspicious-traffic; sid:5003050; rev:2;)
#* MERAKI MS Switches Rules ##
# Port status changed
# alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Port status changed"; content: "MS220_8P events port"; content: "status"; classtype: system-event; sid:5003051; rev:2;)
# Virtual router collision
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Virtual router collision"; content: "VRRP packet"; classtype: system-event; sid:5003052; rev:3;)
# VRRP transition
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] VRRP transition"; content: "VRRP transition"; content: "changed"; classtype: system-event; sid:5003053; rev:3;)
# Blocked DHCP server response
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Blocked DHCP server response"; content: "Blocked DHCP"; classtype: system-event; sid:5003054; rev:2;)
#Added by BSmith on 10/10/2024 - Mostly the same as above but there was a change to the log structure, so the rules needed to be adujusted a bit. Keeping the old rule above for backward compatability.
#Reference: https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples
#Many rules have been duplicated and adjusted for the json logs.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MERAKI] SSID Spoofing Detected"; content: "type|22 3a 20 22|ssid_spoofing_detected"; classtype: suspicious-traffic; reference: url,meraki.cisco.com/lib/pdf/meraki_whitepaper_air_marshal.pdf; sid:5015127; rev:1;)
# VPN connectivity change
# alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MERAKI] VPN connectivity change"; content: "type|22 3a 20 22|vpn_connectivity_change"; classtype: suspicious-traffic; sid:5015128; rev:1;)
# Security_event
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] IDS Alert Detected"; program:meraki_dashboard_api_data; content:"eventType|22 3a 20 22|IDS Alert"; content:!"|22|blocked|22 3a 20|true"; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; reference: url,documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/; sid:5015129; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] VPN Auth Failed Brute Force [25/1]"; program:meraki_dashboard_api_data; content:"type|22 3a 20 22|anyconnect_vpn_auth_failure"; parse_src_ip: 1; after:track by_src, count 25, seconds 120; threshold: type suppress, track by_string, count 1, seconds 86400; normalize; classtype: suspicious-traffic; reference: url,documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/; sid:5015130; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Malicious file blocked by amp"; content: "malicious"; content:"action|22 3a 20 22|block"; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; reference: url,documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/; sid:5015131; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] File issued retrospective malicious disposition"; content: "malicious"; content:"action=|22 3a 20 22|allow"; classtype: suspicious-traffic; reference: url,documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/; sid:5015132; rev:1;)
## MERAKI MR Access Points Rules ##
# WPA failed authentication attempt
#Not tracking failed auth. Any disconnect would trigger the rule.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] WPA failed authentication attempt"; content: "auth_neg_failed|22 3a 20 22|1|22|; content: "type|22 3a 20 22|disassociation"; classtype: attempted-user; sid:5015133; metadata: disabled_on 2023_08_02; rev:1;)
# 802.1x failed authentication attempt
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-MERAKI] 802.1x EAP(RADIUS) failed authentication attempt [10/1]"; content:"type|22 3a 20 22|8021x_eap_failure"; after:track by_src, count 10, seconds 300; threshold: type suppress, track by_string, count 1, seconds 86400; parse_src_ip:1; normalize; classtype: attempted-user; sid:5015134; metadata: updated_on 2023_08_02; rev:1;)
# Wireless packet flood detected
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] WPA failed authentication attempt"; content: "type|22 3a 20 22|device_packet_flood"; content: "packet|22 3a 20 22|deauth22"; classtype: attempted-user; reference: url,meraki.cisco.com/lib/pdf/meraki_whitepaper_air_marshal.pdf; sid:5015135; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] WIPS Mac Spoofing Attack Detected"; content: "type|22 3a 20 22|mac_spoofing_attack"; classtype:attempted-user; reference:url,https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples; sid:5015136; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] IP Conflicts - Martian SRC Detected"; content: "type|22 3a 20 22|mac_spoofing_attack"; content:"|22|Client|22 3a|"; content:!"169.254."; classtype:attempted-user; reference:url,https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples; sid:5015137; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-AIRMARSHAL] Rogue SSID Detected"; content:"airmarshal_events"; content:"rogue_ssid_detected"; reference:url,https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples; classtype:suspicious-activity; sid:5015339; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-AIRMARSHAL] SSID Spoofing Detected"; content:"airmarshal_events"; content:"ssid_spoofing_detected"; reference:url,https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples; classtype:suspicious-activity; sid:5015340; rev:1;)