iBeacons <3 Cisco Meraki

What I have noticed is that when companies buy network devices like firewalls, switches and access points, they don't use all the features implemented in those devices.

I don't know if the problem is sales or technical people, but what I think is that companies don't know how to use their hardware and get everything out of what they have already bought.

The situation is like this: you buy a new car and then don't use the lights, because you don't know how to use them or nobody has told you that your car has lights.

Because of this, I decided to write this little program and give it out for PoC purposes, so companies that have Cisco Meraki APs with Bluetooth can get some ideas of what they can do with it.

First of all, if you don't know what an iBeacon is, go to https://en.wikipedia.org/wiki/IBeacon and check it out. In short, it is a protocol developed by Apple, based on Bluetooth Low Energy (BLE): the beacon broadcasts a UUID plus a Major and a Minor number, and an app on the phone scans for that UUID and uses the signal strength to estimate how close the beacon is.

What is also great is that if you don't have Meraki APs, you can use Linux hcitool or the Mac mbeacon app to test it. Do some googling (when I was "young", AltaVista was the search engine back then) and check it out.

Now let's stop talking and get to the technical stuff.

Note: You need to have Xcode installed on your Mac and know how to use it. You also need an iPhone. I tested this code on iOS 14.0.1 and Xcode 12.0.1 (12A7300).

First you need to enable iBeacons on your AP.

Go to Wireless > Configure > IoT radio settings.

Then scroll down to Beaconing and set Advertising to On.

Advertising > On.

Now you need to generate a UUID for your iBeacon advertising. This is the UUID your app will look for.

Click Generate new UUID.

After this you need to choose whether each AP gets unique Major and Minor numbers or all APs in the network share the same Major and Minor. This depends on your use case.

Unique or Non-unique Major and Minor numbers.

If you have a larger area and want a different trigger when the Major or Minor changes (that is, when the phone moves from one AP to another), use Unique. If you only need one Major and Minor, choose Non-unique.

If you have multiple APs in your test bench, you can set individual values per AP using the API or keep the defaults.

Different Major and Minor numbers based on AP.

I suggest that you copy your UUID into a file and put it in your phone's notes.

After this you need to install the My iBeacons app on your phone; you can download the source code here: https://github.com/hrleinonen/iBeacon

After Xcode has finished the installation, your phone will ask for permissions.

Choose Allow While Using App (beacon ranging goes through CoreLocation, so the app needs the location permission).
Choose Allow.

After this click Configuration.

Choose Configuration.

Now you need to enter your UUID, Major and Minor numbers. The Name field is not yet implemented.

Enter the UUID, Major and Minor numbers, then click Save and Back.

Now you should see the distance to your AP.

iBeacon fully functional.

If you want to use a Mac and the mbeacon application, check this site: https://github.com/watr/mbeacon

And if you want to use your Raspberry Pi as an iBeacon sender, go here: http://www.wadewegner.com/2014/05/create-an-ibeacon-transmitter-with-the-raspberry-pi/
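As an added example (my own code, not the My iBeacons app from the repository above and not Meraki's), here is the iBeacon frame that the AP advertises and the phone app scans for, built and decoded in Python. Apple's published layout is a Flags AD structure followed by a Manufacturer Specific Data structure carrying Apple's company ID 0x004C, type 0x02, length 0x15, then the 16-byte UUID, Major, Minor and a signed TX power byte, 30 bytes in total. The hcitool helper produces the usual BlueZ command line for sending the same frame from a Linux adapter, which is also the point to keep in mind on the security side: nothing in the frame is authenticated, so anyone with a BLE adapter can clone your UUID, Major and Minor, and beacon presence must never be treated as proof that a phone is near a particular AP. The UUID used in the main block and the hci0 device name are assumptions.

```python
"""Build and decode the iBeacon advertising payload (added example, not the My iBeacons app's code)."""
import uuid

APPLE_COMPANY_ID = 0x004C   # Bluetooth SIG company identifier for Apple
IBEACON_TYPE = 0x02         # Apple's sub-type for iBeacon
IBEACON_LEN = 0x15          # 21 bytes follow: UUID(16) + Major(2) + Minor(2) + TX power(1)


def build_ibeacon_adv(beacon_uuid: str, major: int, minor: int, tx_power: int) -> bytes:
    """Return the 30-byte advertising data an AP (or hcitool) broadcasts for one iBeacon."""
    if not (0 <= major <= 0xFFFF and 0 <= minor <= 0xFFFF):
        raise ValueError("Major and Minor are unsigned 16-bit values")
    if not (-128 <= tx_power <= 127):
        raise ValueError("TX power is a signed byte: calibrated RSSI in dBm at 1 m")
    # AD structure 1: Flags (LE General Discoverable, BR/EDR not supported)
    flags = bytes([0x02, 0x01, 0x1A])
    # AD structure 2: Manufacturer Specific Data (type 0xFF)
    body = (
        APPLE_COMPANY_ID.to_bytes(2, "little")     # company ID is little-endian in AD data
        + bytes([IBEACON_TYPE, IBEACON_LEN])
        + uuid.UUID(beacon_uuid).bytes             # UUID, Major and Minor are big-endian
        + major.to_bytes(2, "big")
        + minor.to_bytes(2, "big")
        + tx_power.to_bytes(1, "big", signed=True)
    )
    manufacturer = bytes([len(body) + 1, 0xFF]) + body   # length byte counts the type byte
    return flags + manufacturer


def parse_ibeacon_adv(data: bytes):
    """Walk the AD structures; return the iBeacon fields, or None if this is not an iBeacon frame.
    This is the check a scanner performs before using UUID/Major/Minor received over the air."""
    i = 0
    while i < len(data):
        length = data[i]
        if length == 0 or i + 1 + length > len(data):
            return None                                # padding reached or truncated structure
        ad_type, payload = data[i + 1], data[i + 2 : i + 1 + length]
        if ad_type == 0xFF and len(payload) == 25:
            company = int.from_bytes(payload[0:2], "little")
            if company == APPLE_COMPANY_ID and payload[2] == IBEACON_TYPE and payload[3] == IBEACON_LEN:
                return {
                    "uuid": str(uuid.UUID(bytes=payload[4:20])),
                    "major": int.from_bytes(payload[20:22], "big"),
                    "minor": int.from_bytes(payload[22:24], "big"),
                    "tx_power": int.from_bytes(payload[24:25], "big", signed=True),
                }
        i += 1 + length
    return None


def rough_distance(tx_power: int, rssi: int, path_loss_exponent: float = 2.0) -> float:
    """Log-distance path-loss estimate in metres (the usual approximation; CoreLocation's own
    proximity calculation is not public, so treat this as a rough figure only)."""
    return 10 ** ((tx_power - rssi) / (10 * path_loss_exponent))


def hcitool_set_adv_data(data: bytes, hci_dev: str = "hci0") -> str:
    """BlueZ hcitool command that loads this payload into a Linux adapter via
    HCI LE Set Advertising Data (OGF 0x08, OCF 0x0008): a length byte, then the 31-byte field.
    Assumes the adapter is hci0 (an assumption) and that advertising is enabled with hciconfig."""
    if len(data) > 31:
        raise ValueError("advertising data is limited to 31 bytes")
    padded = data + bytes(31 - len(data))
    return f"hcitool -i {hci_dev} cmd 0x08 0x0008 {len(data):02X} " + " ".join(f"{b:02X}" for b in padded)


if __name__ == "__main__":
    # Example UUID from Apple's AirLocate sample; use the one your Meraki dashboard generated.
    adv = build_ibeacon_adv("E2C56DB5-DFFB-48D2-B060-D0F5A71096E0", major=1, minor=2, tx_power=-59)
    print(adv.hex(" "))
    print(parse_ibeacon_adv(adv))
    print(hcitool_set_adv_data(adv))
```

With BlueZ the printed command is run after hciconfig hci0 up and hciconfig hci0 leadv 3 (this assumes a BlueZ install that still ships the legacy hcitool and hciconfig tools); the parse function is what a scanner should do before trusting the UUID, Major and Minor it received.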

Happy iBeaconing.

Regards,

Ville

Cisco Meraki MX and Graylog3 Part 4

This parser/content pack is used to log Meraki MX security events.

First download the content pack from my GitHub: https://github.com/hrleinonen/graylog-meraki

The file called "Cisco_Meraki_MX_Appliance_Security.json" is for MX appliance security events. It adds a couple of new search fields to Graylog3.

New fields are:

  • DISPOSITION = Disposition (e.g. malicious)
  • ACTION = Action (e.g. block)
  • SHA256 = SHA256 of the file (e.g. 2546dcffc5ad854d4d…)
  • NAME = Malware name (e.g. Win.Ransomware.Eicar::95.sbx.tg)
  • SRCIP = Source IP address (e.g. 10.10.101.101)
  • SRCPORT = Source port (e.g. 23434)
  • DSTIP = Destination IP address (e.g. 193.166.3.7)
  • DSTPORT = Destination port (e.g. 443)

Upload the file to Graylog3 using the instructions from my blog: https://www.hacknetwork.org/?p=167

Action report example.

Malware name example.

Now open the Meraki dashboard and choose the correct network.

Choose Network-wide > Configure > General.

Find the part called Reporting.

Cisco Meraki Syslog-server configuration.

Add your Graylog server IP address, port 5556, and choose the Appliance event log role. Click Save. Now you should see traffic in your Graylog input. (Meraki also offers separate Security events and IDS alerts syslog roles; if the security_event lines do not show up on this input, add those roles for the same server and port.)

Cisco Meraki MX and Graylog3 Part 3

This parser/content pack is used to log Meraki MX URL events.

First download the content pack from my GitHub: https://github.com/hrleinonen/graylog-meraki

The file called "Cisco_Meraki_MX_Appliance_URLs.json" is for MX appliance URL events. It adds a couple of new search fields to Graylog3.

New fields are:

  • AGENT = Browser agent (e.g. Mozilla Firefox)
  • REQUEST = HTTP request method (e.g. POST)
  • SRCIP = Source IP address (e.g. 10.10.101.101)
  • SRCPORT = Source port (e.g. 23434)
  • DSTIP = Destination IP address (e.g. 193.166.3.7)
  • DSTPORT = Destination port (e.g. 443)

Map based on destination IP addresses.

Example fields.

Upload the file to Graylog3 using the instructions from my blog: https://www.hacknetwork.org/?p=167

Now open the Meraki dashboard and choose the correct network.

Choose Network-wide > Configure > General.

Find the part called Reporting.

Cisco Meraki Syslog-server configuration.

Add your Graylog server IP address, port 5555, and choose the Appliance event log role. Click Save. Now you should see traffic in your Graylog input. (Meraki also has a separate URLs syslog role that carries the urls lines; if they do not show up on this input, add that role for the same server and port.)

Cisco Meraki MX and Graylog3 Part 2

First download the content pack from my GitHub: https://github.com/hrleinonen/graylog-meraki

The file called "Cisco_Meraki_MX_Appliance_Events.json" is for MX appliance events. It adds a couple of new search fields to Graylog3.

New fields are:

  • EVENT_TYPE = Event type (e.g. IDS, content_filtering_block or dhcp)
  • SPI = Security Parameter Index (e.g. 53afbb30231007)
  • URL_CATEGORY = Category the blocked site belongs to (e.g. Malware)

Top 10 values for event type.

Top 5 blocked URL categories.

Upload the file to Graylog3 using the instructions from my blog: https://www.hacknetwork.org/?p=167

Now open the Meraki dashboard and choose the correct network.

Choose Network-wide > Configure > General.

Find the part called Reporting.

Cisco Meraki Syslog-server configuration.

Add your Graylog server IP address, port 5557, and choose the Appliance event log role. Click Save. Now you should see traffic in your Graylog input.

Cisco Meraki MX and Graylog3

I really like the Meraki cloud concept. It includes a complete network stack: Firewalls/SD-WAN, WLAN, Switches and Security Cameras (also MDM). The only problem (if we don't count the missing AnyConnect) is logs and querying. Now, because I use Graylog for my other projects, I decided to use Graylog3 as my log storage. There are no ready parsers or dashboards in the Graylog marketplace, so I started to make my own.

Here comes a parser (GROK based) for MX flow records, enjoy.

First download the content pack from my GitHub: https://github.com/hrleinonen/graylog-meraki

There are a couple of roles in Meraki MX that you use to send syslog. I chose to send every role to a different port, so I can choose which extractor to use.

The file called "Cisco_Meraki_Flow_Content_Pack.json" is for MX flow events. It adds a couple of new search fields to Graylog3.

New fields are:

  • DSTIP = Destination IP address (e.g. 208.67.222.222)
  • DSTPORT = Destination port (e.g. 53)
  • FLOW_TYPE = Flow start or end (e.g. ip_flow_end)
  • PROTOCOL = Protocol (e.g. tcp)
  • SRCIP = Source IP address (e.g. 172.16.0.10)
  • SRCPORT = Source port (e.g. 1007)
  • TRANSLATED_DST_IP = Translated destination IP address (e.g. 1.2.3.4)
  • TRANSLATED_PORT = Translated port (e.g. 55)
  • TRANSLATED_SRC_IP = Translated source IP address (e.g. 81.3.4.1)

Example of the new search fields (btw. this is demo-generated data, not my internal network).

Now that you have downloaded the JSON file, you must upload it to Graylog3. Choose System > Content Packs; the Content Packs page opens. Click Upload (green box) in the upper left corner. Choose the content pack file and upload it.

There is now a new content pack called Cisco Meraki Flow; click Install. After this you have a new input and a dashboard.

Go to the input page, System > Inputs. There is an input called MERAKI_LOGS_FLOWS. The input listens on RAW/plaintext UDP port 5558 (there are some problems with the standard Syslog UDP input). If the input is not started, you must start it. Note that UDP syslog is neither authenticated nor encrypted: anyone who can reach port 5558 can inject lines into this input, so restrict it to the MX's source address at the host firewall.

Now open the Meraki dashboard and choose the correct network.

Choose Network-wide > Configure > General.

Find the part called Reporting.

Cisco Meraki Syslog-server configuration.

Add your Graylog server IP address, port 5558, and choose the Flows role. Click Save. Now you should see traffic in your Graylog input.

Click System > Inputs, find MERAKI_LOGS_FLOWS and choose Show Received Messages.

There is also a new dashboard called "Meraki MX Flow Records". Go to Dashboards > Meraki MX Flow Records.

Example flow dashboard.
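To check the field extraction without a Graylog instance, here is an added Python example (my own code, not the content packs from the repository, which are GROK extractors) that parses the same kinds of lines and produces the search fields used in all four parts: flow records (this part), event types and URL categories (Part 2), URL requests and agents (Part 3) and AMP file dispositions (Part 4). The sample lines are constructed to follow the "epoch host role key=value ..." shape of MX syslog output and are not captures from a real appliance; the SHA256 values in them are placeholders. The two shapes that trip up a single GROK pattern are both handled: src/dst as "ip:port" in URL, security and IDS lines versus "ip" plus sport/dport in flow lines, and single-quoted values with spaces (the browser agent). It also runs one detection over the Part 4 fields: a malicious disposition whose action is not block.

```python
"""Field extraction for Cisco Meraki MX syslog lines (added example, not the page's content packs)."""
import re
from typing import Dict, List, Optional

# "<epoch.ns> <host> <role> <rest>", e.g. "1374543986.038687615 MX84 flows src=..."
HEADER_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<host>\S+)\s+(?P<role>\S+)\s*(?P<rest>.*)$")
# key=value pairs: the value is either single-quoted (may contain spaces) or a bare token
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")
# free text introduced by "request:", "pattern:" or "message:" is not key=value data
TRAILER_RE = re.compile(r"(?:^|\s)(request|pattern|message):\s*(.*)$")

# key in the log line -> search field name used on the page
DIRECT = {
    "protocol": "PROTOCOL", "translated_src_ip": "TRANSLATED_SRC_IP",
    "translated_dst_ip": "TRANSLATED_DST_IP", "translated_port": "TRANSLATED_PORT",
    "agent": "AGENT", "disposition": "DISPOSITION", "action": "ACTION",
    "sha256": "SHA256", "name": "NAME", "category": "URL_CATEGORY", "spi": "SPI", "url": "URL",
}

# Constructed sample lines (shape modelled on MX syslog; hashes are placeholders, not real samples).
SAMPLE_LINES = [
    "1374543986.038687615 MX84 ip_flow_start src=172.16.0.10 dst=208.67.222.222 protocol=udp sport=1007 dport=53 translated_src_ip=81.3.4.1 translated_port=55",
    "1374543987.000000000 MX84 ip_flow_end src=198.51.100.20 dst=81.3.4.1 protocol=tcp sport=40001 dport=443 translated_dst_ip=1.2.3.4 translated_port=8443",
    "1374543988.000000000 MX84 urls src=10.10.101.101:23434 dst=193.166.3.7:443 mac=00:18:0A:01:B5:C8 agent='Mozilla/5.0 (X11; Linux x86_64) Firefox/81.0' request: POST https://example.org/login",
    "1374543989.000000000 MX84 security_event security_filtering_file_scanned url=http://example.org/eicar.com src=10.10.101.101:23434 dst=193.166.3.7:443 mac=00:18:0A:01:B5:C8 name='Win.Ransomware.Eicar::95.sbx.tg' sha256=" + "ab" * 32 + " disposition=malicious action=block",
    "1374543990.000000000 MX84 security_event security_filtering_file_scanned url=http://example.org/dropper.exe src=10.10.101.102:51000 dst=193.166.3.7:80 mac=00:18:0A:01:B5:C9 name='Win.Trojan.Generic' sha256=" + "cd" * 32 + " disposition=malicious action=allow",
    "1374543991.000000000 MX84 events content_filtering_block url='http://malware.example/' server='198.51.100.5:80' category='Malware'",
    "1374543992.000000000 MX84 events dhcp lease of ip 192.168.111.8 from server mac 00:18:0A:01:B5:C8 for client mac 58:1F:AA:6C:6D:C3",
    "1374543993.000000000 MX84 ids-alerts signature=129:4:1 priority=3 direction=ingress protocol=tcp/ip src=192.168.111.254:56240",
    "1374543994.000000000 MX84 flows src=192.168.111.254 dst=255.255.255.255 mac=00:18:0A:01:B5:C8 protocol=udp sport=67 dport=68 pattern: allow all",
    "this is not a Meraki line",
]


def _endpoint(value: str):
    """'10.0.0.1:443' -> ('10.0.0.1', 443); '10.0.0.1' -> ('10.0.0.1', None). IPv4 only:
    a bracketed IPv6 literal would need its own handling."""
    host, sep, port = value.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (value, None)


def parse_meraki_line(line: str) -> Optional[Dict[str, object]]:
    """Extract the page's search fields from one MX syslog line; None if the line is not MX-shaped."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    role, rest = m.group("role"), m.group("rest")
    rec: Dict[str, object] = {"TIMESTAMP": float(m.group("ts")), "HOST": m.group("host"), "ROLE": role}

    trailer = TRAILER_RE.search(rest)
    free_text = ""
    if trailer:
        free_text, rest = trailer.group(2), rest[: trailer.start()]
    kv = {k: (quoted if quoted else bare) for k, quoted, bare in KV_RE.findall(rest)}

    # event type: "events type=..." carries it as a key; otherwise it is the first bare word
    # ("events content_filtering_block ...", "security_event security_filtering_file_scanned ...")
    parts = rest.split(None, 1)
    first = parts[0] if parts else ""
    if role in ("events", "security_event"):
        rec["EVENT_TYPE"] = kv.get("type", "" if "=" in first else first)
    elif role == "ids-alerts":
        rec["EVENT_TYPE"] = "IDS"            # my mapping, matching the page's example value
    elif role in ("flows", "ip_flow_start", "ip_flow_end"):
        rec["FLOW_TYPE"] = role

    for key, field in DIRECT.items():
        if key in kv:
            rec[field] = int(kv[key]) if field == "TRANSLATED_PORT" and kv[key].isdigit() else kv[key]

    # src/dst are "ip:port" in urls/security/IDS lines but "ip" plus sport/dport in flow lines
    for key, port_key, ip_field, port_field in (("src", "sport", "SRCIP", "SRCPORT"),
                                                ("dst", "dport", "DSTIP", "DSTPORT")):
        if key in kv:
            ip, port = _endpoint(kv[key])
            rec[ip_field] = ip
            if port is None and kv.get(port_key, "").isdigit():
                port = int(kv[port_key])
            if port is not None:
                rec[port_field] = port

    if role == "urls" and free_text:          # "request: POST https://..."
        method, _, url = free_text.partition(" ")
        rec["REQUEST"], rec["URL"] = method, url
    elif free_text:
        rec["MESSAGE"] = free_text
    return rec


def parse_lines(lines) -> List[Dict[str, object]]:
    """Parse many lines, dropping the ones that are not MX syslog."""
    return [rec for rec in (parse_meraki_line(line) for line in lines) if rec]


def unblocked_malware(records) -> List[Dict[str, object]]:
    """Detection over the Part 4 fields: AMP called the file malicious but did not block it."""
    return [r for r in records if r.get("DISPOSITION") == "malicious" and r.get("ACTION") != "block"]


if __name__ == "__main__":
    records = parse_lines(SAMPLE_LINES)
    for rec in records:
        print(rec)
    for rec in unblocked_malware(records):
        print("ALERT: malicious file not blocked:", rec["NAME"], "from", rec["SRCIP"])
```

The same split of responsibilities (header, key=value pairs, free-text trailer) is what the GROK patterns in the content packs have to express; if a field comes out empty in Graylog, feed the raw line through this parser first to see which of the three parts the pattern is mishandling.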