cancel
Showing results for 
Search instead for 
Did you mean: 
kenobe
Level 10
Report Inappropriate Content
Message 1 of 4

RSD Source

Greetings, today I see an entire new subnet of rogues in my ePO.  It's a commercial ISP who shouldn't be detected by my network so either someone connected a link they shouldn't have, or someone took a computer home and that RSD is seeing the subnet.

How can I tell what the detection SOURCE was?  When running queries I see a couple different SOURCE IDs (one is 666 and one is 484)?

Thanks

Ken

3 Replies
exbrit
Level 21
Report Inappropriate Content
Message 2 of 4

Re: RSD Source

I think you'll more likely get answers in ePO so have moved it there.

andrep1
Level 14
Report Inappropriate Content
Message 3 of 4

Re: RSD Source

Sadly, they were supposed to link the detected subnet to the sensor in the latest version but never did. Your best hint is to find the sensor(s) proving the coverage. But typically, those subnets are best ignored.

The detections could be dhcp or agent, neither of which will provide any insights.

In the past we have seen network provider equipement showing internal addresses intenally...

Re: RSD Source

Any update on this?  In some cases it is impossible to locate a detected rogue without knowing which detector found it.

-Vik Solem