
Rogue detection - Policy - Interfaces settings

Hi guys,

I put a check on "Do not listen on interfaces whose IP addresses are included in the following networks:"

With the following IP: 192.168.1.1/27

Now why does the ePO report rogues with IPs like: 192.168.1.8, 192.168.1.12, etc?

Isn't it supposed to reject rogues whose IPs are between 192.168.1.1 and 192.168.1.30?

I configured the policy before I installed the sensors.

Do I need to do something else?

Thanks

6 Replies
andrep1

Re: Rogue detection - Policy - Interfaces settings

The rogue sensor will identify devices that broadcast any addresses on one of your subnets on which a sensor is listening. It will enable you to identify those devices and potentially take actions.

If you've enabled scan system OS for details, it will be useful to identify the rogue devices except for devices in the subnets that you mention in your question. In that case, it will go directly to the default gateway since it is the only way IP knows how to handle that address.

Remember RSD will not do any type of blocking, it just logs.

Re: Rogue detection - Policy - Interfaces settings

I did not enable scan system OS for details because a lot of users have HIPS installed and when the sensors or ePO (not sure) scan the ports it is flagged and blocked by the IPS module.

The first 30 IPs of the subnet are reserved for network printers, switches, etc. I don't want them to be reported as rogue.

I thought that setting up the Interfaces with the range I want to avoid being reported would do the trick.

(I don't want these IPs to show up in detected system -> rogue)

andrep1

Re: Rogue detection - Policy - Interfaces settings

What is the detection method for those devices? DHCP or broadcast?

Re: Rogue detection - Policy - Interfaces settings

Both

I put one sensor on the DHCP server and now I want to roll out the sensors on every segment. So the DHCP monitoring in the Policy is enabled.

andrep1

Re: Rogue detection - Policy - Interfaces settings

Took me a day to wake up.

The setting is called "Do not listen on interfaces whose IP addresses are included in the following networks:" This refers to the sensor server's NICs. Basically, this setting says that if you had a NIC connected to 192.168.x.x, it could be safely ignored. But it won't exclude detections from those networks coming into RSD. What you can do is stop the OS detection details with this setting: " "

What we do to keep it clean is that we have a few queries defined (Printers by naming convention, Printers by OUI, Network equipment by OUI) and we run those queries in a server task every few hours to classify the exceptions in their respective categories. Granted we could use automatic response, but in an environment our size it would be difficult.

So does this help a bit more?

Re: Rogue detection - Policy - Interfaces settings

Hi!

Thanks for the info and sorry for the delay.

Like I said I did not enable the OS detection because of issues with HIPS.

I think in order for the default automatic response "RSD: Query New Rogue Detection Printers, Routers, ..." to do its job, the OS detection must be on. So in my case it doesn't work.

I created a query that looks for new rogues with a specific IP range. Then I created an automatic response based on that query that flags these rogues as exceptions. It seems to be working flawlessly!

Thanks for your help
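As an added example, not code from the thread or from the ePO product, a short Python model of the distinction andrep1 describes and of the workaround in the last post: the interface setting only affects which sensor NICs listen, while an IP-range rule applied to detections is what actually keeps the reserved addresses out of the rogue list. The sensor interface addresses and the detections below are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data for illustration; nothing here is exported from ePO.
# The thread's policy value. 192.168.1.1/27 has host bits set, so strict=False
# is required; the network it actually denotes is 192.168.1.0/27.
EXCLUDED_NETWORKS = [ip_network("192.168.1.1/27", strict=False)]
# Hypothetical NICs on the sensor host: one on the DHCP server segment, one
# on the 192.168.1.0/24 LAN but outside the first /27.
SENSOR_INTERFACES = ["10.0.5.20", "192.168.1.40"]
# Constructed detections in the shape of the thread's examples.
DETECTIONS = [
    {"ip": "192.168.1.8", "method": "DHCP"},
    {"ip": "192.168.1.12", "method": "broadcast"},
    {"ip": "192.168.1.77", "method": "broadcast"},
]


def in_any(ip, networks):
    """True if ip falls inside any of the given networks."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def host_range(net):
    """First and last usable host address of a network, as strings."""
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def listening_interfaces(interfaces, excluded):
    """Model of the 'Do not listen on interfaces...' setting: it only drops
    sensor NICs whose own address lies inside an excluded network. A sensor
    NIC at 192.168.1.40 is outside 192.168.1.0/27, so it keeps listening and
    detections for 192.168.1.8 still reach RSD."""
    return [i for i in interfaces if not in_any(i, excluded)]


def classify_detections(detections, reserved):
    """Model of the query + automatic response the poster built: a detection
    whose IP is inside the reserved range is marked as an exception rather
    than reported as a rogue."""
    return {d["ip"]: ("exception" if in_any(d["ip"], reserved) else "rogue")
            for d in detections}


if __name__ == "__main__":
    print(host_range(EXCLUDED_NETWORKS[0]))
    print(listening_interfaces(SENSOR_INTERFACES, EXCLUDED_NETWORKS))
    print(classify_detections(DETECTIONS, EXCLUDED_NETWORKS))
```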