0 Replies Latest reply on Jun 4, 2015 9:22 AM by hotsauce3209

    Has anyone seen Rogue Sensor generate External UDP Traffic?

    hotsauce3209

In our environment (managed by ePO 5.1.1), I have noticed that occasionally there are Rogue Sensors trying to communicate with external IPs.  I noticed outbound UDP port 65534 traffic to 192.199.199.93 and 192.199.199.88 and similar IPs.  IP WHOIS shows this is Robson Communications in Canada.  The communication indeed started when I installed the sensor, and then halted after uninstalling for testing purposes. It only occurs rarely on a few machines.

       

      Example 1

       

      Windows 2008 R2 Server

      McAfee Agent 4.8.0.1938

      VirusScan Enterprise 8.8.0.1247

      Rogue System Detection 5.0.1.40

       

      I noticed that the balash.log shows errors:

       

      03-Jun-15 19:36:19.638 (notification (default[#337])) Infra.Database.DatabaseSubsystem: [Error] Cannot get DB session for C:\Program Files (x86)\McAfee\RSD Sensor\sensor.db: No thread available

      03-Jun-15 19:36:19.639 (notification (default[#351])) Infra.Database.DatabaseSubsystem: [Error] Cannot get DB session for C:\Program Files (x86)\McAfee\RSD Sensor\sensor.db: No thread available

      03-Jun-15 19:36:19.660 (notification (default[#337])) Infra.AsyncNotification.NotificationTask: [Error] Failed to post class Balash::Notifications::Detection::OpenedPortObservedNotification, error: No thread available

      03-Jun-15 19:36:19.662 (notification (default[#351])) Infra.AsyncNotification.NotificationTask: [Error] Failed to post class Balash::Notifications::Detection::AddressObservedNotification, error: No thread available

       

And I see this error a lot in the rsdpp.log:

       

      RSDPP.Control.ControlSubsystem: [Error] Cannot apply policy - waiting for database to be ready


      Example 2

       

      Windows Server 2012 R2

      McAfee Agent 4.8.0.1938

      VirusScan Enterprise 8.8.0.1247

      Rogue System Detection 5.0.1.40

       

I detected 12 packets on 5/27/15 from this machine to the Canadian IP. On 5/26/15 I see a lot of the same "Cannot apply policy - waiting for database to be ready" errors in the rsdpp.log, and similar errors in the balash.log:

       

      27-May-15 00:34:10.341 (notification (default[#20291])) Infra.Database.DatabaseSubsystem: [Error] Cannot get DB session for C:\Program Files (x86)\McAfee\RSD Sensor\sensor.db: No thread available

      27-May-15 00:34:10.341 (notification (default[#20320])) Infra.Database.DatabaseSubsystem: [Error] Cannot get DB session for C:\Program Files (x86)\McAfee\RSD Sensor\sensor.db: No thread available

      27-May-15 00:34:10.341 (notification (default[#20291])) Infra.AsyncNotification.NotificationTask: [Error] Failed to post class Balash::Notifications::Detection::AddressObservedNotification, error: No thread available

      27-May-15 00:34:10.341 (notification (default[#20320])) Infra.AsyncNotification.NotificationTask: [Error] Failed to post class Balash::Notifications::Detection::OpenedPortObservedNotification, error: No thread available

      27-May-15 00:34:35.357 ([#1]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 00:34:35.357 ([#2]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 00:34:48.170 ([#2]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 01:35:20.941 ([#2]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 01:35:27.285 ([#2]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 01:35:27.285 ([#1]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 01:35:28.659 ([#2]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 01:35:39.190 ([#1]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 01:35:39.190 ([#2]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 01:35:39.190 (notification (default[#20430])) Infra.Database.DatabaseSubsystem: [Error] Cannot get DB session for C:\Program Files (x86)\McAfee\RSD Sensor\sensor.db: No thread available

      27-May-15 01:35:39.190 (notification (default[#20430])) Infra.AsyncNotification.NotificationTask: [Error] Failed to post class Balash::Notifications::Detection::OSDataObservedNotification, error: No thread available

      27-May-15 01:35:53.016 ([#1]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 01:36:09.483 ([#2]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 01:36:09.483 ([#1]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 02:36:40.841 ([#2]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 02:36:55.200 ([#2]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 02:36:55.200 ([#1]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 02:36:55.200 (notification (default[#20524])) Infra.Database.DatabaseSubsystem: [Error] Cannot get DB session for C:\Program Files (x86)\McAfee\RSD Sensor\sensor.db: No thread available

      27-May-15 02:36:55.200 (notification (default[#20524])) Infra.AsyncNotification.NotificationTask: [Error] Failed to post class Balash::Notifications::Detection::OpenedPortObservedNotification, error: No thread available

      27-May-15 03:38:39.361 ([#2]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 04:39:24.062 ([#2]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 04:39:24.062 ([#1]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 04:39:51.171 ([#2]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 04:39:51.171 ([#1]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 04:39:58.077 ([#1]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 04:40:09.780 (notification (default[#20765])) Infra.Database.DatabaseSubsystem: [Error] Cannot get DB session for C:\Program Files (x86)\McAfee\RSD Sensor\sensor.db: No thread available

      27-May-15 04:40:09.780 (notification (default[#20765])) Infra.AsyncNotification.NotificationTask: [Error] Failed to post class Balash::Notifications::Detection::NBNameObservedNotification, error: No thread available

      27-May-15 05:40:44.349 ([#1]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 05:40:44.349 ([#2]) Sniffer.Sink.PacketSink: [Error] No thread available

      27-May-15 05:40:51.271 ([#1]) Sniffer.Sink.PacketSink: [Error] No thread available


      Any thoughts?


      Thanks!
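As an added example (not from the post and not McAfee code), a small Python parser for the balash.log line format quoted above: it counts [Error] lines per component and groups the errors into time bursts, so the burst windows can be lined up against the firewall's record of the outbound UDP 65534 flows. The sample lines are copied from the post's second example; the 5-minute grouping gap is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Line layout of the balash.log excerpts quoted in the post:
#   dd-Mon-yy HH:MM:SS.mmm (<context>) <Component>: [<Level>] <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\((?P<ctx>.*?)\) (?P<component>[\w.]+): \[(?P<level>\w+)\] (?P<msg>.*)$"
)

# Sample input: seven lines copied verbatim from the post's second example.
SAMPLE_LOG = r"""
27-May-15 00:34:10.341 (notification (default[#20291])) Infra.Database.DatabaseSubsystem: [Error] Cannot get DB session for C:\Program Files (x86)\McAfee\RSD Sensor\sensor.db: No thread available
27-May-15 00:34:10.341 (notification (default[#20291])) Infra.AsyncNotification.NotificationTask: [Error] Failed to post class Balash::Notifications::Detection::AddressObservedNotification, error: No thread available
27-May-15 00:34:35.357 ([#1]) Sniffer.Sink.PacketSink: [Error] No thread available
27-May-15 00:34:48.170 ([#2]) Sniffer.Sink.PacketSink: [Error] No thread available
27-May-15 01:35:20.941 ([#2]) Sniffer.Sink.PacketSink: [Error] No thread available
27-May-15 01:35:39.190 (notification (default[#20430])) Infra.Database.DatabaseSubsystem: [Error] Cannot get DB session for C:\Program Files (x86)\McAfee\RSD Sensor\sensor.db: No thread available
27-May-15 02:36:55.200 ([#1]) Sniffer.Sink.PacketSink: [Error] No thread available
"""

def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%y %H:%M:%S.%f")
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def error_counts(records):
    """[Error] lines per component, so the noisiest subsystem stands out."""
    return Counter(r["component"] for r in records if r["level"] == "Error")

def find_bursts(records, gap=timedelta(minutes=5)):
    """Group error timestamps closer than `gap` (assumed 5 min) into
    (first, last, count) bursts; compare these windows with firewall
    records of the outbound UDP traffic described in the post."""
    bursts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if bursts and r["ts"] - bursts[-1][1] < gap:
            first, _, n = bursts[-1]
            bursts[-1] = (first, r["ts"], n + 1)
        else:
            bursts.append((r["ts"], r["ts"], 1))
    return bursts
```

Running `find_bursts(parse_log(SAMPLE_LOG))` on the sample yields three bursts whose start times are a little over an hour apart, which is the spacing visible in the quoted log.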