cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
boschind
Level 10
Report Inappropriate Content
Message 1 of 4
‎05-30-2017 08:34 AM

ePO 5.3.2 - RSD 5.x - oui sensor scanning list ignored

Jump to solution

hello , i'm trying to instruct RSD sensors to not probe a list of OUIs

00000C,000048,00005E,000074,000085,000145,00016C,000187,0001E6,0001F0,000345,000349,00034A,000364,000400,00051E,000533,00074D,000830,000896,

00089B,0008A2,0008E3,0008EF,00090F,000A83,000A8A,000AB0,000AB8,000AF6,000BAB,000BBE,000C85,000D29,000D5A,000DBC,000DED,000E4B,000E7F,000F24,

000F90,000FB6,001018,001023,0010BE,0010F3,00113B,00115C,00115F,001185,001193,00127F,001280,0012AA,0012D9,0012DA,001319,001321,001348,00137F,0013C3,00

13FA,00146A,001570,001599,001708,001723,001759,00175A,001794,001795,001818,001873,001885,0018AE,0018B9,0018BA,0018FE,001906,00192F,001955,001956,

001970,0019AA,001A2F,001AD4,001B2A,001B82,001C0E,001C57,001C58,001DA2,001E13,001E37,001EBE,001EC0,001ECC,001F9E,00204A,00206B,0020BE,0020C2,

002156,00215A,0021A0,0021A1,0021D8,00220D,0022F3,002324,002333,002368,002413,002414,002477,002498,0024C4,002536,002546,0025B3,00260B,002652,

002655,002673,002698,002699,0026CA,0026CB,0027F8,00351A,00402C,00409D,0040AF,0040C1,0041D2,004268,005017,005027,005060,0050B6,0050C2,00562B,

0057D2,005F86,006003,006016,0060E9,0060EF,0062EC,006CBC,007686,008067,008087,008091,00809F,0080E5,008731,008CFA,008E73,00901E,0090C2,0090E8,

00A034,00A058,00A0B8,00A0F8,00A2EE,00AF1F,00C0EE,00CDFE,00D02D,00D089,00D0D9,00E04B,00E08A,00E0D8,00E16D,00EBD5,00FEC8,042AE2,044BED,

046C9D,04FE7F,08000E,0821EF,085B0E,0894EF,08D09F,08ECA9,08EE8B,08FD0E,0C5101,0CD746,1005CA,149A10,14B484,182666,18A6F7,18E3BC,18E728,18EF63,

1C1AC0,1C6A7A,1CE85D,204C9E,206274,242642,24B657,24DBED,285261,286336,288023,28A02B,2C3033,2C3F38,2C86D2,2CAE2B,300ED5,30E171,30F70D,34145F,

381C1A,382056,38256B,38CADA,38F23E,3CCE73,406C8F,4083DE,408805,40B395,442A60,44D3CA,481214,48137E,483C0C,484BAA,485073,48D705,4C11BF,4C4E35,

4C6641,50C8E5,549F13,54A274,5835D9,586D8F,587F57,5897BD,58F39C,5C0E8B,5CA86A,5CB901,60735C,649EF3,64A0E7,64BC0C,64E950,680571,684898,68B599,

68BC0C,6C9CED,6CFA89,705A0F,70700D,708105,70CA9B,741BB2,7467F7,74A2E6,784F43,78ACC0,78D75F,78DA6E,78F882,7C1EB3,804E81,80717A,80EA96,80EE73,

84248D,84B153,84B261,888322,88908D,88ADD2,88F031,8C1ABF,8C8EF2,901B0E,90A2DA,94E96A,98DED0,98E7F4,9C4E20,9CAFCA,9CE6E7,A08CFD,A0D795,A408EA,

A4BA76,A89FBA,A8B1D4,A8C83A,ACA016,B0C559,B0E892,B47443,B499BA,B4C799,B4E1C4,B857D8,B8621F,B8BEBF,BC5436,BC671C,BCC493,BCD1D3,BCF1F2,C01173,

C0626B,C067AF,C4143C,C4B301,C80084,C8D3FF,CC167E,CC46D6,CCC3EA,CCD8C1,D0A637,D0C282,D0D0FD,D40B1A,D81D72,D85B2A,D8CB8A,DC4A3E,DCD916,

E0F847,E4C722,EC107B,EC1F72,EC8EB5,EC9BF3,ECB1D7,ECE1A9,F025B7,F05B7B,F40F1B,F41FC2,F431C3,F84ABF,F84F57,FC0A81,FC15B4,FC3FDB,FCE998,

FCF528

in fact the sensors seems to ignore the list and still probe devices on subnets belonging to those OUIs

any suggestion ?

thanks

regards

0 Kudos
Reply
1 Solution

Accepted Solutions
boschind
Level 10
Report Inappropriate Content
Message 4 of 4
‎06-23-2017 03:17 AM

Re: ePO 5.3.2 - RSD 5.x - oui sensor scanning list ignored

Jump to solution

hello

by chance i think i fixed the problem by myself.

i was reviewing RSD policy again, and checking the prod guide.


as shown below , in the communication tab i changed from 5 to 10min the fist two fileds

then i selected "use local sensor election" and "All sensor active" as somehow suggested in the guide.

even if these changes seems not having anything in relation with the OUIs exclusion, the fact is that now the exclusion is working....

not sure if you have an explanation for this, but anyway...


thanks

regards

View solution in original post

0 Kudos
Reply
3 Replies
boschind
Level 10
Report Inappropriate Content
Message 2 of 4
‎06-14-2017 01:48 AM

Re: ePO 5.3.2 - RSD 5.x - oui sensor scanning list ignored

Jump to solution

hello is anyone successfully implementing RSD ?

we have epo 5.3.2 agents 5.0.5 and rsd sensors 5.0.5 - but as outlined above we are in trouble in excluding a long list of OUIs that we identified as non-PC devices (printers , routers , bar code readers and other IoT devices)

thanks in advance for cooperation

0 Kudos
Reply
boschind
Level 10
Report Inappropriate Content
Message 3 of 4
‎06-22-2017 01:12 AM

Re: ePO 5.3.2 - RSD 5.x - oui sensor scanning list ignored

Jump to solution

hello - i opened a case to mcafee support on 16 jun.

they requested as usual the MER reports from one system that is acting as RSD sensor - but unfortunately they say they are not able to understand where is the problem and are requesting more....

"I checked the MER and I can only see one single line in balash.log (that's the RSD log):

18-Jun-17 04:13:42.180 (2608 : 3 : Pcap Subsystem[#1]) Sniffer.Sink.PacketSink: [Error] No thread available

Not enough information to continue troubleshooting i'm afraid..

Can you please do the following to collect more information:

1. Enable Log Level 8 on the ePO server:

McAfee Corporate KB - How to enable Log Level 8 for ePolicy ...
https://kc.mcafee.com/corporate/index?page=content&id=KB56207

2. For RSD, enable Log All messages in the policy:
Log File Settings policy configuration under the General tab > select Log all messages

3. Remove from system tree the devices that should not have been detected (any of the excluded) and wait until the issue reproduces

4. Collect MER from ePO and MER from the RSD sensor system.

5. Send us a few example names of devices that were wrongly added

We will continue the investigation once we have the complete data and get back to you with an update."

has anyone else in the community has this RSD setting working as designed ?

thanks in advance for cooperation

0 Kudos
Reply
boschind
Level 10
Report Inappropriate Content
Message 4 of 4
‎06-23-2017 03:17 AM

Re: ePO 5.3.2 - RSD 5.x - oui sensor scanning list ignored

Jump to solution

hello

by chance i think i fixed the problem by myself.

i was reviewing RSD policy again, and checking the prod guide.


as shown below , in the communication tab i changed from 5 to 10min the fist two fileds

then i selected "use local sensor election" and "All sensor active" as somehow suggested in the guide.

even if these changes seems not having anything in relation with the OUIs exclusion, the fact is that now the exclusion is working....

not sure if you have an explanation for this, but anyway...


thanks

regards

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC