Rogue computers ratio - empty

[bbahes 29]

I've installed Rogue Detection Sensor on Ubuntu 14.04. server using 3.7 Component installation on Linux.

However there are no computers detected but ERA server itself.

 

Can someone from support suggest what should I do?

 

Thanks.

[bbahes 29]

Just a hint, maybe It won't show any "rogue" client since I haven't loaded license?

 

UPDATE: I've added license key, but still ERA does not detect any client on network. Could it be that I have to make changes to iptables?

Edited April 20, 2015 by bbahes

[chris375 0]

Exactly the same issue here! On the machine, where the ERA Rogue Detection Sensor is installed, there's the following line in the Agent Logfile:

 

2015-04-20 06:13:51 Error: CSystemConnectorModule [Thread 7f06377f6700]: Failed to get system update state
 

I've already reinstalled the agent.

[chris375 0]

Basically, the Detection seems to be working, at least the Detection Log is filled:

 

2015-04-20 06:26:01 Trace: PC Detection [Thread 7f217c3f9700]: Computer with IPv4: 192.168.1.70
2015-04-20 06:26:02 Debug: OSDetector: 192.168.1.93 [Thread 7f215b7fe700]: Time is up!
2015-04-20 06:26:02 Debug: OSDetector: 192.168.1.93 [Thread 7f215b7fe700]: 0 returned probes out of 12
2015-04-20 06:26:02 Warning: CInfoWorker [Thread 7f215b7fe700]: Info Worker warning: OS Detection on 192.168.1.93 failed: Not enough probes returned
 

[bbahes 29]

It would appear this is still BUG on Linux distributions.

 

There is KB Solution ID: SOLN3674 and on the bottom of page it says:

 

 

I have installed ESET Rogue Detection Sensor in my virtual environment, but rogue computers are not detected—how can I resolve this issue?
Early builds of ESET Rogue Detection Sensor (RD Sensor) had a known issue that prevented them from finding rogue computers when RD Sensor was installed on a virtual machine. This issue has been resolved in version 6.1.28 and later of RD Sensor, released Feb. 25th, 2015. Visit the ESET Rogue Detection Sensor download page to get the latest version of RD Sensor.

 

 

My Ubuntu 14.04. is virtual machine...any update from support?

[chris375 0]

I've just downloaded the Agent a few days ago, it's version 6.1.450.0. So this bug shouldn't appear anymore ... ?????

[bbahes 29]

I've just downloaded the Agent a few days ago, it's version 6.1.450.0. So this bug shouldn't appear anymore ... ?????

 

It's Rogue Detection Sensor 1.0.728.0 for Linux distributions that's in question, not Agent.

[chris375 0]

Of course, I've installed both. Agent and Detection Sensor in the same VM.

[bbahes 29]

Of course, I've installed both. Agent and Detection Sensor in the same VM.

 

Yes but only RD Sensor appears to be having problem. They've apparently only fixed Windows version. Not Linux.

[chris375 0]

Four hours ago I've asked ESET support, but I got no reply yet.

[bbahes 29]

Four hours ago I've asked ESET support, but I got no reply yet.

 

We can only wait for them to reply.

My luck is that I'm just testing v6 for now.

[Marcos 5,073]

Yes but only RD Sensor appears to be having problem. They've apparently only fixed Windows version. Not Linux.

 

The bug didn't affect Windows systems. Are those undetected computers in the same network with no firewall between computers and virtual appliance? Also just to make sure, SELinux is disabled, isn't it?

[bbahes 29]

 

Yes but only RD Sensor appears to be having problem. They've apparently only fixed Windows version. Not Linux.

 

The bug didn't affect Windows systems. Are those undetected computers in the same network with no firewall between computers and virtual appliance? Also just to make sure, SELinux is disabled, isn't it?

 

 

It's just Ubuntu server 14.4.2 LTS guest on Hyper-V 2012 host. Windows guest detected all Machines on network.

I can Access network and Internet from Ubuntu guest ping and ping any host on network.

SELinux was enabled. I disabled it. Restarted server and only era is in detected list. So far...

[chris375 0]

 

Yes but only RD Sensor appears to be having problem. They've apparently only fixed Windows version. Not Linux.

 

The bug didn't affect Windows systems. Are those undetected computers in the same network with no firewall between computers and virtual appliance? Also just to make sure, SELinux is disabled, isn't it?

 

They're in the same network. There's no firewall between. In /var/log/eset/RogueDetectionSensor/trace.log scans are logged.

 

SELinux isn't enabled. The VM is Debian Jessie.

[chris375 0]

 

Of course, I've installed both. Agent and Detection Sensor in the same VM.

 

Yes but only RD Sensor appears to be having problem. They've apparently only fixed Windows version. Not Linux.

 

 

I don't know if this is a RD Sensor or Linux-Agent problem. At least, there are some errors in the agent-logfile. Maybe they help to narrow down the issue:

 

2015-04-22 06:11:31 Error: CSystemConnectorModule [Thread 7f06377f6700]: Failed to get system update state

2015-04-22 07:01:26 Error: CRDSensorConnectorModule [Thread 7f06367f4700]: IPCClientConnector: Data received callback, errCat: Generic, errCode: 103, errMsg: Connection aborted, clientState: Disconnecting, receivedBytes: 0

2015-04-22 07:39:30 Error: CReplicationModule [Thread 7f0634de6700]: CReplicationManager: Failed to start replication, connection for replication link '00000000-0000-0000-7007-000000000001' (Automatic replication (OUT_OF_ORDER)) is already pending

 

[chris375 0]

I've already tried reinstalling the agent as suggested in Topic 4048 but this didn't change anything. The VM with rogue detection service is shown in the console with a green checkmark.

 

According to status.html Agent replication is working, so maybe it's a RD issue?

Edited April 22, 2015 by chris375

[bbahes 29]

I've already tried reinstalling the agent as suggested in Topic 4048 but this didn't change anything. The VM with rogue detection service is shown in the console with a green checkmark.

 

According to status.html Agent replication is working, so maybe it's a RD issue?

 

Same here.

[chris375 0]

@bbahes: I've turned the VM network interface into promiscuous mode. The KVM-Host Bridge also. The packages are shown in tcpdump, but the RD Sensors isn't working. I wonder what else the difference between a VM and a physical machine could be.

 

The German Support isn't answering anymore. They don't seem to have a solution.

[bbahes 29]

I have tried that too, but didn't look at tcpdump output. RD Sensor still didn't work.

I have feeling it has something to do with supported OS version, as you can see on attached image.

 

 

[bbahes 29]

Will someone from support comment this?

Is this a bug or are we doing something wrong?

[bbahes 29]

*bump*

[michalp 20]

From the RDSensor detection log that chris375 posted, it seems that OS detection probes are not returning. If OS can not be detected for a network device, then it won't be sent to ERA as a computer. Idea was that network devices (printers, routers) should be filtered out.

 

RDSensor was compiled with libpcap version 1.3.0, please verify that you have this version installed on your system. Second requirement is bridged network from virtual machine where RDSensor is installed. If all those requirements are met, you can try to run nmap with OS detection (hxxp://nmap.org/book/osdetect-usage.html) to see whether it can detect OS on some computer. If not then RDSensor will no be able to that too.