Alert fails when 2 of 3 criteria are met

I am using the default "Alert me when a rogue MAC address appears on the network" alert.

My understanding is that it should go off when the MAC address of a device is not in our white list. I have a device that passes the DNS and IP address rules just fine and is not in any of our White Lists. The device gets put in the Rogue Devices list, but the alert does not trigger. When I go to the Manage White list and do the "Test a device against all inclusion rules" with the MAC address, it says the MAC address passes because it has passed the DNS rule. I'm completely confused on this. Any idea where I should start?

Thank you

Hi Joe,

Did you disable those rules provided by default which are excluding all IPs/MACs/Hostnames from being considered rogue? That, once you created your custom white-lists, should be the first step. Then, if the new MAC alert wasn't created, couldn't it be that it wasn't actually new and already in the database of UDT?

Peter

The default rules are disabled; only my white lists are enabled. This happens on a machine that we just took out of the shipping box and plugged into the network. I've noticed one more thing. I am getting alerts on devices whose IP is in my ignore list.

So you did see the device connected in UDT and yet didn't receive any alert? The way the whitelist works is that each of the variables - MAC/IP/Hostname - needs to be added manually, otherwise you get an alert. Couldn't it be that while the IP was on the ignore list, the respective MAC/Hostname wasn't?

The device appeared in my Rogue Devices list, but did not generate an alert.  The IP that it received is not one of the ones on my ignored list.  The device passed the IP and hostname rules, but should be failing on the MAC rule.

Ok, that's weird. Could you please open a support ticket so it can be investigated properly by the dev team?

Peter
