
Rogue Alerts Issues with UDT

We have recently implemented Rogue alerts in UDT. This is notifying us of items showing up as Rogue devices, those that are not in our approved MAC address white list.

The only problem is that we keep getting Rogue Alerts for devices that are already in our whitelist. For example, we've been installing new printers at several locations. This morning I installed a new one; a few hours later we got a rogue alert for that device (working as designed), but we also got 5 additional alerts for printers that we had already installed. We had already acknowledged those printers' rogue alerts, and those printers were already in the whitelist. For a few weeks I thought this was just a fluke, but it has occurred numerous times, to the point where my staff is spending more time searching for invalid alerts than valid alerts.

Is anyone using Rogue alerts? Have you seen similar problems to this?

The potential for this feature in UDT, especially as far as the SANS controls go, is great. However, the barriers to getting it to work seem great as well.

  • I wanted to post some more information; maybe someone can help me figure out what our issue might be.

    Monday, August 6th, 10:49am CT four Rogue Alerts came into our Email:

    [screenshot of the alert emails]

    I went to UDT at 10:57pm and observed that there were four Active Alerts for the MAC IDs below:

    **:**:**:**:F2:A4
    **:**:**:**:75:4E
    **:**:**:**:91:27
    **:**:**:**:19:CA

    [screenshot of the Active Alerts list]

    I went to the MAC whitelist that we are using and verified that three of the four MAC addresses were already in our whitelist. MAC ID **:**:**:**:19:CA was not in the whitelist, so I added it.

    [screenshot of the MAC whitelist]

    I proceeded to acknowledge all four of these alerts.

    Anybody seen anything similar to this?

    Actually, is anyone using Rogue Alerts at all?

  • Are the nodes that are causing the false positive alerts connecting to your network via a different method than your other nodes, e.g. through WiFi?

  • These are all on Cisco switches, we do not have any WiFi devices on our network. The devices in this example are a printer, a laptop, a security camera, and a VM.

  • I do believe you are in need of an update, per SolarWinds:

    Whitelisted items still show as Rogue devices - SolarWinds Worldwide, LLC. Help and Support

    If I am reading this correctly, the issue should be resolved with UDT 3.3. If you are running 3.3 or 3.3.1, then something may have happened with the installer. I would check to make sure all your key services are present and possibly run a repair on the install if you are on 3.3 or later.

    If a repair (and Configuration Wizard run) with 3.3 does not fix the issue then a support case may be in order to determine what is the underlying cause.

    -CharlesH

    Loop1 Systems: SolarWinds Training and Professional Services

  • I've seen this article; we've been on 3.3.1 since June, and we were on 3.3 before that. The problem we are having is rogue alerts being created: the devices are not showing as Rogue Devices, but an alert is being generated as if they were.

    Typical timeline:

    1 - we add a device to our network that has a unique MAC ID that is not in our Whitelist

    2 - a few hours later (depending on polling time) we get anywhere from 4 - 15 Rogue Alerts (the above example was 4)

    3 - we check UDT and only one device of the MAC addresses from the alerts is listed as a Rogue Device.

    4 - however, 4 - 15 Rogue Alerts are listed (the above example was 4)

    5 - check whitelist and all but 1 of the alerts have a MAC that is not in our whitelist

    We've opened a ticket with support. So far we've just rebuilt the alert and are waiting to see if that fixes the issue.
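    As an added triage aid (not part of this thread, and not SolarWinds or UDT code), the script below cross-checks a batch of rogue-alert MACs against an exported whitelist the way steps 3 to 5 above are done by hand, so that alerts whose MAC is already approved are flagged as suspect duplicates instead of being chased individually. It assumes the alerts and the whitelist can be exported as text; the alert IDs, the MACs (locally administered 02:... addresses) and the whitelist contents are constructed sample data. The MAC normalization step is a defensive assumption of the example, since formatting or case differences between sources are a common reason for a whitelist check to miss; the thread does not identify that as the cause here.

```python
"""Cross-check rogue alerts against a MAC whitelist (added example, not UDT code)."""
import re

# Constructed sample whitelist, deliberately mixed in separator and case.
WHITELIST_TEXT = """\
# approved devices (constructed sample data)
02:00:00:00:F2:A4
02-00-00-00-75-4e
0200.0000.9127
"""

# Constructed sample alert feed: (alert_id, MAC as reported by the alert).
ALERTS = [
    (1001, "02:00:00:00:F2:A4"),
    (1002, "02:00:00:00:75:4E"),
    (1003, "02:00:00:00:91:27"),
    (1004, "02:00:00:00:19:CA"),  # the one genuinely new device
]


def normalize_mac(mac: str) -> str:
    """Return the canonical form AA:BB:CC:DD:EE:FF.

    Accepts colon, hyphen, dotted (Cisco) and bare 12-hex-digit forms in
    either case; raises ValueError for anything that is not 12 hex digits.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_whitelist(text: str) -> set:
    """Parse a whitelist export: one MAC per line, '#' comments ignored."""
    approved = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        approved.add(normalize_mac(line))
    return approved


def triage_alerts(alerts, whitelist):
    """Split alerts into genuinely new rogue MACs, MACs that are already
    approved (candidate false positives to raise with support), and
    entries whose MAC could not be parsed at all."""
    result = {"new_rogue": [], "already_whitelisted": [], "unparseable": []}
    for alert_id, mac in alerts:
        try:
            canon = normalize_mac(mac)
        except ValueError:
            result["unparseable"].append((alert_id, mac))
            continue
        bucket = "already_whitelisted" if canon in whitelist else "new_rogue"
        result[bucket].append((alert_id, canon))
    return result


if __name__ == "__main__":
    approved = load_whitelist(WHITELIST_TEXT)
    for bucket, items in triage_alerts(ALERTS, approved).items():
        print(f"{bucket}: {items}")
```

    Run against the sample data, alert 1004 is the only entry in the new-rogue bucket; the other three land in already_whitelisted, which is exactly the set worth attaching to a support case as evidence of alerts firing for approved devices.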

  • Interesting. So which Rogue alerts do you have enabled? And which ones specifically are coming through in these instances?

    MAC, IP, DNS?

    In any of these events, do the MACs end up being from the same device?