3 Replies Latest reply on May 6, 2015 2:42 PM by milstateit@mil.wa.gov

    UDT Safelist

    milstateit@mil.wa.gov

      Hello all,


      I am not quite sure how to go about getting an accurate depiction of my network through the use of UDT. Since not every device on the network is monitored as a node (1000+) not all of them have a hostname associated with them but rather a MAC and IP. In an effort to avoid whitelisting everything, I created a few additional rules to whitelist items that match up with our naming conventions. This still leaves the hostname-less devices out there and as far as I understand it, a device must pass a hostname, MAC, and IP rule to be automatically whitelisted.


      In addition to some devices not having a hostname, many of the MAC addresses that are popping up in the rogue device list are actually MAC addresses assigned to specific ports on different switches. This effectively is creating a false positive for us since that switch is already monitored but is still populating several "rogue" devices. Is there a way to clean this up? Or is there a way to whitelist everything that is seen at this moment and have that as sort of a "baseline" for the network?


      Thanks in advance!

        • Re: UDT Safelist
          michalB

          It is possible, but it requires you to have access to your database. Keep the default rules on, and create a new Custom rule. Specify the Target as MAC Address, and fill the content with the MAC Addresses you get by running this query:


          SELECT distinct MACAddress FROM [dbo].[UDT_Endpoint]


          You can use Database Manager to get the results, it is installed with UDT and you will find it in the Start menu in the SolarWinds Orion\Advanced Features folder.


          If you have a huge number of MAC Addresses, the website may throw some errors about page content length, so you actually may want to slice the list and create multiple such rules. I tested this with around 700 devices and it worked for me.


          Once the rules are created, delete or disable the "Any MAC Address" rule. Keep the "Any IP Address" and "Any Hostname" rules enabled.


          This will create the baseline. If a new MAC is detected and it doesn't fit the baseline, it will be marked as Rogue.
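An added helper, not from this thread or from SolarWinds, for turning the output of that query into the per-rule MAC lists the reply describes and for checking later observations against the resulting baseline. The sample rows and the per-rule chunk size are assumptions; the reply only reports that around 700 addresses in one rule worked.

```python
import re

# Constructed sample of what "SELECT distinct MACAddress FROM [dbo].[UDT_Endpoint]"
# might return. Not real data; formats vary with how each MAC was recorded.
SAMPLE_QUERY_ROWS = [
    "00:1A:2B:3C:4D:5E",
    "00-1a-2b-3c-4d-5e",   # same MAC, different separator and case: must collapse
    "001a.2b3c.4d60",      # dotted-quad style, as some switches report it
    "AA:BB:CC:DD:EE:FF",
    "not a mac",           # junk row, skipped
]

TWELVE_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or None if it is not 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not TWELVE_HEX.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def build_baseline(rows):
    """Deduplicated, sorted safelist built from the query output."""
    return sorted({m for m in map(normalize_mac, rows) if m})


def chunk_for_rules(baseline, per_rule=500):
    """Slice the baseline so each custom rule gets at most per_rule addresses.
    per_rule=500 is an assumed limit chosen to stay under the page-length errors
    the reply mentions; tune it to what your Orion website accepts."""
    return [baseline[i:i + per_rule] for i in range(0, len(baseline), per_rule)]


def classify(observed_mac, baseline):
    """'baseline' if the MAC is safelisted, 'rogue' if unseen, 'invalid' if unparsable."""
    mac = normalize_mac(observed_mac)
    if mac is None:
        return "invalid"
    return "baseline" if mac in set(baseline) else "rogue"


if __name__ == "__main__":
    base = build_baseline(SAMPLE_QUERY_ROWS)
    for n, rule in enumerate(chunk_for_rules(base, per_rule=2), start=1):
        print(f"Custom rule {n}: {', '.join(rule)}")
    print(classify("00-1a-2b-3c-4d-5e", base), classify("11:22:33:44:55:66", base))
```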