Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
626
Views
0
Helpful
4
Replies

Troubleshooting the Sensor

dbobeldyk
Level 1
Level 1

‎03-19-2002 01:34 PM - edited ‎03-08-2019 10:06 PM

Anyone have any good steps to troubleshoot that your sensor is picking up the signatures properly? I tried firing off a few things that I thought my sensor would alarm on, but no dice.

The CSPM software states that the connection is established. The alarms I'm seeing are route up, route down and postOffice Initial Notification messages, but no other ones.

I have a signature template it's looking at.

I did a snoop on the interface and see that the monitoring interface is indeed seeing network traffic.

I guess I'm basically looking for a list of things to run down to see if I can find what the problem is.

Any help would be appreciated.

-Denny

P.S. I'm trying to view my sensor events by clicking on 'View Sensor Events', then 'Database', then choosing the default start and stop times.

Labels:
0 Helpful
4 Replies 4

pbobby
Level 1
Level 1

‎03-19-2002 01:44 PM

I know exactly what your problem is. I bet it's a brand new sensor, or at least a brand new install right?

Type "nrstatus", is nr.packetd running? I suspect not.

After a new install, or 'out of the box' the packetd daemon (the one that captures based on the signatures) does not run by default.

You need to configure it using director or cspm and the configuration is updated for you so that the daemon gets started.

Or you can manually edit /usr/nr/etc/daemons and add nr.packetd in to the list of daemons that get started on your sensor.

0 Helpful

eric369
Level 1
Level 1

‎03-19-2002 05:05 PM

Make sure you are plug the monitoring interface of the sensor to either a hub or a switch with SPAN port enabled. I had this problem before when I just plug in to a catalyst switch without enableing SPAN port or turn on port-monitoring . Hope this will help.

0 Helpful

dbobeldyk
Level 1
Level 1
In response to eric369

‎03-20-2002 09:32 AM

packetd wasn't running, you were right on! The odd thing was I had the sensor installed earlier and it was running....

I wonder if sysconf-sensor or something else I did disabled it somehow... Odd...

I still haven't found a good troubleshooting document, I'll see if I can work up something and post it to get some good feedback on it.

Thanks for the help!

-Denny

0 Helpful

kleem
Cisco Employee
Cisco Employee
In response to dbobeldyk

‎03-20-2002 10:17 AM

Your problem was probably caused by running sysconfig-sensor. When sysconfig-sensor runs, it re-initializes all the configuration files (packetd is not run by default). Packetd is enabled when the management application pushes a configuration to the Sensor.

0 Helpful
Customers Also Viewed These Support Documents