EDR: Change Server IP or Domain Name Address (Single Node)

Environment

  • EDR (Formerly CB Response) Server: 5.x and Higher

Objective

Change the IP address or Domain Name of a Single Node EDR Server.

Resolution

  1. Change the Sensor Group URL
    a. Open the WebUI, then navigate to Administration > Sensors and select Edit Settings
    b. Change the Server Address to the new address, keeping the same port number
    c. Repeat step b for each sensor group, if more than one exists
    d. Allow at least 10 minutes for online sensors to pick up the URL change
  2. Update the Server from the Command Line
    a. Begin only after all online sensors have checked in
    b. Stop the EDR services:
service cb-enterprise stop
    c. Change the server's IP address or hostname using the normal OS commands for configuring the network interface and DNS
    d. Start the Postgres service so the stored sensor address can be updated to the new EDR Server address. In 7.4.0 and later product versions:
/usr/share/cb/cbservice cb-pgsql start
       In product versions prior to 7.4.0:
service cb-pgsql start
    e. Update the stored address. In 7.5.0 and later product versions:
psql -d cb -p 5002 -c "UPDATE cluster_node_sensor_addresses SET address='<NEW ADDRESS>' WHERE id=0;"
       In product versions prior to 7.5.0:
psql -d cb -p 5002 -c "UPDATE cluster_node_sensor_addresses SET address='<NEW ADDRESS>' WHERE node_id=0;"
    f. Stop the Postgres service. In 7.4.0 and later product versions:
/usr/share/cb/cbservice cb-pgsql stop
       In product versions prior to 7.4.0:
service cb-pgsql stop
    g. Update the iptables/firewalld rules to the new IP. If the CB-managed firewall is in use, run:
/usr/share/cb/cbcheck firewall -a
    h. Start the EDR services:
service cb-enterprise start
    i. Check /etc/cb/cluster.conf and confirm that host= matches the new IP address, unless it is set to localhost
  3. Update Remaining Sensors. Any sensors that did not check in before the server address was changed must have their SensorBackendServer setting modified manually:
    a. On Windows this is located at HKLM\SOFTWARE\CarbonBlack\config\SensorBackendServer
    b. On macOS and Linux this value is stored in /var/lib/cb/sensorsettings.ini
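The server-side steps of the procedure above, wrapped into one script as an added example (this is not code from the article or from the product). It picks the cb-pgsql service command and the SQL key column by product version, refuses a new address that carries a scheme, port or path (those would end up inside every sensor's check-in URL), and with DRY_RUN=1 prints each command instead of running it. The version argument, the DRY_RUN variable and the address validation rule are this example's own assumptions; the product version is not auto-detected, and the network reconfiguration of step 2c is left manual.

```shell
#!/usr/bin/env bash
# Added example, not from the article: version-aware wrapper for the
# server-side steps. Usage: change_edr_address.sh <edr-version> <new-address>
# DRY_RUN=1 (the default when run from the command line) prints each command
# instead of running it. Version argument and DRY_RUN are assumptions here.
set -eu

# version_ge A B: succeed when dotted version A >= B (missing parts count as 0).
version_ge() {
    local a="$1." b="$2." x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# cb-pgsql is driven by cbservice from 7.4.0 on, by service before that.
pgsql_cmd() {   # $1 = version, $2 = start|stop
    if version_ge "$1" 7.4.0; then
        echo "/usr/share/cb/cbservice cb-pgsql $2"
    else
        echo "service cb-pgsql $2"
    fi
}

# The key column of cluster_node_sensor_addresses is id from 7.5.0, node_id before.
update_sql() {   # $1 = version, $2 = new address
    local col=node_id
    version_ge "$1" 7.5.0 && col=id
    printf "UPDATE cluster_node_sensor_addresses SET address='%s' WHERE %s=0;" "$2" "$col"
}

# Accept a bare hostname or IPv4 address only (assumed rule): a scheme, port or
# path here would be pushed into every sensor's check-in URL.
valid_address() {
    case "$1" in
        ""|*://*|*:*|*/*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9.-]+$'
}

# Run a command, or only show it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

change_server_address() {   # $1 = version, $2 = new address
    local sql
    valid_address "$2" || { echo "refusing address: $2" >&2; return 1; }
    sql="$(update_sql "$1" "$2")"
    run service cb-enterprise stop
    # Step 2c (network interface / DNS change) is deliberately left manual.
    run $(pgsql_cmd "$1" start)          # word-split on purpose
    run psql -d cb -p 5002 -c "$sql"
    run $(pgsql_cmd "$1" stop)
    run /usr/share/cb/cbcheck firewall -a
    run service cb-enterprise start
    # Step 2i: show the host= line so it can be compared with the new address.
    grep -E '^host=' /etc/cb/cluster.conf 2>/dev/null || true
}

if [ "$#" -ge 2 ]; then
    DRY_RUN="${DRY_RUN:-1}" change_server_address "$1" "$2"
fi
```

Run it first with the default dry run and compare the printed commands against the steps above; only then set DRY_RUN=0. The address check is intentionally strict: the article keeps the port in the sensor group setting, so the value stored in cluster_node_sensor_addresses should be the host only.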

Additional Notes

  • Allow 10 minutes to 1 day after changing the sensor group setting in step 1 before continuing. All endpoints need to check in first to pull down the new server address. Any offline endpoints that do not check in will need either the sensor reinstalled or the SensorBackendServer setting (the registry on Windows) edited to point to the new server.
  • Warning: Verify the sensor check-in URL and port before saving the sensor group setting. A sensor checks in using the old address the server is currently on, receives the new setting and stores it locally (in the registry on Windows). Its next check-in goes to the new URL and port; no further attempts are made to connect to the old address. If the setting is entered incorrectly, the only ways to recover are to bring the server up at that incorrect address or to perform Step 3 on every sensor. Changing the group setting back in the UI only helps sensors that have not yet checked in; all others will not have the setting reverted automatically.
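For Step 3 on macOS and Linux sensors, and for the manual-edit case the notes above describe, an added example (not code from the article or from the sensor) that rewrites only the host portion of the SensorBackendServer line in sensorsettings.ini, keeping the scheme and port and leaving a .bak copy of the original. It assumes the line has the form SensorBackendServer=https://<host>:<port>, which is this example's assumption and should be confirmed on a live sensor before it is run as root against /var/lib/cb/sensorsettings.ini; the sample file in the demo is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the article or the sensor: repoint a macOS/Linux
# sensor that missed the check-in window by editing sensorsettings.ini.
# Assumed line format (verify on a real sensor): SensorBackendServer=https://<host>:<port>
set -eu

# repoint_sensor INI NEW_HOST: replace only the host part of the
# SensorBackendServer line, keep scheme and port, leave INI.bak behind.
repoint_sensor() {
    local ini="$1" host="$2" tmp
    tmp="$(mktemp)"
    awk -v host="$host" '
        /^SensorBackendServer=/ {
            url = substr($0, index($0, "=") + 1)
            scheme = ""; port = ""
            if (match(url, /^[A-Za-z]+:\/\//)) {   # keep "https://" if present
                scheme = substr(url, 1, RLENGTH)
                url = substr(url, RLENGTH + 1)
            }
            if (match(url, /:[0-9]+$/)) {           # keep ":443" if present
                port = substr(url, RSTART)
            }
            print "SensorBackendServer=" scheme host port
            next
        }
        { print }   # every other line is copied unchanged
    ' "$ini" > "$tmp"
    cp -p "$ini" "$ini.bak"
    cat "$tmp" > "$ini"      # overwrite in place so owner and mode are kept
    rm -f "$tmp"
}

# current_backend INI: print the configured backend URL.
current_backend() {
    sed -n 's/^SensorBackendServer=//p' "$1"
}

# demo: run the edit against a constructed sample file and print the new URL.
demo() {
    local f; f="$(mktemp)"
    printf '%s\n' '[Sensor]' 'SensorBackendServer=https://10.0.0.4:443' 'SensorGroup=Default' > "$f"
    repoint_sensor "$f" edr.example.com
    current_backend "$f"
    rm -f "$f" "$f.bak"
}

if [ "$#" -ge 2 ]; then
    repoint_sensor "$1" "$2"
    current_backend "$1"
fi
```

Because only the host is replaced, the port the sensor group already used survives the edit, which is the same constraint step 1b places on the UI change. The Windows equivalent is the registry value named in Step 3 and is not covered by this script.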

Article Information
Creation Date: 09-09-2020