EDR: Watchlists not creating alerts with proxy
search cancel

EDR: Watchlists not creating alerts with proxy

book

Article ID: 290085

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Watchlists are not generating alerts despite possible hits
  • /var/log/cb/job-runner/job-runner.log shows 403s during watchlist_search
    • Request to http://localhost:8080/solr/cbfeeds/select failed with error <403 - MediaTypeBlocked>

       

Environment

  • EDR Server: 6.x (formerly CB Response)
  • Proxy configured

Cause

The proxy is not bypassing localhost/127.0.0.1, so internal communications are blocked

Resolution

Update the proxy settings to bypass localhost

Additional Information

  • Typically the proxy setting¬†will be stored in a script under /etc/profile.d, such as proxy.sh, which will set the environment each time. The bypass setting would look like
    • export no_proxy="127.0.0.1, localhost"