FAQ - Sensor Installation
  • 10 Jul 2023

How can I add LimaCharlie traffic to an allow list?

In the Install Sensors section of the web app you’ll see a list of hostnames and ports that the LimaCharlie agent will connect to.


How much data does the LimaCharlie sensor produce per day?

The amount of data that is produced by the sensor is dependent on how much, and what kind of activity is taking place on the endpoint. That being said, the average data produced per endpoint across thousands of deployments is approximately 1MB per day.

How many resources does the LimaCharlie sensor consume?

The total footprint of the sensor on disk combined with what is in memory is approximately 2MB. The sensor typically runs under 1% CPU.

Depending on what actions you are performing, usage may increase (e.g. if you're doing a full YARA scan it's expected that CPU usage will rise). The YARA trickle scan keeps CPU usage within reasonable bounds; you'll only see YARA scans spike CPU when you run a full manual scan.

Why does my sensor initially connect successfully but then disappears?

Sometimes we see the agent connect to the LimaCharlie cloud, enroll, then disconnect (which is normal the first time after enrollment) and never connect again, or it doesn't show that the kernel has been acquired.

This behavior is typical of SSL interception. Sometimes it's a network device, but at other times a security product on the host can do it without being very obvious.

You can confirm if there is SSL interception by performing the following steps to check the SSL fingerprint of the LimaCharlie cloud from the host.

Confirm the region of your organization

If you already know where your organization's region is located, you can move to the next step. To verify the region where your organization's data is processed and stored, click Add Sensor from the Sensors view. You will then see the region listed under Sensor Connectivity.

Open the test URL
In a web browser, navigate to the test URL below that corresponds to your region:

Test URL - US Region
Test URL - UK Region
Test URL - India Region
Test URL - Europe Region
Test URL - Canada Region

No website will open; you should get a "Your connection is not private" type of message instead.

Display the SSL Certificate

Click the exclamation mark (or warning icon) next to the URL bar to open a small menu, then click "Certificate status"/"Certificate validity"/"Certificate is not valid" to display the certificate information.

Confirm the SHA-1 and SHA-256 fingerprints

The SHA-1 and SHA-256 fingerprints should match the values below that correspond to the region your organization is in.

If the SHA-1 and SHA-256 fingerprints you are seeing do not match what's listed below, that's an indicator of SSL interception.

Region: US
  SHA-256: 14 44 8C B6 A1 19 A5 BE 18 AE 28 07 E3 D6 BD 55 B8 7A 5E 0C 3F 2D 78 03 6E 7C 6A 2A AA 45 8F 60
  SHA-1:   1A 72 67 08 D0 83 7D A9 62 85 39 55 A1 12 1B 10 B0 F4 56 1A

Region: UK
  SHA-256: 49 49 B0 41 D6 14 F3 3B 86 BF DF 14 24 F8 BD 2F E1 98 39 41 5A 99 E6 F1 C7 A2 C8 AB 34 0C FE 1D
  SHA-1:   2E 49 00 DB F8 3A 2A 88 E0 15 76 D5 C5 4F 8F F3 7D 27 77 DD

Region: India
  SHA-256: 68 6F 08 3D 53 3F 08 E0 22 EB F6 67 0C 3C 41 08 75 D6 0E 67 03 88 D9 B6 E1 F8 19 6B DA 54 5A A3
  SHA-1:   37 57 DD 4E CF 2B 25 0B CA EA E2 E6 E3 B2 98 48 29 19 F3 6B

Region: Europe
  SHA-256: EF B3 FA A7 78 AB F0 B0 41 00 CF A3 5F 44 3F 9A 4D 16 28 B9 83 22 85 E3 36 44 D5 DC F9 5C 78 5B
  SHA-1:   07 72 B3 31 1A 89 D6 54 1D 71 C3 07 AD B5 8A 26 FD 30 7E 5D

Region: Canada
  SHA-256: D3 40 8B 59 AE 5A 28 75 D1 65 71 50 52 2E 6F 45 26 EE E8 19 3A 9A 74 39 C1 64 60 B8 6A 92 15 47
  SHA-1:   E3 EF AE 6A 0E 7F 18 83 15 FE F2 02 6C F3 2D 4E 59 95 4D 0A
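The same fingerprint check can be scripted from the host instead of done by hand in a browser, which is handy when you need to verify many endpoints. The following is an added example, not LimaCharlie's own tooling: it connects to a hostname you supply (the placeholder REPLACE_WITH_LIMACHARLIE_HOST stands for the endpoint listed under Install Sensors; port 443 is assumed), reads the leaf certificate the host actually receives, and compares its SHA-256 and SHA-1 fingerprints against the table above for the chosen region. A mismatch is the same interception indicator the manual steps describe.

```python
import hashlib
import socket
import ssl

# Expected leaf-certificate fingerprints (SHA-256, SHA-1) per region, transcribed from the table on this page.
EXPECTED = {
    "US": ("14 44 8C B6 A1 19 A5 BE 18 AE 28 07 E3 D6 BD 55 B8 7A 5E 0C 3F 2D 78 03 6E 7C 6A 2A AA 45 8F 60",
           "1A 72 67 08 D0 83 7D A9 62 85 39 55 A1 12 1B 10 B0 F4 56 1A"),
    "UK": ("49 49 B0 41 D6 14 F3 3B 86 BF DF 14 24 F8 BD 2F E1 98 39 41 5A 99 E6 F1 C7 A2 C8 AB 34 0C FE 1D",
           "2E 49 00 DB F8 3A 2A 88 E0 15 76 D5 C5 4F 8F F3 7D 27 77 DD"),
    "India": ("68 6F 08 3D 53 3F 08 E0 22 EB F6 67 0C 3C 41 08 75 D6 0E 67 03 88 D9 B6 E1 F8 19 6B DA 54 5A A3",
              "37 57 DD 4E CF 2B 25 0B CA EA E2 E6 E3 B2 98 48 29 19 F3 6B"),
    "Europe": ("EF B3 FA A7 78 AB F0 B0 41 00 CF A3 5F 44 3F 9A 4D 16 28 B9 83 22 85 E3 36 44 D5 DC F9 5C 78 5B",
               "07 72 B3 31 1A 89 D6 54 1D 71 C3 07 AD B5 8A 26 FD 30 7E 5D"),
    "Canada": ("D3 40 8B 59 AE 5A 28 75 D1 65 71 50 52 2E 6F 45 26 EE E8 19 3A 9A 74 39 C1 64 60 B8 6A 92 15 47",
               "E3 EF AE 6A 0E 7F 18 83 15 FE F2 02 6C F3 2D 4E 59 95 4D 0A"),
}

def normalize(fp: str) -> str:
    """Keep only hex digits, upper-cased, so "e3:b0" and "E3 B0" compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")

def fingerprint(der: bytes, algo: str) -> str:
    """Digest of the DER-encoded certificate, colon-separated the way browsers display it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_region(der: bytes, region: str) -> dict:
    """Compare a certificate's SHA-256 and SHA-1 against the expected values for a region."""
    exp256, exp1 = EXPECTED[region]
    got256, got1 = fingerprint(der, "sha256"), fingerprint(der, "sha1")
    match = normalize(got256) == normalize(exp256) and normalize(got1) == normalize(exp1)
    return {"sha256": got256, "sha1": got1, "match": match}

def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the leaf certificate the host actually receives. Validation is disabled on
    purpose: an intercepting proxy's certificate would fail validation, and we want to see it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    # Placeholder hostname: use the endpoint shown under Install Sensors / Sensor Connectivity for your region.
    result = check_region(fetch_leaf_der("REPLACE_WITH_LIMACHARLIE_HOST"), "US")
    print(result)
    print("fingerprints match" if result["match"] else "MISMATCH: possible SSL interception")
```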

What happens if a host is offline?

When the host is offline, the Sensor will keep collecting telemetry and store it locally in a "ring buffer" (which limits the total possible size). The buffer is ~60 MB, so the amount of time it covers will vary based on how much telemetry the individual endpoint generates. For example, a domain controller will likely generate many more events than a regular end-user workstation.

When the host is back online, the content of this buffer will be flushed to the cloud where detection and response (D&R) rules will apply as usual.

The same ring buffer is used when the Sensor runs normally, even if data is not sent to the cloud in real-time. The cloud can then retroactively request the full or partial content of the ring buffer, bringing your telemetry current.

How can I tell which installation key was used to enroll a sensor?

On occasion you may need to check which installation key was used to enroll a sensor. You can do so by comparing the sensor's Installer ID with the Installation Key's Adapter Key value.

  1. Go to the Sensors section and click into the sensor in question to view its details page. Take note of the Installer ID.
  2. Go to the Install Sensors section. Click the copy icon under the Adapter Key.
  3. Compare these two values; the Installer ID on a sensor should be the same as the Adapter Key of the installation key used.

If you need to check a large list of sensors, you can perform an export of all sensors from the main sensors list page, or use the LimaCharlie API.
