Managing the Rcores

The Rcore is a lightweight executable that runs on a host attached to a network segment you want to monitor or protect. It listens to network traffic, identifies endpoints, and can engage phantoms to disrupt unauthorized reconnaissance and active threats. Properly installing, running, and managing Rcores is essential for maximizing Ridgeback’s visibility and defensive capabilities.

How to Install and Uninstall an Rcore

Installation Steps:

  1. Prerequisites:

    • Ensure that the host meets system requirements (CPU, memory, and OS compatibility as outlined in Ridgeback’s documentation).
    • Install any necessary dependencies like the Npcap driver on Windows, or ensure that packet capture libraries (e.g., libpcap) are present on Linux systems.
  2. Download the Rcore Executable:

    • Obtain the correct Rcore binary for your platform (Windows, macOS, Linux, ARM, etc.) from the Ridgeback distribution source or vendor portal.
    • Place it in a secure, well-known directory (e.g., C:\Program Files\Ridgeback\ on Windows or ~/ridgeback/ on Linux).
  3. Initial Configuration:

    • Prepare any required command-line arguments. Rcores typically require specifying the network interface, manager server address, license credentials, and optional phantom or passive mode flags.
    • Create a script (run-rcore.sh or run-rcore.cmd) or a systemd unit file for more convenient startup.

Uninstallation Steps:

  1. Stop the Rcore (see below).
  2. Remove Executable and Scripts: Delete the Rcore binary and any related scripts from the system.
  3. Clean Up Configuration Files: Remove or redact any .env files, logs, or other data stored locally if they are no longer needed.
  4. Restore the Original Network Configuration: If you made changes to system services or firewall rules specifically for Rcore operation, revert them if you are no longer using Rcore on that host.

How to Start and Stop an Rcore

Starting the Rcore:

  1. Command Line:

    ./rcore-linux --license-name=YourOrg --license-key=XXXX-XXXX-XXXX \
      --manager-server=192.168.1.100 --core-id=core1 \
      --downlink=eth0 --phantom-arp --phantom-icmp
    

    Adjust arguments based on your environment. Options like --show-tcp or --track-dhcp enable detailed tracking.

  2. From a Script:
    Create a script (run-active.sh or run-passive.cmd) that contains all arguments. Running ./run-active.sh then starts the Rcore in active mode without retyping everything.

Stopping the Rcore:

  • Keyboard Interrupt: If started in a terminal, press Ctrl+C to stop.
  • Kill Command: If running in the background:
    pkill rcore-linux
    
  • Windows: Use Task Manager or taskkill /IM rcore-win.exe /F to stop it if needed.

Automatic Restart:
For production deployments, consider a watchdog script or systemd service to restart the Rcore if it exits unexpectedly.
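The script below is an added example, not Ridgeback's own code, of the run-active.sh the step above describes: it assembles the Rcore command line from environment variables (the RCORE_* names are an assumption), refuses to start while a required setting is missing, and restarts the Rcore when it exits with an error, which is the watchdog the Automatic Restart note asks for. The flag names are the ones used on this page; the binary path, variable names and restart limits are assumptions.

```bash
#!/bin/sh
# run-active.sh (added example, not Ridgeback code): build the Rcore command
# line from RCORE_* environment variables, refuse to start while a required
# setting is missing, and restart the Rcore if it exits unexpectedly.
set -u

RCORE_BIN=${RCORE_BIN:-./rcore-linux}          # assumed install location
RCORE_MODE=${RCORE_MODE:-active}               # active (phantoms on) or passive
RCORE_MAX_RESTARTS=${RCORE_MAX_RESTARTS:-5}    # give up after this many failures
RCORE_RESTART_DELAY=${RCORE_RESTART_DELAY:-10} # seconds between restarts

log() { printf '%s run-active: %s\n' "$(date -u +%FT%TZ)" "$*" >&2; }

# Print one argument per line. Returns 1 if a required setting is unset, so a
# half-configured Rcore never starts and silently stays off the manager.
build_rcore_args() {
  missing=0
  for v in RCORE_LICENSE_NAME RCORE_LICENSE_KEY RCORE_MANAGER_SERVER \
           RCORE_CORE_ID RCORE_DOWNLINK; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      log "required setting $v is not set"
      missing=1
    fi
  done
  [ "$missing" -eq 0 ] || return 1
  printf '%s\n' \
    "--license-name=$RCORE_LICENSE_NAME" \
    "--license-key=$RCORE_LICENSE_KEY" \
    "--manager-server=$RCORE_MANAGER_SERVER" \
    "--core-id=$RCORE_CORE_ID" \
    "--downlink=$RCORE_DOWNLINK"
  # Phantom flags only in active mode; a passive Rcore observes but never engages.
  if [ "$RCORE_MODE" = active ]; then
    printf '%s\n' --phantom-arp --phantom-icmp
  fi
  # Optional extras such as --show-tcp --track-dhcp, space separated.
  for extra in ${RCORE_EXTRA_ARGS:-}; do
    printf '%s\n' "$extra"
  done
}

# Run the Rcore, restarting it on non-zero exit up to RCORE_MAX_RESTARTS times.
# A clean exit (status 0) or Ctrl+C / SIGTERM ends the loop.
run_with_watchdog() {
  list=$(build_rcore_args) || return 1
  # Turn the newline-separated list into positional parameters (globbing off
  # so a flag value containing '*' is passed through untouched).
  oldifs=$IFS
  IFS='
'
  set -f; set -- $list; set +f
  IFS=$oldifs
  n=0
  trap 'log "stop requested"; exit 0' INT TERM
  while :; do
    "$RCORE_BIN" "$@"
    rc=$?
    if [ "$rc" -eq 0 ]; then
      log "Rcore exited cleanly"
      return 0
    fi
    n=$((n + 1))
    if [ "$n" -gt "$RCORE_MAX_RESTARTS" ]; then
      log "Rcore failed $n times (last status $rc); giving up"
      return "$rc"
    fi
    log "Rcore exited with status $rc; restart $n/$RCORE_MAX_RESTARTS in ${RCORE_RESTART_DELAY}s"
    sleep "$RCORE_RESTART_DELAY"
  done
}

case "${1:-}" in
  start) run_with_watchdog ;;
  show)  build_rcore_args | tr '\n' ' '; echo ;;
esac
```

./run-active.sh show prints the command line it would run, ./run-active.sh start launches the Rcore under the watchdog, and RCORE_MODE=passive drops the --phantom-* flags. When the Rcore is managed by systemd, let the unit's Restart= setting handle restarts and call the binary directly rather than nesting this loop inside the service, so the two supervisors do not fight each other.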

Review Rcores in the UI

Ridgeback’s UI provides a way to see which Rcores are currently active, their status, and which segments they cover:

  1. Log into the Ridgeback Web UI:
    Access https://<Ridgeback_Server> in your browser and log in with appropriate credentials.

  2. Navigate to the Rcore Status Page:
    There is typically a section like "Rcores" or "Cores" in the administrative or monitoring area of the UI.

    • Each Rcore is listed by CoreId.
    • Status indicators (green/red) show if Ridgeback’s manager service can communicate with the Rcore.
  3. Inspect Rcore Details:
    The UI may show the network interface, the mode (active/passive), last heartbeat time, and any errors reported. You can use this to confirm that your Rcore is properly connected and recognized by the Ridgeback manager.

Running the Rcore as a Service

For stable, long-term deployments, running the Rcore as a persistent service ensures it restarts automatically after host reboots or unexpected crashes.

On Linux (systemd example):

  1. Create a unit file /etc/systemd/system/rcore.service:

    [Unit]
    Description=Ridgeback Rcore Service
    After=network.target
    
    [Service]
    Type=simple
    ExecStart=/usr/local/bin/rcore-linux --license-name=YourOrg --license-key=XXXX-XXXX \
      --manager-server=<manager_ip> --core-id=core1 --downlink=eth0 --phantom-arp --phantom-icmp
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    
  2. Enable and Start the Service:

    sudo systemctl enable rcore
    sudo systemctl start rcore
    

    Check status with systemctl status rcore.

On Windows (Scheduled Task or NSSM):

  • Use NSSM (Non-Sucking Service Manager) to wrap rcore-win.exe as a service. The Rcore's own arguments follow the executable path on the install line:
    nssm install Rcore "C:\Program Files\Ridgeback\rcore-win.exe" --license-name=YourOrg --license-key=XXXX-XXXX ...
    nssm start Rcore
    
  • Ensure the service is set to auto-restart on failure and configured to run with the correct privileges.

Benefits:

  • Automatic startup on reboot.
  • Monitoring and restarts if it fails.
  • Centralized log management via journalctl (Linux) or Windows Event Logs if integrated.

Troubleshooting Rcore Issues

Common issues can arise during initial setup or after network changes. Here are some tips:

  1. Rcore Not Appearing in UI:

    • Check if the Rcore’s manager-server address is correct and reachable.
    • Review Rcore logs for messages about failing to connect to the manager.
    • Ensure firewalls or security groups allow communication on the required port (often TCP 19444).
  2. No Network Events Being Recorded:

    • Verify that the Rcore downlink or uplink interface is correct and that it sees actual traffic. Use tcpdump or Wireshark on the host to confirm packets are flowing.
    • Check if run parameters like --track-ipv4-private or --track-ipv4-global are set correctly to track the addresses you expect.
    • Confirm that phantoms or passive mode settings don’t prevent normal tracking.
  3. Phantoms Not Activating:

    • Ensure you started the Rcore with --phantom-arp, --phantom-icmp, or --phantom-tcp flags if needed.
    • Check if time thresholds for phantoms are too long or ARP thresholds are not met.
    • Review logs to see if Rcore complains about missing conditions to trigger phantoms.
  4. Rcore Crashing or Exiting:

    • Check logs for segfaults or panic messages.
    • Update Rcore to the latest version if this is a known bug.
    • Run the Rcore in a debugger or contact Ridgeback support for assistance.
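The preflight script below is an added example, not Ridgeback's own code, that turns the first three troubleshooting tips into checks you can run on the host before (re)starting an Rcore: does the interface exist and is it up, does it see any traffic, is the manager reachable on TCP 19444, and does the command line carry a --phantom-* flag at all. It assumes a Linux host (interface state is read from /sys/class/net) and bash's /dev/tcp for the connect test; the function names and the sysfs override are assumptions for this example.

```bash
#!/bin/sh
# rcore-preflight.sh (added example, not Ridgeback code): check the conditions
# behind the troubleshooting tips before (re)starting an Rcore.
set -u

NET_SYSFS=${NET_SYSFS:-/sys/class/net}  # Linux sysfs; overridable for testing
MANAGER_PORT=${MANAGER_PORT:-19444}      # manager port named on this page

# 0 = interface exists and is up, 1 = no such interface, 2 = exists but down.
check_interface() {
  iface=$1
  if [ ! -d "$NET_SYSFS/$iface" ]; then
    echo "interface $iface not found (check --downlink/--uplink)" >&2
    return 1
  fi
  state=$(cat "$NET_SYSFS/$iface/operstate" 2>/dev/null || echo unknown)
  case "$state" in
    up|unknown) return 0 ;;   # loopback and some virtual links report 'unknown'
    *) echo "interface $iface is $state" >&2; return 2 ;;
  esac
}

# Succeeds only if rx_bytes grew during the window: an interface that is up
# but sees no traffic will never produce events.
check_interface_traffic() {
  iface=$1 window=${2:-5}
  f=$NET_SYSFS/$iface/statistics/rx_bytes
  [ -r "$f" ] || return 1
  before=$(cat "$f"); sleep "$window"; after=$(cat "$f")
  [ "$after" -gt "$before" ]
}

# TCP connect test to the manager using bash's /dev/tcp (no extra tools needed).
check_manager_port() {
  host=$1 port=${2:-$MANAGER_PORT} t=${3:-3}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  else
    bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  fi
}

# Phantoms only engage when at least one --phantom-* flag is present.
check_phantom_flags() {
  case " $* " in
    *" --phantom-arp "*|*" --phantom-icmp "*|*" --phantom-tcp "*) return 0 ;;
    *) return 1 ;;
  esac
}

# preflight <iface> <manager-host> [rcore flags...]; exits 0 when the Rcore
# should be able to see traffic and register with the manager.
preflight() {
  iface=$1 host=$2; shift 2
  ok=0
  check_interface "$iface" || ok=1
  if [ "$ok" -eq 0 ] && ! check_interface_traffic "$iface" 3; then
    echo "warning: no traffic seen on $iface in 3s" >&2
  fi
  check_manager_port "$host" || {
    echo "manager $host:$MANAGER_PORT unreachable (firewall? wrong --manager-server?)" >&2
    ok=1
  }
  check_phantom_flags "$@" || echo "note: no --phantom-* flag; phantoms will not activate" >&2
  return "$ok"
}

if [ $# -ge 2 ]; then
  preflight "$@"
fi
```

Run it as ./rcore-preflight.sh eth0 192.168.1.100 --phantom-arp --phantom-icmp with the same interface, manager address and flags you pass to the Rcore; a non-zero exit tells you which of the tips above to follow before looking at the Rcore logs.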

Proactive Measures:

  • Keep the Rcore updated with the latest version to benefit from performance improvements and bug fixes.
  • Test new configurations in a lab environment before deploying changes into production.
  • Regularly review logs and consider sending them to a centralized system to spot patterns in Rcore behavior.