IBM Support

Removing Server Sensor network modules from Solaris

Technote (FAQ)


How do you remove the Server Sensor network modules from Solaris?


This article documents the procedure for removing the Server Sensor network modules for Solaris in version 5.5 and higher.

Note: By removing these modules, you are disabling the networking monitoring fundamentals of the Server Sensor. The RealSecure Server Sensor uses two modules for monitoring network traffic as it comes to the host. These two modules are rsdrv (the low module that looks at individual packets) and rstcp (the high module that correlates multiple packets). Some modules, not all, are imported into kernel space by the file: /etc/ This is the import file that Server Sensor uses to place the rsdrv module within the kernel in order to be referenced.

The following steps are needed in order to remove the rsdrv (low) module.

  1. Edit (vi, emacs, etc.) the file /etc/ and find the below line:


  2. Change this line by adding the "#" at the beginning. This causes the module to be ignored during bootstrap.


  3. : Move the module file into another directory for reference later, for this example /root are used to store the kernel module. See the below command:

    mv /kernel/drv/rsdrv /root

The next steps are used to remove rstcp (high) module.

  1. Move the rstcp module file into a directory for reference later, for this example /root will be used to store the kernel module. See the below command:

    mv /kernel/strmod/rstcp /root

  2. Restart the host server. After a restart of the host, in order to verify that the modules are not present, use the following command:

    modinfo | grep rs

  3. Ensure that the rsdrv and rstcp are not in the list that appears. An error message results in the syslogs that can be safely ignored.

    Apr 26 09:40:10 rsagent[PID]: Error in opening Protocol Sensor. Protocol Sensor is DISABLED.

Once the uninstall is completed, the server sensor will not be able to monitor for network events. Therefore, all decodes that are listed under the network tab are rendered inactive. In order to reinstall the modules, use the reverse of the above steps. The host server needs to be restart to complete the install.

Historical Number


Document information

More support for: IBM Security Host Protection
RealSecure Server Sensor

Software version: 7.0 - SR 4.1, 7.0 - SR 4.2, 7.0 - SR 4.3, 7.0 - SR 4.4

Operating system(s): Solaris

Reference #: 1434279

Modified date: 16 February 2015