000038468 - How to fix timestamps showing 1970-01-01 00:00:00 when using the Web DOS Alert rule on the RSA NetWitness Platform's Event Stream Analysis

Document created by RSA Customer Support Employee on Feb 19, 2020

Article Number: 000038468
Applies To: RSA Product Set: RSA NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.3.2.0
 
Issue
The RSA Live Event Stream Analysis rule 'Web DOS Alert' produces events with timestamps of 1970-01-01 00:00:00, as seen in the screenshot below.

[Screenshot: Respond view showing Web DOS Alert events with a 1970-01-01 00:00:00 timestamp]

Resolution
RSA NetWitness Respond shows the timestamp 1970-01-01 00:00 AM (the start of the Unix epoch) when the generated event has no time meta.
The events have no time meta because the rule does not select the time meta when it generates the event.

For example, this is the part of the 'Web DOS Alert' Live rule in question. It selects ip.src, ip.dst and tcp.dstport, but not time.

module Module_esa000095;

CREATE WINDOW WebEvents.win:time(60 seconds).std:unique(ip_src, ip_dst) (ip_src string, ip_dst string, tcp_dstport integer);
INSERT INTO WebEvents
SELECT ip_src, ip_dst, tcp_dstport FROM Event (
  medium = 1 AND
  tcp_dstport IN (80 , 443) AND
  ip_dst IS NOT NULL AND
  ip_src IS NOT NULL AND
  ip_src NOT IN ('1.1.1.1' , '2.2.2.2')
);

To resolve this issue, add the time meta to the SELECT statement, and add a matching time column to the window definition, as shown below.

module Module_esa000095;

CREATE WINDOW WebEvents.win:time(60 seconds).std:unique(ip_src, ip_dst, time) (ip_src string, ip_dst string, tcp_dstport integer, time long);

INSERT INTO WebEvents
SELECT ip_src, ip_dst, tcp_dstport, time FROM Event (
  medium = 1 AND
  tcp_dstport IN (80 , 443) AND
  ip_dst IS NOT NULL AND
  ip_src IS NOT NULL AND
  ip_src NOT IN ('1.1.1.1' , '2.2.2.2')
);
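The same omission is easy to make in any custom ESA rule that feeds a named window. The following script is an added example, not part of this article or of RSA NetWitness content; it is a pre-deployment check that scans an EPL rule for SELECT ... FROM Event statements that omit the time meta and can append the missing column to both the select list and the window schema. The sample rule text is constructed from the 'before' form quoted above; the helper leaves the std:unique key unchanged, whereas the corrected rule in this article also adds time there.

```python
import re

# Constructed sample: the 'before' form of the Web DOS Alert rule quoted in this article.
RULE_MISSING_TIME = """\
module Module_esa000095;

CREATE WINDOW WebEvents.win:time(60 seconds).std:unique(ip_src, ip_dst) (ip_src string, ip_dst string, tcp_dstport integer);
INSERT INTO WebEvents
SELECT ip_src, ip_dst, tcp_dstport FROM Event (
  medium = 1 AND
  tcp_dstport IN (80 , 443) AND
  ip_dst IS NOT NULL AND
  ip_src IS NOT NULL AND
  ip_src NOT IN ('1.1.1.1' , '2.2.2.2')
);
"""

# Select list of each "SELECT ... FROM Event" statement.
SELECT_RE = re.compile(r"\bSELECT\s+(?P<cols>.+?)\s+FROM\s+Event\b", re.IGNORECASE | re.DOTALL)
# Column schema of a CREATE WINDOW statement: the last parenthesised group before the ';'.
WINDOW_RE = re.compile(r"(?P<head>\bCREATE\s+WINDOW\b[^;]*\()(?P<cols>[^()]*)\)\s*;", re.IGNORECASE)


def _field_names(cols: str) -> set[str]:
    """Lower-cased base field names from a select list ('time as t' -> 'time')."""
    return {c.strip().split()[0].lower() for c in cols.split(",") if c.strip()}


def selects_missing_time(epl: str) -> list[str]:
    """Return the select list of every SELECT ... FROM Event that omits 'time' (SELECT * is fine)."""
    flagged = []
    for m in SELECT_RE.finditer(epl):
        names = _field_names(m.group("cols"))
        if "*" not in names and "time" not in names:
            flagged.append(m.group("cols").strip())
    return flagged


def add_time_meta(epl: str) -> str:
    """Append 'time' to each flagged select list and 'time long' to the window schema (idempotent)."""
    def patch_select(m: re.Match) -> str:
        names = _field_names(m.group("cols"))
        if "*" in names or "time" in names:
            return m.group(0)
        return f"SELECT {m.group('cols').strip()}, time FROM Event"

    def patch_window(m: re.Match) -> str:
        cols = m.group("cols")
        if re.search(r"\btime\b", cols, re.IGNORECASE):
            return m.group(0)
        return f"{m.group('head')}{cols.rstrip()}, time long);"

    return WINDOW_RE.sub(patch_window, SELECT_RE.sub(patch_select, epl))
```

Run selects_missing_time over each rule file before deploying it; an empty list means every event inserted into a window carries its time meta.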

Notes
The 'Web DOS Alert' rule will soon be modified by the RSA NetWitness Content team. Ensure that all rules are up to date.
