Eight Event Stream Analysis (ESA) Rules Temporarily Removed

Document created by RSA Admin Employee on Jan 14, 2015

RSA Security Analytics Customers,

We have temporarily removed 8 ESA (Event Stream Analysis) rules from our RSA Live repository in order to re-examine the rule logic and perform additional stress testing. It was observed that enabling these rules could exhaust memory resources on the ESA device under certain network conditions, negatively impacting the performance of the platform. In the interest of bettering our threat detection offering, the following rules have been temporarily removed from Live:

esa000105.esaa    Consecutive Login without Logout
esa000037.esaa    Port knocking packet
esa000015.esaa    Port knocking log
esa000013.esaa    DNS Amplification
esa000072.esaa    Multiple Unique Logs from MsgID Set with Same SourceIP and DestinationIP
esa000042.esaa    Single source, Same IDS / IPS message type, Different destination IP
esa000033.esaa    Port scan horizontal packet
esa000034.esaa    Port scan vertical packet

If you are utilizing these rules in their out-of-box state there should be no impact. RSA suggests updating the rules with the revised versions when they become available. If you are experiencing an ESA performance impact while running these rules, RSA suggests that you disable the rules for now and apply the updated versions when they become available.

These rules will be posted back to Live as soon as analysis of the rule logic and additional testing have occurred. When that happens we will be sure to send out an update and post it on our Community. If you have a question, please feel free to post in the Community thread about this topic (found here: https://community.emc.com/thread/204429).