RSA Security Analytics Customers,
We have temporarily removed 8 ESA (Event Stream Analysis) rules from our RSA Live repository in order to re-examine the rule logic and perform additional stress testing. It was observed that enabling these rules could exhaust memory resources on the ESA device under certain network conditions, negatively impacting the performance of the platform. In the interest of improving our threat detection offering, the following rules have been temporarily removed from Live:
esa000105.esaa Consecutive Login without Logout
esa000037.esaa Port knocking packet
esa000015.esaa Port knocking log
esa000013.esaa DNS Amplification
esa000072.esaa Multiple Unique Logs from MsgID Set with Same SourceIP and DestinationIP
esa000042.esaa Single source, Same IDS / IPS message type, Different destination IP
esa000033.esaa Port scan horizontal packet
esa000034.esaa Port scan vertical packet
If you are using these rules in their out-of-the-box state, there should be no impact. RSA suggests updating the rules with the revised versions when they become available. If you are experiencing an ESA performance impact while running these rules, RSA suggests that you disable the rules for now and apply the updated versions when they become available.
These rules will be posted back to Live as soon as the analysis of the rule logic and the additional testing are complete. When that happens, we will be sure to send out an update and post it on our Community. If you have a question, please feel free to post in the Community thread about this topic (found here: https://community.emc.com/thread/204429).