Eight Event Stream Analysis (ESA) Rules Temporarily Removed

Document created by RSA Admin Employee on Jan 14, 2015

RSA Security Analytics Customers,

We have temporarily removed 8 ESA (Event Stream Analysis) rules from our RSA Live repository in order to re-examine the rule logic and perform additional stress testing. It was observed that enabling these rules could exhaust memory resources on the ESA device under certain network conditions, negatively impacting the performance of the platform. In the interest of improving our threat detection offering, the following rules have been temporarily removed from Live:

esa000105.esaa    Consecutive Login without Logout
esa000037.esaa    Port knocking packet
esa000015.esaa    Port knocking log
esa000013.esaa    DNS Amplification
esa000072.esaa    Multiple Unique Logs from MsgID Set with Same SourceIP and DestinationIP
esa000042.esaa    Single source, Same IDS / IPS message type, Different destination IP
esa000033.esaa    Port scan horizontal packet
esa000034.esaa    Port scan vertical packet

If you are utilizing these rules in their out-of-box state, there should be no impact. RSA suggests updating the rules with the revised versions when they become available. If you are experiencing an ESA performance impact while running these rules, RSA suggests that you disable the rules for now and apply the updated versions when they become available.

These rules will be posted back to Live as soon as analysis of the rule logic and additional testing have been completed. When that happens we will be sure to send out an update and post it on our Community. If you have a question, please feel free to post in the Community thread about this topic (found here: https://community.emc.com/thread/204429).
