000017484 - The file_fingerprints.flex and botnet.flex parsers are failing to load on an RSA Security Analytics decoder

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000017484

Applies To:
  • RSA Security Analytics
  • RSA Security Analytics Decoder
  • RSA NetWitness NextGen
  • RSA NetWitness Live

Issue

The file_fingerprints.flex and botnet.flex parsers are failing to load on an RSA Security Analytics decoder.

The following two messages in /var/log/messages indicate that these parsers are not loading on SA/NetWitness packet decoders:

May 27 16:06:56 decoder nw[4782]: [Parse] [warning] The parser file 'file_fingerprints.flex' failed to load because: The root parser node was not found in the parser definition file
May 27 16:06:56 decoder nw[4782]: [Parse] [warning] The parser file 'botnet.flex' failed to load because: The root parser node was not found in the parser definition file


Cause

The following parsers have been deprecated in CMS (the latest versions of these parsers in CMS are empty):
  • File Fingerprints [file_fingerprints.flex]
  • Botnet Traffic Patterns [botnet.flex]

Replacement content:
  • file_fingerprints.flex: the monolithic parser file_fingerprints.flex has been deprecated in favour of individual fingerprint_* parsers. Either the individual flex parsers or the equivalent Lua parsers can be used, e.g. Flex: fingerprint_access_db.flex, or Lua: fingerprint_access_db.luax.
  • botnet.flex: the botnets previously detected by botnet.flex are now defunct. Intelligence on new botnets is mostly provided via the RSA FirstWatch feeds (which require a Live Enhanced or higher subscription).
Resolution

To resolve the issue, follow one of the recommendations below.


  • Remove subscriptions in Security Analytics Live
    In Live \ Manage, if on the Deployments tab either "File Fingerprints" or "Botnet Traffic Patterns" has been assigned as a Subscription to a Device Group, this assignment will need to be removed.
    The subscription can then be deleted under Live \ Manage on the Subscriptions tab.
  • On decoders, remove the following files:
    /etc/netwitness/ng/parsers/file_fingerprints.flex*
    /etc/netwitness/ng/parsers/botnet.flex*
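As an added example (not part of the RSA article), the following POSIX shell script picks the deprecated parser names out of the /var/log/messages warnings shown above and removes the matching files from the decoder's parser directory, assuming the article's path /etc/netwitness/ng/parsers. The third sample log line (custom_example.flex) is constructed to show that a parser not on the deprecated list is reported but left in place, since the "root parser node" message by itself does not prove a parser is deprecated.

```shell
# Added example (not from the RSA article): find the deprecated parsers named in
# the /var/log/messages warnings and remove their files from a decoder's parser
# directory. Only the two parsers the article lists are removed; any other parser
# failing with the same message is reported on stderr and left in place.

# Parsers the article says are deprecated (their latest CMS versions are empty).
DEPRECATED_PARSERS="file_fingerprints botnet"

# Constructed sample log: the article's two lines plus one hypothetical parser
# (custom_example.flex) that must NOT be removed.
SAMPLE_LOG="May 27 16:06:56 decoder nw[4782]: [Parse] [warning] The parser file 'file_fingerprints.flex' failed to load because: The root parser node was not found in the parser definition file
May 27 16:06:56 decoder nw[4782]: [Parse] [warning] The parser file 'botnet.flex' failed to load because: The root parser node was not found in the parser definition file
May 27 16:06:57 decoder nw[4782]: [Parse] [warning] The parser file 'custom_example.flex' failed to load because: The root parser node was not found in the parser definition file"

# Read log text on stdin; print the base name (without .flex) of every parser
# that failed with the "root parser node was not found" message, one per line.
failed_parsers() {
    sed -n "s/.*The parser file '\([^']*\)\.flex' failed to load because: The root parser node was not found.*/\1/p" |
        sort -u
}

# Read log text on stdin; remove <name>.flex* for each deprecated parser found.
# $1 = parser directory (defaults to the article's /etc/netwitness/ng/parsers).
remove_deprecated_parsers() {
    dir="${1:-/etc/netwitness/ng/parsers}"
    failed_parsers | while read -r name; do
        case " $DEPRECATED_PARSERS " in
            *" $name "*)
                # The glob covers file_fingerprints.flex* / botnet.flex* as in the article.
                for f in "$dir/$name".flex*; do
                    [ -e "$f" ] || continue
                    rm -f -- "$f" && echo "removed $f"
                done
                ;;
            *)
                echo "warning: '$name.flex' failed to load but is not a known deprecated parser; left in place" >&2
                ;;
        esac
    done
}

# Dry run on the sample log; on a real decoder pipe /var/log/messages into
# remove_deprecated_parsers instead.
printf '%s\n' "$SAMPLE_LOG" | failed_parsers
```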

If you are unsure of how to implement the recommendations above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article ID: a66290
