Article Content
Article Number | 000017484 |
Applies To | RSA Security Analytics, RSA Security Analytics Decoder, RSA NetWitness NextGen, RSA NetWitness Live |
Issue | The file_fingerprints.flex and botnet.flex parsers are failing to load on an RSA Security Analytics decoder. The following 2 messages in /var/log/messages indicate that these parsers are not loading in SA/NetWitness packet decoders:
|
Cause | The following parsers have been deprecated in CMS (the latest versions of the parsers in CMS are empty): File Fingerprints [file_fingerprints.flex] and Botnet Traffic Patterns [botnet.flex]. Replacement content: file_fingerprints.flex: The monolithic parser file_fingerprints.flex has been deprecated in favor of individual fingerprint_* parsers. You can use either the individual Flex parsers or the equivalent Lua parsers, e.g. Flex: fingerprint_access_db.flex or Lua: fingerprint_access_db.luax. botnet.flex: The botnets previously detected by botnet.flex are now defunct. Intelligence on new botnets is mostly provided via the RSA FirstWatch feeds (which require a Live Enhanced or higher subscription). |
Resolution | To resolve the issue, follow one of the recommendations below.
If you are unsure of how to implement the recommendations above or experience any issues, contact RSA Support and quote this article ID for further assistance. |
Legacy Article ID | a66290 |