Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000017484 - The file_fingerprints.flex and botnet.flex parsers are failing to load on an RSA Security Analytics decoder

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000017484
Applies To	RSA Security Analytics RSA Security Analytics Decoder RSA NetWitness NextGen RSA NetWitness Live
Issue	The file_fingerprints.flex and botnet.flex parsers are failing to load on an RSA Security Analytics decoder. The following 2 messages in /var/log/messages indicates these parsers are not loading in SA/NetWitness packet decoders: May 27 16:06:56 decoder nw[4782]: [Parse] [warning] The parser file 'file_fingerprints.flex' failed to load because: The root parser node was not found in the parser definition file May 27 16:06:56 decoder nw[4782]: [Parse] [warning] The parser file 'botnet.flex' failed to load because: The root parser node was not found in the parser definition file
Cause	Toe following parsers have been deprecated in CMS (latest version of the parsers in CMS are empty): File Fingerprints [file_fingerprints.flex] Botnet Traffic Patterns [botnet.flex] Replacement Content: file_fingerprints.flex: The monolithic parser file_fingerprints.flex has been deprecated by individual fingerprint_* parsers Can either use individual flex parsers or the equivalent Lua parsers e.g. Flex: fingerprint_access_db.flex or Lua: fingerprint_access_db.luax botnet.flex: The botnets previously detected by botnet.flex are now defunct. Intelligence on new botnets are mostly provided via the RSA FirstWatch feeds (which requires Live Enhanced or higher subscription).
Resolution	To resolve the issue, follow one of the recommendations below. Remove subscriptions in Security Analytics Live In Live \ Manage, if on the Deployments tab either "File Fingerprints" or "Botnet Traffic Patterns" has been assigned as a Subscription to a Device Group this will need to be removed. The subscription can then be deleted under Live \ Manage on the Subscriptions tab. On decoders remove the following files: /etc/netwitness/ng/parsers/file_fingerprints.flex* /etc/netwitness/ng/parsers/botnet.flex* If you are unsure of how to implement the recommendations above or experience any issues, contact RSA Support and quote this article ID for further assistance.
Legacy Article ID	a66290

Attachments

Outcomes

0 Comments

Recommended Content