000034234 - Parse Errors When Doing Searches in the Forensics User Interface (FUI) in RSA Web Threat Detection

Document created by RSA Customer Support Employee on Jan 11, 2017Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000034234
Applies To:
RSA Product Set: Web Threat Detection
RSA Product/Service Type: Forensics
RSA Version/Condition: 4.6, 5.x, 6.x
 
Issue

A customer sees a parser error in the Forensics User Interface (FUI) for certain hours when viewing IP details.


The component that fails on the customer's system appears to be clickstream.cgi. Error seen:


{"ipaddr":"90.195.89.75"{"error":
{"message":"In LineInputStream::GetLine(), bufSize=1048576, line len=1105912", "display": "Query Exception" }
}

 
Cause

The error is raised when a FUI search returns a result line larger than the character buffer allocated to read and display it. In the message above the buffer (bufSize) is 1048576 bytes (1 MiB), but the line being read is 1105912 bytes long. To confirm this, examine the user or IP score files (for example ipScores.gz) for the hours in which the error occurs. Here is an example:

zcat ipScores.gz | perl -nle 'if (length($_) > 1048576) { print length($_); print substr($_,0,30) }'
5155405
188.163.68.52,84928,0,0,0,5,10

 

So one line is 5155405 bytes (about 5 MB) long, almost five times the 1048576-byte buffer. Any single line longer than the buffer causes the parse error.

Resolution

This issue is being examined by Engineering as of October 2016. A fix is committed for a future version, which has not been specifically determined at this time.
Workaround

Possible workarounds if this error is seen:
  1. Limit the scope of searches so that they return smaller results.
  2. Normalize the data: add a regex statement to a Page definition that matches the parts of URLs that are random values, so those values do not produce distinct entries.
  3. Identify IP aggregators (such as proxies or NAT devices) and use true-ip to obtain the source IPs from the headers.
  4. Ignore internal traffic and other sources such as internal monitoring.
Please note: the stated workarounds may require the assistance of an RSA WTD Threat Analyst or Customer Support Engineer.
