
ESA Rule Tuning

Question asked by RSA Admin Employee on Jan 12, 2015
Latest reply on Apr 14, 2016 by 3OhNFF3OK8R7e9RBPyrUgH7yTMkrRJFOxI8Zi8P03L0=


Good afternoon,

To avoid the risk of unnecessarily triggering a high volume of alerts in large enterprise deployments, we have removed the following ESA rules from Live. The logic for these rules will be analyzed, further tuned, and submitted to more testing prior to being re-released on Live.

The affected rules are:

esa000105.esaa    Consecutive Login without Logout
esa000037.esaa    port knocking packet
esa000015.esaa    port knocking log
esa000013.esaa    dns amplification
esa000072.esaa    Multiple Unique Logs from MsgID Set with Same SourceIP and DestinationIP
esa000042.esaa    Single source, Same IDS / IPS message type, different destination IP
esa000034.esaa    port scan vertical packet
esa000033.esaa    port scan horizontal packet

Thank you
