Cisco Bug: CSCvs37289 - Unable to view Snort Preprocessor Statistics on Firepower 8120

Last Modified

Dec 09, 2019

Products (1)

  • Cisco Firepower Management Center

Known Affected Releases

6.2.3 6.2.3.10

Description (partial)

Symptom:
On the Firepower 8120, we are unable to see the Snort preprocessor statistics unless we kill the snort process and then view the statistics within messages. You have to kill the snort process with kill -USR1 `pidof snort`; then, within the Snort Exit stats, you will see:

Sep 25 15:57:18 ciscoasa snort[3645]: ===============================================================================
Sep 25 15:57:18 ciscoasa snort[3640]:               Finished: 0
Sep 25 15:57:18 ciscoasa snort[3642]:     Size: 0 internal (0 max), 0 external, 229376 overhead
Sep 25 15:57:18 ciscoasa snort[3645]: SSL Preprocessor:
Sep 25 15:57:18 ciscoasa snort[3640]:     Client Application: 156959
Sep 25 15:57:18 ciscoasa snort[3642]: ===============================================================================
Sep 25 15:57:18 ciscoasa snort[3645]:    SSL packets decoded: 1003949
Sep 25 15:57:18 ciscoasa snort[3640]:     Server Application: 78616
Sep 25 15:57:18 ciscoasa snort[3645]:           Client Hello: 138804
Sep 25 15:57:18 ciscoasa snort[3640]:                  Alert: 11393
Sep 25 15:57:18 ciscoasa snort[3645]:           Server Hello: 138307
Sep 25 15:57:18 ciscoasa snort[3645]:            Certificate: 159548
Sep 25 15:57:18 ciscoasa snort[3640]:   Unrecognized records: 314014
Sep 25 15:57:18 ciscoasa snort[3645]:            Server Done: 357543
Sep 25 15:57:18 ciscoasa snort[3645]:    Client Key Exchange: 117015
Sep 25 15:57:18 ciscoasa snort[3645]:    Server Key Exchange: 98003
Sep 25 15:57:18 ciscoasa snort[3640]:   Completed handshakes: 0
Sep 25 15:57:18 ciscoasa snort[3645]:          Change Cipher: 272783
Sep 25 15:57:18 ciscoasa snort[3645]:               Finished: 0
Sep 25 15:57:18 ciscoasa snort[3645]:     Client Application: 156034
Sep 25 15:57:18 ciscoasa snort[3640]:         Bad handshakes: 0
Sep 25 15:57:18 ciscoasa snort[3645]:     Server Application: 78362
Sep 25 15:57:18 ciscoasa snort[3645]:                  Alert: 11292
Sep 25 15:57:18 ciscoasa snort[3645]:   Unrecognized records: 305457
Sep 25 15:57:18 ciscoasa snort[3640]:       Sessions ignored: 68909
Sep 25 15:57:18 ciscoasa snort[3645]:   Completed handshakes: 0
Sep 25 15:57:18 ciscoasa snort[3640]:     Detection disabled: 41163
Sep 25 15:57:18 ciscoasa snort[3645]:         Bad handshakes: 0
Sep 25 15:57:18 ciscoasa snort[3640]:   High Availability
Sep 25 15:57:18 ciscoasa snort[3645]:       Sessions ignored: 68570
Sep 25 15:57:18 ciscoasa snort[3640]:           Updates Received: 0
Sep 25 15:57:18 ciscoasa snort[3645]:     Detection disabled: 41128
Sep 25 15:57:18 ciscoasa snort[3640]:         Deletions Received: 0
Sep 25 15:57:18 ciscoasa snort[3640]:         Updates Sent: 0
Sep 25 15:57:18 ciscoasa snort[3640]:             Deletions Sent: 0

This is a difficult way for the customer to check whether their preprocessor is working as expected.
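The syslog output above interleaves lines from several snort processes (PIDs 3640, 3642 and 3645), so counters from different instances are mixed together. The following is an added example, not Cisco code or part of the original bug text, that regroups such lines by PID and section. The function names and the UNKNOWN label are assumptions of this example, and the sample input is built from lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: a few of the interleaved lines quoted above.
SAMPLE = """\
Sep 25 15:57:18 ciscoasa snort[3645]: ===============================================================================
Sep 25 15:57:18 ciscoasa snort[3645]: SSL Preprocessor:
Sep 25 15:57:18 ciscoasa snort[3640]:     Client Application: 156959
Sep 25 15:57:18 ciscoasa snort[3645]:    SSL packets decoded: 1003949
Sep 25 15:57:18 ciscoasa snort[3642]:     Size: 0 internal (0 max), 0 external, 229376 overhead
Sep 25 15:57:18 ciscoasa snort[3640]:       Sessions ignored: 68909
Sep 25 15:57:18 ciscoasa snort[3640]:   High Availability
Sep 25 15:57:18 ciscoasa snort[3645]:       Sessions ignored: 68570
Sep 25 15:57:18 ciscoasa snort[3640]:           Updates Received: 0
"""

LINE_RE = re.compile(r"\bsnort\[(\d+)\]:\s*(.*?)\s*$")
COUNTER_RE = re.compile(r"^([^:]+):\s*(\d+)$")
UNKNOWN = "(section header not in input)"  # label chosen for this example

def stats_by_pid(text):
    """Return {pid: {section: {counter: int}}} from interleaved Snort syslog lines."""
    stats = defaultdict(lambda: defaultdict(dict))
    section = defaultdict(lambda: UNKNOWN)      # current section, tracked per PID
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or not m.group(2):
            continue
        pid, body = int(m.group(1)), m.group(2)
        if set(body) == {"="}:                  # separator ends the current block
            section[pid] = UNKNOWN
        elif (c := COUNTER_RE.match(body)):     # "name: integer" counter line
            stats[pid][section[pid]][c.group(1).strip()] = int(c.group(2))
        elif ":" not in body.rstrip(":"):       # "SSL Preprocessor:" / "High Availability"
            section[pid] = body.rstrip(":")
        # anything else (e.g. the multi-value "Size:" line) is not a simple counter
    return stats

def total(stats, counter):
    """Sum one counter over every Snort instance and section."""
    return sum(v for secs in stats.values() for ctrs in secs.values()
               for k, v in ctrs.items() if k == counter)

if __name__ == "__main__":
    for pid, secs in sorted(stats_by_pid(SAMPLE).items()):
        for sec, ctrs in secs.items():
            print(pid, sec, ctrs)
```

Counters whose section header falls outside the captured excerpt, as with PID 3640 above, are kept under the UNKNOWN label rather than being attributed to another instance's section.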

On FTD, the same statistics are visible with the command show snort statistics:

> show snort statistics

Packet Counters:
  Passed Packets                                                   1303
  Blocked Packets                                                     0
  Injected Packets                                                    0
  Packets bypassed (Snort Down)                                      13
  Packets bypassed (Snort Busy)                                       0

Flow Counters:
  Fast-Forwarded Flows                                               14
  Blacklisted Flows                                                   0

Miscellaneous Counters:
  Start-of-Flow events                                                0
  End-of-Flow events                                                  4
  Denied flow events                                                  0
  Frames forwarded to Snort before drop                               0
  Inject packets dropped                                              0

This is much more user-friendly and accessible for customers and for troubleshooting.

Conditions:
SSL Preprocessor engaged with 'stop inspecting encrypted traffic' enabled.