Cisco Bug: CSCvu16826 - FTD snort instances down due to corrupted snort rule after upgrade to release 6.6

Last Modified

Jul 16, 2020

Products (1)

  • Cisco Firepower Management Center

Known Affected Releases

6.6.0

Description (partial)

Symptom:
Snort instances on an FTD device may remain in the down state after the upgrade to release 6.6.

In /ngfw/var/log/messages the following errors can be seen (each snort instance exits immediately after the process manager starts it, and the FATAL ERROR names the rule file and the line number of the rule it could not parse):

May  7 15:51:00 firepower SF-IMS[3010]: [3010] pm:log [INFO] Process 'd01' closed output.
May  7 15:51:00 firepower SF-IMS[3010]: [3010] pm:process [INFO] Process 3d0a91e6-17a6-11ea-a1bd-ad4f698ec66d-d01 (26680) exited cleanly
May  7 15:51:00 firepower snort[26682]: FATAL ERROR: /ngfw/var/sf/detection_engines/3d0a91e6-17a6-11ea-a1bd-ad4f698ec66d/intrusion/95d43ca4-1b85-11ea-b2dd-a9fd72bd9fbf/server-oracle.rules(127) Unknown rule option: 'no<FD><F5><93>A<E8>^D<A8><FD><D8>^YX_<92><8A>4<BD>content'.
May  7 15:51:00 firepower SF-IMS[3010]: [3010] pm:log [INFO] Process 'd03' closed output.
May  7 15:51:00 firepower SF-IMS[3010]: [3010] pm:process [INFO] Process 3d0a91e6-17a6-11ea-a1bd-ad4f698ec66d-d03 (26682) exited cleanly
May  7 15:51:00 firepower snort[26681]: FATAL ERROR: /ngfw/var/sf/detection_engines/3d0a91e6-17a6-11ea-a1bd-ad4f698ec66d/intrusion/95d43ca4-1b85-11ea-b2dd-a9fd72bd9fbf/server-oracle.rules(127) Unknown rule option: 'no<FD><F5><93>A<E8>^D<A8><FD><D8>^YX_<92><8A>4<BD>content'.

Bad rule under:
"/ngfw/var/sf/detection_engines/<detection-engine-uuid>/intrusion/<intrusion-policy-uuid>/server-oracle.rules". As the messages above show, the error comes from "server-oracle.rules", line 127, which contains the following rule:

drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-ORACLE Oracle Secure Backup Administration objectname variable command injection attempt"; flow:to_server,established; content:"/property_box.php?"; nocase; http_uri; content:"inputdata=input"; distance:0; nocase; http_uri; content:"type=Transcript"; no<FD><F5><93>A<E8>^D<A8><FD><D8>^YX_<92><8A>4<BD>content:"objectname|5B|0|5D 3D|"; nocase; http_uri; pcre:"/objectname\x5b0\x5d\x3d[^\x26]*(\x2526|\x257c|\x7c)/iI"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,41597; reference:cve,2010-0906; classtype:web-application-attack; sid:18929; rev:10; gid:1; )


The rule is corrupted: between content:"type=Transcript"; and content:"objectname|5B|0|5D 3D|"; the option text has been overwritten by 16 bytes of non-printable garbage (no<FD><F5><93>A<E8>^D<A8><FD><D8>^YX_<92><8A>4<BD>). Judging by the other content matches in the same rule, and by the leading "no", this is where nocase; http_uri; (also 16 characters) would be expected. Snort's rule parser treats the resulting token as an unknown rule option and aborts, so every snort instance using this intrusion policy fails to start. Because the corruption is in the compiled rule file on the device rather than in the policy on the FMC, the rule file itself has to be checked.
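The two checks described above (pull the file and line number out of the snort FATAL ERROR messages, then locate any rule line that contains bytes outside printable ASCII) as a small shell script. This is an added example, not Cisco's code or a Cisco-provided tool; it assumes the path layout quoted in the bug (/ngfw/var/sf/detection_engines/<detection-engine-uuid>/intrusion/<intrusion-policy-uuid>/*.rules), a grep that accepts -a (GNU or BSD), and that it is run from FTD expert mode as root. The sample rule file and log excerpt it builds are constructed for the demonstration and the UUID directory names in them are placeholders.

```shell
#!/bin/sh
# Added example (not Cisco code): find a corrupted Snort rule of the kind
# described in CSCvu16826 from the device's own files.

# 1. Extract "path line" pairs from snort FATAL ERROR lines in a messages log.
#    Identical errors from several snort instances collapse to one line.
snort_fatal_rule_lines() {
    # $1: messages log (default: the FTD location quoted in the bug)
    log="${1:-/ngfw/var/log/messages}"
    grep 'snort\[[0-9]*\]: FATAL ERROR: ' "$log" |
        sed -n 's/.*FATAL ERROR: \([^ ]*\.rules\)(\([0-9]*\)).*/\1 \2/p' |
        sort -u
}

# 2. Scan every .rules file under a detection-engine tree for bytes that are
#    neither printable ASCII nor whitespace. Under LC_ALL=C, [:print:] covers
#    only 0x20-0x7E, so high bytes such as <FD><F5> and control characters
#    such as ^D and ^Y are all flagged. -a forces text mode so grep prints
#    the offending line; /dev/null forces the "path:line:" prefix even when
#    find hands grep a single file. Output: path:line:<rule text>.
find_corrupt_rule_lines() {
    # $1: root to scan (default: the FTD location quoted in the bug)
    root="${1:-/ngfw/var/sf/detection_engines}"
    find "$root" -type f -name '*.rules' -exec \
        sh -c 'LC_ALL=C grep -an "[^[:print:][:space:]]" "$@" /dev/null' sh {} +
}

# Constructed fixture (not from a real device): a detection-engine tree with
# one clean rule and one rule whose "nocase; http_uri; " has been overwritten
# by the same 16 junk bytes seen in the bug. Prints the .rules path.
make_sample_tree() {
    # $1: scratch directory; placeholder UUID directory names
    dir="$1/engine-uuid/intrusion/policy-uuid"
    mkdir -p "$dir"
    rules="$dir/server-oracle.rules"
    {
        printf '%s\n' 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed clean rule"; flow:to_server,established; content:"/property_box.php?"; nocase; http_uri; sid:1000001; rev:1;)'
        printf 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed corrupted rule"; content:"type=Transcript"; no\375\365\223A\350\004\250\375\330\031X_\222\2124\275content:"objectname|5B|0|5D 3D|"; nocase; http_uri; sid:1000002; rev:1;)\n'
    } > "$rules"
    echo "$rules"
}

# Constructed log excerpt modelled on the bug's messages lines.
make_sample_log() {
    # $1: file to write
    cat > "$1" <<'EOF'
May  7 15:51:00 firepower SF-IMS[3010]: [3010] pm:log [INFO] Process 'd01' closed output.
May  7 15:51:00 firepower snort[26682]: FATAL ERROR: /ngfw/var/sf/detection_engines/engine-uuid/intrusion/policy-uuid/server-oracle.rules(127) Unknown rule option: 'no...content'.
May  7 15:51:00 firepower snort[26681]: FATAL ERROR: /ngfw/var/sf/detection_engines/engine-uuid/intrusion/policy-uuid/server-oracle.rules(127) Unknown rule option: 'no...content'.
EOF
}

# On a device (expert mode, as root), after sourcing this file:
#   snort_fatal_rule_lines        # which file(line) snort refused
#   find_corrupt_rule_lines       # every rule line with junk bytes, any policy
```

The second check is the more useful of the two: snort stops at the first unparsable rule, so the FATAL ERROR only ever names one line, whereas the byte scan reports every corrupted rule across every detection engine and policy on the box, which is what you want to know before deciding whether redeploying the policy from the FMC will be enough.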

Conditions:
ASA5516 running FTD in an HA pair.
When the 6.6 upgrade is pushed to the HA pair from version 6.5, the standby unit completes the upgrade, snort fails to start on it and the unit enters the failed state.
Because the standby unit is in the failed state, the upgrade of the active unit fails and it remains on version 6.5.