Symptom
Issue: When VDB 355 or higher is installed on a 7.0, 7.1 or 7.2 device running snort3, some SSL payload detectors such as facebook.com, pubg.com, earthcam.com and tencent.com (mainly the patterns modified or newly added after 355) fail to detect. Detection returns to normal once snort is restarted at this point, or once a full snort reload is issued, either by deploying an LSP or by issuing the snort reload socket command.
Conditions
The device is baselined to 7.0 or above, is running snort3, and has VDB 355 or higher installed. No VDB below 356 reproduces the issue.
Workaround
1. Restart snort, OR
2. Install a new LSP and deploy it, OR
3. Issue a snort reload from the FTD backend: ssh to the FTD, then run
   cd /ngfw/var/sf/detection_engines//
   nc -U snort3.sock
   reload_config("/ngfw/var/sf/detection_engines//snort3.lua")
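The following script is an added example and not part of this bug write-up or of the FTD software. It automates workaround 3 for every detection engine on the box, so the engine ID that the write-up elides does not have to be typed by hand. It assumes that engines live under /ngfw/var/sf/detection_engines/<engine-id>/ (a placeholder for the real ID), that each engine directory holds snort3.sock and snort3.lua, and that nc -U is available as shown above; the DRY_RUN and run arguments are conventions of this script only.

```shell
#!/bin/sh
# Added example, not from the bug write-up: send the reload_config workaround
# to every snort3 detection engine on the FTD.
# Assumptions: engines live under /ngfw/var/sf/detection_engines/<engine-id>/
# (engine-id is a placeholder), each holds snort3.sock and snort3.lua, and
# `nc -U` is available on the box as in the write-up.

DE_BASE="${DE_BASE:-/ngfw/var/sf/detection_engines}"

# The Lua call sent over the control socket, exactly as in the workaround,
# with the engine directory filled in.
snort3_reload_cmd() {
    printf 'reload_config("%s/snort3.lua")\n' "$1"
}

# List the engine directories under $1 that carry a snort3.lua config.
snort3_find_engines() {
    for d in "$1"/*/; do
        d="${d%/}"
        [ -f "$d/snort3.lua" ] && printf '%s\n' "$d"
    done
    return 0
}

# Send the reload to one engine's socket. Refuses to run if the socket is
# missing (snort not running, or wrong directory) instead of hanging in nc.
# DRY_RUN=1 prints what would be sent instead of sending it.
snort3_reload_engine() {
    sock="$1/snort3.sock"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'dry-run %s: ' "$sock"
        snort3_reload_cmd "$1"
        return 0
    fi
    if [ ! -S "$sock" ]; then
        echo "no control socket at $sock" >&2
        return 1
    fi
    snort3_reload_cmd "$1" | nc -U "$sock"
}

# Reload every engine found under $1 (default DE_BASE); non-zero if any failed.
snort3_reload_all() {
    rc=0
    for eng in $(snort3_find_engines "${1:-$DE_BASE}"); do
        snort3_reload_engine "$eng" || rc=1
    done
    return "$rc"
}

# Usage on the FTD after ssh:  DRY_RUN=1 sh snort3_reload.sh run
# then, once the output looks right:  sh snort3_reload.sh run
if [ "${1:-}" = run ]; then
    snort3_reload_all
fi
```

Run it with DRY_RUN=1 first to confirm which engine directories and sockets it found; the socket check exists because nc -U blocks on a path that is not a live socket, which is easy to mistake for a hung reload.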
Further Problem Description
The missing detections are for patterns from modified VDB Lua files WITHOUT third-party NAVL support.
Troubleshooting done: The issue cannot be reproduced in regression testing with a pcap. We then analyzed each commit that went into the VDB and had to back out every modification to an SSL or payload Lua file to fix the issue. We may have hit some sort of memory cap related to the size of the Lua files. We will be blocked from adding any further Lua file updates in future VDBs until this issue is solved.
Root cause: hyperscan is not returning a match for the patterns; there is not enough scratch space after the reload. This works fine when a full reload_config is done, but there appears to be a problem when SearchTool users reload separately from IPS.