topic Re: SNORT3 benefits? in Network Security

SNORT3 benefits?

tiwang — Thu, 11 Jan 2024 11:38:41 GMT

hi out there - we are just upgrading our FTD's from 6.6.x to .7.0.0 to 7.2.5 - and there we get the option to also upgrade the SNORT engine from SNORT2 to SNORT3 - but besides of the commercial crab stating we get the most powerfull engine then - what benefits do we get - besides of getting rid of that annoying error from a upgraded ftd of "snort engine waiting for data".

Has anyone noticed some benefits or better inspection - less cpu consumption or what?

Re: SNORT3 benefits?

Mark Elsen — Thu, 11 Jan 2024 13:01:53 GMT

- FYI : https://www.snort.org/snort3

Re: SNORT3 benefits?

tiwang — Thu, 11 Jan 2024 13:24:30 GMT

yes i also noticed that - just that table there - https://blog.snort.org/2020/08/snort-3-2-differences.html - looks like it has been some desperately looking for some positive difference to write there - like:
default config - snort2: complex, needs tuning snort3: simplified, effective

how do you measure "effective" ?

stream TCP: snort2: complex implementation snort3: new and improved implementation

and so - you know - lots of statements which are hard to measure on - like a lot of sales crab...

so therefor my question - has some in real life production env seen some benefits which can be measured?

Re: SNORT3 benefits?

tvotna — Thu, 11 Jan 2024 13:59:47 GMT

There are few features which require Snort3, e.g.:

- TLS 1.3 decryption
- EVE
- Elephant flow detection/remediation
- Port scan detection/prevention
- Rule Groups

Among them Rule Groups can really be helpful to tune Intrusion Policy.

HTTP/2 probably requires Snort3 too, but I'm not sure. If QUIC will ever be supported, it will be supported in Snort3 only. So, Cisco doesn't really give us a choice, long-term. On the other hand, Snort3 stability can still be a problem. Hopefully other members who use it will comment.