
I upgraded to Snort 3 but still getting drops on Snort 2 rules

DannyDulin
Level 1

Hi everyone.

We upgraded our Firepower to Snort 3. The devices are Snort 3 only. The intrusion policy does still have a Snort 2 version.

After the upgrade, we are still receiving drops for Snort 2 rules. ***This is a correction. I initially wrote that we were receiving Snort 3 drops when I meant to say Snort 2.

Is this because we need to create a new Intrusion policy that doesn't include Snort 2?

See attached pics for reference.


rhingel
Cisco Employee

Hello Danny,

When you upgrade to Snort 3, you should still see "Snort 2 Version" and "Snort 3 Version" when you browse to Policies > Intrusion Policies.

Can you confirm you converted all Snort 2 custom rules to Snort 3? See this link if you are unsure: https://www.cisco.com/c/en/us/td/docs/security/firepower/70/snort3/config-guide/snort3-configuration-guide-v70/migrating.html#Cisco_Task.dita_9cea427d-5d46-4a47-8d71-11fad52fbd46_snort3


Hi Rhingel,

Thank you for your input.

Yes, I can confirm that I converted all Snort 2 custom rules to Snort 3. The Snort 2 rules that are firing are not custom rules.

You select convert import or convert download?

I can't remember 100% for sure, but it is highly likely that I selected convert download.
