09-29-2022 04:35 AM
Hello,
We're thinking about switching from Snort version 2 to version 3 on our FTDs, but I want to know if there are any issues/known bugs or other disadvantages. Looking at this Cisco page, comparing both versions, it seems to be only advantages.
Thanks
/Chess
09-29-2022 05:43 AM
I would personally recommend moving to Snort 3 due to its huge improvement in terms of performance and intelligence, unless you require a feature that is not yet supported in Snort 3. One thing you won't have with Snort 3 is the Firepower Recommendations, so if you want to rely on Cisco recommendations of how the IPS signatures should be tuned, then you would need to stick with Snort 2 until that feature is added to Snort 3, which I believe will be in version 7.3. Also, please keep in mind that you can still revert to Snort 2 if you don't want to stick with Snort 3.
09-29-2022 05:44 AM
There were a few bugs in the initial 7.0.x releases but 7.0.4 seems to have mostly cleared them up.
09-29-2022 06:00 AM
In FMC 7.0.x, you can generate Firepower recommendations for Snort 2 and then convert them to Snort 3 rules as described here:
FMC 7.1 added Recommendation for Snort 3 natively back in:
However, I'd go with 7.2 over 7.1 since 7.1 is a short term release.
09-29-2022 06:19 AM
Interesting, as I remember it was mentioned in the last CLUS that the next release to support the recommendations would have been 7.3.
I assume generating the recommendations from Snort 2 would require a manual sync every time we generate them, right?
09-29-2022 07:32 AM
@Aref Alsouqi yes, the 7.0.x sync process is a manual one.
I can confirm (screenshot below) that 7.2 has the Recommendations section for a Snort 3 IPS policy. You can create a scheduled job to generate those rules.
09-29-2022 06:25 AM
Thanks for the answers. I understand that Snort 3 is now active by default with FTD version 7.2 and we're planning to upgrade to this version anyway. We don't use the Cisco IPS recommendations, so that shouldn't be any problem.
/Chess