Snort version 2 vs version 3 - is it worth to upgrade?

Chess Norris
Level 4

Hello,

We're thinking about switching from Snort version 2 to version 3 on our FTDs, but I want to know if there are any issues, known bugs or other disadvantages. Looking at this Cisco page, comparing both versions, it seems to be only advantages:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/217617-comparing-snort-2-and-snort-3-on-firepow.html 

Thanks

/Chess


I would personally recommend moving to Snort 3 due to its huge improvement in terms of performance and intelligence, unless you require a feature that is not yet supported in Snort 3. One thing you won't have with Snort 3 is the Firepower Recommendations, so if you want to rely on Cisco recommendations of how the IPS signatures should be tuned, then you would need to stick with Snort 2 until that feature is added to Snort 3, which I believe will be in version 7.3. Also, please keep in mind that you can still revert to Snort 2 if you don't want to stick with Snort 3.

Marvin Rhoads
Hall of Fame

There were a few bugs in the initial 7.0.x releases but 7.0.4 seems to have mostly cleared them up.

Marvin Rhoads
Hall of Fame

@Aref Alsouqi 

In FMC 7.0.x, you can generate Firepower recommendations for Snort 2 and then convert them to Snort 3 rules as described here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/snort3/config-guide/snort3-configuration-guide-v70/tailoring-intrusion-protection.html#ID-2213-000000e4_snort3

FMC 7.1 added Recommendation for Snort 3 natively back in:

https://www.cisco.com/c/en/us/td/docs/security/firepower/710/relnotes/firepower-release-notes-710/features.html

However, I'd go with 7.2 over 7.1 since 7.1 is a short term release.

Interesting, as I remember it was mentioned in the last CLUS that the next release to support the recommendations would have been 7.3.

I assume generating the recommendations from Snort 2 would require a manual sync every time we generate them, right?

@Aref Alsouqi yes, the 7.0.x sync process is a manual one.

I can confirm (screenshot below) that 7.2 has the Recommendations section for a Snort 3 IPS policy. You can create a scheduled job to generate those rules.

[Screenshot: Snort 3 Rule Recommendations]

Chess Norris
Level 4

Thanks for the answers. I understand that Snort 3 is now active by default with FTD version 7.2, and we're planning to upgrade to this version anyway. We don't use the Cisco IPS recommendations, so that shouldn't be any problem.

/Chess
