Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
334
Views
2
Helpful
3
Replies

SNORT3 benefits?

tiwang
Level 3
Level 3

‎01-11-2024 03:37 AM - edited ‎01-11-2024 03:38 AM

hi out there - we are just upgrading our FTD's from 6.6.x to .7.0.0 to 7.2.5 - and there we get the option to also upgrade the SNORT engine from SNORT2 to SNORT3 - but besides of the commercial crab stating we get the most powerfull engine then - what benefits do we get - besides of getting rid of that annoying error from a upgraded ftd of "snort engine waiting for data".

Has anyone noticed some benefits or better inspection - less cpu consumption or what?

1 person had this problem
0 Helpful
3 Replies 3

marce1000
VIP
VIP

‎01-11-2024 05:01 AM

 

                - FYI : https://www.snort.org/snort3

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

tiwang
Level 3
Level 3
In response to marce1000

‎01-11-2024 05:21 AM - edited ‎01-11-2024 05:24 AM

yes i also noticed that - just that table there - https://blog.snort.org/2020/08/snort-3-2-differences.html - looks like it has been some desperately looking for some positive difference to write there - like:
default config - snort2: complex, needs tuning snort3: simplified, effective

how do you measure "effective" ?

or 

stream TCP: snort2: complex implementation snort3: new and improved implementation

and so - you know - lots of statements which are hard to measure on - like a lot of sales crab...

so therefor my question - has some in real life production env seen some benefits which can be measured?

0 Helpful

tvotna
Spotlight
Spotlight
In response to tiwang

‎01-11-2024 05:59 AM

There are few features which require Snort3, e.g.:

- TLS 1.3 decryption
- EVE
- Elephant flow detection/remediation
- Port scan detection/prevention
- Rule Groups

Among them Rule Groups can really be helpful to tune Intrusion Policy.

HTTP/2 probably requires Snort3 too, but I'm not sure. If QUIC will ever be supported, it will be supported in Snort3 only. So, Cisco doesn't really give us a choice, long-term. On the other hand, Snort3 stability can still be a problem. Hopefully other members who use it will comment.

 

 

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card