01-11-2024 03:37 AM - edited 01-11-2024 03:38 AM
Hi out there - we are just upgrading our FTDs from 6.6.x to 7.0.0 to 7.2.5 - and there we get the option to also upgrade the Snort engine from Snort 2 to Snort 3 - but besides the commercial crab stating we get the most powerful engine then - what benefits do we get - besides getting rid of that annoying error from an upgraded FTD of "snort engine waiting for data"?
Has anyone noticed some benefits or better inspection - less CPU consumption or what?
01-11-2024 05:01 AM
- FYI : https://www.snort.org/snort3
M.
01-11-2024 05:21 AM - edited 01-11-2024 05:24 AM
Yes, I also noticed that - just that table there - https://blog.snort.org/2020/08/snort-3-2-differences.html - looks like someone has been desperately looking for some positive difference to write there - like:
default config - Snort 2: complex, needs tuning / Snort 3: simplified, effective
How do you measure "effective"?
or
stream TCP - Snort 2: complex implementation / Snort 3: new and improved implementation
and so on - you know - lots of statements which are hard to measure - like a lot of sales crab...
So therefore my question - has someone in a real-life production environment seen some benefits which can be measured?
01-11-2024 05:59 AM
There are a few features which require Snort 3, e.g.:
- TLS 1.3 decryption
- EVE
- Elephant flow detection/remediation
- Port scan detection/prevention
- Rule Groups
Among them, Rule Groups can really be helpful to tune the Intrusion Policy.
HTTP/2 probably requires Snort 3 too, but I'm not sure. If QUIC is ever supported, it will be supported in Snort 3 only. So Cisco doesn't really give us a choice, long-term. On the other hand, Snort 3 stability can still be a problem. Hopefully other members who use it will comment.