We are testing version 4 but so far it doesn't feel all that different (or better).  We have 6 different 3.3.1 CSM servers right now.  I'm sure the next version will totally solve all outstanding issues...  .

You are lucky, we have > 1500 Cisco sensors around the world right now and lose ~100 on each signature pack (due to crashing).  The last dozen signature packs have also had numerous issues which has made life especially difficult (nothing really new ...

No, nothing has changed.  This post might get deleted but there are far superior alternatives if you wish to run Snort based signatures without the management, licensing, stability, expense, and lack of IPv6 management that is a Cisco sensor.

Have you tried 'deny attacker inline' as the action on the signature?What does 'sh stat denied-attackers' provide for details?

This is a Cisco forum BTW, not one for Snort products. That said, an IPS will be more useful behind the firewall (less noisy and you'll be able to monitor the private addresses).