Snort 3

Snort 3 is the latest version of the Snort inspection engine and is a significant improvement over the earlier version, Snort 2. Snort 3 is more efficient, and it provides better performance and scalability.

Note

Snort 2 is not supported on threat defense Version 7.7. For information on Snort 2 features that are supported in versions earlier than 7.7, refer to the management center guide that matches your threat defense version.

Snort 3 is architecturally redesigned to inspect more traffic with equivalent resources when compared to Snort 2. Snort 3 provides simplified and flexible insertion of traffic parsers. Snort 3 also provides a new rule syntax that makes rule writing easier and makes shared object rule equivalents visible.
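As an added illustration of the Snort 3 rule syntax (this is example code written for this page, not snort2lua or any Cisco or Talos tool), the following script rewrites three of the most common Snort 2 constructs into their Snort 3 form: content modifiers such as nocase and depth, which become comma-separated arguments of the content option; HTTP buffer modifiers such as http_uri, which become sticky buffers placed before the content they apply to; and metadata:service, which becomes the first-class service option. The sample rule, its SID and the set of handled options are constructed assumptions; any option the converter does not recognise is passed through unchanged.

```python
"""Rewrite common Snort 2 rule constructs into Snort 3 syntax.

Added example for this page; it is not snort2lua and covers only the
constructs listed in CONTENT_MODIFIERS and HTTP_BUFFERS. Everything else is
passed through unchanged.
"""

# Constructed sample rule (assumption, not from the page): a Snort 2 rule using
# a content modifier chain, an HTTP buffer modifier and metadata:service.
SNORT2_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
    '(msg:"EXAMPLE directory traversal attempt"; flow:to_server,established; '
    'content:"/../"; http_uri; nocase; depth:64; '
    'metadata:service http; classtype:web-application-attack; sid:1000001; rev:1;)'
)

# Snort 2 modifiers that follow a content option and, in Snort 3, move inside
# the content option as comma-separated arguments ("depth:64;" -> "depth 64").
CONTENT_MODIFIERS = {"nocase", "depth", "offset", "distance", "within"}

# Snort 2 HTTP buffer modifiers that become Snort 3 sticky buffers: the buffer
# name is emitted on its own *before* the content it applies to.
HTTP_BUFFERS = {"http_uri", "http_raw_uri", "http_header", "http_raw_header",
                "http_cookie", "http_client_body", "http_method", "http_stat_code"}


def split_options(body: str) -> list:
    """Split a rule body on ';' while respecting quoted strings and escapes."""
    options, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            current.append(ch)
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        options.append(tail)
    return options


def snort2_to_snort3(rule: str) -> str:
    """Return the Snort 3 form of a single-line Snort 2 rule."""
    header, _, body = rule.partition("(")
    options = split_options(body.rstrip().rstrip(")"))
    out, i = [], 0
    while i < len(options):
        name, _, value = (part.strip() for part in options[i].partition(":"))
        if name == "content":
            # Gather the modifiers that follow this content in Snort 2.
            modifiers, sticky_buffer = [], None
            i += 1
            while i < len(options):
                mname, _, mvalue = (p.strip() for p in options[i].partition(":"))
                if mname in HTTP_BUFFERS:
                    sticky_buffer = mname
                elif mname in CONTENT_MODIFIERS:
                    modifiers.append(f"{mname} {mvalue}" if mvalue else mname)
                else:
                    break
                i += 1
            if sticky_buffer:
                out.append(f"{sticky_buffer};")
            out.append("content:" + ",".join([value] + modifiers) + ";")
            continue
        if name == "metadata":
            # metadata:service X becomes the first-class Snort 3 service option.
            entries = [e.strip() for e in value.split(",")]
            services = [e.split(None, 1)[1] for e in entries if e.startswith("service ")]
            rest = [e for e in entries if not e.startswith("service ")]
            if services:
                out.append("service:" + ",".join(services) + ";")
            if rest:
                out.append("metadata:" + ", ".join(rest) + ";")
        else:
            out.append(options[i] + ";")
        i += 1
    return f"{header.strip()} ( {' '.join(out)} )"


if __name__ == "__main__":
    print(snort2_to_snort3(SNORT2_RULE))
```

The converted rule reads as http_uri; content:"/../",nocase,depth 64; service:http; with the header untouched. Modifiers outside the handled set (for example fast_pattern with an argument) are not rewritten, so check the output of any bulk conversion against the Snort 3 rule documentation before importing it as custom rules.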

The other significant changes with Snort 3 are:

  • Unlike Snort 2, which uses multiple Snort instances, Snort 3 associates multiple threads with a single Snort instance. This uses less memory, improves Snort reload times, and supports more intrusion rules and a larger network map. The number of Snort threads varies by platform and is the same as the number of Snort 2 instances for each platform. Usage is virtually transparent.

  • Snort version per threat defense—The Snort inspection engine is threat defense specific and not Secure Firewall Management Center (formerly Firepower Management Center) specific. Management Center can manage several threat defenses, each running either version of Snort (Snort 2 or Snort 3). Although each intrusion policy in the management center is a single policy, the system applies the Snort 2 or the Snort 3 version of that policy for intrusion protection, depending on the inspection engine selected on the device.

  • Decoder rules—Packet decoder rules fire only in the default intrusion policy. The system ignores decoder rules that you enable in other policies.

  • Shared object rules—Snort 3 supports some but not all shared object (SO) intrusion rules (rules with a generator ID (GID) of 3). Enabled shared object rules that are not supported do not trigger.

  • Multi-layer inspection for Security Intelligence—Snort 3 detects the innermost IP address regardless of the layer.

  • Platform support—Snort 3 requires threat defense 7.0 or later. It is not supported with ASA FirePOWER or NGIPSv.

  • Managed Devices—A management center with version 7.0 can simultaneously support version 6.4, 6.5, 6.6, 6.7, and 7.0 Snort 2 threat defenses, and version 7.0 Snort 3 threat defenses.

  • Traffic interruption when switching Snort versions—Switching Snort versions interrupts traffic inspection and a few packets might drop during deployment.

  • Unified policies—Irrespective of the underlying Snort engine version that is enabled in the managed threat defenses, the access control policies, intrusion policies, and network analysis policies configured in the management center work seamlessly in applying the policies. All intrusion policies in management center version 7.0 and above have two versions available, Snort 2 version and Snort 3 version. The intrusion policy is unified, which means that it has a common name, base policy, and inspection mode, although there are two versions of the policy (Snort 2 version and Snort 3 version). The Snort 2 and the Snort 3 versions of the intrusion policy can be different in terms of the rule settings. However, when the intrusion policy is applied on a device, the system automatically identifies the Snort version enabled on the device and applies the rule settings configured for that version.

  • Lightweight Security Package (LSP)—Replaces the Snort Rule Updates (SRU) for Snort 3 next-generation intrusion rule and configuration updates. Downloading updates downloads both the Snort 3 LSP and the Snort 2 SRU.

    LSP updates provide new and updated intrusion rules and inspector rules, modified states for existing rules, and modified default intrusion policy settings for management center and threat defense versions 7.0 or above. When you upgrade a management center from version 6.7 or lower to 7.0, it supports both LSPs and SRUs. LSP updates may also delete system-provided rules, provide new rule categories and default variables, and modify default variable values. For more information on LSP updates, see the Update Intrusion Rules topic in the latest version of the Firepower Management Center Configuration Guide.

  • Mapping of Snort 2 and Snort 3 rules and presets—Snort 2 and Snort 3 rules are mapped and the mapping is system-provided. However, it is not a one-to-one mapping. The system-provided intrusion base policies are pre-configured for both Snort 2 and Snort 3, and they provide the same intrusion prevention although with different rule sets. The system-provided base policies for Snort 2 and Snort 3 are mapped with each other for the same intrusion prevention settings. For more information, see View Snort 2 and Snort 3 Base Policy Mapping.

  • Synchronizing Snort 2 and Snort 3 rule override—When a threat defense is upgraded to 7.0, you can upgrade the inspection engine of the threat defense to the Snort 3 version. Management Center maps all the overrides in the existing rules of the Snort 2 version of the intrusion policies to the corresponding Snort 3 rules using the mapping provided by Talos. However, if there are additional overrides performed after the upgrade or if you have installed a new threat defense of version 7.0, they have to be manually synchronized. For more information, see Synchronize Snort 2 Rules with Snort 3.

  • Custom intrusion rules—You can create custom intrusion rules in Snort 3. You can also import the custom intrusion rules that exist for Snort 2 to Snort 3. For more information, see Custom Rules in Snort 3.

  • Rule groups—The management center groups all Snort 3 rules into rule groups. Rule groups are logical groups of rules which provide an easy management interface to enhance rule accessibility, rule navigation, and a better control over the rule group security level.

    From management center 7.3.0, rule navigation across several levels of rule groups is supported, which provides more flexibility and a more logical grouping of rules. The MITRE framework is also added, so that you can navigate through rules by MITRE technique. MITRE is another category of rule groups and is part of the Talos rule groups.

    Note

    See https://attack.mitre.org for information about MITRE.

    A rule can be part of multiple rule groups, such as multiple MITRE ATT&CK rule groups, a rule category rule group, multiple "asset type" rule groups, a malware campaign, and others. The available rule groups are listed in the intrusion policy editor and can be selected to enhance policies.

    With this multi-level hierarchical structure, you can traverse down to the last element, which is the “leaf rule group.” These rule groups contain sets of rules that are related to each other, such as a specific type of vulnerability, a similar target system, or a similar threat category. Rule groups have four security levels associated with them. You can change the security level, add or remove rule groups, and you can change the rule action for rules that match traffic seen on the network. This is done to bring a satisfactory balance between security, performance, and false positive resistance.

    To edit a Snort 3 intrusion policy, see Edit Snort 3 Intrusion Policies.

    For rule group reporting in intrusion events, see Rule Group Reporting.

  • Switching between Snort 2 and Snort 3 engines—threat defenses that support Snort 3 can also support Snort 2. Switching from Snort 3 to Snort 2 is not recommended from the efficacy perspective.

    Important

    Although you can switch Snort versions freely, intrusion rule changes in one version of Snort are not updated in the other version automatically. If you change the rule action for a rule in one version of Snort, ensure you replicate the change in the other version before switching the Snort version. The system-provided synchronization option only synchronizes the changes in the Snort 2 version of the intrusion policy to the Snort 3 version, and not the other way around.
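To make the one-way nature of the synchronization and the "not one-to-one" mapping concrete (see the Synchronizing Snort 2 and Snort 3 rule override item above and the Important note directly above), the following added example models the sync as a function. It is illustrative code written for this page, not management center code: the rule IDs, actions and the Snort 2 to Snort 3 mapping are constructed assumptions, and the mapping is deliberately built so that one Snort 2 rule fans out to two Snort 3 rules, two Snort 2 rules fan in to one Snort 3 rule with different actions, and one Snort 2 rule has no Snort 3 equivalent. How the real system resolves a fan-in conflict is not stated on this page, so the example leaves such targets unchanged and reports them for manual review.

```python
"""One-way synchronisation of Snort 2 rule overrides into the Snort 3 version
of an intrusion policy, using a Talos-style rule mapping.

Added example for this page (not management center code). The override
values, rule IDs and mapping below are constructed assumptions; the mapping is
deliberately not one-to-one so the fan-out, fan-in and unmapped cases show.
"""

# Snort 2 overrides: (gid, sid) -> rule action set by the analyst.
SNORT2_OVERRIDES = {
    (1, 2001): "drop",
    (1, 2002): "disabled",
    (1, 2003): "alert",
    (1, 2004): "drop",
    (1, 2005): "drop",      # has no Snort 3 equivalent in MAPPING
}

# Existing Snort 3 overrides, including one that exists only in Snort 3.
SNORT3_OVERRIDES = {
    (1, 3001): "alert",
    (1, 3999): "drop",      # Snort 3-only override; must survive the sync
}

# Constructed Snort 2 -> Snort 3 mapping (one Snort 2 rule may map to several
# Snort 3 rules, and several Snort 2 rules may map to one Snort 3 rule).
MAPPING = {
    (1, 2001): [(1, 3001)],
    (1, 2002): [(1, 3002), (1, 3003)],   # fan-out
    (1, 2003): [(1, 3004)],              # fan-in with 2004 ...
    (1, 2004): [(1, 3004)],              # ... and a different action
}


def sync_snort2_to_snort3(snort2: dict, snort3: dict, mapping: dict):
    """Return (updated_snort3_overrides, report).

    Snort 2 -> Snort 3 only: nothing flows back, and Snort 3-only overrides are
    kept. Targets that would receive two different actions are left unchanged
    and reported for manual review, as are Snort 2 rules with no mapping.
    """
    proposed = {}          # Snort 3 rule -> set of actions proposed for it
    unmapped = []
    for rule, action in snort2.items():
        targets = mapping.get(rule)
        if not targets:
            unmapped.append(rule)
            continue
        for target in targets:
            proposed.setdefault(target, set()).add(action)

    updated = dict(snort3)
    conflicts = {}
    for target, actions in proposed.items():
        if len(actions) == 1:
            updated[target] = next(iter(actions))
        else:
            conflicts[target] = sorted(actions)
    return updated, {"unmapped": sorted(unmapped), "conflicts": conflicts}


if __name__ == "__main__":
    new_overrides, report = sync_snort2_to_snort3(
        SNORT2_OVERRIDES, SNORT3_OVERRIDES, MAPPING)
    for rule, action in sorted(new_overrides.items()):
        print(rule, action)
    print("needs manual attention:", report)
```

Running it shows rule 3001 changed from alert to drop, 3002 and 3003 both disabled, 3999 untouched, rule 3004 held back as a conflict, and 2005 listed as unmapped. Note that the Snort 3-only override on 3999 is never reflected back into the Snort 2 policy, which is exactly why the note above tells you to replicate Snort 3 changes by hand before switching engines.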
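The Multi-layer inspection for Security Intelligence item above says that Snort 3 matches on the innermost IP address regardless of the encapsulation layer. The following added example (written for this page, not Snort or Cisco code) shows what that means on the wire: it walks IPv4/IPv6 headers through IP-in-IP (protocol 4), IPv6-in-IPv4 (protocol 41) and GRE (protocol 47, honouring the RFC 2784/2890 checksum, key and sequence flags), returns every IP layer, and then matches a blocklist against the innermost pair only. The packets are constructed inline from RFC 5737 and RFC 1918 addresses; IPv6 extension headers are assumed absent and checksums are not validated.

```python
"""Find the innermost IP header of a tunnelled packet, as Snort 3 Security
Intelligence does, and match only that layer against a blocklist.

Added example for this page (not Snort or Cisco code). Handles IPv4/IPv6 outer
headers, IP-in-IP (protocol 4), IPv6-in-IPv4 (41) and GRE (47, RFC 2784/2890
header flags). IPv6 extension headers are not walked (assumption: none present).
"""
import socket
import struct


def parse_ip(buf: bytes):
    """Return (version, next_protocol, src, dst, payload) for one IP header."""
    version = buf[0] >> 4
    if version == 4:
        ihl = (buf[0] & 0x0F) * 4
        total_len = struct.unpack("!H", buf[2:4])[0]
        src, dst = socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20])
        return 4, buf[9], src, dst, buf[ihl:total_len]
    if version == 6:
        payload_len = struct.unpack("!H", buf[4:6])[0]
        src = socket.inet_ntop(socket.AF_INET6, buf[8:24])
        dst = socket.inet_ntop(socket.AF_INET6, buf[24:40])
        return 6, buf[6], src, dst, buf[40:40 + payload_len]
    raise ValueError(f"not an IP header: version {version}")


def strip_gre(payload: bytes):
    """Return the encapsulated packet after a GRE header, or None if not IP."""
    flags, proto_type = struct.unpack("!HH", payload[:4])
    offset = 4
    if flags & 0x8000:  # C: checksum + reserved1 present
        offset += 4
    if flags & 0x2000:  # K: key present
        offset += 4
    if flags & 0x1000:  # S: sequence number present
        offset += 4
    return payload[offset:] if proto_type in (0x0800, 0x86DD) else None


def ip_layers(buf: bytes):
    """Walk every IP header from outermost to innermost."""
    layers = []
    while True:
        version, proto, src, dst, payload = parse_ip(buf)
        layers.append((version, src, dst, proto))
        if proto in (4, 41):          # IP-in-IP / IPv6-in-IPv4
            buf = payload
        elif proto == 47:             # GRE
            buf = strip_gre(payload)
            if buf is None:
                break
        else:                         # transport layer reached
            break
    return layers


def si_match(buf: bytes, blocklist: set) -> bool:
    """Security Intelligence style check on the innermost addresses only."""
    _, src, dst, _ = ip_layers(buf)[-1]
    return src in blocklist or dst in blocklist


def outermost_only_match(buf: bytes, blocklist: set) -> bool:
    """The naive check that a tunnel evades: look at the outer header only."""
    _, src, dst, _ = ip_layers(buf)[0]
    return src in blocklist or dst in blocklist


# --- constructed sample packets (RFC 5737 / RFC 1918 addresses, zero checksums) ---
def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

FAKE_TCP = bytes(20)                                   # placeholder transport header
INNER = ipv4_header("10.0.0.5", "192.0.2.77", 6, len(FAKE_TCP)) + FAKE_TCP
GRE = struct.pack("!HH", 0, 0x0800) + INNER            # GRE v0, no optional fields
PKT_GRE = ipv4_header("203.0.113.10", "198.51.100.1", 47, len(GRE)) + GRE
# IP-in-IP wrapped around the GRE packet: three IP layers deep.
PKT_DOUBLE = ipv4_header("203.0.113.99", "198.51.100.2", 4, len(PKT_GRE)) + PKT_GRE

if __name__ == "__main__":
    blocklist = {"192.0.2.77"}
    for name, pkt in (("gre", PKT_GRE), ("ipip+gre", PKT_DOUBLE)):
        print(name, ip_layers(pkt), "outer:", outermost_only_match(pkt, blocklist),
              "innermost:", si_match(pkt, blocklist))
```

With 192.0.2.77 on the blocklist, the outer-header check misses both packets while the innermost check flags both, including the one wrapped three layers deep. Use the same packets to confirm that a Security Intelligence block or monitor list behaves as expected on a device after switching it to Snort 3.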