Guidelines and Limitations for Network Analysis and Intrusion Policies

  • A high percentage of traffic with small packets causes Snort performance to decrease. This behaviour is observed even when all the preprocessors are disabled.

  • When you attempt to deploy a configuration change on a threat defense device with low memory, Snort deployment is also triggered. This results in high consumption of RSS memory. Snort memory usage is also impacted if you deploy large configurations on the device, such as multiple IPS policies containing a large number of Snort IPS rules, network objects, and access-control lists. You can mitigate such memory issues by optimizing the configuration. For best practices on how to configure access control rules to optimize the configuration, see Best Practices for Access Control Rules.

Feature Limitations of Snort 3 for Management Center-Managed Threat Defense

The following table lists the features that are supported on Snort 2 but not supported on Snort 3 for management center-managed threat defense devices.

Feature Limitations of Snort 3

| Policy/Area | Features not supported |
|---|---|
| Access Control Policy | The following application settings: Safe Search; YouTube EDU |
| Intrusion Policy | Global rule thresholding; Logging configuration: SNMP; SRU rule updates, as Snort 3 supports only LSP rule updates |
| Other features | Event logging with FQDN names |