Upgrade to Snort 3.0

Snort 3 is the latest snort engine, or a powerful preprocessor that uses Open Source Intrusion Prevention System (IPS), available for Firepower Version 6.7 and later. The snort engine uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users and is ideally used as a packet sniffer, a packet logger, or, more traditionally, as a a standalone network IPS.

With Snort 3, you can now create custom intrusion policies; every FDM-managed device running Snort 3 has a set of intrusion policies that are pre-defined from Cisco's Talos Intelligence Group (Talos). Snort 3 makes it possible to change these default policies, although we strongly recommend building on top of the base for a more robust policy.

You cannot create custom policies with Snort 2.

Switching from Snort 2 to Snort 3

You can switch Snort versions freely, though some intrusion rules in Snort 2.0 might not exist in Snort 3.0, and vice versa. If you changed the rule action for an existing rule, that change is not preserved if you switch to Snort 3 and then back to Snort 2, or back again to Snort 3. Your changes to rule actions for rules that exist in both versions are preserved. Note that the mapping between rules in Snort 3 and Snort 2 can be one-to-one or one-to-many, so preservation of changes is done on a best-effort basis.

If you choose to upgrade from Snort 2 to Snort 3, please note that upgrading the snort engines is comparable to a system upgrade. We strongly recommend upgrading during a maintenance window to minimize the interruption in traffic monitoring for your network. See Managing Intrusion Policies (Snort3) in the Firepower Device Manager Configuration Guide as to how switching snort versions will affect how rules process traffic.

Tip

You can filter by Snort version on the Inventory page, and the Details window of a selected device displays the current version running on the device.

Snort 3 Limitations

License Requirements

To allow the snort engine to process traffic for intrusion and malware analysis, you must have the license enabled for the FDM-managed device. To enable this license through Firewall device manager, log into the Firewall device manager UI and navigate to Device > View Configuration > Enable/Disable and enable the license.

Hardware Support

The following devices support Snort 3:

  • FTD 1000 series

  • FTD 2100 series

  • FTD 4100 series

  • FTD virutal with AWS

  • FTD virtual with Azure

  • ASA 5500-X Series with FTD

Software Support

Devices must be running at least Firewall device manager Version 6.7. Cisco Defense Orchestrator supports Snort 3 functionality for devices running Version 6.7 and later.

For FTD 1000 and 2000 series, see FXOS bundled support for more information on FXOS patch support.

Configuration Limitations

CDO does not support upgrading to Snort 3 if your device has the following configurations:

  • Device is not running at least Version 6.7.

  • If a device has pending changes. Deploy any changes prior to upgrading.

  • If a device is currently upgrading. Do not attempt to upgrade or deploy to the device until the device is synced.

  • If a device is configured with a virtual router.

Note

If you upgrade or revert the Snort version, the system automatically deploys to implement the changes between Snort 2 intrusion policies and Snort 3 intrusion policies.

Rulesets and Snort 3

Note that Snort 3 does not have full feature support at this time. CDO rulesets are not supported on Snort 3 devices. If you simultaneously upgrade a device to Firewall device manager 6.7 or higher, and from Snort 2 to Snort 3, any rulesets configured prior to the upgrade are broken up and the rules in them are saved as individual rules.

For a full list of ruleset support in regards to devices configured for Snort 3, see Rulesets.