Over the past 20+ years, Snort has become the de facto standard by which all network intrusion detection systems are measured. The release of Snort 3 in January 2021 represents a significant upgrade to the tried and tested network security tool. Snort 3 includes important updates going so far as to change the entire code base from C to C++. It consists of some entirely new code, some rewritten code, and some code ported to the latest version. This update required an enormous effort and investment on the part of Cisco and the open-source community, and has been underway for several years. Snort 3 will also be a key feature in the upcoming release 7.0 of the Cisco Secure Firewall (formerly Firepower).
The Snort 3 User Guide and other documentation, including the source code itself, are available to anyone who wants a deep dive into the philosophy and internals of the new Snort. My purpose in this post is not to rehash this technical information but give you an idea of what you can expect as you move to Snort 3.
You may be asking, “why spend so much effort changing the code, isn’t Snort 2 working?” To answer this, we need to look back at some Snort history. When Martin (Marty) Roesch was creating Snort at the end of the 1990’s, 100 megabit speed was considered a fast network. At that time, gigabit networks were in their infancy. Snort was able to keep up with the packet flow rate because of its lightweight, packet-based architecture.
Snort has seen numerous improvements over the years as network speed, complexity, and the number of network protocols have increased. These include better multi-pattern search engines (MPSE), the fast pattern matcher, rule trees, and other tweaks to improve deep packet inspection efficiency. Multiple preprocessors have been added to ensure proper packet reassembly and to counter evasion techniques used by attackers to sneak past the Intrusion Prevention System (IPS). Some of the most recent additions include carving files out of the network stream for malware inspection and the ability to identify thousands of applications.
While the original Snort design has repeatedly proven itself, improvements were needed to maintain and even accelerate the pace of innovation as network speeds and complexity continue to increase. Snort 3 provides a new, flow-based and modular platform to address some of the challenges inherent to the previous packet-based architecture. Think of Snort 3 as “deep flow inspection” as opposed to deep packet inspection.
I like to think of Snort 3 as adding a new engine to my hot rod. I don’t want to learn to drive a new way; I just want my favorite ride to go faster. Snort 3 does virtually everything faster and better than Snort 2 without making users re-learn what they already know about network detection. The rules language will look very familiar but be more powerful and easier to use. Preprocessors are now called inspectors but provide the same benefits in a better, more efficient manner. The LUA configuration has consistent syntax and can include dynamic parameters loaded at run-time. Snort 3 does all of this while also using fewer system resources.
If you are a current Snort user, don’t be intimidated by the new terminology or capabilities. We’ve tried to make moving to Snort 3 as painless as possible with excellent default inspector configurations and the ability to easily convert your Snort 2 configuration/rules. Start using Snort 3 and test it for yourself!
For more details, attend our monthly webinar series, Snort 3 and me, designed to help Snort users and Cisco Firepower customers take advantage of the new enhancements. Visit our Cisco.com Firewall and IPS product pages to watch the webinar replay and register for the next one in the series.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels