
This blog post gives a brief introduction to what the Snort Engine is and, most importantly, outlines the new features and changes you can expect in Snort Engine 3.0. It will not detail every technical aspect of Snort Engine 3.0, as the Snort team does that best.

After reading this blog you will understand which features you can look forward to in Snort Engine 3.0 to make your network more scalable and efficient.

Snort Engine

Anyone working in network security has heard of the Snort Engine at some point. It was developed by Sourcefire, which Cisco acquired in 2013, and has been named the greatest piece of open-source software of all time. It performs network-based intrusion prevention (IPS) and intrusion detection (IDS), real-time traffic analysis and packet logging on networks; the Snort engine also performs policy matching, content filtering, and protocol analysis. The Snort Engine can be configured to run in the following modes:

  1. Sniffer Mode: the engine reads packets off the network and prints their contents to the console.
  2. Packet Logger: in this mode the Snort Engine does not display the packet contents but stores/logs them to the device's disk.
  3. IDS Mode: a copy of the traffic is sent to the Snort Engine, where it is analyzed for malicious content. Any detections are displayed to the SOC team.
  4. IPS Mode: the Snort Engine is an in-line device; traffic passes through it and is scanned for malicious data. If any is found, the Snort Engine not only alerts the SOC team but also actively blocks the attack or malicious traffic.

Snort Engine 3.0

Snort Engine has become an unofficial benchmark against which all IPS and IDS systems are measured, and to some extent it is still held in that regard. So for Snort Engine 3.0 (made available in January 2021), Cisco and the open-source community have put in a tremendous amount of effort to make an already excellent piece of software even more efficient. This was achieved by shifting the entire code base from C to C++, which is in itself a mammoth task. Along with the language change, a lot of new code has been added, some has been changed from the previous version, and some has been imported directly from it. Needless to say, this is a huge effort that had been in the works for over 3 years. Snort Engine 3 will be a large part of version 7 of the Cisco Firepower software.


For a complete deep dive into the new features of Snort Engine 3, it is best to refer to the documentation published by the Snort team themselves; the objective of this blog is to give a brief overview of what's new in Snort Engine 3 and what you can expect during its implementation.

Features

To answer the question you might still have: yes, you should absolutely upgrade to the new Snort Engine 3.0. As to why, it does everything faster and more efficiently.


A few of the features that have been added in Snort Engine 3.0 are:

  1. New rule parser and rule syntax.
  2. Support for multiple packet-processing threads, which frees up more memory for packet processing.
  3. Use of a shared configuration and attribute table.
  4. Access to more than 200 plugins.
  5. Rewritten TCP handling.
  6. Improved shared object rules, including the ability to add rules for zero-day vulnerabilities.
  7. New performance monitor.
  8. Rule remarks and comments can now be placed inside the rule itself.
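As an added illustration of items 1, 2 and 8 above (this is an example written for this post, not code from the original article or from the Snort project), here is a minimal Snort 3 configuration fragment in the engine's Lua format holding one rule in the new syntax. The sid, message and the matched URI path are made-up placeholders; the rule only alerts, it does not block.

```lua
-- snort.lua fragment (constructed example): Snort 3 reads its configuration
-- as Lua rather than the old snort.conf. Rules can be given inline in
-- ips.rules or pulled in from a file with ips.include.
ips = {
  enable_builtin_rules = true,
  rules = [[
# Constructed example rule. Snort 3 syntax differences shown here:
#  - the rule may span several lines, no trailing backslashes needed
#  - "http" names the service instead of relying only on port numbers
#  - http_uri is a sticky buffer: the content that follows is matched
#    against the normalized URI
#  - content modifiers (nocase) follow the content, comma separated
#  - rem: keeps a remark inside the rule itself (item 8 above)
alert http any any -> any any (
  msg:"EXAMPLE local policy - placeholder admin path requested";
  flow:to_server, established;
  http_uri;
  content:"/example-admin", nocase;
  rem:"Placeholder rule for illustration; tune or remove before use";
  sid:1000001;
  rev:1;
)
  ]],
}

-- To exercise item 2 (multiple packet-processing threads), start the engine
-- with a thread count, e.g.:  snort -c snort.lua -z 4
-- (-z is the short form of --max-packet-threads).
```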

What To Expect When Implementing Snort Engine 3.0

  1. Adaptability: As mentioned earlier, the entire code base of Snort Engine 3.0 has been rewritten in C++, which makes it more modular and better able to adapt to the needs of your dynamic network.
  2. Efficiency: Our networks are getting more demanding by the day. With remote work becoming the norm, a network now has to be not only secure but also fast. The multi-threading and memory-sharing features of Snort Engine 3.0 help here: the device makes more efficient use of its hardware, leaving more room for packet processing. This makes Snort Engine 3.0 the cornerstone of the scalability your network requires, much as Docker did for applications.
  3. Customization: Each network has its own nuances and requirements. With Snort Engine 3.0, creating your own plugins is easier than before, allowing you to create and insert custom Snort rules, dig deeper into file processing, and more. Think of it as taking FlexConfig to the next level.
  4. Simplicity: The new rule syntax is more concise, meaning fewer parts to configure, which leads to quicker rule matching and processing and, ultimately, a faster and leaner detection engine.

With this blog, we now have a better understanding of what Snort Engine 3.0 has to offer and how its new features will benefit your network in scalability and efficiency. I personally cannot wait to see the new and improved Cisco Firepower 7 with Snort Engine 3.0.

While it is great to keep tabs on the latest and greatest in the tech industry, implementing it can be daunting. That is where the services of Zindagi Technologies help you decide which implementation is best for your network, keeping scalability in mind, as we have a team of highly experienced network solutions architects and engineers. For any queries, we can meet at our office, or you can reach out to us at +919773973971.

Author
Anant Seth
Network Consultant Engineer