
Cisco Defense Orchestrator

Upgrade to Snort 3.0

About Snort 3

Snort 3 is the latest Snort engine and is available with Firepower Version 6.7 and later. You can now create custom intrusion policies; every Firepower Threat Defense (FTD) running Snort 3 has a set of intrusion policies that are pre-defined by Cisco's Talos Intelligence Group (Talos). Snort 3 allows admins to modify the system-provided default policies, although we strongly recommend creating a new, custom IPS policy based on one of the default templates for a more robust policy.

You cannot create custom policies with Snort 2. 

Switching from Snort 2 to Snort 3

You can switch Snort versions freely, though some intrusion rules in Snort 2.0 might not exist in Snort 3.0, and vice versa. If you changed the rule action for an existing rule, that change is not preserved if you switch to Snort 3 and then back to Snort 2, or back again to Snort 3. Your changes to rule actions for rules that exist in both versions are preserved. Note that the mapping between rules in Snort 3 and Snort 2 can be one-to-one or one-to-many, so preservation of changes is done on a best-effort basis.

If you choose to upgrade from Snort 2 to Snort 3, note that upgrading the Snort engine is comparable to a system upgrade. We strongly recommend upgrading during a maintenance window to minimize the interruption in traffic monitoring for your network. See Managing Intrusion Policies (Snort3) in the Firepower Device Manager Configuration Guide for how switching Snort versions affects the way rules process traffic.

Tip: You can filter by Snort version on the Devices & Services page, and the Details window of a selected device displays the Snort version currently running on the device.

Snort 3 Limitations

License Requirements

To allow the Snort engine to process traffic for intrusion and malware analysis, you must have the Threat license enabled for the FTD. To enable this license through FDM, log into the FDM UI, navigate to Device > View Configuration > Enable/Disable, and enable the Threat license.

Hardware Support

The following devices support Snort 3:

  • FTD 1000 series
  • FTD 2100 series
  • FTD virtual with AWS
  • FTD virtual with Azure
  • ASA 5500-X Series with FTD

Software Support

Devices must be running at least FTD Version 6.7. CDO supports Snort 3 functionality for devices running Version 6.7 and later. 

For FTD 1000 and 2000 series, see FXOS bundled support for more information on FXOS patch support. 

Configuration Limitations

CDO does not support upgrading to Snort 3 in any of the following cases:

  • The device has pending changes. Deploy any changes before upgrading.
  • The device is currently upgrading. Do not attempt to upgrade or deploy to the device until the device is synced.
  • The device is configured with a virtual router.

Note: If you upgrade or revert the Snort version, the system automatically deploys to implement the changes between Snort 2 intrusion policies and Snort 3 intrusion policies.

Rulesets and Snort 3

Snort 3 does not have full feature support at this time. CDO rulesets are not supported on Snort 3 devices. If you simultaneously upgrade a device to FTD 6.7 or higher, and from Snort 2 to Snort 3, any rulesets configured prior to the upgrade are broken up and the rules in them are saved as individual rules.

For a full list of ruleset support in regards to devices configured for Snort 3, see FTD Rulesets.  
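The license, hardware, software, configuration and ruleset limitations above amount to a pre-flight gate that an operator can run over an inventory export before opening the Upgrade page. The following Python is an added example and is not CDO's or Cisco's code; the Device record and its field names (platform, version, threat_license, pending_changes, upgrading, virtual_router, ruleset_count) are assumptions that model the checks on this page, not CDO API fields. Beyond the checks themselves, it also selects which of the two upgrade procedures documented on this page applies (the combined FTD system and Snort engine upgrade for pre-6.7 devices, or the engine-only upgrade for 6.7 and later) and flags the ruleset breakup that a simultaneous upgrade causes.

```python
"""Pre-flight gate for moving CDO-managed FTD devices to Snort 3.

Added example, not CDO or Cisco code. The Device record and its field names are
assumptions that model the checks on this page; they are not CDO API fields.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Platforms the page lists as supporting Snort 3 (prefix match on a constructed model string).
SUPPORTED_PLATFORMS = ("FTD 1000", "FTD 2100", "FTDv AWS", "FTDv Azure", "ASA 5500-X")
MIN_VERSION = (6, 7)  # Snort 3 needs FTD Version 6.7 or later


@dataclass
class Device:
    name: str
    platform: str          # e.g. "FTD 2100" (constructed model string, an assumption)
    version: str           # FTD version string, e.g. "6.6.1" or "7.0.1"
    threat_license: bool   # Threat license enabled in FDM
    pending_changes: bool  # undeployed changes on the device
    upgrading: bool        # an upgrade is already in progress / device not synced
    virtual_router: bool   # a virtual router is configured
    ruleset_count: int     # CDO rulesets attached to the device


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'major.minor[.patch]' into a comparable tuple, so 6.10 sorts above 6.7."""
    return tuple(int(part) for part in text.split(".")[:2])


def blockers(dev: Device) -> List[str]:
    """Conditions under which CDO will not upgrade this device to Snort 3."""
    reasons = []
    if not dev.platform.startswith(SUPPORTED_PLATFORMS):
        reasons.append(f"{dev.platform!r} is not a Snort 3 supported platform")
    if not dev.threat_license:
        reasons.append("Threat license not enabled (FDM: Device > View Configuration > Enable/Disable)")
    if dev.pending_changes:
        reasons.append("pending changes: deploy before upgrading")
    if dev.upgrading:
        reasons.append("upgrade in progress: wait until the device is synced")
    if dev.virtual_router:
        reasons.append("virtual router configured: not supported for the Snort 3 upgrade")
    return reasons


def upgrade_path(dev: Device) -> str:
    """Which CDO Upgrade toggle applies: pre-6.7 devices need the FTD System Upgrade with
    'Upgrade to Snort 3 Engine' checked; 6.7+ devices use the Intrusion Prevention Engine path."""
    if parse_version(dev.version) < MIN_VERSION:
        return "FTD System Upgrade + Upgrade to Snort 3 Engine"
    return "Intrusion Prevention Engine"


def advisories(dev: Device) -> List[str]:
    """Non-blocking side effects worth recording in the change ticket."""
    notes = ["CDO deploys automatically after the upgrade to activate the Snort 3 rules"]
    # Rulesets are only broken up when the system upgrade and the Snort upgrade happen together.
    if dev.ruleset_count and upgrade_path(dev).startswith("FTD System Upgrade"):
        notes.append(f"{dev.ruleset_count} ruleset(s) will be broken up into individual rules")
    return notes


def preflight(devices: List[Device]) -> Dict[str, dict]:
    """Map device name -> report, so a fleet can be triaged before the maintenance window."""
    return {
        d.name: {"path": upgrade_path(d), "blockers": blockers(d), "advisories": advisories(d)}
        for d in devices
    }


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    fleet = [
        Device("edge-1", "FTD 2100", "6.6.1", True, False, False, False, 2),
        Device("edge-2", "FTD 1000", "6.7.0", False, True, False, True, 0),
    ]
    for name, report in preflight(fleet).items():
        print(name, report)
```

Devices with an empty blockers list are the candidates for the maintenance window; the path field tells the operator which toggle to set in the Upgrade action pane, and the advisories list is what to paste into the change record.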

Upgrade the Device and the Intrusion Prevention Engine Simultaneously

CDO allows you to upgrade the device to Version 6.7 (or later) and Snort 3.

Note: CDO automatically deploys after the upgrade to activate the new rules introduced with Snort 3, and also the rules that may have been preserved from Snort 2. 

Use the following procedure to upgrade the whole FTD system:

  1. Log in to CDO.
  2. In the navigation pane, click Devices & Services and select the device or devices you want to upgrade. 
  3. In the action pane located to the right, click Upgrade.  
  4. Set the upgrade toggle to FTD System Upgrade.
  5. (Optional) If you want CDO to perform the upgrade later, check the Schedule Upgrade check box. Select the field to select a date and time in the future.
  6. In step 1, select your upgrade method. Either use the CDO Image Repository or an image from your own repository:
    • Use CDO Image Repository: Click this option to select the software image you want to upgrade to, and click Continue. You are only presented with choices that are compatible with the device you can upgrade.
    • Specify Image URL: Click this option to select the software image that is currently stored in your own repository, and click Continue. You are only presented with choices that are compatible with the device you can upgrade.
  7. In step 2, confirm your choices and decide whether you only want to download the images to your device or copy the images, install them, and reboot the device.
  8. Check Upgrade to Snort 3 Engine.
  9. Click Perform Upgrade when you are ready. On the Devices & Services page, devices that are upgrading show an "Upgrade in Progress" configuration status.

Warning: If you decide to cancel the upgrade while it is in progress, click Abort Upgrade from the Upgrade page. If you cancel the upgrade after it has started, CDO does not deploy or check for changes from the device and the device does not roll back to the previous configuration. This may cause the device to enter an unhealthy state. If you experience any issues during the upgrade process, contact Cisco TAC. 

Upgrade the Intrusion Prevention Engine

For devices already running Version 6.7 or later with Snort 2, you can opt to upgrade just the Snort engine to Snort 3.

Note: CDO automatically deploys after the upgrade to activate the new rules introduced with Snort 3, and also the rules that may have been preserved from Snort 2. 

Use the following procedure to upgrade to Snort 3:

  1. Log in to CDO.
  2. In the navigation pane, click Devices & Services and select the device or devices you want to upgrade.
  3. In the action pane located to the right, click Upgrade.  
  4. Set the upgrade toggle to Intrusion Prevention Engine.
  5. Click Upgrade to Snort Engine 3.0.
  6. On the Devices & Services page, devices that are upgrading show an "Upgrade in Progress" configuration status.

Monitor the Upgrade Process 

Warning: If you decide to cancel the upgrade while it is in progress, click Abort Upgrade from the Upgrade page. If you cancel the upgrade after it has started, CDO does not deploy or check for changes from the device and the device does not roll back to the previous configuration. This may cause the device to enter an unhealthy state. If you experience any issues during the upgrade process, contact Cisco TAC.

You can view the progress of your single device by selecting that device on the Devices & Services page and clicking the upgrade button. CDO takes you to the Device Upgrade page for that device.

If the upgrade fails at any point, CDO does not automatically restart the upgrade process. 

Warning: Upgrading devices that have self-signed certificates may cause issues; see New Certificate Detected for more information.
