Snort 2 versus Snort 3
Snort 3 is architecturally redesigned to inspect more traffic with the same resources than Snort 2 can. It simplifies the insertion of traffic parsers and makes it more flexible, and it introduces a new rule syntax that makes rules easier to write and makes the equivalents of shared object rules visible.
The table below lists the differences between Snort 2 and Snort 3 in terms of inspection engine capabilities.
| Feature | Snort 2 | Snort 3 |
|---|---|---|
| Packet threads | One per process | Any number per process |
| Configuration memory use | Number of processes * x GB | x GB in total; more memory available for packets |
| Configuration reload | Slower | Faster; threads can be pinned to separate cores |
| Rule syntax | Inconsistent and requires line escapes (trailing backslash continuation) | Uniform system with arbitrary whitespace |
| Rule comments | # line comments only | #, #begin and #end marks; C language style |
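The following rules file illustrates the last two rows of the table. It is an added example and is not taken from the original page or from Cisco or Snort documentation; the file name `local.rules`, the SIDs in the local range starting at 1000001, and the `$HOME_NET` and `$EXTERNAL_NET` variables (taken from the default `snort.lua`) are assumptions. In Snort 2 each of these rules would have to be written on a single line, or continued with a trailing backslash at the end of every line, and the second rule could only be disabled by prefixing each of its lines with `#`.

```snort
# local.rules: added example, not from the original page or from Cisco/Snort.
# Snort 3 ignores the extra whitespace, so the option block can be laid out
# one option per line with no line continuation characters.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (
    msg:"Example: inbound SSH client banner from outside";
    flow:to_server, established;
    content:"SSH-2.0-";
    depth:8;
    sid:1000001;
    rev:1;
)

# A whole block of rules can be commented out with #begin / #end instead of
# prefixing every line with #. Everything between the two marks is ignored.
#begin
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (
    msg:"Example: inbound telnet, disabled while under review";
    flow:to_server, established;
    sid:1000002;
    rev:1;
)
#end
```

To check that the file parses before deploying it, run Snort 3 in configuration test mode against it, for example `snort -T -c /path/to/snort.lua -R local.rules`; `-T` tests and reports on the configuration without processing traffic, and `-R` includes the rules file. A successful run reports the rule count loaded, which should be one here because the second rule is inside the `#begin`/`#end` block.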
Additional reference: Differences between Snort 2 and Snort 3 in Firepower.