Upgrade from Snort 2 to Snort 3 via FMC

Available Languages

Download Options

  • PDF     (482.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (581.0 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (436.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:May 2, 2024
Document ID:221966

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to upgrade from Snort 2 and Snort 3 version in Firepower Manager Center (FMC).

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Firepower Threat Defense
    • Firepower Management Center
    • Snort

    Components Used

    The information in this document is based on these software and hardware versions:

    • FMC 7.0
    • FTD 7.0

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    The Snort 3 feature was added in the 6.7 release for Firepower Device Manager (FDM) and Cisco Defense Orchestrator (CDO); in the 7.0 release for the Firepower Management Center (FMC).

    Snort 3.0 was designed to address these challenges:

    1. Reduce memory and CPU usage.
    2. Improve HTTP inspection efficacy.
    3. Faster configuration loading and Snort restart.
    4. Better programmability for faster feature addition.

    Configure

    Upgrade the Snort Version

    Method 1

    1. Log into Firepower Management Center.

    Log into Firepower Management Center Method 1

    2. On the Device tab navigate to Devices > Device Manager.

    Navigate to the Device Menu

    3. Select the device that you want to change the Snort version. 

    Select the Device

    4. Click the Device tab and click the Upgrade button on the Inspection Engine Section.

    Click Upgrade to Snort 3

    5. Confirm your selection.

    Confirm your Selection

    Method 2

    1. Log into Firepower Management Center.

    Log into Firepower Management Center Method 1

    2. On the Device tab navigate to Devices > Device Manager.

    Navigate to the Device Menu

    3. Select the device that you want to change the Snort version. 

    Select the Device

    4. Click on the Select Action button and select Upgrade to Snort 3.

    Select Action

    Upgrade of Intrusion Rules

    Additionally, you need to convert your Snort 2 rules into Snort 3 rules.

    1. Select from the menu Objects > Intrusion Rules.

    Convert Intrusion Rules

    2.Select from the menu Snort 2 All Rules tab > Group Rules By > Local Rules.

    Select Local Rules

    3. Click Snort 3 All Rules tab and make sure that All Rules is selected.

    Click Snort 3 Rules

    4.On the Task drop down menu, select Convert and import.

    Select Convert and Import

    5. Click OK on the warning message.

    Click OK

    Verify

    The Inspection Engine section shows that the current version of Snort is Snort 3. 

    Verify Snort 3 Conversion

    The rule conversion was successful once you see this message:

    Verify Rule Conversion

    Finally, you must find on the Local Rules group the All Snort 2 Converted Global section, which contains all your Snort 2 to Snort 3 converted rules.

    Verify Local Rules

    Troubleshooting

    In case the migration fails or crashes, rollback to Snort 2 and try again.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    02-May-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Mario Arturo Salinas Rodriguez
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products