Why Snort 3?
SNORT® Intrusion Prevention System, the world's foremost open source IPS, has officially launched Snort 3, a sweeping upgrade whose improvements and new features deliver enhanced performance, faster processing and improved scalability for your network, plus a range of 200+ plugins so users can create a custom set-up for their network.
For more about Snort 3's improvements and new features, check out our quick breakdown here.
This version of Snort was developed in close collaboration with the Snort community. The benefits of upgrading are readily apparent:
Snort 3 is redesigned in C++, which makes the code base more modular and easier to maintain on your network.
Threading and shared memory allow you to scale Snort 3 to your network and give a much faster start-up. Multiple packet-processing threads share memory, which frees up more memory for more packet processing power.
The LuaJIT plugin system lets users write their own plugins far more easily than before, for example to add their own Snort rule options, in-depth file processing, and more.
Snort rule syntax has been updated to make rules easier to write and to understand, especially for new users. The syntax is more concise, with fewer rule parts, which allows rules to run faster.
Full Feature List
| Feature | Snort 2 | Snort 3 |
| --- | --- | --- |
| Packet threads | One per process | Any number per process |
| Config memory use | N processes * M GB | M GB total, more for packets |
| Config reload | N processes, slower | One thread that can be pinned to separate cores |
| Startup | Single-threaded, slower | Multithreaded, faster |
| Plugins | Limited to preprocs and outputs | Full plugin system with more than 200 plugins |
| DAQ | 2.X, run to completion | 3.X, vector input, multiple outstanding packets |
| DAQ modules | Only legacy modules | Stacked modules, IOCTLs, file, socket and text modules |
| PCAP readback speed | X Mbits/sec for Max-Detect | 2X with AC, 4X with hyperscan |
| IP layers | Two max | Arbitrary and configurable limits |
| IP reputation | Complex with shared memory | Simplified process memory |
| Stream TCP | Complex implementation | New and improved implementation |
| Service detection | AppID only, port configs required | Autodetection, most port configs optional |
| HTTP inspector | Partly stateful | Fully stateful |
| Port scan detection | High, medium and low thresholds only | Fully configurable detection thresholds |
| Config parsing | Report one error and quit | Report all errors |
| Command line | Some overlapping with config file | Set to override any config file from the command line |
| Default config | Complex, needs tuning | Simplified, effective |
| Policy examples | None | Tweaks to fit all standard Talos policies |
| Policy binding | One level | Nested |
| Rule syntax | Inconsistent and requires line escapes | Uniform system with arbitrary whitespace |
| Rule parsing | Buggy with limited warnings | Robust with numerous optional warnings |
| Rule comments | Comments only | #, #begin/#end marks, C-style and rem options |
| Alert file rules | No | Yes |
| Alert service rules | No | Yes |
| Fast-pattern buffers | 6 available | 14 available |
| SO rule features | Restricted functionality | True superset of text rules |
| Simple SO rules | No | Yes |
| Dump built-in stubs | No (SO stubs only) | Yes |
| Runtime tracing | No (debug tracing and misc logs only) | Yes |
| Documentation | LaTeX-based PDF, READMEs | ASCII docs, text, HTML and PDFs |
| Source code | 470,000 lines of C, with an average of 400 lines per file | 389,000 lines of C++, with an average of 200 lines per file |
| Distribution | Snort.org tarballs, with updates coming every six months | GitHub repo, with updates coming every two weeks |
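As an added example (not taken from this page or from the Snort project's own rule sets), the rule below shows the Snort 3 syntax features named in the rule syntax paragraph above and in the rule rows of the table: a service rule with no address or port header, arbitrary whitespace including line breaks, a #begin/#end comment block and the rem option. The SID, message and matched string are constructed placeholders chosen for illustration.

```snort
# Constructed example rules file, not from the page. SID 1000001, the msg
# text and the matched string are placeholders for illustration only.

#begin
Everything between #begin and #end is ignored by the rule parser, so notes
about a rule set can span several lines without a leading # on each one.
#end

# Service rule: no source/destination addresses or ports are needed. The rule
# applies to any flow that Snort 3's service detection identifies as HTTP,
# whatever port it runs on, so no $HTTP_PORTS variable is required.
alert http
(
    msg:"LOCAL directory traversal attempt in HTTP URI";
    flow:to_server, established;
    http_uri;                   # sticky buffer: later content matches apply to the URI
    content:"../", nocase;      # Snort 3 puts content modifiers after a comma
    rem:"Detection-only rule; review hits against a web server access log before tuning";
    sid:1000001; rev:1;
)

# The same detection written in Snort 2 form, for comparison: an address and
# port header is mandatory, modifiers follow the content as separate options,
# and the whole rule must sit on one line unless each break is escaped.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL directory traversal attempt in HTTP URI"; flow:to_server,established; content:"../"; nocase; http_uri; sid:1000001; rev:1;)
```

To check the file before deploying it, load it with `snort -c snort.lua -R local.rules --warn-all -T`, which parses the rules, reports every error rather than stopping at the first, and exits without processing traffic.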