securityonion
FeatReq: Snort 3 as NIDS option
Since all the previous Snort 3 issues have been closed because it was still in beta, I'm opening this new one for tracking and in hopes of getting it on the roadmap for some future version.
As of today, Snort v3 is up to minor version 3.1.5.0, indicating it is stable and well past beta. The new version has many of the same features and advantages that Suricata has, and also has the ability to handle the Talos VRT ruleset (and its shared-object pre-compiled rules) better. Of course, it also works with AF_PACKET now, which is why it was not initially supported on SO2.
https://github.com/snort3/snort3/tags
Prior issues: #181 #606 #621
Discussion: #2912
Blog post: https://blog.securityonion.net/2021/02/snort-3-and-security-onion-2.html
P.S. If anyone has seen a comprehensive feature comparison between the latest Suricata and Snort v3 apps, please add a link. All I've found are older comparisons between suricata and snort v2...
+1 for this. OpenAppID is another value add.
@dougburks I'm happy to see you've worked your way down the burn list and are now implementing nice-to-have features like the IDH node and others.
Snort3 would be very nice to have, and it appears I'm not the only one interested in the Talos ruleset but not able to fully utilize it because I have to disable shared object rules when run under Suricata... #6475 #6409 #5137 #5737 #1727 #2912
Is there a timeline yet for a Snort3 option?
This issue is in the Unscheduled Backlog project and so there is no timeline.
Understood; I'm hoping a few gentle bumps will get it moved onto a schedule. :)