We are in the final stages of preparing an update to the IPS engine used by SG UTM. We are upgrading to version 2.9.17 of Snort and are offering early access to the new release for customers who would like to try it out immediately.
Updates to the Snort IPS Engine are delivered as part of your up2date pattern packages. This ensures that you get updates to IPS detection even if you are still running an older UTM firmware image. It means that we can continue to efficiently deliver a single set of signatures to all our customers.
We always perform extensive internal tests on new versions of the Snort engine before we roll them out. This version is no exception to that.
However, since version 2.9.17 of Snort introduces changes in more sensitive areas than previous updates did, we have decided to stage the rollout of the new engine. It will still be delivered via up2date, but it will be delivered alongside the old engine for a time. UTMs will be automatically switched over to the new engine in stages over the coming weeks, so that we can quickly respond to any unforeseen issues.
September 16, 2021: New engine included in up2date pattern packages, available for testing but not enabled by default
September 21, 2021: New engine enabled selectively for some UTMs
September 28 onward: Gradual increase in the number of UTMs using the new engine
We aim to complete the rollout for all devices in early October.
Customers running version 9.707 of the UTM firmware can choose to switch to the new engine immediately. If you would like to do this, please contact Sophos support.
And, why not just get to 3.0 instead of baby-stepping this?
So is 3.0 on the roadmap for UTM?
Hi, will it be possible to see if the new engine is activated in the GUI (or logs)?
You should be able to see this in the IPS log.
To do this from WebAdmin, go to Logging & Reporting > View Log Files and select the Search Log Files tab.
Under "Select log file to search", choose "Intrusion Prevention System".
In search term, enter "Version".
Select a time frame that would include the last likely time that the IPS system updated or restarted. If you don't get a match with the default time period, try extending it further back.
In the search results, find the most recent line that looks like this:
This engine update, like all engine updates, is delivered in the pattern updates (I mistakenly referred to them as 'signature updates' in my original post).
The pattern updates will deliver the new engine alongside the current engine for a time. The pattern updates will also include logic to decide which engine to activate as we go through the staging process. Support are able to modify individual devices to force this logic to get early access to the new engine.