Snort 3 Inspection Engine
Snort 3 is the default inspection engine for newly registered Firepower Threat Defense devices of version 7.0 and later. However, for Firepower Threat Defense devices of lower versions, Snort 2 is the default inspection engine. When you upgrade a managed Firepower Threat Defense device to version 7.0 or later, the inspection engine remains on Snort 2. To use Snort 3 in upgraded Firepower Threat Defenses of version 7.0 and later, you must explicitly enable it. When Snort 3 is enabled as the inspection engine of the device, the Snort 3 version of the intrusion policy that is applied on the device (through the access control policies) is activated and applied to all the traffic passing through the device.
You can switch Snort versions when required. Snort 2 and Snort 3 intrusion rules are mapped and the mapping is system-provided. However, you may not find a one-to-one mapping of all the intrusion rules in Snort 2 and Snort 3. If you change the rule action for one rule in Snort 2, that change is not retained if you switch to Snort 3 without synchronizing Snort 2 with Snort 3. For more information on synchronization, see Synchronize Snort 2 Rules with Snort 3.