AlmaLinux9.7 : SNORT3

Contents

SNORT3

SNORT3

Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks。

It can perform “protocol analysis,” “content search,” and “matching,” and can be used to detect various attacks such as “buffer overflows,” “stealth port scans,” “CGI attacks,” “SMB probes,” “OS fingerprinting attempts,” “semantic URL attacks,” and “server message block probes. The system can be used to detect a variety of attacks, such as

1.advance preparation

1.1 advance preparation

1.Installing openssl-devel

# dnf install openssl-devel

1	# dnf install openssl-devel

2.Installing cmake

# dnf -y install cmake

1	# dnf -y install cmake

1.2 Install required packages

# dnf -y install libpcap-devel pcre-devel libdnet-devel hwloc-devel openssl-devel zlib-devel luajit-devel pkgconf libmnl-devel libunwind-devel

# dnf -y install libnfnetlink-devel libnetfilter_queue g++

# dnf -y install libpcap-devel pcre-devel libdnet-devel hwloc-devel openssl-devel zlib-devel luajit-devel pkgconf libmnl-devel libunwind-devel

# dnf -y install libnfnetlink-devel libnetfilter_queue g++

1.3 Installing LibDAQ

# cd
# dnf install git
# git clone https://github.com/snort3/libdaq.git

Cloning into 'libdaq'...
remote: Enumerating objects: 2617, done.
remote: Counting objects: 100% (239/239), done.
remote: Compressing objects: 100% (78/78), done.
remote: Total 2617 (delta 199), reused 169 (delta 161), pack-reused 2378 (from 2)
Receiving objects: 100% (2617/2617), 1.18 MiB | 12.75 MiB/s, done.
Resolving deltas: 100% (1891/1891), done.

# cd

# dnf install git

# git clone https://github.com/snort3/libdaq.git

Cloning into 'libdaq'...

remote: Enumerating objects: 2617, done.

remote: Counting objects: 100% (239/239), done.

remote: Compressing objects: 100% (78/78), done.

remote: Total 2617 (delta 199), reused 169 (delta 161), pack-reused 2378 (from 2)

Receiving objects: 100% (2617/2617), 1.18 MiB | 12.75 MiB/s, done.

Resolving deltas: 100% (1891/1891), done.

# cd libdaq/
# dnf install autoconf
# ./bootstrap

# cd libdaq/

# dnf install autoconf

# ./bootstrap

# ./configure
# make && make install

1 2	# ./configure # make && make install

# ln -s /usr/local/lib/libdaq.so.3 /lib/
Add Shared Library
# ldconfig
Check the library
# ldconfig -p|grep daq
        libdaq.so.3 (libc6,x86-64) => /lib/libdaq.so.3

# ln -s /usr/local/lib/libdaq.so.3 /lib/

Add Shared Library

# ldconfig

Check the library

# ldconfig -p|grep daq

libdaq.so.3 (libc6,x86-64) => /lib/libdaq.so.3

1.4 Installing Optional Packages

1.Installation of LZMA and UUID

# dnf -y install xz-devel libuuid-devel

1	# dnf -y install xz-devel libuuid-devel

2.Installing Hyperscan

# dnf -y install hyperscan hyperscan-devel

1	# dnf -y install hyperscan hyperscan-devel

3.Installing Tcmalloc

# dnf -y install gperftools-devel

1	# dnf -y install gperftools-devel

2. Installing Snort3

# git clone https://github.com/snort3/snort3.git
# cd snort3/
# export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
# export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH
# export CFLAGS="-O3"
# export CXXFLAGS="-O3 -fno-rtti"

# git clone https://github.com/snort3/snort3.git

# cd snort3/

# export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH

# export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH

# export CFLAGS="-O3"

# export CXXFLAGS="-O3 -fno-rtti"

Running configure

Install missing packages

# dnf -y install pcre2-devel

1	# dnf -y install pcre2-devel

# dnf install flex
# ./configure_cmake.sh --prefix=/usr/local/snort --enable-tcmalloc
-------------------------------------------------------

-- Configuring done
-- Generating done
-- Build files have been written to: /root/snort3/build

# dnf install flex

# ./configure_cmake.sh --prefix=/usr/local/snort --enable-tcmalloc

-------------------------------------------------------

-- Configuring done

-- Generating done

-- Build files have been written to: /root/snort3/build

Build, compile, and install

# cd build/
# pwd
/root/snort3/build

# make -j$(nproc)
# make -j$(nproc) install

# cd build/

# pwd

/root/snort3/build

# make -j$(nproc)

# make -j$(nproc) install

Version Check

# /usr/local/snort/bin/snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.10.0.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2025 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.23
           Using Hyperscan version 5.4.1 2023-04-14
           Using libpcap version 1.10.0 (with TPACKET_V3)
           Using LuaJIT version 2.1.0-beta3
           Using LZMA version 5.2.5
           Using OpenSSL 3.5.1 1 Jul 2025
           Using PCRE2 version 10.40 2022-04-14
           Using ZLIB version 1.2.11

# /usr/local/snort/bin/snort -V

,,_ -*> Snort++ <*-

o" )~ Version 3.10.0.0

'''' By Martin Roesch & The Snort Team

http://snort.org/contact#team

Using DAQ version 3.0.23

Using Hyperscan version 5.4.1 2023-04-14

Using libpcap version 1.10.0 (with TPACKET_V3)

Using LuaJIT version 2.1.0-beta3

Using LZMA version 5.2.5

Using OpenSSL 3.5.1 1 Jul 2025

Using PCRE2 version 10.40 2022-04-14

Using ZLIB version 1.2.11

test run

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

--------------------------------------------------
search engine (ac_bnfa)
                instances: 2
                 patterns: 438
            pattern chars: 2602
               num states: 1832
         num match states: 392
             memory scale: KB
             total memory: 71.2812
           pattern memory: 19.6484
        match list memory: 28.4375
        transition memory: 22.9453
appid: MaxRss diff: 3840
appid: patterns loaded: 300
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

--------------------------------------------------

search engine (ac_bnfa)

instances: 2

patterns: 438

pattern chars: 2602

num states: 1832

num match states: 392

memory scale: KB

total memory: 71.2812

pattern memory: 19.6484

match list memory: 28.4375

transition memory: 22.9453

appid: MaxRss diff: 3840

appid: patterns loaded: 300

--------------------------------------------------

pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).

o")~ Snort exiting

Network interface settings

Check network interface

# ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160
       valid_lft forever preferred_lft forever
    inet6 fexx::xxx:xxxx:xxxx:xxxx/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

# ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

inet 127.0.0.1/8 scope host lo

valid_lft forever preferred_lft forever

inet6 ::1/128 scope host

valid_lft forever preferred_lft forever

2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000

link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff

altname enp3s0

inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160

valid_lft forever preferred_lft forever

inet6 fexx::xxx:xxxx:xxxx:xxxx/64 scope link noprefixroute

valid_lft forever preferred_lft forever

The network interface name is ens160

Set the network interface to promiscuous mode. This way, the network device can capture and inspect all network packets.

# ip link set dev ens160 promisc on

1	# ip link set dev ens160 promisc on

Check settings

# ip a | grep ens160 | grep mtu

2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000

# ip a | grep ens160 | grep mtu

2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000

Check the offload status of the network interface.
If you need to monitor network traffic on an interface, you must disable offloading

# ethtool -k ens160 | grep receive-offload
generic-receive-offload: on
large-receive-offload: off

# ethtool -k ens160 | grep receive-offload

generic-receive-offload: on

large-receive-offload: off

Since it is enabled, disable GRO and LRO using the following command:

# ethtool -K ens160 gro off lro off

1	# ethtool -K ens160 gro off lro off

Re-evaluate the situation

# ethtool -k ens160 | grep receive-offload
generic-receive-offload: off
large-receive-offload: off

# ethtool -k ens160 | grep receive-offload

generic-receive-offload: off

large-receive-offload: off

Create systemd service for snort network interface

# vi /etc/systemd/system/snort3-nic.service

1	# vi /etc/systemd/system/snort3-nic.service

[snort3-nic.service] contents

[Unit]
Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev ens160 promisc on
ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes

[Install]
WantedBy=default.target

systemd daemon applies changes

# systemctl daemon-reload
# systemctl enable snort3-nic.service
Created symlink /etc/systemd/system/default.target.wants/snort3-nic.service → /etc/systemd/system/snort3-nic.service.
# systemctl start snort3-nic.service

# systemctl daemon-reload

# systemctl enable snort3-nic.service

Created symlink /etc/systemd/system/default.target.wants/snort3-nic.service → /etc/systemd/system/snort3-nic.service.

# systemctl start snort3-nic.service

Check Snort NIC Service Status

# systemctl status snort3-nic.service
● snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
     Loaded: loaded (/etc/systemd/system/snort3-nic.service; enabled; preset: disabled)
     Active: active (exited) since Fri 2026-01-02 16:37:58 JST; 17s ago
    Process: 122074 ExecStart=/usr/sbin/ip link set dev ens160 promisc on (code=exited, status=0/SUCCESS)
    Process: 122075 ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off (code=exited, status=0/SUCCESS)
   Main PID: 122075 (code=exited, status=0/SUCCESS)
        CPU: 4ms

Jan 02 16:37:58 Lepard systemd[1]: Starting Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot...
Jan 02 16:37:58 Lepard systemd[1]: Finished Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot.

# systemctl status snort3-nic.service

● snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot

Loaded: loaded (/etc/systemd/system/snort3-nic.service; enabled; preset: disabled)

Active: active (exited) since Fri 2026-01-02 16:37:58 JST; 17s ago

Process: 122074 ExecStart=/usr/sbin/ip link set dev ens160 promisc on (code=exited, status=0/SUCCESS)

Process: 122075 ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off (code=exited, status=0/SUCCESS)

Main PID: 122075 (code=exited, status=0/SUCCESS)

CPU: 4ms

Jan 02 16:37:58 Lepard systemd[1]: Starting Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot...

Jan 02 16:37:58 Lepard systemd[1]: Finished Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot.

Added Snort Community Ruleset

1.Create a folder for Snort rules, download the community ruleset from the Snort website, and place it in the designated rules directory

# mkdir /usr/local/snort/etc/snort/rules
# wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/snort/etc/snort/rules/

1 2	# mkdir /usr/local/snort/etc/snort/rules # wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz \| tar xz -C /usr/local/snort/etc/snort/rules/

2.Edit Snort main configuration file

# vi /usr/local/snort/etc/snort/snort.lua

1	# vi /usr/local/snort/etc/snort/snort.lua

[snort.lua] Edited Content

●Line 24 : Change
HOME_NET = '192.168.11.0/24'
●Line 28 : Change
EXTERNAL_NET = '!$HOME_NET'
●Per Line 185 : Add at the end of the ips entry
ips =
{
-- use this to enable decoder and inspector alerts
-- enable_builtin_rules = true,

-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)

variables = default_variables,
rules = [[
include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules
]]

}

3.Test Snort's main configuration changes

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

If everything is normal, the following will be displayed at the end.
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

If everything is normal, the following will be displayed at the end.

--------------------------------------------------

pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).

o")~ Snort exiting

Add custom rule

1.Create a file in the Snort rules directory

# vi /usr/local/snort/etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;)

1 2	# vi /usr/local/snort/etc/snort/rules/local.rules alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;)

2.Edit Snort main configuration file
Edit Snort main configuration file to include custom rules file directory in main configuration

# vi /usr/local/snort/etc/snort/snort.lua

1	# vi /usr/local/snort/etc/snort/snort.lua

[snort.lua] Edited Content

●Per Line 196 : Add
ips =
{
-- use this to enable decoder and inspector alerts
--enable_builtin_rules = true,

-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)

variables = default_variables,
rules = [[
include /usr/local/snort/etc/snort/rules/local.rules
include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules
]]

}

3.Test Snort's main configuration changes

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

If everything is normal, the following will be displayed at the end.
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

If everything is normal, the following will be displayed at the end.

--------------------------------------------------

pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).

o")~ Snort exiting

Install OpenAppID extension

Once the OpenAppID extension is installed, Snort can detect network threats at the application layer level

1.OpenAppID Extension Download and Deployment

# wget https://www.snort.org/downloads/openappid/33380 -O OpenAppId-33380.tgz
# tar -xzvf  OpenAppId-33380.tgz

1 2	# wget https://www.snort.org/downloads/openappid/33380 -O OpenAppId-33380.tgz # tar -xzvf OpenAppId-33380.tgz

2.Copy the extracted folder (odp) to the following directory

# cp -R odp /usr/local/lib/

1	# cp -R odp /usr/local/lib/

3.Edit the Snort main configuration file to define the location of the OpenAppID folder

# vi /usr/local/snort/etc/snort/snort.lua

1	# vi /usr/local/snort/etc/snort/snort.lua

[snort.lua] Edited Content

●Per Line 99 : Add to the appid section
appid =
{
-- appid requires this to use appids in rules
--app_detector_dir = 'directory to load appid detectors from'
app_detector_dir = '/usr/local/lib',
log_stats = true,
}
appid_listener =
{
json_logging = true,
file = "/var/log/snort/appid-output.log",
}

--[[
reputation =

4.Test Snort's main configuration changes

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

If everything is normal, the following will be displayed at the end.
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

If everything is normal, the following will be displayed at the end.

--------------------------------------------------

pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).

o")~ Snort exiting

Verify that all configurations are set up correctly

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/snort/etc/snort/rules/local.rules -i ens160 -A alert_fast -s 65535 -k none

1	# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/snort/etc/snort/rules/local.rules -i ens160 -A alert_fast -s 65535 -k none

Send a ping command from a remote computer to the IP address of the server. This will cause an alert log to appear in the console window of the host server

--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
Retry queue interval is: 200 ms
++ [0] ens160
01/02-16:45:48.748007 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
01/02-16:45:48.748008 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
01/02-16:45:48.748338 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
01/02-16:45:48.748441 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
01/02-16:45:49.751982 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
01/02-16:45:49.751983 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
01/02-16:45:49.752176 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
01/02-16:45:49.752280 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
01/02-16:45:50.765009 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
01/02-16:45:50.765009 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
01/02-16:45:50.765209 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
01/02-16:45:50.765346 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
01/02-16:45:51.780865 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
01/02-16:45:51.780866 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
01/02-16:45:51.781077 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
01/02-16:45:51.781185 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6

--------------------------------------------------

pcap DAQ configured to passive.

Commencing packet processing

Retry queue interval is: 200 ms

++ [0] ens160

01/02-16:45:48.748007 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83

01/02-16:45:48.748008 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83

01/02-16:45:48.748338 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6

01/02-16:45:48.748441 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6

01/02-16:45:49.751982 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83

01/02-16:45:49.751983 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83

01/02-16:45:49.752176 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6

01/02-16:45:49.752280 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6

01/02-16:45:50.765009 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83

01/02-16:45:50.765209 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6

01/02-16:45:50.765346 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6

01/02-16:45:51.780865 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83

01/02-16:45:51.780866 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83

01/02-16:45:51.781077 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6

01/02-16:45:51.781185 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6

Configure Snort systemd service

1.Creating Users for the Snort Service

# useradd -r -s /usr/sbin/nologin -M snort

1	# useradd -r -s /usr/sbin/nologin -M snort

2.Create log folder and set permissions
Create directory folder for Snort logs and set folder permissions

# mkdir /var/log/snort
# chmod -R 5775 /var/log/snort
# chown -R snort:snort /var/log/snort

# mkdir /var/log/snort

# chmod -R 5775 /var/log/snort

# chown -R snort:snort /var/log/snort

3.Create Systemd service file

# vi /etc/systemd/system/snort3.service

1	# vi /etc/systemd/system/snort3.service

[snort3.service] contents

[Unit]
Description=Snort3 IDS Daemon Service
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort
ExecStop=/bin/kill -9 $MAINPID

[Install]
WantedBy=multi-user.target

Reload and activate the Snort service.

# systemctl daemon-reload
# systemctl enable --now snort3
Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service.

# systemctl daemon-reload

# systemctl enable --now snort3

Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service.

Launched Snort service

# systemctl restart snort3

1	# systemctl restart snort3

Check Status

# systemctl status snort3
● snort3.service - Snort3 IDS Daemon Service
     Loaded: loaded (/etc/systemd/system/snort3.service; enabled; preset: disabled)
     Active: active (running) since Fri 2026-01-02 16:48:12 JST; 11s ago
   Main PID: 122203 (snort3)
      Tasks: 2 (limit: 22903)
     Memory: 214.2M (peak: 214.6M)
        CPU: 631ms
     CGroup: /system.slice/snort3.service
             └─122203 /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort

Jan 02 16:48:12 Lepard snort[122203]:                       any: 8
Jan 02 16:48:12 Lepard snort[122203]:                 to_server: 69
Jan 02 16:48:12 Lepard snort[122203]:                 to_client: 48
Jan 02 16:48:12 Lepard snort[122203]: --------------------------------------------------
Jan 02 16:48:12 Lepard snort[122203]: search engine (ac_bnfa)
Jan 02 16:48:12 Lepard snort[122203]:                 instances: 334
Jan 02 16:48:12 Lepard snort[122203]:                  patterns: 10779
Jan 02 16:48:12 Lepard snort[122203]:             pattern chars: 175198
Jan 02 16:48:12 Lepard snort[122203]:                num states: 123200
Jan 02 16:48:12 Lepard snort[122203]:          num match states: 10502

# systemctl status snort3

● snort3.service - Snort3 IDS Daemon Service

Loaded: loaded (/etc/systemd/system/snort3.service; enabled; preset: disabled)

Active: active (running) since Fri 2026-01-02 16:48:12 JST; 11s ago

Main PID: 122203 (snort3)

Tasks: 2 (limit: 22903)

Memory: 214.2M (peak: 214.6M)

CPU: 631ms

CGroup: /system.slice/snort3.service

└─122203 /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort

Jan 02 16:48:12 Lepard snort[122203]: any: 8

Jan 02 16:48:12 Lepard snort[122203]: to_server: 69

Jan 02 16:48:12 Lepard snort[122203]: to_client: 48

Jan 02 16:48:12 Lepard snort[122203]: --------------------------------------------------

Jan 02 16:48:12 Lepard snort[122203]: search engine (ac_bnfa)

Jan 02 16:48:12 Lepard snort[122203]: instances: 334

Jan 02 16:48:12 Lepard snort[122203]: patterns: 10779

Jan 02 16:48:12 Lepard snort[122203]: pattern chars: 175198

Jan 02 16:48:12 Lepard snort[122203]: num states: 123200

Jan 02 16:48:12 Lepard snort[122203]: num match states: 10502

Snort IDS Logging

1.Configure Snort JSON logging

# vi /usr/local/snort/etc/snort/snort.lua

1	# vi /usr/local/snort/etc/snort/snort.lua

[snort.lua] Edited Content

●Per Line 259 : Add alert_json at the end of the '--7.configure outputs' section.

-------------------------------------------------------------------------------------
-- 7. configure outputs
-------------------------------------------------------------------------------------

-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
--alert_fast = { }
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }

-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }

-- additional logs
--packet_capture = { }
--file_log = { }
alert_json =
{
file = true,
limit = 50,
fields = 'timestamp msg pkt_num proto pkt_gen pkt_len dir src_addr src_port dst_addr dst_port service rule priority class action b64_data'
}

2.Restart Snort

# systemctl restart snort3

1	# systemctl restart snort3

3.Check log files
Ping command from a remote computer to the server, stored in the Snort alert_json.txt file.

# tail -f /var/log/snort/alert_json.txt

{ "timestamp" : "01/02-16:50:45.981914", "msg" : "Incoming ICMP", "pkt_num" : 728, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "01/02-16:50:45.981989", "msg" : "Incoming ICMP", "pkt_num" : 729, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "01/02-16:50:46.996245", "msg" : "Incoming ICMP", "pkt_num" : 731, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "01/02-16:50:46.996245", "msg" : "Incoming ICMP", "pkt_num" : 732, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "01/02-16:50:46.996476", "msg" : "Incoming ICMP", "pkt_num" : 733, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "01/02-16:50:46.996587", "msg" : "Incoming ICMP", "pkt_num" : 734, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "01/02-16:50:48.010198", "msg" : "Incoming ICMP", "pkt_num" : 765, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "01/02-16:50:48.010198", "msg" : "Incoming ICMP", "pkt_num" : 766, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "01/02-16:50:48.010458", "msg" : "Incoming ICMP", "pkt_num" : 767, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "01/02-16:50:48.010575", "msg" : "Incoming ICMP", "pkt_num" : 768, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }

# tail -f /var/log/snort/alert_json.txt

{ "timestamp" : "01/02-16:50:45.981914", "msg" : "Incoming ICMP", "pkt_num" : 728, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }

{ "timestamp" : "01/02-16:50:45.981989", "msg" : "Incoming ICMP", "pkt_num" : 729, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }

{ "timestamp" : "01/02-16:50:46.996245", "msg" : "Incoming ICMP", "pkt_num" : 731, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }

{ "timestamp" : "01/02-16:50:46.996245", "msg" : "Incoming ICMP", "pkt_num" : 732, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }

{ "timestamp" : "01/02-16:50:46.996476", "msg" : "Incoming ICMP", "pkt_num" : 733, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }

{ "timestamp" : "01/02-16:50:46.996587", "msg" : "Incoming ICMP", "pkt_num" : 734, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }

{ "timestamp" : "01/02-16:50:48.010198", "msg" : "Incoming ICMP", "pkt_num" : 765, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }

{ "timestamp" : "01/02-16:50:48.010198", "msg" : "Incoming ICMP", "pkt_num" : 766, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }

{ "timestamp" : "01/02-16:50:48.010458", "msg" : "Incoming ICMP", "pkt_num" : 767, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }

{ "timestamp" : "01/02-16:50:48.010575", "msg" : "Incoming ICMP", "pkt_num" : 768, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }

This completes the installation and configuration of Snort 3.

Go to top