
RockyLinux10.2 : SNORT3

SNORT3

Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks.

It performs protocol analysis and content searching and matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB (server message block) probes, OS fingerprinting attempts, and semantic URL attacks.

1. Advance preparation

1.1 Installing Required Packages

1.Installing openssl-devel

# dnf install openssl-devel

2.Installing cmake

# dnf -y install cmake
Installed:
  cmake-3.31.8-1.el10.x86_64        cmake-data-3.31.8-1.el10.noarch        cmake-rpm-macros-3.31.8-1.el10.noarch      
1.2 Install required packages
# dnf -y install libpcap-devel pcre2-devel hwloc-devel openssl-devel zlib-devel luajit-devel pkgconf libmnl-devel libunwind-devel libnfnetlink-devel libnetfilter_queue g++
# wget https://dl.fedoraproject.org/pub/epel/10/Everything/x86_64/Packages/l/libdnet-1.18.0-1.el10_1.x86_64.rpm
# rpm -Uvh libdnet-1.18.0-1.el10_1.x86_64.rpm
# dnf install libdnet

# wget https://dl.fedoraproject.org/pub/epel/10/Everything/x86_64/Packages/l/libdnet-devel-1.18.0-1.el10_1.x86_64.rpm
# rpm -Uvh libdnet-devel-1.18.0-1.el10_1.x86_64.rpm
# dnf install libdnet-devel
1.3 Installing LibDAQ
# cd
# dnf install git
# git clone https://github.com/snort3/libdaq.git

# cd libdaq/
# dnf install autoconf
# ./bootstrap

# ./configure
# make && make install
# ln -s /usr/local/lib/libdaq.so.3 /lib/

Refresh the shared library cache
# ldconfig

Verifying the library
# ldconfig -p|grep daq
        libdaq.so.3 (libc6,x86-64) => /lib/libdaq.so.3

1.4 Installing Optional Packages

1.Installation of LZMA and UUID

# dnf -y install xz-devel libuuid-devel

2.Installing Tcmalloc

# dnf -y install gperftools-devel

2. Installing Snort3

# git clone https://github.com/snort3/snort3.git
# cd snort3/
# export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
# export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH
# export CFLAGS="-O3"
# export CXXFLAGS="-O3 -fno-rtti"
# dnf install flex

# ./configure_cmake.sh --prefix=/usr/local/snort --enable-tcmalloc
# cd build/
# make -j$(nproc)
# make -j$(nproc) install

Version Check

# /usr/local/snort/bin/snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.12.2.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2026 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.27
           Using libpcap version 1.10.4 (with TPACKET_V3)
           Using LuaJIT version 2.1.1720049189
           Using LZMA version 5.6.2
           Using OpenSSL 3.5.5 27 Jan 2026
           Using PCRE2 version 10.44 2024-06-07
           Using ZLIB version 1.3.1.zlib-ng

Test run

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

Network interface settings

Check network interface

# ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:38:c5:9d brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname enx000c2938c59d
    inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe38:c59d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

The network interface name is ens160

Set the network interface to promiscuous mode. This way, the network device can capture and inspect all network packets.

# ip link set dev ens160 promisc on

Check settings

# ip a | grep ens160 | grep mtu

2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000

Check the offload status of the network interface.
To monitor traffic on an interface, you must disable receive offloading (GRO/LRO): otherwise the NIC merges received segments into larger packets before they reach Snort, so what Snort inspects no longer matches what was on the wire.

Check the current state

# ethtool -k ens160 | grep receive-offload
generic-receive-offload: on
large-receive-offload: on

Since it is currently enabled, disable GRO and LRO using the following command:

# ethtool -K ens160 gro off lro off

Check again

# ethtool -k ens160 | grep receive-offload
generic-receive-offload: off
large-receive-offload: off

The offload status for LRO and GRO is disabled.
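The state checked by hand above (PROMISC flag set, GRO and LRO off) is easy to lose after a driver reload or a NIC replacement, so the following preflight script is added here as an example; it is not part of the original page or of Snort. It parses the output of `ip link show dev IFACE` and `ethtool -k IFACE` and reports anything that would stop the sensor from seeing raw traffic. The embedded samples are copied from the page's own command output; the function names and the `check_live` helper are my own.

```python
import re
import subprocess
import sys

# Receive-side offloads that must be off on a sensor interface; the page disables exactly these two.
REQUIRED_OFF = ("generic-receive-offload", "large-receive-offload")


def flags_from_ip_link(output: str) -> set:
    """Return the flag set inside <...> from `ip link show dev IFACE` output."""
    m = re.search(r"<([^>]*)>", output)
    return set(m.group(1).split(",")) if m else set()


def offloads_from_ethtool(output: str) -> dict:
    """Map each feature in `ethtool -k IFACE` output to True (on) / False (off).
    Lines such as 'large-receive-offload: off [fixed]' are handled too."""
    feats = {}
    for line in output.splitlines():
        m = re.match(r"\s*([\w-]+):\s*(on|off)\b", line)
        if m:
            feats[m.group(1)] = (m.group(2) == "on")
    return feats


def sensor_nic_problems(ip_link_out: str, ethtool_out: str) -> list:
    """Return human-readable problems; an empty list means the NIC is ready for Snort."""
    problems = []
    flags = flags_from_ip_link(ip_link_out)
    if "UP" not in flags:
        problems.append("interface is not UP")
    if "PROMISC" not in flags:
        problems.append("interface is not in promiscuous mode")
    feats = offloads_from_ethtool(ethtool_out)
    for name in REQUIRED_OFF:
        if name not in feats:
            problems.append(f"{name} not reported by ethtool")
        elif feats[name]:
            problems.append(f"{name} is still on")
    return problems


# Constructed samples copied from the page's own command output, before and after the change.
BEFORE_IP = "2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000"
BEFORE_ETHTOOL = "generic-receive-offload: on\nlarge-receive-offload: on\n"
AFTER_IP = "2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000"
AFTER_ETHTOOL = "generic-receive-offload: off\nlarge-receive-offload: off\n"


def check_live(iface: str) -> list:
    """Run the real commands for IFACE (assumes ip and ethtool are installed and runnable)."""
    ip_out = subprocess.run(["ip", "link", "show", "dev", iface],
                            capture_output=True, text=True, check=True).stdout
    et_out = subprocess.run(["ethtool", "-k", iface],
                            capture_output=True, text=True, check=True).stdout
    return sensor_nic_problems(ip_out, et_out)


if __name__ == "__main__":
    # Usage: python3 nic_preflight.py ens160   (no argument: run against the embedded "before" sample)
    if len(sys.argv) > 1:
        problems = check_live(sys.argv[1])
    else:
        problems = sensor_nic_problems(BEFORE_IP, BEFORE_ETHTOOL)
    for p in problems:
        print("NOT READY:", p)
    sys.exit(1 if problems else 0)
```

Because it exits non-zero when anything is wrong, the script can be wired in as an `ExecStartPre=` line of the Snort service unit so that Snort refuses to start on an interface that would hand it coalesced packets.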

Create systemd service for snort network interface

# touch /etc/systemd/system/snort3-nic.service

# vi /etc/systemd/system/snort3-nic.service
Enter the following:
[Unit]
Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev ens160 promisc on
ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes

[Install]
WantedBy=default.target

Reload systemd, then enable and start the service

# systemctl daemon-reload
# systemctl enable snort3-nic.service
Created symlink /etc/systemd/system/default.target.wants/snort3-nic.service → /etc/systemd/system/snort3-nic.service.
# systemctl start snort3-nic.service

Check Snort NIC Service Status

# systemctl status snort3-nic.service

● snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
     Loaded: loaded (/etc/systemd/system/snort3-nic.service; enabled; preset: disabled)
     Active: active (exited) since Fri 2026-06-05 12:12:26 JST; 27s ago
 Invocation: 63f6f6d9148346719e84511cc5991723
    Process: 34427 ExecStart=/usr/sbin/ip link set dev ens160 promisc on (code=exited, status=0/SUCCESS)
    Process: 34428 ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off (code=exited, status=0/SUCCESS)
   Main PID: 34428 (code=exited, status=0/SUCCESS)
   Mem peak: 1.2M
        CPU: 9ms

Jun 05 12:12:26 Lepard systemd[1]: Starting snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, L>
Jun 05 12:12:26 Lepard systemd[1]: Finished snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, L>

Add the Snort Community Ruleset

1.Create a folder for Snort rules, download the community ruleset from the Snort website, and place it in the designated rules directory

# mkdir /usr/local/snort/etc/snort/rules
# wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/snort/etc/snort/rules/

2.Edit Snort main configuration file

# vi /usr/local/snort/etc/snort/snort.lua

Line 24 : Change
HOME_NET = '192.168.11.0/24'

Line 28 : Change
EXTERNAL_NET = '!$HOME_NET'

Line 188 : Add at the end of the ips entry
ips =
{
    -- use this to enable decoder and inspector alerts
    -- enable_builtin_rules = true,
    
    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    -- (see also related path vars at the top of snort_defaults.lua)

    variables = default_variables,
    rules = [[
      include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules
    ]]
}

3.Test Snort's main configuration changes

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

If everything is normal, the following will be displayed at the end.
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

Add custom rule

1.Create a file in the Snort rules directory

# touch /usr/local/snort/etc/snort/rules/local.rules

# vi /usr/local/snort/etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;)

2.Edit Snort main configuration file
Edit Snort main configuration file to include custom rules file directory in main configuration

# vi /usr/local/snort/etc/snort/snort.lua

Add around line 199
ips =
{
    -- use this to enable decoder and inspector alerts
    --enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    -- (see also related path vars at the top of snort_defaults.lua)

    variables = default_variables,
    rules = [[
      include /usr/local/snort/etc/snort/rules/local.rules
      include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules
    ]]
}

3.Test Snort's main configuration changes

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

If everything is normal, the following will be displayed at the end.
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
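A custom rule that Snort rejects at validation time is caught by the test above, but a rule that loads and is merely wrong (a sid that collides with another local rule, a sid inside the range that Snort reserves for shipped rules, a missing rev) is not. The following linter is an added example, not code from the page or from the Snort project: it parses a rules file in the same `action proto src sport dir dst dport (options)` form as the rule above and reports those problems. The sample file embeds the page's own rule on line 1 followed by three constructed bad rules; the function names are mine.

```python
import re
from dataclasses import dataclass, field

# Rule actions accepted by Snort 3; LOCAL_SID_MIN is the start of the sid range reserved for local rules.
ACTIONS = {"alert", "block", "drop", "log", "pass", "react", "reject", "rewrite"}
LOCAL_SID_MIN = 1_000_000


@dataclass
class Rule:
    lineno: int
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: dict = field(default_factory=dict)


def parse_rule(line: str, lineno: int = 0) -> Rule:
    """Split 'action proto src sport dir dst dport (opt; opt; ...)' into a Rule."""
    head, sep, rest = line.partition("(")
    rest = rest.rstrip()
    if not sep or not rest.endswith(")"):
        raise ValueError("options must be enclosed in parentheses")
    fields = head.split()
    if len(fields) != 7:
        raise ValueError(f"header has {len(fields)} fields, expected 7")
    options = {}
    # split on ';' unless it is escaped as '\;' (allowed inside content strings)
    for opt in re.split(r"(?<!\\);", rest[:-1]):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip()  # last occurrence wins; enough for sid/rev/msg checks
    return Rule(lineno, *fields, options)


def lint_rules(text: str) -> list:
    """Return (line number, problem) tuples for a rules file; an empty list means it passed."""
    findings, seen_sids = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rule = parse_rule(line, n)
        except ValueError as err:
            findings.append((n, f"unparseable rule: {err}"))
            continue
        if rule.action not in ACTIONS:
            findings.append((n, f"unknown action '{rule.action}'"))
        if rule.direction not in ("->", "<>"):
            findings.append((n, f"bad direction '{rule.direction}'"))
        sid = rule.options.get("sid")
        if sid is None or not sid.isdigit():
            findings.append((n, "missing or non-numeric sid"))
        else:
            sid_n = int(sid)
            if sid_n < LOCAL_SID_MIN:
                findings.append((n, f"sid {sid_n} is below {LOCAL_SID_MIN}, the range reserved for local rules"))
            if sid_n in seen_sids:
                findings.append((n, f"sid {sid_n} already used on line {seen_sids[sid_n]}"))
            else:
                seen_sids[sid_n] = n
        for required in ("rev", "msg"):
            if required not in rule.options:
                findings.append((n, f"missing {required}"))
    return findings


# Constructed sample: the page's own rule on line 1, followed by three deliberately bad rules.
SAMPLE_LOCAL_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;)
# constructed bad examples below
alert tcp any any -> $HOME_NET 22 (msg:"SSH to HOME_NET"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> any 80 (msg:"Outbound HTTP"; sid:5; rev:1;)
alert udp any any => $HOME_NET 53 (msg:"DNS query"; sid:1000003;)
"""

if __name__ == "__main__":
    import sys
    # Usage: python3 lint_rules.py /usr/local/snort/etc/snort/rules/local.rules
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCAL_RULES
    for lineno, problem in lint_rules(text):
        print(f"line {lineno}: {problem}")
```

Run it against local.rules before the `snort -c ... ` validation step; a duplicate sid is the one most worth catching early, because a later `rev` bump on the wrong rule silently changes which alert fires.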

Install OpenAppID extension

Once the OpenAppID extension is installed, Snort can detect network threats at the application layer.

1.OpenAppID Extension Download and Deployment

# wget https://www.snort.org/downloads/openappid/33380 -O OpenAppId-33380.tgz
# tar -xzvf  OpenAppId-33380.tgz

2.Copy the extracted folder (odp) to the following directory

# cp -R odp /usr/local/lib/

3.Edit the Snort main configuration file to define the location of the OpenAppID folder

# vi /usr/local/snort/etc/snort/snort.lua

Add to the `appid` section around line 100
appid =
{
    -- appid requires this to use appids in rules
    --app_detector_dir = 'directory to load appid detectors from'
    app_detector_dir = '/usr/local/lib',
    log_stats = true,

}
appid_listener =
{
    json_logging = true,
    file = "/var/log/snort/appid-output.log",
}

--[[
reputation =

4.Test Snort's main configuration changes

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

If everything is normal, the following will be displayed at the end.
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

Verify that all configurations are set up correctly

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/snort/etc/snort/rules/local.rules -i ens160 -A alert_fast -s 65535 -k none

Send a ping from a remote computer to the IP address of the server. Alert lines then appear in the console window of the host server.

-------------------------------------------------------------------------------------------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
Retry queue interval is: 200 ms
++ [0] ens160
06/05-13:27:36.297858 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
06/05-13:27:36.297858 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
06/05-13:27:36.298082 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
06/05-13:27:37.313208 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
06/05-13:27:37.313208 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
06/05-13:27:37.313375 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
06/05-13:27:37.313478 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
06/05-13:27:38.328985 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
06/05-13:27:38.328986 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
06/05-13:27:38.329674 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
06/05-13:27:38.330226 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
06/05-13:27:39.340441 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
06/05-13:27:39.340441 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
06/05-13:27:39.341321 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
06/05-13:27:39.341799 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14

Configure Snort systemd service

1.Creating Users for the Snort Service

# useradd -r -s /usr/sbin/nologin -M snort

2.Create log folder and set permissions
Create the directory for Snort logs and set its permissions

# mkdir /var/log/snort
# chmod -R 5775 /var/log/snort
# chown -R snort:snort /var/log/snort

3.Create Systemd service file

# touch /etc/systemd/system/snort3.service

# vi /etc/systemd/system/snort3.service
[Unit]
Description=Snort3 IDS Daemon Service
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort
ExecStop=/bin/kill -9 $MAINPID

[Install]
WantedBy=multi-user.target

Reload and activate the Snort service.

# systemctl daemon-reload
# systemctl enable --now snort3
Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service.

Start the Snort service

# systemctl start snort3

Check Status

# systemctl status snort3

● snort3.service - Snort3 IDS Daemon Service
     Loaded: loaded (/etc/systemd/system/snort3.service; enabled; preset: disabled)
     Active: active (running) since Fri 2026-06-05 13:32:01 JST; 57s ago
 Invocation: 643250b17f6b43c280a48a0734227c13
   Main PID: 40560 (snort3)
      Tasks: 2 (limit: 22808)
     Memory: 214.7M (peak: 215.1M)
        CPU: 1.186s
     CGroup: /system.slice/snort3.service
             └─40560 /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort

Jun 05 13:32:01 Lepard snort[40560]:                       any: 8
Jun 05 13:32:01 Lepard snort[40560]:                 to_server: 69
Jun 05 13:32:01 Lepard snort[40560]:                 to_client: 48
Jun 05 13:32:01 Lepard snort[40560]: --------------------------------------------------
Jun 05 13:32:01 Lepard snort[40560]: search engine (ac_bnfa)
Jun 05 13:32:01 Lepard snort[40560]:                 instances: 334
Jun 05 13:32:01 Lepard snort[40560]:                  patterns: 10779
Jun 05 13:32:01 Lepard snort[40560]:             pattern chars: 175202
Jun 05 13:32:01 Lepard snort[40560]:                num states: 123205
Jun 05 13:32:01 Lepard snort[40560]:          num match states: 10502

Snort IDS Logging

1.Configure Snort JSON logging

# vi /usr/local/snort/etc/snort/snort.lua

Line 261 : Add `alert_json` at the end of the `configure outputs` section.
---------------------------------------------------------------------------
-- 7. configure outputs
---------------------------------------------------------------------------

-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
--alert_fast = { }
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }

-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }

-- additional logs
--packet_capture = { }
--file_log = { }
alert_json =
{
    file = true,
    limit = 50,
    fields = 'timestamp msg pkt_num proto pkt_gen pkt_len dir src_addr src_port dst_addr dst_port service rule priority class action b64_data'
}

2.Restart Snort

# systemctl restart snort3

3.Check log files
Ping the server from a remote computer; the resulting alerts are written to the alert_json.txt file.

# tail -f /var/log/snort/alert_json.txt

{ "timestamp" : "06/05-13:49:13.940163", "msg" : "Incoming ICMP", "pkt_num" : 31637, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:13.940636", "msg" : "Incoming ICMP", "pkt_num" : 31638, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:14.951788", "msg" : "Incoming ICMP", "pkt_num" : 31733, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:14.951788", "msg" : "Incoming ICMP", "pkt_num" : 31734, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:14.952099", "msg" : "Incoming ICMP", "pkt_num" : 31735, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:14.952325", "msg" : "Incoming ICMP", "pkt_num" : 31736, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:15.968934", "msg" : "Incoming ICMP", "pkt_num" : 31799, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:15.968935", "msg" : "Incoming ICMP", "pkt_num" : 31800, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:15.970157", "msg" : "Incoming ICMP", "pkt_num" : 31801, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:15.970681", "msg" : "Incoming ICMP", "pkt_num" : 31802, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
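Reading alert_json.txt line by line is fine for a test ping, but a sensor on a busy segment produces many repeated hits, so the following summariser is added here as an example (it is not from the page or from Snort). It parses the one-object-per-line format shown above, collapses repeated hits per rule and flow, flags rules that fired in both directions, and decodes `b64_data` back to the packet payload. The embedded sample consists of four records copied from the page's own output plus one constructed truncated line of the kind `tail -f` shows while Snort is mid-write; function names are mine.

```python
import base64
import json
from collections import Counter

# Four records copied from the page's alert_json.txt excerpt plus one constructed, truncated line.
SAMPLE_ALERT_JSON = """\
{ "timestamp" : "06/05-13:49:13.940163", "msg" : "Incoming ICMP", "pkt_num" : 31637, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:14.951788", "msg" : "Incoming ICMP", "pkt_num" : 31733, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:14.951788", "msg" : "Incoming ICMP", "pkt_num" : 31734, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:14.952099", "msg" : "Incoming ICMP", "pkt_num" : 31735, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:16.000000", "msg" : "Incomi
"""


def parse_alerts(text: str):
    """Parse one JSON object per line; return (alerts, skipped), skipped counting unparseable lines."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1  # partial line from a file still being written, or log corruption
    return alerts, skipped


def summarize(alerts) -> Counter:
    """Count alerts per (rule, msg, dir, src_addr, dst_addr) so repeated hits collapse into one row."""
    return Counter((a["rule"], a["msg"], a["dir"], a["src_addr"], a["dst_addr"]) for a in alerts)


def bidirectional_rules(alerts) -> set:
    """Rules that fired in both directions: a hint that the header matches more than the msg implies."""
    dirs = {}
    for a in alerts:
        dirs.setdefault(a["rule"], set()).add(a["dir"])
    return {rule for rule, d in dirs.items() if {"C2S", "S2C"} <= d}


def payload(alert) -> bytes:
    """Decode the b64_data field (the raw packet payload Snort logged) to bytes."""
    return base64.b64decode(alert.get("b64_data", ""))


if __name__ == "__main__":
    import sys
    # Usage: python3 alert_summary.py /var/log/snort/alert_json.txt   (no argument: embedded sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERT_JSON
    alerts, skipped = parse_alerts(text)
    for key, n in summarize(alerts).most_common():
        rule, msg, direction, src, dst = key
        print(f"{n:6d}  {rule:<14} {direction}  {src:>15} -> {dst:<15}  {msg}")
    if skipped:
        print(f"({skipped} unparseable line(s) skipped)")
    for rule in sorted(bidirectional_rules(alerts)):
        print(f"note: {rule} fired in both directions; check whether its header is as tight as intended")
    if alerts:
        print("first payload:", payload(alerts[0]))
```

On the page's own data the bidirectional check reports 1:1000001:1: with HOME_NET set to 192.168.11.0/24 the echo replies from 192.168.11.83 also have a destination inside $HOME_NET, so a rule labelled "Incoming ICMP" logs both halves of the ping. Restricting the rule's source to $EXTERNAL_NET is the usual way to make the message and the match agree.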

This completes the installation and configuration of Snort 3.