SNORT3
Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks。
It can perform “protocol analysis,” “content search,” and “matching,” and can be used to detect various attacks such as “buffer overflows,” “stealth port scans,” “CGI attacks,” “SMB probes,” “OS fingerprinting attempts,” “semantic URL attacks,” and “server message block probes. The system can be used to detect a variety of attacks, such as
1.advance preparation
1.1 Installing Required Packages
1.Installing openssl-devel
# dnf install openssl-devel
2.Installing cmake
# dnf -y install cmake
1.2 Install required packages
# dnf -y install libpcap-devel pcre-devel libdnet-devel hwloc-devel openssl-devel zlib-devel luajit-devel pkgconf libmnl-devel libunwind-devel libnfnetlink-devel libnetfilter_queue g++
1.3 Installing LibDAQ
# cd
# dnf install git
# git clone https://github.com/snort3/libdaq.git
# cd libdaq/
# dnf install autoconf
# ./bootstrap
# ./configure
# make && make install
# ln -s /usr/local/lib/libdaq.so.3 /lib/
Add Shared Library
# ldconfig
Check the library
# ldconfig -p|grep daq
libdaq.so.3 (libc6,x86-64) => /lib/libdaq.so.3
1.4 Installing Optional Packages
1.Installation of LZMA and UUID
# dnf -y install xz-devel libuuid-devel
2.Installing Hyperscan
# dnf -y install hyperscan hyperscan-devel
3.Installing Tcmalloc
# dnf -y install gperftools-devel
2. Installing Snort3
# git clone https://github.com/snort3/snort3.git
# cd snort3/
# export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
# export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH
# export CFLAGS="-O3"
# export CXXFLAGS="-O3 -fno-rtti"
Installing Missing Packages
# dnf -y install pcre2-devel
# dnf install flex
Build, Compile, Install
# ./configure_cmake.sh --prefix=/usr/local/snort --enable-tcmalloc
# cd build/
# pwd
/root/snort3/build
# make -j$(nproc)
# make -j$(nproc) install
Version Check
# /usr/local/snort/bin/snort -V
,,_ -*> Snort++ <*-
o" )~ Version 3.12.2.0
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2026 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.27
Using Hyperscan version 5.4.1 2023-04-14
Using libpcap version 1.10.0 (with TPACKET_V3)
Using LuaJIT version 2.1.0-beta3
Using LZMA version 5.2.5
Using OpenSSL 3.5.5 27 Jan 2026
Using PCRE2 version 10.40 2022-04-14
Using ZLIB version 1.2.11
test run
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua
--------------------------------------------------
search engine (ac_bnfa)
instances: 2
patterns: 438
pattern chars: 2602
num states: 1832
num match states: 392
memory scale: KB
total memory: 71.2812
pattern memory: 19.6484
match list memory: 28.4375
transition memory: 22.9453
appid: MaxRss diff: 3200
appid: patterns loaded: 300
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting
Network interface settings
Check network interface
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:55:a8:67 brd ff:ff:ff:ff:ff:ff
altname enp3s0
inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe55:a867/64 scope link noprefixroute
valid_lft forever preferred_lft forever
The network interface name is ens160
Set the network interface to promiscuous mode. This way, the network device can capture and inspect all network packets.
# ip link set dev ens160 promisc on
Check settings
# ip a | grep ens160 | grep mtu
2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
Check the offload status of the network interface.
If you need to monitor network traffic on an interface, you must disable offloading
# ethtool -k ens160 | grep receive-offload
generic-receive-offload: on
large-receive-offload: on
Since it is enabled, disable GRO and LRO using the following command:
# ethtool -K ens160 gro off lro off
Re-evaluate the situation
# ethtool -k ens160 | grep receive-offload
generic-receive-offload: off
large-receive-offload: off
Create systemd service for snort network interface
# vi /etc/systemd/system/snort3-nic.service
[Unit]
Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev ens160 promisc on
ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes
[Install]
WantedBy=default.target
systemd daemon applies changes
# systemctl daemon-reload
# systemctl enable snort3-nic.service
Created symlink /etc/systemd/system/default.target.wants/snort3-nic.service → /etc/systemd/system/snort3-nic.service.
# systemctl start snort3-nic.service
Check Snort NIC Service Status
# systemctl status snort3-nic.service
● snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
Loaded: loaded (/etc/systemd/system/snort3-nic.service; enabled; preset: disabled)
Active: active (exited) since Fri 2026-07-03 16:19:44 JST; 39s ago
Process: 74335 ExecStart=/usr/sbin/ip link set dev ens160 promisc on (code=exited, status=0/SUCCESS)
Process: 74336 ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off (code=exited, status=0/SUCCESS)
Main PID: 74336 (code=exited, status=0/SUCCESS)
CPU: 4ms
Jul 03 16:19:44 Lepard systemd[1]: Starting Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot...
Jul 03 16:19:44 Lepard systemd[1]: Finished Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot.
Added Snort Community Ruleset
1.Create a folder for Snort rules, download the community ruleset from the Snort website, and place it in the designated rules directory
# mkdir /usr/local/snort/etc/snort/rules
# wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/snort/etc/snort/rules/
2.Edit Snort main configuration file
# vi /usr/local/snort/etc/snort/snort.lua
●Line 24 : Change
HOME_NET = '192.168.11.0/24'
●Line 28 : Change
EXTERNAL_NET = '!$HOME_NET'
●Per Line 197 : Add at the end of the ips entry
ips =
{
-- use this to enable decoder and inspector alerts
-- enable_builtin_rules = true,
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)
variables = default_variables,
rules = [[
include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules
]]
}
3.Test Snort's main configuration changes
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting
Add custom rule
1.Create a file in the Snort rules directory
# vi /usr/local/snort/etc/snort/rules/local.rules
Describe the following
alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;)
2.Edit Snort main configuration file
Edit Snort main configuration file to include custom rules file directory in main configuration
# vi /usr/local/snort/etc/snort/snort.lua
●Per Line 199 : Add
ips =
{
-- use this to enable decoder and inspector alerts
--enable_builtin_rules = true,
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)
variables = default_variables,
rules = [[
include /usr/local/snort/etc/snort/rules/local.rules
include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules
]]
}
3.Test Snort's main configuration changes
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting
Install OpenAppID extension
Once the OpenAppID extension is installed, Snort can detect network threats at the application layer level
1.OpenAppID Extension Download and Deployment
# wget https://www.snort.org/downloads/openappid/33380 -O OpenAppId-33380.tgz
# tar -xzvf OpenAppId-33380.tgz
2.Copy the extracted folder (odp) to the following directory
# cp -R odp /usr/local/lib/
3.Edit the Snort main configuration file to define the location of the OpenAppID folder
# vi /usr/local/snort/etc/snort/snort.lua
●Per Line 100 : Add to the appid section
appid =
{
-- appid requires this to use appids in rules
--app_detector_dir = 'directory to load appid detectors from'
app_detector_dir = '/usr/local/lib',
log_stats = true,
}
appid_listener =
{
json_logging = true,
file = "/var/log/snort/appid-output.log",
}
--[[
reputation =
4.Test Snort's main configuration changes
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting
Verify that all configurations are set up correctly
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/snort/etc/snort/rules/local.rules -i ens160 -A alert_fast -s 65535 -k none
Send a ping command from a remote computer to the IP address of the server. This will cause an alert log to appear in the console window of the host server
pcap DAQ configured to passive.
Commencing packet processing
Retry queue interval is: 200 ms
++ [0] ens160
07/03-16:58:20.814588 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
07/03-16:58:20.814588 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
07/03-16:58:20.814796 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
07/03-16:58:20.814903 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
07/03-16:58:21.822194 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
07/03-16:58:21.822194 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
07/03-16:58:21.822394 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
07/03-16:58:21.822490 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
07/03-16:58:22.830746 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
07/03-16:58:22.830747 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
07/03-16:58:22.830943 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
07/03-16:58:22.831030 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
07/03-16:58:23.836851 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
07/03-16:58:23.836852 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
07/03-16:58:23.837073 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
07/03-16:58:23.837158 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
Configure Snort systemd service
1.Creating Users for the Snort Service
# useradd -r -s /usr/sbin/nologin -M snort
2.Create log folder and set permissions
Create directory folder for Snort logs and set folder permissions
# mkdir /var/log/snort
# chmod -R 5775 /var/log/snort
# chown -R snort:snort /var/log/snort
3.Create Systemd service file
# vi /etc/systemd/system/snort3.service
[Unit]
Description=Snort3 IDS Daemon Service
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort
ExecStop=/bin/kill -9 $MAINPID
[Install]
WantedBy=multi-user.target
Reload and activate the Snort service.
# systemctl daemon-reload
# systemctl enable --now snort3
Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service.
# systemctl restart snort3
Check Status
# systemctl status snort3
● snort3.service - Snort3 IDS Daemon Service
Loaded: loaded (/etc/systemd/system/snort3.service; enabled; preset: disabled)
Active: active (running) since Fri 2026-07-03 17:02:34 JST; 33s ago
Main PID: 76346 (snort3)
Tasks: 2 (limit: 22900)
Memory: 213.7M (peak: 214.1M)
CPU: 873ms
CGroup: /system.slice/snort3.service
└─76346 /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort
Jul 03 17:02:34 Lepard snort[76346]: any: 8
Jul 03 17:02:34 Lepard snort[76346]: to_server: 69
Jul 03 17:02:34 Lepard snort[76346]: to_client: 48
Jul 03 17:02:34 Lepard snort[76346]: --------------------------------------------------
Jul 03 17:02:34 Lepard snort[76346]: search engine (ac_bnfa)
Jul 03 17:02:34 Lepard snort[76346]: instances: 334
Jul 03 17:02:34 Lepard snort[76346]: patterns: 10779
Jul 03 17:02:34 Lepard snort[76346]: pattern chars: 175202
Jul 03 17:02:34 Lepard snort[76346]: num states: 123205
Jul 03 17:02:34 Lepard snort[76346]: num match states: 10502
Snort IDS Logging
1.Configure Snort JSON logging
# vi /usr/local/snort/etc/snort/snort.lua
●Per Line 261 : Add alert_json at the end of the '--7.configure outputs' section.
-------------------------------------------------------------------------------------
-- 7. configure outputs
-------------------------------------------------------------------------------------
-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
--alert_fast = { }
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }
-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }
-- additional logs
--packet_capture = { }
--file_log = { }
alert_json =
{
file = true,
limit = 50,
fields = 'timestamp msg pkt_num proto pkt_gen pkt_len dir src_addr src_port dst_addr dst_port service rule priority class action b64_data'
}
2.Restart Snort
# systemctl restart snort3
3.Check log files
Ping command from a remote computer to the server, stored in the Snort alert_json.txt file.
# tail -f /var/log/snort/alert_json.txt
{ "timestamp" : "07/03-17:10:04.805078", "msg" : "Incoming ICMP", "pkt_num" : 1698, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:04.805154", "msg" : "Incoming ICMP", "pkt_num" : 1699, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:05.816663", "msg" : "Incoming ICMP", "pkt_num" : 1729, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:05.816663", "msg" : "Incoming ICMP", "pkt_num" : 1730, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:05.816905", "msg" : "Incoming ICMP", "pkt_num" : 1731, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:05.817047", "msg" : "Incoming ICMP", "pkt_num" : 1732, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:06.826865", "msg" : "Incoming ICMP", "pkt_num" : 1791, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:06.826865", "msg" : "Incoming ICMP", "pkt_num" : 1792, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:06.828001", "msg" : "Incoming ICMP", "pkt_num" : 1793, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:06.828416", "msg" : "Incoming ICMP", "pkt_num" : 1794, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
This completes the installation and configuration of Snort 3.
