This guide walks you from a clean machine to a running Snort 3 sensor. Follow each step in order.
1. Install Dependencies

Snort 3 requires the following packages. Install them using your system’s package manager before building.

Required dependencies:
| Dependency | Purpose |
| --- | --- |
| CMake | Build system |
| DAQ | Packet I/O abstraction layer |
| dnet | Network utility functions |
| flex >= 2.6.0 | JavaScript syntax parser |
| g++ >= 7 (or any C++17 compiler) | Compilation |
| hwloc | CPU affinity management |
| LuaJIT | Configuration and scripting |
| OpenSSL | SHA/MD5 signatures, SSL detection |
| pcap | Packet capture and tcpdump-style logging |
| PCRE2 | Regular expression pattern matching |
| pkgconfig | Locates build dependencies |
| zlib | Decompression (>= 1.2.8 recommended) |
On Ubuntu/Debian:

```sh
sudo apt-get install -y \
  build-essential cmake flex g++ \
  libhwloc-dev libluajit-5.1-dev \
  libssl-dev libpcap-dev libpcre2-dev \
  pkg-config zlib1g-dev libdnet-dev
```
DAQ must be built and installed from source. See Building Snort 3 for instructions on setting PKG_CONFIG_PATH when DAQ is installed to a non-system path.
Install DAQ from source ($my_path is the install prefix that step 3 exports; set it before running configure):

```sh
git clone https://github.com/snort3/libdaq.git
cd libdaq
./bootstrap
./configure --prefix=$my_path
make -j $(nproc) install
```
2. Clone the Repository

Get the latest Snort 3 source from GitHub:

```sh
git clone https://github.com/snort3/snort3.git
cd snort3
```
Alternatively, download a source tarball from snort.org and extract it:

```sh
tar zxf snort-3.0.0-a3.tar.gz
cd snort-3.0.0*/
```
3. Build and Install

Set your install prefix and build using the provided configure_cmake.sh script. This script automatically creates and populates a build/ subdirectory.

```sh
export my_path=/path/to/snorty
mkdir -p $my_path

./configure_cmake.sh --prefix=$my_path
cd build
make -j $(nproc) install
```
If DAQ was installed to a custom path, export PKG_CONFIG_PATH before running configure_cmake.sh:

```sh
export PKG_CONFIG_PATH=/libdaq/install/path/lib/pkgconfig:$PKG_CONFIG_PATH
```
If you are familiar with cmake, you can run cmake or ccmake directly instead of configure_cmake.sh. See Building Snort 3 for all available build methods and cmake options.
4. Verify the Build

Confirm Snort built and installed correctly by printing the version:

```sh
$my_path/bin/snort -V
```

You should see output similar to:

```
Snort++ 3.0.0 (Build 250)
```

You can also explore the available help:

```sh
$my_path/bin/snort --help
$my_path/bin/snort --help-module suppress
$my_path/bin/snort --help-config | grep thread
```
5. Run Your First Capture

Read and decode packets from a pcap file; no configuration or rules are required:

```sh
$my_path/bin/snort -r a.pcap
```

Snort decodes and counts every packet, then prints statistics at exit. Only non-zero counts are shown.

To see full packet details including TCP/UDP payloads:

```sh
$my_path/bin/snort -L dump -d -e -q -r a.pcap
```

To read from a live interface (replace eth0 with your interface name):

```sh
$my_path/bin/snort -i eth0 -L dump
```

Use -n <count> to limit the number of packets processed, or press Ctrl-C to stop a live capture.

To capture 10 packets from a live interface to a pcap file for later analysis:

```sh
$my_path/bin/snort -i eth0 -L pcap -n 10
```
6. Run IDS Mode with Rules

Load a configuration file and a rules file to enable intrusion detection.

First, verify your configuration loads cleanly:

```sh
$my_path/bin/snort -c $my_path/etc/snort/snort.lua
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
```

Run IDS mode against a pcap with cmg alert output (header + hex payload):

```sh
snort -c snort.lua -R rules.txt -r capture.pcap -A cmg
```

Run against a full pcap directory with multiple packet threads:

```sh
$my_path/bin/snort \
  -c $my_path/etc/snort/snort.lua \
  -R $my_path/etc/snort/sample.rules \
  --pcap-filter \*.pcap --pcap-dir pcaps/ \
  -A alert_fast --max-packet-threads 8
```

Suppress a specific rule at runtime without editing the config:

```sh
$my_path/bin/snort \
  -c $my_path/etc/snort/snort.lua \
  -R $my_path/etc/snort/sample.rules \
  -r a.pcap -A alert_test -n 100000 \
  --lua "suppress = { { gid = 1, sid = 2123 } }"
```

The -A cmg flag is equivalent to -A fast -d -e: it shows alert header details followed by the packet payload in hex and text. Other formats include -A u2 (unified2 binary), -A csv (customizable CSV), and -A alert_fast (one-line summary).

To see all available alert output types:

```sh
$my_path/bin/snort --list-plugins | grep logger
```

Configuration Basics

Snort’s configuration file is a Lua script. The default snort.lua shipped with Snort is a good starting point. A minimal working example looks like:

```lua
-- Set the networks you are protecting
HOME_NET = 'any'
EXTERNAL_NET = 'any'

include 'snort_defaults.lua'

-- Enable stream reassembly
stream = { }
stream_tcp = { }

-- Enable HTTP inspection
http_inspect = { }

-- Autodetect protocols (no port binding needed)
wizard = default_wizard

-- Load detection rules
ips =
{
    variables = default_variables
}
```

Command line options override Lua configuration values. Use --lua to inject or override settings inline:

```sh
snort -c snort.lua --lua 'ips.enable_builtin_rules = true' -r capture.pcap
```
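As an added example (not the snort.lua shipped with Snort 3 and not code from this guide), the following example.lua extends the minimal configuration above with an inline rule, a file-backed alert_fast logger and a persistent suppression. The network, the sid 1000001 rule and the file name are constructed; the file assumes it sits in $my_path/etc/snort/ (or that SNORT_LUA_PATH points there) so that include finds snort_defaults.lua.

```lua
-- example.lua: added example configuration, not the shipped snort.lua.
-- Run with:  $my_path/bin/snort -c $my_path/etc/snort/example.lua -r a.pcap -l .

-- Constructed sample network; EXTERNAL_NET is everything that is not HOME_NET.
-- These must be set before the include so default_variables picks them up.
HOME_NET = '192.168.1.0/24'
EXTERNAL_NET = '!' .. HOME_NET

include 'snort_defaults.lua'

-- Stream reassembly and HTTP inspection, as in the minimal example.
stream = { }
stream_tcp = { }
http_inspect = { }
wizard = default_wizard

-- ips.rules holds rule text directly, so no -R rules file is needed here.
-- sid 1000001 is a constructed sample rule in the local-rule range.
ips =
{
    enable_builtin_rules = true,
    variables = default_variables,
    rules = [[
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( msg:"Added example: inbound HTTP request"; flow:to_server,established; content:"GET"; sid:1000001; rev:1; )
    ]],
}

-- Write one-line alerts to alert_fast.txt in the log directory given by -l
-- rather than to stdout. Equivalent to -A alert_fast with a file sink.
alert_fast = { file = true }

-- Silence a rule that is known to be noisy in this environment. Same effect
-- as the --lua "suppress = ..." override in step 6, but it persists across runs.
suppress =
{
    { gid = 1, sid = 2123 },
}
```

Any of these tables can still be overridden from the command line, for example `--lua 'alert_fast = { file = false }'` to send alerts back to stdout for a quick test.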

Next Steps

  • Review Building Snort 3 for advanced build options, Hyperscan integration, and platform-specific notes.
  • Run snort --help-counts to see all available peg count statistics.
  • Use snort --help-module <name> to explore any module’s configuration parameters.