Running modes

Snort can operate in several distinct modes depending on what you pass on the command line. Without a config file, Snort acts as a packet sniffer. With -c snort.lua, it activates intrusion detection. Using the afpacket DAQ with a bridged interface pair enables inline blocking.

Without a configuration file, Snort reads or captures packets and optionally dumps them to the console. No detection or alerting occurs.Read a pcap and display statistics:

snort -r a.pcap

Dump all packets to stdout:

snort -r a.pcap -L dump

Dump packets including application payload (-d) and layer 2 headers (-e):

snort -r a.pcap -L dump -d -e

Command line flags must be specified separately. snort -de will not work, but snort -Ldump will.

Dump all pcaps in a directory matching a filter:

snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -d -e

Log packets from a directory to a log directory:

snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir

Capture live traffic from an interface:

snort -i eth0 -L dump

Use -n <count> to limit the number of packets captured. For live capture, press Ctrl-C to stop.

Capture and save 10 packets to a pcap file:

snort -i eth0 -L pcap -n 10

Snort writes to log.pcap.<timestamp>. You can then read it back with -r.

Providing a Lua configuration file with -c activates the detection engine. Snort will process rules and generate alerts.Validate a configuration file (no packet source = validation only):

snort -c /opt/snort/etc/snort/snort.lua

Validate configuration and a separate rules file:

snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/sample.rules

Run IDS mode on a pcap, printing alerts in cmg format:

snort -c snort.lua -r a.pcap -A cmg

Run with a separate rules file and the alert_fast output:

snort -c snort.lua -r a.pcap -R rules.txt -A alert_fast

Limit processing to the first 100,000 packets:

snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/sample.rules \
    -r capture.pcap -A alert_test -n 100000

Override or extend configuration at the command line with --lua:

snort -c snort.lua -r a.pcap -A cmg \
    --lua 'ips = { enable_builtin_rules = true }'

Suppress a specific rule inline without editing the config:

snort -c snort.lua -R sample.rules -r capture.pcap -A alert_test -n 100000 \
    --lua "suppress = { { gid = 1, sid = 2123 } }"

Capture separate stdout, stderr, and alert log streams:

snort -c snort.lua -r a.pcap -A csv \
    1>out 2>err 3>log

Use -z (or --max-packet-threads) to process multiple input sources concurrently. Each packet thread handles one input source at a time.Process a directory of pcaps with 8 threads:

snort -c snort.lua --pcap-dir /path/to/pcap/dir \
    --pcap-filter '*.pcap' --max-packet-threads 8

Process a directory with rules, limited to 1000 packets per file:

snort -c snort.lua -R sample.rules \
    --pcap-filter '*.pcap' --pcap-dir /path/to/pcap/dir \
    -A alert_fast -n 1000 --max-packet-threads 8

Run on two live interfaces simultaneously:

snort -c snort.lua -i "eth0 eth1" -z 2 -A cmg

In file readback mode, Snort starts up to -z threads. As each thread finishes a file, it picks up the next unprocessed one. If there are fewer files than threads, fewer threads are started.

When running on live interfaces, all threads up to -z are always started. If you provide multiple interface inputs, each thread is assigned one ordinally (falling back to the first if threads outnumber inputs).

Inline mode actively passes or blocks traffic. Use the afpacket DAQ with two interface names joined by : to bridge traffic through Snort.

snort -c snort.lua --daq afpacket -i "eth0:eth1" -A cmg

The -Q flag sets inline mode explicitly. The afpacket DAQ infers inline mode when -i is given with -Q:

snort --daq-dir /usr/local/lib/daq --daq-dir /opt/lib/daq --daq afpacket \
    --daq-var debug --daq-var fanout_type=hash \
    -i eth1:eth2 -Q

You can configure the same setup in Lua:

daq =
{
    module_dirs =
    {
        '/usr/local/lib/daq',
        '/opt/lib/daq'
    },
    modules =
    {
        {
            name = 'afpacket',
            mode = 'inline',
            variables =
            {
                'debug',
                'fanout_type=hash'
            }
        }
    },
    inputs =
    {
        'eth1:eth2',
    },
    snaplen = 1518
}

Inline mode can drop or modify live traffic. Test your ruleset on a copy of traffic before deploying inline.

Snort 3 includes several DAQ modules beyond the default pcap module, useful for testing and specialized workloads.

Hext DAQ — text/hex packet input

The hext module generates packets from hex and plain-text input. Use it to feed Snort crafted packets from stdin or a file without needing a pcap.Process hext packets from stdin:

snort -c snort.lua \
    --daq-dir /opt/snort/lib/snort/daqs --daq hext -i tty << END
$packet 10.1.2.3 48620 -> 10.9.8.7 80
"GET / HTTP/1.1\r\n"
"Host: localhost\r\n"
"\r\n"
END

Process raw ethernet frames from a hext file:

snort -c snort.lua \
    --daq-dir /opt/snort/lib/snort/daqs --daq hext \
    --daq-var dlt=1 -r <hext-file>

Use -L hext to dump TCP stream payload in hext format (useful for creating hext test files from pcaps):

snort -c snort.lua -L hext

File DAQ — raw file processing

The file module processes files directly without extracting them from pcaps. Pair it with stream_file in your config for file type identification and signature services.Process a directory of plain files with 4 threads and 8 KB buffers:

snort -c snort.lua \
    --daq-dir /opt/snort/lib/snort/daqs --daq file \
    --pcap-dir path/to/files -z 4 -s 8192

Socket DAQ — TCP stream bridging

The socket module acts as a stream socket server, accepting up to two simultaneous TCP connections and bridging them together while passing data to Snort for inspection.Bridge two TCP connections on port 8000 and inspect the traffic:

snort -c snort.lua \
    --daq-dir /opt/snort/lib/snort/daqs --daq socket

Specify a custom port and protocol:

./snort --daq-dir /path/to/lib/snort_extra/daq \
    --daq socket --daq-var port=9000 --daq-var proto=tcp -Q

The socket DAQ requires stream_user to be configured in snort.lua.

To list available DAQ modules (including any you have installed externally):

snort --daq-dir /opt/snort/lib/daq --daq-list

Shell mode provides a live command interface to a running Snort process. It requires building Snort with --enable-shell.Enable shell mode:

snort --shell <other-args>

You will see the shell prompt:

o")~

Pause immediately after loading the config (and again before exiting):

snort --shell --pause <other-args>

When paused, you must run resume() to continue execution.Enable local telnet access on port 12345:

snort --shell -j 12345 <other-args>

Available shell commands:

Command	Description
`resume()`	Continue execution after a pause
`quit()`	Terminate Snort
`detach()`	Exit the shell without stopping Snort
`help()`	List available commands

The shell prompt can be changed by setting the SNORT_PROMPT environment variable.

You can control a running Snort process by sending it Unix signals. The examples below assume <pid> is the process ID of the running Snort instance.Reload a modified configuration without restarting:

echo 'suppress = { { gid = 1, sid = 2215 } }' >> snort.lua
kill -hup <pid>

Dump current statistics to stdout:

kill -usr1 <pid>

Shut down normally (flush all pending packets):

kill -term <pid>

Exit immediately without flushing packets:

kill -quit <pid>

List available signals on your platform:

snort --help-signals

Not all signals are available on every platform. Run snort --help-signals to see what is supported on your system.

Get Started

Configuration

Inspectors & Detection

Running Snort

Migration from Snort 2