-c snort.lua, it activates intrusion detection. Using the afpacket DAQ with a bridged interface pair enables inline blocking.
- Sniffer mode
- IDS mode
- Multi-threaded mode
- Inline IPS mode
- DAQ alternatives
- Shell mode
- Signals
## Sniffer mode

Without a configuration file, Snort reads or captures packets and optionally dumps them to the console. No detection or alerting occurs.

Read a pcap and display statistics:

```shell
snort -r a.pcap
```

Dump all packets to stdout:

```shell
snort -r a.pcap -L dump
```

Dump packets including application payload (`-d`) and layer 2 headers (`-e`):

```shell
snort -r a.pcap -L dump -d -e
```

Command line flags must be specified separately: `snort -de` will not work, but `snort -Ldump` will.

Dump all pcaps in a directory matching a filter:

```shell
snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -d -e
```

Log packets from a directory to a log directory:

```shell
snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir
```

Capture live traffic from an interface:

```shell
snort -i eth0 -L dump
```

Use `-n <count>` to limit the number of packets captured. For live capture, press Ctrl-C to stop.

Capture and save 10 packets to a pcap file:

```shell
snort -i eth0 -L pcap -n 10
```

Snort writes to `log.pcap.<timestamp>`. You can then read it back with `-r`.

## IDS mode

Providing a Lua configuration file with `-c` activates the detection engine. Snort will process rules and generate alerts.

Validate a configuration file (no packet source = validation only):

```shell
snort -c /opt/snort/etc/snort/snort.lua
```

Validate configuration and a separate rules file:

```shell
snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/sample.rules
```

Run IDS mode on a pcap, printing alerts in `cmg` format:

```shell
snort -c snort.lua -r a.pcap -A cmg
```

Run with a separate rules file and the `alert_fast` output:

```shell
snort -c snort.lua -r a.pcap -R rules.txt -A alert_fast
```

Limit processing to the first 100,000 packets:

```shell
snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/sample.rules \
    -r capture.pcap -A alert_test -n 100000
```

Override or extend configuration at the command line with `--lua`:

```shell
snort -c snort.lua -r a.pcap -A cmg \
    --lua 'ips = { enable_builtin_rules = true }'
```

Suppress a specific rule inline without editing the config:

```shell
snort -c snort.lua -R sample.rules -r capture.pcap -A alert_test -n 100000 \
    --lua "suppress = { { gid = 1, sid = 2123 } }"
```

Capture separate stdout, stderr, and alert log streams:

```shell
snort -c snort.lua -r a.pcap -A csv \
    1>out 2>err 3>log
```
## Multi-threaded mode

Use `-z` (or `--max-packet-threads`) to process multiple input sources concurrently. Each packet thread handles one input source at a time.

Process a directory of pcaps with 8 threads:

```shell
snort -c snort.lua --pcap-dir /path/to/pcap/dir \
    --pcap-filter '*.pcap' --max-packet-threads 8
```

Process a directory with rules, limited to 1000 packets per file:

```shell
snort -c snort.lua -R sample.rules \
    --pcap-filter '*.pcap' --pcap-dir /path/to/pcap/dir \
    -A alert_fast -n 1000 --max-packet-threads 8
```

Run on two live interfaces simultaneously:

```shell
snort -c snort.lua -i "eth0 eth1" -z 2 -A cmg
```

In file readback mode, Snort starts up to `-z` threads. As each thread finishes a file, it picks up the next unprocessed one. If there are fewer files than threads, fewer threads are started.

When running on live interfaces, all threads up to `-z` are always started. If you provide multiple interface inputs, each thread is assigned one ordinally (falling back to the first if threads outnumber inputs).

## Inline IPS mode

Inline mode actively passes or blocks traffic. Use the `afpacket` DAQ with two interface names joined by `:` to bridge traffic through Snort.

```shell
snort -c snort.lua --daq afpacket -i "eth0:eth1" -A cmg
```

The `-Q` flag sets inline mode explicitly. The afpacket DAQ infers inline mode when `-i` is given together with `-Q`:

```shell
snort --daq-dir /usr/local/lib/daq --daq-dir /opt/lib/daq --daq afpacket \
    --daq-var debug --daq-var fanout_type=hash \
    -i eth1:eth2 -Q
```

You can configure the same setup in Lua:
```lua
daq =
{
    module_dirs =
    {
        '/usr/local/lib/daq',
        '/opt/lib/daq'
    },
    modules =
    {
        {
            name = 'afpacket',
            mode = 'inline',
            variables =
            {
                'debug',
                'fanout_type=hash'
            }
        }
    },
    inputs =
    {
        'eth1:eth2',
    },
    snaplen = 1518
}
```
Inline mode can drop or modify live traffic. Test your ruleset on a copy of traffic before deploying inline.
## DAQ alternatives

Snort 3 includes several DAQ modules beyond the default `pcap` module, useful for testing and specialized workloads.

To list available DAQ modules (including any you have installed externally):

```shell
snort --daq-dir /opt/snort/lib/daq --daq-list
```

### Hext DAQ — text/hex packet input

The hext module generates packets from hex and plain-text input. Use it to feed Snort crafted packets from stdin or a file without needing a pcap.

Process hext packets from stdin:

```shell
snort -c snort.lua \
    --daq-dir /opt/snort/lib/snort/daqs --daq hext -i tty << END
$packet 10.1.2.3 48620 -> 10.9.8.7 80
"GET / HTTP/1.1\r\n"
"Host: localhost\r\n"
"\r\n"
END
```

Process raw ethernet frames from a hext file:

```shell
snort -c snort.lua \
    --daq-dir /opt/snort/lib/snort/daqs --daq hext \
    --daq-var dlt=1 -r <hext-file>
```

Use `-L hext` to dump TCP stream payload in hext format (useful for creating hext test files from pcaps):

```shell
snort -c snort.lua -L hext
```

### File DAQ — raw file processing

The file module processes files directly without extracting them from pcaps. Pair it with `stream_file` in your config for file type identification and signature services.

Process a directory of plain files with 4 threads and 8 KB buffers:

```shell
snort -c snort.lua \
    --daq-dir /opt/snort/lib/snort/daqs --daq file \
    --pcap-dir path/to/files -z 4 -s 8192
```

### Socket DAQ — TCP stream bridging

The socket module acts as a stream socket server, accepting up to two simultaneous TCP connections and bridging them together while passing data to Snort for inspection.

Bridge two TCP connections on port 8000 and inspect the traffic:

```shell
snort -c snort.lua \
    --daq-dir /opt/snort/lib/snort/daqs --daq socket
```

Specify a custom port and protocol:

```shell
./snort --daq-dir /path/to/lib/snort_extra/daq \
    --daq socket --daq-var port=9000 --daq-var proto=tcp -Q
```

The socket DAQ requires `stream_user` to be configured in `snort.lua`.
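The hext DAQ above reads `$packet` records followed by double-quoted payload lines. As an added example (not Snort's own code or part of the original page), this Python helper writes that format so a hand-constructed HTTP exchange can be replayed through Snort for rule testing; the `$packet` header and the `\r\n` escape match the page, while the escaping of `\\`, `\"` and `\t` is assumed to follow C string syntax.

```python
"""Build hext-format input for Snort's hext DAQ (added example, not Snort code)."""

# Assumption: hext accepts C-style escapes; only \r\n appears in the docs above.
_ESCAPES = {"\\": "\\\\", '"': '\\"', "\r": "\\r", "\n": "\\n", "\t": "\\t"}


def hext_quote(segment: str) -> str:
    """Render one payload segment as a double-quoted hext string."""
    return '"' + "".join(_ESCAPES.get(ch, ch) for ch in segment) + '"'


def hext_packet(src: str, sport: int, dst: str, dport: int, payload: str) -> str:
    """Return one $packet record: the direction header, then the payload
    split after each CRLF so the file stays readable line by line."""
    lines = [f"$packet {src} {sport} -> {dst} {dport}"]
    parts = payload.split("\r\n")
    lines += [hext_quote(part + "\r\n") for part in parts[:-1]]
    if parts[-1]:  # trailing data without a final CRLF (e.g. a body)
        lines.append(hext_quote(parts[-1]))
    return "\n".join(lines)


def http_exchange(client: str, cport: int, server: str, sport: int,
                  request: str, response: str) -> str:
    """Request from client to server followed by the server's reply, each as
    its own $packet record, so Snort inspects both directions of the flow."""
    return "\n".join([
        hext_packet(client, cport, server, sport, request),
        hext_packet(server, sport, client, cport, response),
    ])


if __name__ == "__main__":
    # Constructed sample matching the stdin example in the docs above.
    req = "GET / HTTP/1.1\r\nHost: localhost\r\n\r\n"
    resp = "HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    print(http_exchange("10.1.2.3", 48620, "10.9.8.7", 80, req, resp))
```

Pipe the output into `snort ... --daq hext -i tty` as shown above, or save it and pass the file with `-r`.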
## Shell mode

Shell mode provides a live command interface to a running Snort process. It requires building Snort with `--enable-shell`.

Enable shell mode:

```shell
snort --shell <other-args>
```

You will see the shell prompt:

```
o")~
```

Pause immediately after loading the config (and again before exiting):

```shell
snort --shell --pause <other-args>
```

When paused, you must run `resume()` to continue execution.

Enable local telnet access on port 12345:

```shell
snort --shell -j 12345 <other-args>
```

Available shell commands:

| Command | Description |
|---|---|
| `resume()` | Continue execution after a pause |
| `quit()` | Terminate Snort |
| `detach()` | Exit the shell without stopping Snort |
| `help()` | List available commands |

The shell prompt can be changed by setting the `SNORT_PROMPT` environment variable.

## Signals

You can control a running Snort process by sending it Unix signals. The examples below assume `<pid>` is the process ID of the running Snort instance.

Reload a modified configuration without restarting:

```shell
echo 'suppress = { { gid = 1, sid = 2215 } }' >> snort.lua
kill -hup <pid>
```

Dump current statistics to stdout:

```shell
kill -usr1 <pid>
```

Shut down normally (flush all pending packets):

```shell
kill -term <pid>
```

Exit immediately without flushing packets:

```shell
kill -quit <pid>
```

List available signals on your platform:

```shell
snort --help-signals
```

Not all signals are available on every platform. Run `snort --help-signals` to see what is supported on your system.
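The reload step above edits `snort.lua` in place and then sends SIGHUP, so a typo in the appended Lua is only discovered after the running process tries to load it. As an added example (not from the Snort documentation), this Python wrapper runs the validation-only invocation from the IDS mode section (`-c` plus optional `-R`, with no packet source) and sends the signal only when that succeeds; the `run` and `kill` parameters are injection points assumed here so the logic can be exercised without a live Snort.

```python
"""Validate snort.lua before asking a running Snort to reload it (added example)."""
import os
import signal
import subprocess
from typing import Callable, Optional, Tuple


def validate_config(snort_bin: str, config: str, rules: Optional[str] = None,
                    run: Callable = subprocess.run) -> Tuple[bool, str]:
    """Run Snort with -c (and -R) but no -r/-i: per the docs above this only
    parses the configuration and exits. Returns (ok, stderr text)."""
    cmd = [snort_bin, "-c", config]
    if rules:
        cmd += ["-R", rules]
    result = run(cmd, capture_output=True, text=True)
    return result.returncode == 0, result.stderr


def append_suppress(config: str, gid: int, sid: int) -> str:
    """Append a suppress entry in the same form as the reload example above."""
    line = f"suppress = {{ {{ gid = {gid}, sid = {sid} }} }}\n"
    with open(config, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line


def reload_if_valid(snort_bin: str, config: str, pid: int,
                    rules: Optional[str] = None,
                    run: Callable = subprocess.run,
                    kill: Callable = os.kill) -> Tuple[bool, str]:
    """Send SIGHUP only if the edited config validates; otherwise report why."""
    ok, err = validate_config(snort_bin, config, rules, run=run)
    if not ok:
        return False, err
    kill(pid, signal.SIGHUP)
    return True, ""


if __name__ == "__main__":
    import sys
    # usage: reload.py <pid> <snort.lua> [rules]; assumes 'snort' is on PATH
    pid, cfg = int(sys.argv[1]), sys.argv[2]
    rules = sys.argv[3] if len(sys.argv) > 3 else None
    ok, msg = reload_if_valid("snort", cfg, pid, rules)
    print("reloaded" if ok else f"not reloaded:\n{msg}")
```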
