Install and Configure Snort 3 NIDS on Ubuntu 20.04

Last Updated:

In this tutorial, you will learn how to install and configure Snort 3 NIDS on Ubuntu 20.04. Snort is a lightweight network intrusion detection system. It features rules-based logging and can perform content searching/matching in addition to detecting a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to
syslog, a separate “alert” file, or even to a Windows computer via Samba.

Some of the Snort 3 features include;

  • Support multiple packet processing threads
  • Shared configuration and attribute table
  • Use a simple, scriptable configuration
  • Make key components pluggable
  • Autodetect services for portless configuration
  • Support sticky buffers in rules
  • Autogenerate reference documentation
  • Provide better cross platform support

Installing Snort 3 NIDS on Ubuntu 20.04

As of this writing, Ubuntu 20.04 provides snort 2.9 on its default Universe repos;

apt show snort

Package: snort
Priority: optional
Section: universe/net
Origin: Ubuntu
Maintainer: Ubuntu Developers 
Original-Maintainer: Javier Fernández-Sanguino Peña 
Installed-Size: 1,987 kB
Pre-Depends: adduser (>= 3.11)
Depends: snort-common-libraries (>=, snort-rules-default (>=, snort-common (>=, debconf (>= 0.5) | debconf-2.0, rsyslog | system-log-daemon, logrotate, net-tools, libc6 (>= 2.16), libdaq2, libdumbnet1 (>= 1.8), liblzma5 (>= 5.1.1alpha+20120614), libpcap0.8 (>= 1.0.0), libpcre3, zlib1g (>= 1:1.1.4)
Recommends: iproute2
Suggests: snort-doc
Conflicts: snort-mysql, snort-pgsql
Replaces: snort-common (<< 2.0.2-3)
Download-Size: 656 kB
APT-Sources: focal/universe amd64 Packages

Build and Install Snort 3 from Source Code on Ubuntu 20.04

In order to install Snort 3 NIDS, you need to build it from the source.

Run System Update

To begin with, run system package cache update;

apt update
apt upgrade

Install Required Build Tools

For a successful build and installation of Snort 3 on Ubuntu 20.04, there are a number of build tools and dependencies that needs to be installed prior to the build process as outlined on the Dependencies page.

apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev

Download and install latest version of the Snort DAQ (Data Acquisition library) . DAQ is not available on the default Ubuntu repos and hence, you need to build and install it from the source;

mkdir snort-source-files
cd snort-source-files
git clone
cd libdaq
make install

Download and install google’s thread-caching malloc, Tcmalloc, a memory allocator optimized for high concurrency situations which will provide better speed for the trade-off of higher memory usage. This is an optional dependency but highly recommended.

cd ../
wget wget
tar xzf gperftools-2.9.1.tar.gz
cd gperftools-2.8/
make install

Install Snort 3 from Source Code on Ubuntu 20.04

Now that we have all required dependencies in place, download and install Snort 3 on Ubuntu 20.04;

cd ../

Extract and navigate to Snort 3 source directory, compile and install it;

tar xzf
cd snort3-
./ --prefix=/usr/local --enable-tcmalloc
snort version 3.0.2

Install options:
    prefix:     /usr/local
    includes:   /usr/local/include/snort
    plugins:    /usr/local/lib/snort

Compiler options:
    CC:             /usr/bin/cc
    CXX:            /usr/bin/c++
    CFLAGS:            -fvisibility=hidden   -DNDEBUG -g -ggdb  -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free 
    CXXFLAGS:          -fvisibility=hidden   -DNDEBUG -g -ggdb  -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free 

Feature options:
    DAQ Modules:    Static (afpacket;bpf;dump;fst;nfq;pcap;trace)
    Flatbuffers:    OFF
    Hyperscan:      OFF
    ICONV:          ON
    Libunwind:      ON
    LZMA:           ON
    RPC DB:         Built-in
    SafeC:          OFF
    TCMalloc:       ON
    UUID:           ON

-- Configuring done
-- Generating done
-- Build files have been written to: /root/snort-source-files/snort3/build

Navigate to the build directory and compile and install Snort 3 on Ubuntu 20.04;

cd build
make install

Once the installation completes, update shared libraries;


Verify Snort 3 Installation by checking the version;

snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version
   ''''    By Martin Roesch & The Snort Team
           Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.6
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 3.0.2 15 Mar 2022
           Using libpcap version 1.10.1 (with TPACKET_V3)
           Using PCRE version 8.39 2016-06-14
           Using ZLIB version 1.2.11
           Using LZMA version 5.2.5

The above confirms that Snort 3 installation is successful and is working fine.

Obtaining Snort Command Line Help

To obtain Snort command line help, simply execute either of the commands below and check the difference;

snort --help
snort -?
-? <option prefix> output matching command line option quick help (same as --help-options) (optional)
-A <mode> set alert mode: none, cmg, or alert_*
-B <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask
-C print out payloads with character data only (no hex)
-c <conf> use this configuration
-D run Snort in background (daemon) mode
-d dump the Application Layer
-e display the second layer header info
-f turn off fflush() calls after binary log writes
-G <0xid> (same as --logid) (0:65535)
-g <gname> run snort gid as <gname> group (or gid) after initialization
-H make hash tables deterministic
-i <iface>... list of interfaces
-k <mode> checksum mode; default is all (all|noip|notcp|noudp|noicmp|none)
-L <mode> logging mode (none, dump, pcap, or log_*)
-l <logdir> log to this directory instead of current directory
-M log messages to syslog (not alerts)
-m <umask> set the process file mode creation mask (0x000:0x1FF)
-n <count> stop after count packets (0:max53)
-O obfuscate the logged IP addresses
-Q enable inline mode operation
-q quiet mode - suppress normal logging on stdout
-R <rules> include this rules file in the default policy
-r <pcap>... (same as --pcap-list)
-S <x=v> set config variable x equal to value v
-s <snap> (same as --snaplen); default is 1518 (68:65535)
-T test and report on the current Snort configuration
-t <dir> chroots process to <dir> after initialization
-U use UTC for timestamps
-u <uname> run snort as <uname> or <uid> after initialization
-V (same as --version)
-v be verbose
-X dump the raw packet data starting at the link layer
-x same as --pedantic
-y include year in timestamp in the alert and log files
-z <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:max32)

Configuring Snort 3 NIDS on Ubuntu 20.04

Configure Network Interface Cards

First off, put the interface on which Snort is listening for network traffic on promiscuous mode so that it can be able to see all of the network traffic sent to it rather than seeing only the traffic originating from within the Snort 3 server alone.

ip link set dev enp0s8 promisc on


ip add sh enp0s8
3: enp0s8: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:7f:84:15 brd ff:ff:ff:ff:ff:ff
    inet brd scope global dynamic enp0s8
       valid_lft 446sec preferred_lft 446sec
    inet6 fe80::a00:27ff:fe7f:8415/64 scope link 
       valid_lft forever preferred_lft forever

Disable Interface Offloading to prevent Snort from truncating large packets larger than 1518 bytes. You can check if this feature is enabled;

ethtool -k enp0s8 | grep receive-offload
generic-receive-offload: on
large-receive-offload: off [fixed]

GRO is enabled while LRO is fixed and hence cannot be changed.

Then disable;

ethtool -K enp0s8 gro off lro off

The two NIC changes are temporary. To ensure the changes persists across system reboot, create and enable a systemd service unit to implement the changes;

vim /etc/systemd/system/snort3-nic.service
Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot

ExecStart=/usr/sbin/ip link set dev enp0s8 promisc on
ExecStart=/usr/sbin/ethtool -K enp0s8 gro off lro off


Reload systemd configuration settings;

systemctl daemon-reload

Start and enable the service on boot;

systemctl enable --now snort3-nic.service

Install Snort 3 Rulesets on Ubuntu 20.04

Rulesets is the main artery for Snorts intrusion detection engine. There are three types of Snort Rules:

  • Community Rules
  • Registered Rules
  • Subscriber Rules

In this tutorial, we will install the community Snort rules;

Create Snort Rules directory. In the /usr/local/etc/snort/snort_defaults.lua config file, the default rules path (RULE_PATH), is defined as /usr/local/etc/rules.

mkdir /usr/local/etc/rules

Download Snort 3 community rules from Snort 3 downloads page;


Extract the rules and store them on Snort rules directory;

tar xzf snort3-community-rules.tar.gz -C /usr/local/etc/rules/
ls /usr/local/etc/rules/snort3-community-rules/
AUTHORS  LICENSE  snort3-community.rules  VRT-License.txt

Now that we have the rules to get us started in place, you need to configure Snort 3. Open the main configuration file for editing;

vim /usr/local/etc/snort/snort.lua

Set the networks to protect against attacks as the value for the HOME_NET variable. For simplicity, i just set this to the subnet of Snort 3 interface. The EXTERNAL_NET is anything other than our HOME_NET;

-- HOME_NET and EXTERNAL_NET must be set now
-- setup the network addresses you are protecting

-- set up the external network addresses.
-- (leave as "any" in most situations)
-- EXTERNAL_NET = 'any'

Edit Snort condif in the /usr/local/etc/snort/snort.lua configuration file.

vim /usr/local/etc/snort/snort.lua

Under IPS section, define the location to your rules;

ips =
    -- use this to enable decoder and inspector alerts
    --enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    variables = default_variables,
    rules = [[ 
    include $RULE_PATH/snort3-community-rules/snort3-community.rules

Save and exit the configuration file.

Installing Snort OpenAppID

OpenAppID is an application layer plugin that enables Snort to detect various applications,  Facebook, Netflix, Twitter, and Reddit, used in the network. Run the commands below download from Snort 3 downloads page and install Snort OpenAppID;

wget -O OpenAppId-12159.tgz
tar -xzvf OpenAppId-12159.tgz
cp -R odp /usr/local/lib/

Next, edit the Snort 3 configuration file and define the location of the OpenAppID libraries;

vim /usr/local/etc/snort/snort.lua
appid =
    -- appid requires this to use appids in rules
    --app_detector_dir = 'directory to load appid detectors from'
    app_detector_dir = '/usr/local/lib',
    log_stats = true,


Save and exit the configuration file.

Create Snorts Log directory;

mkdir /var/log/snort

Next, run syntax checking;

snort -c /usr/local/etc/snort/snort.lua
Finished /usr/local/etc/snort/snort.lua:
Loading /usr/local/etc/rules/snort3-community-rules/snort3-community.rules:
Finished /usr/local/etc/rules/snort3-community-rules/snort3-community.rules:
rule counts
       total rules loaded: 829
               text rules: 829
            option chains: 829
            chain headers: 56
port rule counts
             tcp     udp    icmp      ip
     any      63       3       0       0
     src     124       2       0       0
     dst     539      98       0       0
    both       0       1       0       0
   total     726     104       0       0
ips policies rule stats
              id  loaded  shared enabled    file
               0     829       0     829    /usr/local/etc/snort/snort.lua
                  defined: 20
              not checked: 11
                  not set: 3
service rule counts          to-srv  to-cli
                      dns:       89       2
                      ftp:        7       2
                 ftp-data:        0       8
                     http:      489      92
                    http2:      489      92
                     imap:        0       8
                      irc:        4       1
              netbios-ssn:       15       1
                     pop3:        0       8
                     smtp:       16       0
                      ssl:       14      31
                   telnet:        1       0
                    total:     1124     245
fast pattern port groups        src     dst     any
                   packet:       11      24       2
fast pattern service groups  to-srv  to-cli
                   packet:        9       7
                      key:        2       0
                   header:        2       5
                     body:        2       0
                     file:        2       5
                   method:        2       0
search engine
                instances: 70
                 patterns: 1715
            pattern chars: 36451
               num states: 27885
         num match states: 1724
             memory scale: KB
             total memory: 785.997
           pattern memory: 102.521
        match list memory: 280.07
        transition memory: 394.656
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

Create Custom local rules for the purposes of testing our Snort setup.

vim /usr/local/etc/rules/local.rules

Create a rule to detect ping tests;

alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)

Save and exit the local rules file. Check the syntax;

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules

Next, run the test by executing the command below;

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i enp0s8 -A alert_fast -s 65535 -k none

On another terminal, ping your Snort server. While the ping runs, you should see the alert lines written to standard output;

search engine
                instances: 70
                 patterns: 1715
            pattern chars: 36451
               num states: 27885
         num match states: 1724
             memory scale: KB
             total memory: 785.997
           pattern memory: 102.521
        match list memory: 280.07
        transition memory: 394.656
pcap DAQ configured to passive.
Commencing packet processing
++ [0] enp0s8
08/22-19:20:23.502536 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} ->
08/22-19:20:24.526491 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} ->
08/22-19:20:25.550241 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} ->
08/22-19:20:26.574652 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} ->
08/22-19:20:27.598509 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} ->

Configure Snort 3 Logging

To write Snort 3 events to log files, you need to enable configure alert settings. There are different Snort logging options that are explained well in the Snort 3 manual, Logger Modules section. To output the event data to a file, in brief format (as defined in the command line above by option -A alert_type), open the snort.lua configuration and head over to the outputs section.

vim /usr/local/etc/snort/snort.lua
-- 7. configure outputs

-- event logging
-- you can enable with defaults from the command line with -A 
-- uncomment below to set non-default configs
--alert_csv = { }
alert_fast = { 
        file = true, 
        packet = false,
        limit = 10,
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }

The setting will cause snort to write logs to alert_fast.txt file. Save and exit the configuration and run syntax checking.

snort -c /usr/local/etc/snort/snort.lua

Run the command again, this time, without the option, -A alert_fast, but with an option to specify the log directory, -l /var/log/snort.

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i enp0s8 -s 65535 -k none -l /var/log/snort/

Run the ping test again. If you check on the logs directory, you should see an alert_fast.txt file created. You can tail this file;

tail -f /var/log/snort/alert_fast.txt
08/22-19:30:41.554941 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} ->
08/22-19:30:42.578554 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} ->
08/22-19:30:43.602594 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} ->
08/22-19:30:44.626660 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} ->
08/22-19:30:45.650654 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} ->
08/22-19:30:46.674630 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} ->

You can include the local rules in snort.lua;

ips =
    -- use this to enable decoder and inspector alerts
    -- enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    variables = default_variables,
    rules = [[ 
    include $RULE_PATH/snort3-community-rules/snort3-community.rules
    include $RULE_PATH/local.rules

Running Snort as a Service

While it is possible to run Snort as a daemon in the background with command line option -D, it is also possible to create a systemd service unit for Snort.

If you are going to run Snort as a service, it is prudent to run it a non privileged system user. Hence, create a non login system user account for Snort;

useradd -r -s /usr/sbin/nologin -M -c SNORT_IDS snort

Create a systemd service unit for Snort to be run as snort user. Adjust your interfaces accordingly.

vim /etc/systemd/system/snort3.service
Description=Snort 3 NIDS Daemon

ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i enp0s8 -m 0x1b -u snort -g snort
ExecStop=/bin/kill -9 $MAINPID


Reload systemd configs;

systemctl daemon-reload

Set the ownership and permissions on the log file;

chmod -R 5775 /var/log/snort
chown -R snort:snort /var/log/snort

Start and enable Snort to run on system boot. The service will run as root and then drop the privileges to Snort user created.

systemctl enable --now snort3

Check the service to confirm if it is running;

systemctl status snort3
● snort3.service - Snort 3 NIDS Daemon
     Loaded: loaded (/etc/systemd/system/snort3.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2020-08-22 20:50:26 UTC; 1min 14s ago
   Main PID: 43673 (snort)
      Tasks: 2 (limit: 2282)
     Memory: 145.3M
     CGroup: /system.slice/snort3.service
             └─43673 /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i enp0s8 -m 0x1b -u snort -g snort

Aug 22 20:50:26 ubuntu20 systemd[1]: Started Snort 3 NIDS Daemon.

Note that we have just scratched the service on what the configuration and what Snort 3 is capable of.


Snort 3 Installation

Further Reading

Snort 3 User Manual

Related Tutorials

Install and Configure AIDE on Ubuntu 20.04

Install and Configure Tripwire Security Monitoring tool on CentOS 8

Install and Setup Suricata on CentOS 8

Install and Setup Suricata on Ubuntu 18.04


We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
Co-founder of, Linux Tips and Tutorials. Linux/Unix admin and author at

4 thoughts on “Install and Configure Snort 3 NIDS on Ubuntu 20.04”

  1. Good article. I have snort up and running under Ubuntu Server 20.04. However, there were a few confusing and incomplete parts within the article.

    Starting here I will go through each issue I came across:

    “Set the networks to protect against attacks as the value for the HOME_NET variable. For simplicity, i just set this to the subnet of Snort 3 interface. The EXTERNAL_NET is anything other than our HOME_NET;”

    “HOME_NET = ‘′”

    Not sure I understand what we are protecting here. Is it the server hosting snort, or is it the network that the server is running on?

    What should be protected? Can it be a static public IP address? Can multiple addresses be added to HOME_NET?

    Should it be something like this:
    HOME_NET = ‘’ (server IP address)
    HOME_NET = ‘’ (network range)
    HOME_NET = ‘’ (public IP address)

    “You can edit Snort defaults in the /usr/local/etc/snort/snort_defaults.lua”

    ” ips =
    — use this to enable decoder and inspector alerts
    –enable_builtin_rules = true,

    — use include for rules files; be sure to set your path
    — note that rules files can include other rules files
    include = ‘/usr/local/etc/rules/snort3-community-rules/snort3-community.rules’

    Does section “ips =” go in the snort.lua (a “ips” section already exists in this file) or snort_defaults.lua (there is no “ips” section in this file)?
    More on this in 4.

    “Installing Snort OpenAppID”
    “wget -O OpenAppId-12159.tgz”

    OpenAppId-12159.tgz file does not exist. I found it at

    “Next, run syntax checking;”
    “snort -c /usr/local/etc/snort/snort.lua”

    Running the above command generated errors like “Undefined variable in the string: $HOME_NET”.

    I found a solution here:

    In the snort.lua file I placed sections “nets”, “paths”, “ports” found in the snort_defaults.lua file:

    ips =
    include = ‘/usr/local/etc/rules/local.rules’,
    include = ‘/usr/local/etc/rules/snort3-community-rules/snort3-community.rules’,
    variables =
    nets = {
    paths = {
    ports = {

    Yet these sections already exist in the snort_defauls.lua file and snort_defauls.lua is included in the snort.lua file (include ‘snort_defaults.lua’). However, it did not work until I updated the “ips” section as seen above. Why is this so?

    “You can include the local rules in snort.lua;”

    ips =
    — use this to enable decoder and inspector alerts
    — enable_builtin_rules = true,

    — use include for rules files; be sure to set your path
    — note that rules files can include other rules files
    include = ‘/usr/local/etc/rules/snort3-community-rules/snort3-community.rules’,
    include = ‘/usr/local/etc/rules/local.rules’

    include = ‘/usr/local/etc/rules/local.rules’,
    in my “ips = ” section above does not work. The local rules will work if I comment out the community rules. Snort only seems to understand only one “include” statement. What am I doing wrong here?

    Thank you for publishing this article it has been most helpful and with a few updates it will be even better!



    • very many thanks Robert for taking time to give us this feedback. We will review and update the post. Enjoy

  2. Bonjour j’ai besoin d’aide avec snort. Je veux utiliser une interface graphique web pour les differents configuations de snort donc j’avais besoin d’aide a ce niveau

  3. Hi this installation works on virtual machine like a charm. I installed snort3 10 times from here. But when I try to install snort on google cloud this installation gives error about libcap. So I recommend that people to install snort from snort3 installation guide if you are going to install it on Cloud service. Thanks for the great article.


Leave a Comment