Updated on 25.5.2022

How to install Snort on Ubuntu


Snort is a popular choice for running a network intrusion detection system, or NIDS for short. It monitors the packet data sent and received through a specific network interface. A NIDS can catch threats targeting your system's vulnerabilities using signature-based detection and protocol analysis. When installed and configured appropriately, NIDS software can identify the latest attacks, malware infections, compromised systems, and network policy violations. In this guide, you will find instructions on how to install Snort on Ubuntu 16. The install guide is also available for cloud servers running CentOS 7 and Debian 9.


Snort is one of the most commonly used network-based IDS. It is lightweight, open source, available on a multitude of platforms, and can be comfortably installed even on the smallest cloud server instances. Although Snort is capable of much more than network monitoring, this guide shows how to configure and run Snort in NIDS mode with a basic setup that you can expand later as needed.


Preparing your server

Setting up a basic configuration of Snort on Ubuntu is fairly simple but takes a few steps to complete. You will first need to install all the prerequisite software to ready your cloud server for installing Snort itself. Install the required libraries with the following command.

sudo apt install -y gcc libpcre3-dev zlib1g-dev libluajit-5.1-dev \
  libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev \
  bison flex libdnet autoconf libtool

With the prerequisites fulfilled, the next step is installing Snort itself on Ubuntu 16. Snort can be downloaded and installed manually from the source. Below you will find instructions on how to get this done.

Installing from the source

Setting up Snort on Ubuntu from the source code consists of a couple of steps: downloading the code, configuring it, compiling the code, installing it to an appropriate directory, and lastly configuring the detection rules.

Start by making a temporary download folder to your home directory and then changing into it with the command below.

mkdir ~/snort_src && cd ~/snort_src

Snort itself uses the Data Acquisition library (DAQ) to make abstract calls to packet capture libraries. Download the latest DAQ source package from the Snort website with the wget command below. Replace the version number in the command if a newer source is available.

wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz

The download will only take a few seconds. When complete, extract the source code and jump into the new directory with the following commands.

tar -xvzf daq-2.0.7.tar.gz
cd daq-2.0.7

The latest version requires an additional step to regenerate the build scripts before running configure. Use the command below, which requires autoconf and libtool to be installed.

autoreconf -f -i

Afterwards, run the configuration script using its default values, then compile the program with make and finally install DAQ.

./configure && make && sudo make install

With DAQ installed, you can get started with Snort. Change back to the download folder.

cd ~/snort_src

Next, download the Snort source code with wget. You can find the latest version number on the Snort downloads page. Replace it in the following command if necessary.

wget https://www.snort.org/downloads/snort/snort-2.9.16.tar.gz

Once the download is complete, extract the source and change into the new directory with these commands.

tar -xvzf snort-2.9.16.tar.gz
cd snort-2.9.16

Then configure the installation with Sourcefire enabled, and run make and make install.

./configure --enable-sourcefire && make && sudo make install

With that done, continue below on how to set up the configuration files.

Configuring Snort to run in NIDS mode

Next, you will need to configure Snort for your system. This includes editing some configuration files, downloading the rules that Snort will follow, and taking Snort for a test run.

Start with updating the shared libraries using the command underneath.

sudo ldconfig

Snort on Ubuntu is installed as /usr/local/bin/snort; it is good practice to create a symbolic link to it at /usr/sbin/snort.

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

Setting up username and folder structure

To run Snort on Ubuntu safely without root access, you should create a new unprivileged user and a new user group for the daemon to run under.

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

Then create the folder structure to house the Snort configuration, just copy over the commands below.

sudo mkdir -p /etc/snort/rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules

Set the permissions for the new directories accordingly.

sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

Create new files for the white and blacklists as well as the local rules.

sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules

Then copy the configuration files from the download folder.

sudo cp ~/snort_src/snort-2.9.16/etc/*.conf* /etc/snort
sudo cp ~/snort_src/snort-2.9.16/etc/*.map /etc/snort

Next up, you will need to download the detection rules Snort will follow to identify potential threats. Snort provides three tiers of rule sets: community, registered and subscriber rules.

  • Community rules are freely available although slightly limited.
  • By registering for free on their website you get access to your Oink code, which lets you download the registered users rule sets.
  • Lastly, subscriber rules are just that, available to users with an active subscription to Snort services.

Below you can find instructions for downloading either the community rules or the registered user rule sets.

Option 1. Using community rules

If you just want to quickly test out Snort, grab the community rules using wget with the command below.

wget https://www.snort.org/rules/community -O ~/community.tar.gz

Extract the rules and copy them to your configuration folder.

sudo tar -xvf ~/community.tar.gz -C ~/
sudo cp ~/community-rules/* /etc/snort/rules

By default, Snort on Ubuntu expects to find a number of rule files that are not included in the community rules. You can comment out the unnecessary include lines with the sed command below.

sudo sed -i 's/include $RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf

Option 2. Obtaining registered user rules

You can also take a moment and register on the Snort website. Registering gives you access to use their Oink code to download the registered user rules. You can find the code in the Snort user account details.

Replace the oinkcode in the following command with your personal code.

wget https://www.snort.org/rules/snortrules-snapshot-29160.tar.gz?oinkcode=oinkcode -O ~/registered.tar.gz

Once downloaded, extract the rules over to your configuration directory.

sudo tar -xvf ~/registered.tar.gz -C /etc/snort

The rule sets for the registered users include an extensive amount of useful preconfigured detection rules. If you tried out Snort with the community rules first, you can enable additional rules by uncommenting their inclusions towards the end of the snort.conf file.

Configuring the network and rule sets

With the configuration and rule files in place, edit the snort.conf to modify a few parameters. Open the configuration file in your favourite text editor, for example using nano with the command below.

sudo nano /etc/snort/snort.conf

Find the sections shown below in the configuration file and change the parameters to match the examples here, replacing server_public_ip with the public IP address of your server.

# Setup the network addresses you are protecting
ipvar HOME_NET server_public_ip/32
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

In the same snort.conf file, scroll down to section 6 and set the unified2 output to log under the filename snort.log, as shown below.

# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128

Lastly, scroll down towards the bottom of the file to find the list of included rule sets. You will need to uncomment the local.rules to allow Snort to load any custom rules.

include $RULE_PATH/local.rules

If you are using the community rules, add the line underneath to your ruleset as well, for example just below your local.rules line.

include $RULE_PATH/community.rules

Once you are done with the configuration file, save the changes and exit the editor.

Validating settings

Snort should now be ready to run. Test the configuration using the -T parameter to enable test mode.

sudo snort -T -c /etc/snort/snort.conf

After running the Snort configuration test, you should get a message like this example below.

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.16 GRE (Build 118) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.39 2016-06-14
           Using ZLIB version: 1.2.11

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.1  
           Preprocessor Object: SF_DCERPC2  Version 1.0  
           Preprocessor Object: SF_SSH  Version 1.1  
           Preprocessor Object: SF_FTPTELNET  Version 1.2  
           Preprocessor Object: SF_SDF  Version 1.1  
           Preprocessor Object: SF_DNP3  Version 1.1  
           Preprocessor Object: SF_REPUTATION  Version 1.1  
           Preprocessor Object: SF_IMAP  Version 1.0  
           Preprocessor Object: SF_SMTP  Version 1.1  
           Preprocessor Object: SF_GTP  Version 1.1  
           Preprocessor Object: appid  Version 1.1  
           Preprocessor Object: SF_MODBUS  Version 1.1  
           Preprocessor Object: SF_POP  Version 1.0  
           Preprocessor Object: SF_DNS  Version 1.1  
           Preprocessor Object: SF_SSLPP  Version 1.1  
           Preprocessor Object: SF_SIP  Version 1.1  

Snort successfully validated the configuration!
Snort exiting

If you get an error instead, the printout should tell you what the problem was and where to fix it. The most likely problems are missing files or folders, which you can usually resolve either by adding any you missed in the setup above or by commenting out unnecessary include lines in snort.conf. Check the configuration section and try again.
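The checks in that paragraph can be scripted. The following is an added example written for this page, not code from the guide or from the Snort project: it reads the uncommented var, ipvar, include and dynamic* lines of a Snort 2.9 snort.conf and reports missing rule files and directories, a relative rule path, a HOME_NET left at the placeholder, and a missing dynamic engine, so you see them all at once instead of one per snort -T run. The snort.conf excerpt it builds under a temporary directory is constructed for the demonstration, as is the example address 203.0.113.10.

```shell
#!/bin/sh
# Added example, not from the guide or from Snort: a preflight check for a
# Snort 2.9 snort.conf. It assumes the 2.9-style keywords var / ipvar /
# include / dynamicengine / dynamicpreprocessor / dynamicdetection.
# The sample config written by make_sample_conf is constructed.

report() { printf 'PROBLEM: %s\n' "$1"; problems=$((problems + 1)); }

# resolve_path PATH -> expands the $RULE_PATH-style prefixes Snort uses and
# makes bare relative includes (classification.config, ...) relative to the conf dir
resolve_path() {
    p=$1
    case $p in
        '$RULE_PATH/'*)         p=$RULE_PATH/${p#'$RULE_PATH/'} ;;
        '$SO_RULE_PATH/'*)      p=$SO_RULE_PATH/${p#'$SO_RULE_PATH/'} ;;
        '$PREPROC_RULE_PATH/'*) p=$PREPROC_RULE_PATH/${p#'$PREPROC_RULE_PATH/'} ;;
    esac
    case $p in /*) ;; *) p=$confdir/$p ;; esac
    printf '%s\n' "$p"
}

# snort_preflight CONF -> prints each problem, returns how many were found (0 = clean)
snort_preflight() {
    conf=$1; confdir=$(dirname "$1"); problems=0
    RULE_PATH= SO_RULE_PATH= PREPROC_RULE_PATH= HOME_NET=
    # pass 1: the path variables and HOME_NET (section 1 of snort.conf)
    while read -r kw name value; do
        case $kw in
            var)
                case $name in
                    RULE_PATH|SO_RULE_PATH|PREPROC_RULE_PATH|WHITE_LIST_PATH|BLACK_LIST_PATH)
                        eval "$name=\$value"   # name is one of the fixed identifiers above
                        if [ "${value#/}" = "$value" ]; then
                            report "$name '$value' is relative; use an absolute path"
                        elif [ ! -d "$value" ]; then
                            report "$name directory $value does not exist"
                        fi ;;
                esac ;;
            ipvar)
                if [ "$name" = HOME_NET ]; then HOME_NET=$value; fi ;;
        esac
    done < "$conf"
    case $HOME_NET in
        ''|*server_public_ip*) report "ipvar HOME_NET is still the placeholder; set it to your server address, e.g. 203.0.113.10/32" ;;
    esac
    # pass 2: every file or directory the config pulls in must exist
    while read -r kw name value; do
        case $kw in
            include)
                f=$(resolve_path "$name")
                [ -f "$f" ] || report "include $name resolves to $f, which is missing" ;;
            dynamicengine)
                [ -e "$name" ] || report "dynamicengine $name is missing; did 'sudo make install' complete?" ;;
            dynamicpreprocessor|dynamicdetection)
                if [ "$name" = directory ] && [ ! -d "$value" ]; then
                    report "$kw directory $value is missing"
                fi ;;
        esac
    done < "$conf"
    return "$problems"
}

# make_sample_conf DIR -> writes a constructed snort.conf excerpt with deliberate
# mistakes (placeholder HOME_NET, missing so_rules dir, missing engine and
# community.rules) into DIR and prints its path
make_sample_conf() {
    dir=$1
    mkdir -p "$dir/rules"
    : > "$dir/rules/local.rules"
    : > "$dir/classification.config"
    cat > "$dir/snort.conf" <<EOF
# constructed snort.conf excerpt (not a real Snort install)
ipvar HOME_NET server_public_ip/32
ipvar EXTERNAL_NET !\$HOME_NET
var RULE_PATH $dir/rules
var SO_RULE_PATH $dir/so_rules
include classification.config
dynamicengine $dir/engine/libsf_engine.so
include \$RULE_PATH/local.rules
include \$RULE_PATH/community.rules
#include \$RULE_PATH/app-detect.rules
EOF
    printf '%s\n' "$dir/snort.conf"
}

demo=$(mktemp -d)
sample=$(make_sample_conf "$demo")
snort_preflight "$sample" || echo "$? problem(s) found in $sample"
rm -rf "$demo"
```

Run it against the real file with snort_preflight /etc/snort/snort.conf; a return value of 0 means every include and directory the config refers to is in place and HOME_NET has been set, which is exactly the state snort -T expects.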

Testing the configuration

To test whether Snort is logging alerts as intended, add a custom detection rule that alerts on incoming ICMP traffic to the local.rules file. Open your local rules in a text editor.

sudo nano /etc/snort/rules/local.rules

Then add the following line to the file.

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)

The rule consists of the following parts:

  • the action taken for traffic matching the rule, alert in this case
  • the traffic protocol, such as TCP, UDP or ICMP as here
  • the source address and port, simply marked as any to include all addresses and ports
  • the direction operator ->, followed by the destination address and port, $HOME_NET as declared in the configuration and any for the port
  • some additional options in parentheses:
    • the log message (msg)
    • a unique rule identifier (sid), which for local rules needs to be 1000001 or higher
    • the rule revision number (rev)

Save the local.rules and exit the editor.
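As an added example, not from the guide, here is a small linter in shell for the local.rules format just described: it checks the seven header fields (action, protocol, source, source port, direction, destination, destination port) and the msg, sid and rev options, and rejects sids below 1000001. It catches the kind of typo that otherwise only shows up as a parse error in snort -T. The sample rules it runs on are constructed, including three deliberately faulty ones.

```shell
#!/bin/sh
# Added example, not from the guide: a linter for Snort 2.9 local rules.
# Sample rules at the bottom are constructed for the demonstration.

# lint_rule 'RULE' -> prints "ok" or the problem; returns 0 when the rule is fine
lint_rule() {
    rule=$1
    case $rule in
        *"("*")"*) ;;
        *) echo "missing option block in parentheses"; return 1 ;;
    esac
    header=${rule%%"("*}                  # text before the first "("
    opts=${rule#*"("}; opts=${opts%")"*}  # text between "(" and the last ")"
    set -f; set -- $header; set +f        # split header on whitespace, no globbing
    [ $# -eq 7 ] || { echo "header has $# fields, expected 7"; return 1; }
    action=$1 proto=$2 direction=$5
    case $action in
        alert|log|pass|drop|reject|sdrop) ;;
        *) echo "unknown action '$action'"; return 1 ;;
    esac
    case $proto in
        tcp|udp|icmp|ip) ;;
        *) echo "unknown protocol '$proto'"; return 1 ;;
    esac
    case $direction in
        '->'|'<>') ;;
        *) echo "bad direction operator '$direction'"; return 1 ;;
    esac
    case $opts in *msg:*) ;; *) echo "missing msg option"; return 1 ;; esac
    case $opts in *rev:*) ;; *) echo "missing rev option"; return 1 ;; esac
    sid=$(printf '%s\n' "$opts" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$sid" ] || { echo "missing or non-numeric sid"; return 1; }
    [ "$sid" -ge 1000001 ] || { echo "sid $sid is below 1000001, the range for local rules"; return 1; }
    echo ok
}

# lint_rules_file FILE -> lints every non-comment line, returns the number of bad rules
lint_rules_file() {
    bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        result=$(lint_rule "$line") || bad=$((bad + 1))
        printf 'line %d: %s\n' "$n" "$result"
    done < "$1"
    return "$bad"
}

# Constructed sample: the guide's ICMP test rule plus three faulty ones
# (reserved sid, missing msg, misspelled action).
SAMPLE_RULES='# local rules (constructed sample)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"ssh to home net"; sid:999; rev:1;)
alert tcp any any -> $HOME_NET 80 (sid:10000002; rev:1;)
alrt udp any any -> $HOME_NET 53 (msg:"typo in action"; sid:10000003; rev:1;)'

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$tmp"
lint_rules_file "$tmp" || echo "$? rule(s) need fixing before running snort -T"
rm -f "$tmp"
```

Point it at your own file with lint_rules_file /etc/snort/rules/local.rules; the return value is the number of rules to fix, so it drops straight into a pre-deploy script.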

Start Snort with the -A console option to print the alerts to stdout. You will need to select the network interface that carries the public IP address of your server, for example eth0.

sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf

If you are not sure which interface to use, check your UpCloud control panel for the public IPv4 address of your server in the Network settings. You can also use the following command on your server.

ip addr

The output will list all of your currently configured network interfaces. Find the one with the same public IP address as shown in the Network settings, commonly eth0.

With Snort up and running, ping your cloud server from any other computer. You should see a notice for each ICMP call in the terminal running Snort.

07/12-11:20:33.501624  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 83.136.252.119 -> 80.69.173.202

After the alerts show up you can stop Snort with ctrl+C.

Snort records the alerts to a log at /var/log/snort/snort.log.timestamp, where timestamp is the Unix time at which Snort was started. You can read the logs with the command below. Since you have only run Snort once, there is only one log; complete the file name by pressing TAB.

snort -r /var/log/snort/snort.log.

The log shows an entry for each ICMP call with source and destination IPs, time and date, plus some additional info, as in the example below.

WARNING: No preprocessors configured for policy 0.
07/12-11:20:33.501624 83.136.252.118 -> 80.69.173.202
ICMP TTL:63 TOS:0x0 ID:20187 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:13891 Seq:1 ECHO
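The three things readers most often get wrong at this step (passing the directory instead of a file, leaving the timestamp suffix incomplete, and reading the log as a user without permission) can be checked before running snort -r. The helpers below are an added example, not part of the guide; the log files they create under a temporary directory are constructed, and the timestamps are sample values. They also turn the Unix-time suffix back into a readable start time.

```shell
#!/bin/sh
# Added example, not from the guide: pick and sanity-check the unified2 log
# (/var/log/snort/snort.log.<unix start time>) before handing it to "snort -r".
# The sample log files created at the bottom are constructed.

# latest_snort_log DIR -> prints the snort.log.* file with the newest start time
latest_snort_log() {
    latest= best=0
    for f in "$1"/snort.log.*; do
        [ -f "$f" ] || continue
        ts=${f##*.}
        case $ts in ''|*[!0-9]*) continue ;; esac   # suffix must be all digits
        if [ "$ts" -gt "$best" ]; then best=$ts; latest=$f; fi
    done
    [ -n "$latest" ] || return 1
    printf '%s\n' "$latest"
}

# describe_snort_log FILE -> "<file>: Snort started <UTC time>, <n> bytes"
describe_snort_log() {
    f=$1; ts=${f##*.}
    # GNU date takes -d @epoch, BSD/macOS date takes -r epoch
    when=$(date -u -d "@$ts" '+%Y-%m-%d %H:%M:%S' 2>/dev/null || date -u -r "$ts" '+%Y-%m-%d %H:%M:%S')
    printf '%s: Snort started %s UTC, %s bytes\n' "$f" "$when" "$(wc -c < "$f" | tr -d ' ')"
}

# check_snort_log_arg PATH -> "ok" or the reason "snort -r PATH" will fail;
# return codes: 0 ok, 2 directory, 3 missing, 4 unreadable, 5 empty
check_snort_log_arg() {
    p=$1
    if [ -d "$p" ]; then
        echo "directory: snort -r needs one file, e.g. $(latest_snort_log "$p" || echo "$p/snort.log.<timestamp>")"; return 2
    elif [ ! -e "$p" ]; then
        echo "no such file: complete the snort.log.<timestamp> suffix (TAB completes it)"; return 3
    elif [ ! -r "$p" ]; then
        echo "permission denied: the log belongs to the snort user, read it with sudo"; return 4
    elif [ ! -s "$p" ]; then
        echo "empty file: Snort wrote no packets to it, check your rules and do a test run"; return 5
    fi
    echo ok
}

demo=$(mktemp -d)
printf 'constructed' > "$demo/snort.log.1579826756"
: > "$demo/snort.log.1579826763"                 # empty log
printf 'constructed, newer' > "$demo/snort.log.1579826778"
describe_snort_log "$(latest_snort_log "$demo")"
for arg in "$demo" "$demo/snort.log." "$demo/snort.log.1579826763" "$demo/snort.log.1579826778"; do
    printf '%s -> %s\n' "$arg" "$(check_snort_log_arg "$arg")"
done
rm -rf "$demo"
```

On a live system, sudo sh -c 'snort -r "$(latest_snort_log /var/log/snort)"' (with the function sourced) reads the most recent run without guessing the suffix, and check_snort_log_arg gives a plain-language reason whenever snort -r would have reported "Error getting pcaps".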

Running Snort in the background

To run Snort on Ubuntu as a service in the background, you will need to add a systemd unit file for Snort. Open a new file in a text editor, for example with the next command.

sudo nano /lib/systemd/system/snort.service

Enter the following to the file, save and exit the editor.

[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

[Install]
WantedBy=multi-user.target

With the service defined, reload the systemd daemon.

sudo systemctl daemon-reload

Snort can then be run with the configuration you set up using the command below.

sudo systemctl start snort

The service also responds to the other usual systemctl commands: stop, restart, and status. For example, you can check the status of the service with the following command.

sudo systemctl status snort

Conclusions

Congratulations, you should now have successfully configured and tested a network-based intrusion detection system. This guide, however, only covers the very basics with an introduction to Snort and NIDS in general. To get more out of your installation, check out the deployment guides over at the Snort documents page, or jump right into writing your own detection rules with their helpful Snort rules infographic.

Janne Ruostemaa

Editor-in-Chief

  1. Hi sir,
    I have followed your tutorial from beginning to end.
    When I execute snort, there is an error message:

    Running in Test mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file “/etc/snort/snort.conf”
    PortVar ‘HTTP_PORTS’ defined : [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
    PortVar ‘SHELLCODE_PORTS’ defined : [ 0:79 81:65535 ]
    PortVar ‘ORACLE_PORTS’ defined : [ 1024:65535 ]
    PortVar ‘SSH_PORTS’ defined : [ 22 ]
    PortVar ‘FTP_PORTS’ defined : [ 21 2100 3535 ]
    PortVar ‘SIP_PORTS’ defined : [ 5060:5061 5600 ]
    PortVar ‘FILE_DATA_PORTS’ defined : [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
    PortVar ‘GTP_PORTS’ defined : [ 2123 2152 3386 ]
    Detection:
    Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
    ERROR: /etc/snort/snort.conf(250) Could not stat dynamic module path “/usr/local/lib/snort_dynamicengine/libsf_engine.so”: No such file or directory.

    Fatal Error, Quitting..

    I have already created those directories manually but it still gives the same error.
    Please help.

    thanks in advance

  2. Janne Ruostemaa

    Hi Ben, it would seem that Snort didn’t get fully installed. The /usr/local/lib/snort_dynamicengine directory should have been created automatically by the install process. I’d recommend trying to run the install command again:
    ~/snort_src/snort-2.9.12/configure --enable-sourcefire && make && sudo make install
    Note that the ‘sudo make install‘ command needs to be run using sudo privileges.
    Afterwards, verify that the dynamic engine was set up and try testing the Snort config again. If you get any errors during the install, check that all the required software packages were installed.

  3. I have a question: I want to use Snort with NIDS and HIDS, is that possible?!

  4. Janne Ruostemaa

    Hi Mensi, thanks for the question. In short, no. Snort is not designed to monitor files, processes, logs or user context which means it’s not suited to be used as a host-based intrusion detection system. A good option for HIDS would be OSSEC https://www.ossec.net/

  5. Hello! How do I set up Snort in Ubuntu to be in IPS mode? Thank you!!

  6. Janne Ruostemaa

    Hi Jacob, thanks for the question. You can find the additional steps required to configure Snort in IPS mode with DAQ at their documentation page.

  7. Dear all
    I have a problem like this:
    abreu@ubuntu:~$ snort -r /var/log/snort/archived_logs/
    Running in packet dump mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Specified pcap is not a regular file: /var/log/snort/archived_logs/
    ERROR: Error getting pcaps.
    Fatal Error, Quitting..
    abreu@ubuntu:~$

    I need answer for all…
    Please help me!
    Thanks

  8. Janne Ruostemaa

    Hi Abreu, thanks for reaching out. The snort -r command is for reading logs and needs a file as the last parameter instead of a directory. Try something like snort -r /var/log/snort/archived_logs/snort.log where snort.log is one of your archived log files.

  9. Mohammed siraj

    i think the link is broken, can you please verify.! BTW, thanx for the awesome “How to ” tut.

  10. Janne Ruostemaa

    Hi Mohammed, thanks for the heads up on the link. Snort recently released their latest update with version 2.9.13 which unfortunately means our link for the 2.9.12 no longer works. Simply replace the version number in all commands and the rest of the guide should work just fine granted the update didn’t include any major changes. You can always check for the most up to date version at Snort downloads page.

  11. Shaik Mohammed Siraj

    the “configure Snort in IPS mode with DAQ” link appears to be down, can you please verify ASAP..!!..

  12. Janne Ruostemaa

    Hi Mohammed, the link to the Snort IPS with DAQ was to one of the guides at Snort’s official documentation.

  13. Hello, please can you help me? I have this error with dump: Running in packet dump mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Error getting stat on pcap file: /var/log/snort/snort.log.: No such file or directory
    ERROR: Error getting pcaps.
    Fatal Error, Quitting..

  14. Janne Ruostemaa

    Hi there, thanks for reaching out. Looking at the error message, it seems you are trying to read a log file but didn’t complete the file name to include the long series of numbers at the end. The example snort -r /var/log/snort/snort.log.xxxx is just a path to the log files, you’ll need to pick one to read, e.g. by pressing TAB to use autocomplete on Linux.

  15. Thanks for amazing tutorial for installing NIDS service. I’m really appreciated it!

  16. Great tutorial.
    But I had a problem with the community rules. Your 'sudo sed' command refers to '/etc/snort/snort.conf' but this file doesn't exist. For me it had to be '/etc/snort/rules/snort.conf'.

  17. Janne Ruostemaa

    Hi Mike, thanks for the comment. You must have installed Snort slightly differently for the configuration file to be in the /rules directory but it’ll work all the same. Just remember to use the same config file path when running Snort, e.g. sudo snort -T -c /etc/snort/snort.conf for you would be sudo snort -T -c /etc/snort/rules/snort.conf
    Alternatively, you can always move the config file to the /etc/snort/ directory as well.

  18. Hi ! Thanks for the tutorial!

    I have two problems. When I send "sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf", Snort says ERROR: /etc/snort//etc/snort/rules/app-detect.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules": No such file or directory.

    When I send "sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort" it works.

    The second problem is that when the command works and I send a ping to the host, Snort says
    "Warning: no Preprocessors configured for policy 0."

    What can I do?!

    Thanks a lot!

  19. Janne Ruostemaa

    Hi Ismael, thanks for the question. It seems your rule path in the /etc/snort/snort.conf is set relative to the working directory but uses the whole path. Check the snort.conf file and set the rule path exactly like this: var RULE_PATH /etc/snort/rules

    The warning is normal and nothing to worry about as the example configuration just doesn’t include a preprocessor.

  20. Hello dear Janne Ruostemaa, first of all thanks for the tutorial.
    Anyway, I have a question about a problem that is preventing me from using Snort.
    Well after a start snort:
    _______________________________________________________________
    user@ubuntu: snort

    Running in packet dump mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    ERROR: Failed to lookup interface: socket: Socket type not supported. Please specify one with -i switch
    Fatal Error, Quitting..
    ______________________________________________________________
    And this appears, preventing Snort from starting.
    I’ll wait for an answer, thank a lot anyway.
    Best regards!

  21. Ademayokun Daini

    Thanks for the guide, I really appreciate it.
    However, I need to be able to send my logs to ArcSight SIEM. My connector is installed to read the /var/log/snort/snort.log.* files, but the files have permissions granted only to the snort user.
    How can I make it possible to send the logs to my SIEM?

  22. Janne Ruostemaa

    Hi there, thanks for the question. According to ArcSight documentation, you should be able to use ArcSight Connector to manage Snort logs.

  23. Janne Ruostemaa

    Hi there, thanks for the question. You need to enter a couple of command-line parameters to successfully run Snort. The -i switch refers to the network interface Snort should listen to such as eth0. For example: sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf

  24. Hi

    When trying to run configuration test, I get the message “Failed to parse the IP address: server_public_ip/32. What should I do now?

    Thanks

  25. Janne Ruostemaa

    Hi Rory, thanks for the question. You would need to replace the server_public_ip in your /etc/snort/snort.conf with your own IP address to set the home network, for example, ipvar HOME_NET 94.123.234.214/32

  26. ERROR! LuaJIT library not found. Go get it from http://www.luajit.org/ (or)
    Try compiling without openAppId using '--disable-open-appid'
    configure: error: “Fatal!”

  27. Janne Ruostemaa

    Hi Vanelle, thanks for the comment. You would need to make sure the LuaJIT library is installed, try running the following command sudo apt install -y libluajit-5.1-dev and then attempt to compile Snort again.

  28. Hello, thanks for the great tutorial.
    Please can you help me?
    ————————————————–
    sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf
    ————————————————–
    Result
    [ Number of patterns truncated to 20 bytes: 45 ]
    pcap DAQ configured to passive.
    Acquiring network traffic from “eth0”.
    Reload thread starting…
    Reload thread started, thread 0x7f18209f4700 (2541)
    ERROR: Can’t start DAQ (-1) – SIOCGIFHWADDR: No such device!
    Fatal Error, Quitting..
    ————————————————-
    What should I do?
    Thanks

  29. Janne Ruostemaa

    Hi there, thanks for the question. The error would indicate that your network interface is not called eth0. Have a look at your network information with the command ip addr and check what your internet-facing network interface is called. Then replace eth0 with it in the Snort run command.

  30. Janne Ruostemaa

    Hi Yakob, thanks for the comment. You need to use your personal “oinkcode” which you can find in the Snort user account details after registering. Alternatively, you can use the community rules wget https://www.snort.org/rules/community -O ~/community.tar.gz

  31. Hi! First of all thanks for the tutorial.

    I have the following problem after running [osboxes@localhost snort-2.9.15]$ ./configure --enable-sourcefire && make && sudo make install
    ../../src/util.h: At top level:
    ../../src/util.h:377:21: error: static declaration of ‘gettid’ follows non-static declaration
    377 | static inline pid_t gettid(void)
    | ^~~~~~
    In file included from /usr/include/unistd.h:1170,
    from /usr/local/include/daq_common.h:25,
    from /usr/local/include/daq.h:26,
    from ../../src/decode.h:48,
    from ../../src/spo_plugbase.h:31,
    from ../../src/snort.h:36,
    from sfcontrol.c:37:
    /usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here
    34 | extern __pid_t gettid (void) __THROW;
    | ^~~~~~
    make[3]: *** [Makefile:362: sfcontrol.o] Error 1
    make[3]: Leaving directory ‘/home/osboxes/snort-2.9.15/src/control’
    make[2]: *** [Makefile:558: all-recursive] Error 1
    make[2]: Leaving directory ‘/home/osboxes/snort-2.9.15/src’
    make[1]: *** [Makefile:516: all-recursive] Error 1
    make[1]: Leaving directory ‘/home/osboxes/snort-2.9.15’
    make: *** [Makefile:382: all] Error 2

    I tried to fix it following this http://cgit.openembedded.org/meta-openembedded/tree/meta-networking/recipes-connectivity/snort/snort/0001-chdeck-for-gettid-API-during-configure.patch?h=master but it does not work.

    Can you help me?

  32. Janne Ruostemaa

    Hi there, thanks for the question. It would seem a function declaration in the Snort source code is conflicting with an existing library. The instructions in the link you included should, in theory, solve the conflict. If not, you could try temporarily disabling the existing declaration by renaming the file /usr/include/bits/unistd_ext.h to something else and then running the ./configure --enable-sourcefire command again. Don't forget to name the /usr/include/bits/unistd_ext.h file back to the original afterwards.

  33. Hello and thanks for the guide!

    My problem: I’ve enabled (uncommented) preprocessors in my conf, however when I ping my host I still get

    Warning: no Preprocessors configured for policy 0.

    What could be the reason?

  34. Janne Ruostemaa

    Hi Anna, thanks for the question. When running Snort, make sure you include the right configuration file, for example, snort -v -c /etc/snort/snort.conf

  35. Safar Mohammad Forotan

    Hello dear Ruostemaa,
    Thank you for the documentation.
    I did these configurations from beginning till the end but I cannot get the effect of detection.
    Also, there is nothing in the log file: /var/log/snort#
    Please help me.

  36. Janne Ruostemaa

    Hi there, thanks for the comment. I would first suggest checking that your rules are being included. Any local rules like the ping detection in the example need to be added manually, while community rules have many useful detector rules. You can test your configuration with snort -T -c /etc/snort/snort.conf but note that it exits the program after the test. Start Snort in the foreground e.g. with snort -v -c /etc/snort/snort.conf which will allow you to see any reports right away.

  37. Hello, I would ask… how to log snort alert in /var/log/snort/alert? Since I have to process it by using swatch.

  38. Janne Ruostemaa

    Hi there, thanks for the question. You could try enabling the Snort output to syslog which should be easier for swatch to monitor.

  39. Whenever I run snort -r on a log file I get the below error.

    Running in packet dump mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    pcap DAQ configured to read-file.
    ERROR: Can’t initialize DAQ pcap (-1) – unknown file format
    Fatal Error, Quitting..

  40. Janne Ruostemaa

    Hi there, thanks for the question. It’s likely that the log file is empty, I’d check your rules and do a test run on the terminal to see what you should have in the logs.

  41. There are several logs in that directory and each log (aside from the first couple that I tested with) is 128 MB.

    Sample output from an ls -lh command:
    -rw------- 1 snort snort 128M Jan 23 17:46 snort.log.1579826756
    -rw------- 1 snort snort 128M Jan 23 17:46 snort.log.1579826763
    -rw------- 1 snort snort 128M Jan 23 17:46 snort.log.1579826768
    -rw------- 1 snort snort 128M Jan 23 17:46 snort.log.1579826773
    -rw------- 1 snort snort 128M Jan 23 17:46 snort.log.1579826778

  42. Hi Sir, please help, I have a problem with this command:

    sudo cp /snort_src/snort-2.9.15.1.tar/etc/*.conf* /etc/snort
    cp: cannot stat ‘/snort_src/snort-2.9.15.1.tar/etc/*.conf*’: No such file or directory

    Thank you

  43. Janne Ruostemaa

    Hi there, thanks for the question. The command you need to use is sudo cp ~/snort_src/snort-2.9.15.1/etc/*.conf* /etc/snort as you cannot copy directly from inside a .tar package.

  44. Any thoughts?

  45. Hi mister,
    I have a problem viewing my logs. I got the following error.
    How can I fix that?

    snort -r /var/log/snort/snort.log.1581521350
    Running in packet dump mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    pcap DAQ configured to read-file.
    ERROR: Can't initialize DAQ pcap (-1) - /var/log/snort/snort.log.1581521350: Permission denied
    Fatal Error, Quitting..

    greetings,
    Markus

  46. Janne Ruostemaa

    Hi Markus, thanks for the question. According to the error message, it seems your user name does not have permission to access the log files. You may wish to use sudo to run the snort log command or switch temporarily to the root user.

  47. Hello, I followed this manual and it works fine, but when I run sudo systemctl status snort
    I get Unit snort.service could not be found.
    I don't know for what reason, since Snort is looking at the traffic.

  48. Janne Ruostemaa

    Hi Luis, thanks for the question. It’s likely that snort.service hasn’t been loaded. Check that the service file /lib/systemd/system/snort.service is set and then run sudo systemctl daemon-reload

  49. Dear Janne,
    Thanks for great article!
    I'd like to run SNORT 3.0 or later on top of DPDK. Is there existing support for that?
    I'm trying to do that by myself but no DPDK driver is registered when I run snort.

  50. Janne Ruostemaa

    Hi Michael, thanks for the question. Snort 3.0 is still currently in beta but you can test it by installing it from the source, though I don't think there's official support for DPDK, at least not yet. We don't have a guide for Snort 3.0 specifically and it'll likely differ in some points from the older 2.9 versions but the overall process should be similar.

  51. Dear Janne, thank you for reply. I check the link but found the DPDK support is on roadmap only and not yet implemented.

    Regards,
    Michael

  52. Thanks dude! This guide is very useful!

  53. AdjabiAbderrahmane

    Hi i did everything as you said .. but when i tried that rule snort stuck at Commencing packet processing …

  54. Janne Ruostemaa

    Hi there, thanks for the question. Try running the config test again to see if there's some hint at what might be amiss: sudo snort -T -c /etc/snort/snort.conf

  55. Hey Guys,

    When downloading “wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
    I get this error –

    system@ubuntu:~$ wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
    --2020-05-21 05:35:48-- https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
    Resolving www.snort.org (www.snort.org)... 104.18.138.9, 104.18.139.9, 2606:4700::6812:8b09, ...
    Connecting to www.snort.org (www.snort.org)|104.18.138.9|:443... connected.
    HTTP request sent, awaiting response... 404 Not Found
    2020-05-21 05:35:48 ERROR 404: Not Found.

    Any clue what the issue and how could this be fixed???

  56. Janne Ruostemaa

    Hi Dion, thanks for the comment. Snort recently updated their DAQ to version 2.0.7 and don't seem to like to keep older versions available, hence the missing file. We've updated the tutorial with steps to install the latest versions, DAQ 2.0.7 and Snort 2.9.16.

  57. Hey,
    When running the test i get the error below
    system@ubuntu:~/snort_src/snort-2.9.16$ sudo snort -T -c /etc/snort/snort.conf
    Running in Test mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file “/etc/snort/snort.conf”
    PortVar ‘HTTP_PORTS’ defined : [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
    PortVar ‘SHELLCODE_PORTS’ defined : [ 0:79 81:65535 ]
    PortVar ‘ORACLE_PORTS’ defined : [ 1024:65535 ]
    PortVar ‘SSH_PORTS’ defined : [ 22 ]
    PortVar ‘FTP_PORTS’ defined : [ 21 2100 3535 ]
    PortVar ‘SIP_PORTS’ defined : [ 5060:5061 5600 ]
    PortVar ‘FILE_DATA_PORTS’ defined : [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
    PortVar ‘GTP_PORTS’ defined : [ 2123 2152 3386 ]
    Detection:
    Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
    ERROR: /etc/snort/../rules/local.rules(0) Unable to open rules file “/etc/snort/../rules/local.rules”: No such file or directory.

    Fatal Error, Quitting..
    system@ubuntu:~/snort_src/snort-2.9.16$

  58. I do see you have mentioned the below:
    It seems your rule path in the /etc/snort/snort.conf is set relative to the working directory but uses the whole path. Check the snort.conf file and set the rule path exactly like this: var RULE_PATH /etc/snort/rules

    The warning is normal and nothing to worry about as the example configuration just doesn’t include a preprocessor.

    But where can this be changed in the file?

  59. Hey,

    So i managed to get this above working with no issues,

    When testing the configuration I am getting some issues

    This is a result of the status
    system@ubuntu:~$ sudo systemctl status snort
    ● snort.service – LSB: Lightweight network intrusion detection system
    Loaded: loaded (/etc/init.d/snort; generated)
    Active: failed (Result: exit-code) since Fri 2020-05-22 21:08:32 PDT; 21s ago
    Docs: man:systemd-sysv-generator(8)

    May 22 21:08:32 ubuntu snort[55791]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    May 22 21:08:32 ubuntu snort[55791]: alert_fragments: INACTIVE
    May 22 21:08:32 ubuntu snort[55791]: alert_large_fragments: INACTIVE
    May 22 21:08:32 ubuntu snort[55791]: alert_incomplete: INACTIVE
    May 22 21:08:32 ubuntu snort[55791]: alert_multiple_requests: INACTIVE
    May 22 21:08:32 ubuntu snort[55791]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_SDF version 1.1.1 (-1)
    May 22 21:08:32 ubuntu snort[55781]: …fail!
    May 22 21:08:32 ubuntu systemd[1]: snort.service: Control process exited, code=exited status=1
    May 22 21:08:32 ubuntu systemd[1]: snort.service: Failed with result ‘exit-code’.
    May 22 21:08:32 ubuntu systemd[1]: Failed to start LSB: Lightweight network intrusion detection system.

  60. Janne Ruostemaa

    Hi Dion, thanks for the question. The problem likely occurred if you installed the latest version on top of an older installation. Check the dynamic preprocessors with ls -la /usr/local/lib/snort_dynamicpreprocessor and remove any libsf_sdf_preproc.* files older than the newest files in that directory.

  61. Hey,

    Still getting the below

    ● snort.service – LSB: Lightweight network intrusion detection system
    Loaded: loaded (/etc/init.d/snort; generated)
    Active: failed (Result: exit-code) since Sat 2020-05-23 22:33:50 PDT; 19s ago
    Docs: man:systemd-sysv-generator(8)
    Process: 85124 ExecStart=/etc/init.d/snort start (code=exited, status=1/FAILURE)

    May 23 22:33:50 ubuntu snort[85133]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    May 23 22:33:50 ubuntu snort[85133]: alert_fragments: INACTIVE
    May 23 22:33:50 ubuntu snort[85133]: alert_large_fragments: INACTIVE
    May 23 22:33:50 ubuntu snort[85133]: alert_incomplete: INACTIVE
    May 23 22:33:50 ubuntu snort[85133]: alert_multiple_requests: INACTIVE
    May 23 22:33:50 ubuntu snort[85133]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_SDF version 1.1.1 (-1)
    May 23 22:33:50 ubuntu snort[85124]: …fail!
    May 23 22:33:50 ubuntu systemd[1]: snort.service: Control process exited, code=exited status=1
    May 23 22:33:50 ubuntu systemd[1]: snort.service: Failed with result ‘exit-code’.
    May 23 22:33:50 ubuntu systemd[1]: Failed to start LSB: Lightweight network intrusion detection system.

  62. Did this but had no luck

  63. How do I configure Snort and forward the rule to my different machine in VM?

  64. Is there any way the snort file could be modified?
    If so how can that be done?

  65. Janne Ruostemaa

    Hi there, thanks for the question. I’m assuming you want to have Snort monitor the network traffic of another server. If that’s the case, you’d need to route the network traffic through your Snort server, for example, by creating a private network and configuring the Snort server as a routing gateway for all traffic.

  66. Thanks for the tutorial. All works fine except reading logs. initd started and created /var/log/snort/snort.log and alert.log with some content in it (binary). I use Debian 10.

    If I start “snort -r /var/log/snort/snort.log” I get:

    Running in packet dump mode
    --== Initializing Snort ==--
    Initializing Output Plugins!
    pcap DAQ configured to read-file.
    ERROR: Can't initialize DAQ pcap (-1) - unknown file format
    Fatal Error, Quitting..

  67. Janne Ruostemaa

    Hi Martin, thanks for the question. Snort often gives this error when the log file is empty. Try to run Snort on the console to see if your rules trigger alerts sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf . If the alerts show, e.g. when pinging the server, you should also be able to read the logs.

  68. Thank you for the tuto

    Could you help me please by replying these questions :
    1. How to run Snort in Dataset (i.e KDD dataset) ?
    2. When can I find the alerts generated by Snort ? and how to know what alert is from which class (class means : False Positive, False Negative, True Positive or True Negative) ?

    Thank you in advance.

  69. Janne Ruostemaa

    Hi there, thanks for the question. You should be able to have snort read captured network package files in .pcap format by using the following commands snort -c /etc/snort/snort.conf -r /path/to/test/traffic.pcap as an example. You may want to set a specific configuration for analysis. As for classifying the alert types you mentioned, presumably, you would need to know the type for each network package and compare e.g. timestamps with recorded alerts in /var/log/snort/alert.log to figure out how Snort responded to the network event.

  70. Thanks for your tutorial,it helps a lot.
    why i typed “snort -v -c /etc/snort/snort.conf”
    there also exists the problem “No preprocessors configured for policy 0”
    it confuses me very much!!

  71. Thank you for the excellent instructions, but if I want to use IPS mode, how can I configure it? I use snort 2.9.16, thanks!

  72. Janne Ruostemaa

    Hi there, thanks for the question. It’s possible to run Snort as an intrusion prevention system but it does add a fair bit of complexity to setup. You can find out more about it in Snort’s IPS mode tutorial.

  73. Janne Ruostemaa

    Hi there, thanks for the question. The warning on preprocessors is nothing to worry about, it simply means there’s no preprocessor in use for that rule. Preprocessor code is run before the detection engine is called, but after the packet has been decoded. The packet can be modified or analyzed in an out-of-band manner using this mechanism. You can read more about Snort preprocessors if you want to configure one for your rule.

  74. thanks for your comments, but these days I am trying to run snort as a common user, as you mentioned in the above tutorial: "sudo groupadd snort
    sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort"

    and every time I run the command "sudo -u snort snort", it displays "ERROR: Can't start DAQ (-1) - socket: Operation not permitted!"

    What should I do if I want to run snort as the nologin user snort?

  75. Janne Ruostemaa

    Hi Wei, thanks for the question. Running snort requires elevated privileges using sudo which is interpreting the command sudo -u snort snort as “use snort user to execute command snort” and doesn’t pass the privileges to the snort command. Snort itself includes options to run using a specific user, you should try e.g. sudo snort -u snort -g snort to have the snort command first, then the user and group parameters.

  76. should i run snort on other nologin user using the following command,
    snort -i eth0 -dev icmp and src xxxx -D -u snort -g snort
    this means snort is running in another non-root user?
    thank you

  77. thank you, i have understood, no additional reply,
    take good care of yourself,
    thanks again!

  78. Dear, Janne
    Your instructions to install snort are superb. They are very well written. Thank you so much!
    I spent quite a lot of time following wrong instructions to install from various sites (e.g. https://medium.com/@koayyongcett/snort-installation-in-kali-linux-from-the-source-9a005558a2ea)
    Now.. to my question.
    After I upgraded to 2.9.16 from 2.9.2.2, I still see the older version
    when I issue the command without sudo access. With sudo access, it shows the correct version.
    e.g.
    sudo snort --version
    Version 2.9.16 GRE
    and without sudo
    2.9.2.2

    What needs to be changed?

    A disclaimer: I’m new to Linux and snort. Trying to prepare for the school project in about week.

  79. Janne Ruostemaa

    Hi Boris, thanks for the question. Installing a new version of Snort on top of an old may cause some issues depending on what’s changed in the update. It seems you have an old version of Snort binary that can still be found in your PATH variable, echo $PATH. I’d recommend checking up for any old files e.g. with find /usr -name "snort" -type f -executable which should only return one file, usually at /usr/local/bin/snort and remove the old one. You can see which file is newer by listing the files for example with ls -l /usr/local/bin

  80. Thank you Janne for great manual and information. It is really great and detailed.

    I observe that when I leave ICMP test in local.rules my network is pinged every 10 minutes. I just can’t figure out what is sending these two packets.

    Thanks!

  81. Janne Ruostemaa

    Hi Bojan, thanks for the comment. It’s common to have network health monitors use ping to periodically check if devices are reachable. Also, public IPs often get randomly pinged by bot networks.

  82. Thank you Janne.

  83. Hi Sir, first of all thank you so much for this tutorial.

    So after doing all the installation, when I tried to test with:
    sudo snort -T -c /etc/snort/snort.conf

    I get this message:
    snort: error while loading shared libraries: libpcre.so.1: cannot open shared object file: No such file or directory

    I already find this file at -> /opt/bitnami/common/lib/libpcre.so.1
    and try to export with:
    export LD_LIBRARY_PATH=/opt/bitnami/common/lib:$LD_LIBRARY_PATH

    but nothing works.

  84. Janne Ruostemaa

    Hi Felipe, thanks for the question. You should check that you have libpcre3-dev installed, it would usually be found at /usr/lib/x86_64-linux-gnu/libpcre32

  85. Great tutorial, everything is working so far, I have a question:

    How do I monitor two interfaces?

    is it as easy as including two int in snort.service

    [Unit]
    Description=Snort NIDS Daemon
    After=syslog.target network.target

    [Service]
    Type=simple
    ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i enp3s0f0

    [Install]
    WantedBy=multi-user.target

    ** if so what would the service config look like?

  86. Janne Ruostemaa

    Hi Rob, thanks for the question. As far as I can tell, Snort doesn’t support specifying multiple interfaces as is. However, you should be able to get around this by running multiple instances of Snort. You’ll likely also need to create a separate configuration file for each NIC, e.g. /etc/snort/snort.enp3s0f0.conf and specify each to use their own log. Then start snort for one interface by running snort -q -u snort -g snort -c /etc/snort/snort.enp3s0f0.conf -i enp3s0f0 and starting a second instance for your other network interface.

    You can also configure the service file to take a parameter to define which NIC you want to start.
    Rename the snort.service to /lib/systemd/system/snort@.service and set the ExecStart as follows.

    ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.%i.conf -i %i

    Afterwards, reload the system daemon and then start each instance of Snort by adding your NIC to the service call. E.g.

    sudo systemctl start snort@enp3s0f0

  87. Hi sir, I understood installation part I have a basic doubt if I mention HOME_NET cidr block can my snort server be able to detect packets flowing in the HOME_NET or is it only the reference in logs to print appropriate timestamp with local ip address.

  88. Janne Ruostemaa

    Hi there, thanks for the question. Snort uses the HOME_NET to define the IP addresses it's supposed to protect and EXTERNAL_NET as everything else. These can then be used to define detection rules that are easier to read. For example, alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;) alerts on any ping from an external IP to the server's IP address.

  89. Yashaswi Dasari

    sudo snort -T -c /etc/snort/snort.conf
    Running in Test mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file “/etc/snort/snort.conf”
    PortVar ‘HTTP_PORTS’ defined : [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
    PortVar ‘SHELLCODE_PORTS’ defined : [ 0:79 81:65535 ]
    PortVar ‘ORACLE_PORTS’ defined : [ 1024:65535 ]
    PortVar ‘SSH_PORTS’ defined : [ 22 ]
    PortVar ‘FTP_PORTS’ defined : [ 21 2100 3535 ]
    PortVar ‘SIP_PORTS’ defined : [ 5060:5061 5600 ]
    PortVar ‘FILE_DATA_PORTS’ defined : [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
    PortVar ‘GTP_PORTS’ defined : [ 2123 2152 3386 ]
    Detection:
    Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
    ERROR: /etc/snort//etc/snort/rules/app-detect.rules(0) Unable to open rules file “/etc/snort//etc/snort/rules/app-detect.rules”: No such file or directory.

    Fatal Error, Quitting..

  90. Janne Ruostemaa

    Hi Yashaswi, thanks for the comment. The error at the end of the test indicates that Snort is using a relative path for the rules directory. You should remove the /etc/snort/ from your snort.conf file to make it look like the following:

    # Path to your rules files (this can be a relative path)
    var RULE_PATH rules
    var SO_RULE_PATH so_rules
    var PREPROC_RULE_PATH preproc_rules

  91. Did you solve it? I have the same problem

  92. Janne Ruostemaa

    Hi there, thanks for the comment. If you are getting the “Failed to initialize dynamic preprocessor: SF_SDF version 1.1.1 (-1)” error, it’s likely a version conflict. Have you perhaps installed two different versions of Snort or rule sets? If so, you should uninstall the old versions and make a clean install.

  93. Hi Janne, your instructions are really well-written and definitely helped me a lot! But when I test my snort, an error as shown below occurred.

    Running in Test mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file “/etc/snort/snort.conf”

    Reputation config:
    WARNING: Can’t find any whitelist/blacklist entries. Reputation Preprocessor disabled.

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains…
    ERROR: /etc/snort/rules/local.rules(8) Illegal direction specifier: ->
    Fatal Error, Quitting..

  94. Janne Ruostemaa

    Hi Alccy, thanks for the comment. The error would indicate that you have a formatting error in your local.rules file. It could be an issue of different typeface so try to copy and paste the test rule as is and try running the snort config test again.

    alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
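
An added example, not part of the thread and not Snort's own tooling, for the "Illegal direction specifier" error above: a linter for local.rules that flags the bytes a web page substitutes when a rule is copied and pasted (curly quotes, en dashes, an arrow glyph in place of ->), a direction field that is not -> or <>, rules without a sid, and duplicate sids, so the problem is visible before snort -T is run. It assumes one rule per line starting at column 0 with the header fields separated by whitespace; IP or port lists written with spaces inside the brackets would shift the field count.

```shell
#!/bin/sh
# Added example: lint a Snort 2 rules file before "snort -T".
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
lint_snort_rules() {
    file="$1"
    findings=0
    n=0
    set -f   # no globbing while the rule header is split into fields
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Count bytes outside tab and printable ASCII (space..tilde): the
        # characters Snort's parser cannot read and that HTML typography
        # silently introduces. LC_ALL=C makes tr work on raw bytes.
        bad=$(printf '%s' "$line" | LC_ALL=C tr -d '\011\040-\176' | wc -c | tr -d ' ')
        if [ "$bad" -gt 0 ]; then
            echo "$file:$n: $bad non-ASCII/control byte(s)"
            findings=1
        fi
        # Only rule lines are inspected; blanks and comments are skipped.
        case "$line" in
            alert\ *|log\ *|pass\ *|drop\ *|reject\ *|sdrop\ *) ;;
            *) continue ;;
        esac
        # Header: action proto src sport direction dst dport (options...)
        set -- $line
        dir="$5"
        if [ "$dir" != "->" ] && [ "$dir" != "<>" ]; then
            echo "$file:$n: direction operator is '$dir', expected -> or <>"
            findings=1
        fi
        case "$line" in
            *"sid:"[0-9]*";"*) ;;
            *) echo "$file:$n: rule has no sid"; findings=1 ;;
        esac
    done < "$file"
    set +f
    # Duplicate sids make Snort reject the rule set; report each once.
    dups=$(sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p' "$file" | sort | uniq -d)
    for s in $dups; do
        echo "$file: sid $s defined more than once"
        findings=1
    done
    return $findings
}

# Usage: sh lint.sh /etc/snort/rules/local.rules
if [ -n "${1:-}" ]; then lint_snort_rules "$1"; fi
```

A clean file produces no output and exit status 0, so the linter can sit in front of sudo snort -T -c /etc/snort/snort.conf in a deployment script.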
  95. Alexandros Antonopoulos

    Commencing packet processing (pid=xxxx) also here but when i Ctrl + C i see the results of snort

  96. Janne Ruostemaa

    Hi Alexandros, thanks for the comment. Your output settings might be slightly different to create this type of functionality. You might want to check your snort.conf and set the unified2 output to log the alerts instead of printing them to the command line.

  97. Hi there Janne! Everything works well on my Snort, but when i run the command “sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf”, i get stuck on the Commencing packet processing (pid=xxxx). I tried to ping from two different pc but have no luck with any logs displaying on ubuntu. I have tried to check sudo snort -T -c /etc/snort/snort.conf as well but there are no errors. Any ideas how to solve this problem? Thank you in advance!

  98. Alexandros Antonopoulos

    Thank you for the response...
    No, everything I tried gives the same problem: stuck on Commencing packet processing. I have tried many things to solve it but nothing works... any idea? I also ran sudo snort -T -c /etc/snort/snort.conf, no errors found

  99. Janne Ruostemaa

    Hi Yan, thanks for the comment. If Snort starts successfully by running the command you mentioned, it’s probably just that the alert rule isn’t triggering. Running snort in the console is supposed to stay at the foreground and is meant just for testing. Check that you’ve enabled the local rules in your snort.conf. You can also change the rule to

    alert icmp any any -> any any (msg:"ICMP test"; sid:10000001; rev:001;)

    to also detect outgoing pings.

  100. Janne Ruostemaa

    Right, if you are starting snort using the -A console option, it’s meant to stay up and wait for detections until stopped with ctrl+c. If you are not getting any output, you should check your alert rules to make sure they are detecting what you want.

  101. Snort 3.0 is under way.

  102. Alexandros Antonopoulos

    any any -> any any

    instead

    any any -> $HOME_NET any

    solve the problem thank you very much

  103. Janne Ruostemaa

    Hi Pek, thanks for the comment. You are right that Snort 3.0 is in development but currently only available in beta. We’ll look at updating the tutorials when 3.0 is released.

  104. Hi Janne!
    Thank you for posting this amazing tutorial. It was a big help for me! However I am running into some errors after installing it and would like your help.

    My first couple of errors were
    1. ERROR: /etc/snort/snort.conf(249) Could not stat dynamic module path “/usr/local/lib/snort_dynamicpreprocessor/”: No such file or directory.
    2. ERROR: /etc/snort/snort.conf(252) Could not stat dynamic module path “/usr/local/lib/snort_dynamicengine/libsf_engine.so”: No such file or directory.

    --> I worked through those errors by just making directories for them. Yet this next error initiates more.

    3. ERROR: /etc/snort//etc/snort/rules/etc/snort/rules/community.rules(0) Unable to open rules file “/etc/snort//etc/snort/rules/etc/snort/rules/community.rules”: No such file or directory.

    I saw that you suggested going into the /etc/snort/snort.conf file and setting the rule path to: var RULE_PATH /etc/snort/rules, which I did, and I even changed the site specific rules to include /etc/snort/rules/community.rules, yet I am still running into the same error.

    I would really appreciate your help!

  105. Janne Ruostemaa

    Hi Aliyah, thanks for the comment. It looks like your RULES_PATH is expecting to be entered relative to the install directory. Try setting it as just rules instead. Also, if you are missing the community rules, they can be downloaded from https://snort.org/downloads/community/community-rules.tar.gz
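
An added example, mine rather than the tutorial's or Snort's, for the rules-path problem in this reply and in the earlier one about app-detect.rules: a pre-flight that reads snort.conf, expands $RULE_PATH, $SO_RULE_PATH and $PREPROC_RULE_PATH in every include line, resolves anything not starting with / against the directory holding snort.conf (which is the prefix Snort prepends in the errors quoted in the thread), and lists the files that do not exist before snort -T is run. It assumes the stock snort.conf layout of plain `var` and `include` lines; the resolved path it prints can be compared directly with whatever path Snort complains about.

```shell
#!/bin/sh
# Added example: check that every file included by a Snort 2.9 snort.conf
# exists, resolving paths the way Snort does. Assumes the standard path
# variables RULE_PATH, SO_RULE_PATH and PREPROC_RULE_PATH.

# Value of a "var NAME value" line in the conf (the last definition wins).
conf_var() {
    # $1 = conf file, $2 = variable name
    awk -v name="$2" '$1 == "var" && $2 == name { val = $3 } END { print val }' "$1"
}

# A path that does not start with "/" is taken relative to the conf directory,
# which is how "var RULE_PATH rules" becomes /etc/snort/rules.
resolve_path() {
    # $1 = conf directory, $2 = path
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# Every "include" target of the conf, variables expanded, as absolute paths.
# Commented-out includes ("# include ...", "#include ...") are skipped.
list_includes() {
    conf="$1"
    conf_dir=$(dirname "$conf")
    rule_path=$(resolve_path "$conf_dir" "$(conf_var "$conf" RULE_PATH)")
    so_rule_path=$(resolve_path "$conf_dir" "$(conf_var "$conf" SO_RULE_PATH)")
    preproc_rule_path=$(resolve_path "$conf_dir" "$(conf_var "$conf" PREPROC_RULE_PATH)")
    awk '$1 == "include" { print $2 }' "$conf" |
    sed -e "s|\$RULE_PATH|$rule_path|g" \
        -e "s|\$SO_RULE_PATH|$so_rule_path|g" \
        -e "s|\$PREPROC_RULE_PATH|$preproc_rule_path|g" |
    while IFS= read -r inc; do
        resolve_path "$conf_dir" "$inc"
    done
}

# Returns 0 if every included file exists, 1 otherwise; prints the missing ones.
check_includes() {
    missing=0
    for f in $(list_includes "$1"); do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f"
            missing=1
        fi
    done
    return $missing
}

# Usage: sh check-includes.sh /etc/snort/snort.conf
if [ -n "${1:-}" ]; then check_includes "$1"; fi
```

Running it against /etc/snort/snort.conf before sudo snort -T shows, for each include, the exact path Snort will try to open; a MISSING line for a rules file points at either a wrong RULE_PATH or a rule set that was never copied into /etc/snort/rules.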

  106. Hello Janne, thank you for these instructions. My snort "alert" file (in this path: var/log/snort/alert) is empty. Same thing for the "snort.log" file.
    However snort.log.xxxx is not empty.

    Thank you

  107. Janne Ruostemaa

    Hi Mari, thanks for the comment. Snort dates its logs by adding a timestamp to the end of the log file name which also applies for the alert logs. Check the log files that end with a long number.

  108. Hi Janne,
    Thanks for this great tutorial, i have successfully installed snort and the test ICMP ping is also detected.
    I have registered and downloaded the rules with my code but about 90 percent of all the rule files have no rules, they only have the copyright text at the top of these files.
    Any

  109. Janne Ruostemaa

    Hi Josh, thanks for the comment. You are right that quite a few of the registered user rules are just place holders but there are also many with highly detailed detection rules for applications, exploits and malware.

  110. Good to know and thanks

  111. Hi Janne,
    Once again, thanks for your time.

    I have gone through many tutorial about setting up snort as IPS but I just want to verify one thing if I actually get it right from the tutorials and documents.

    It will seem that to setup snort as IPS, you need to install snort on one computer and set it up as IPS, then connect other computers that you actually want to protect.
    This will mean that you cannot setup snort in single cloud Server as IPS and for the purpose of protecting this same single Cloud Server. Is this right?

  112. Janne Ruostemaa

    Hi Josh, thanks for the question. Snort monitors the traffic going through the network interface on the installed server. It’s relatively lightweight and can be used for monitoring on a single cloud server. In network-wide monitoring, the Snort server should be set up as the default gateway for all other servers it is meant to protect.

  113. Thanks for the reply Janne.
    I understand that it can be used for monitoring on a single cloud server, triggering alerts when set up as NDS. What I am not sure about is, if snort is set up as IPS on a single cloud Server, can it protect this single Server, like drop incoming packets?
    Like if i only have one single cloud server, can i setup snort as IPS on this single server, to protect it like drop packets?

  114. Thank you sir!

  115. Help Me Sir
    My Command :

    root@debian-mgl:~/snort_src/snort-2.9.17# sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf
    Running in IDS mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file “/etc/snort/snort.conf”
    PortVar ‘HTTP_PORTS’ defined : [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
    PortVar ‘SHELLCODE_PORTS’ defined : [ 0:79 81:65535 ]
    PortVar ‘ORACLE_PORTS’ defined : [ 1024:65535 ]
    PortVar ‘SSH_PORTS’ defined : [ 22 ]
    PortVar ‘FTP_PORTS’ defined : [ 21 2100 3535 ]
    PortVar ‘SIP_PORTS’ defined : [ 5060:5061 5600 ]
    PortVar ‘FILE_DATA_PORTS’ defined : [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
    PortVar ‘GTP_PORTS’ defined : [ 2123 2152 3386 ]
    Detection:
    Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
    ERROR: /etc/snort/snort.conf(260) Missing/incorrect dynamic engine lib specifier.
    Fatal Error, Quitting..

    How is the solution to this problem in debian 10 Sir?

  116. Please, update this manual to Snort 3.x.

  117. Janne Ruostemaa

    Hi Aron, thanks for the comment. With the release of Snort 3, we’ll certainly look into getting the tutorial updated for the new version. Stay tuned.

  118. Janne Ruostemaa

    Hi there, thanks for the comment. The error is likely referring to a line in your snort.conf which should read dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so Check that the dynamic engine is specified and that the library file listed is available. If it’s missing, you can redownload the snort package and get it from snort-2.9.17/src/dynamic-plugins/sf_engine/.libs/libsf_engine.so

  119. When running this comand :
    ./configure --enable-sourcefire && make && sudo make install

    It return :
    ./configure: line 13028: daq_load_modules in -ldaq_static... no
    ERROR! daq_static library not found, go get it from http://www.snort.org/

  120. Janne Ruostemaa

    Hi there, thanks for the comment. It seems you are missing DAQ. Check that you've run the autoreconf -f -i command, then configure, make and install DAQ. Afterwards, try configuring Snort again.

  121. Hello, thank you for your response,
    I tried these instructions again :
    autoreconf -f -i
    ./configure && make && sudo make install
    cd snort-2.9.17.1
    ./configure --enable-sourcefire && make && sudo make install

    Still return :
    ./configure: line 13028: daq_load_modules in -ldaq_static... no
    ERROR! daq_static library not found, go get it from http://www.snort.org/

    But I shoud note that running (./configure && make && sudo make install), returned also the following lines :
    config.status: error: in 'home/mari/snort_src/daq-2.0.7':
    config.status: error: Something went wrong bootstrapping makefile fragments for automatic dependency tracking. Try re-running configure with the '--disable-dependency-tracking' option to at least be able to build the package (albeit without support for automatic dependency tracking).
    See ‘config.log’ for more details

  122. Janne Ruostemaa

    Right so DAQ is failing on configuration preventing it from being installed which in turn is causing Snort config to fail. You could try following the suggestion in the error message and configuring DAQ without automatic dependency tracking.

    ./configure --disable-dependency-tracking && make && sudo make install

    See if that completes successfully and then try configuring and installing Snort itself.

  123. Hi Janne,
    To run Snort on pcap I used the following command :
    $ snort -r /home/mina/Downloads/test.pcap -c /etc/snort/snort.conf -l /var/log/snort/

    I tried to read Snort log file :
    $ sudo snort -r /var/log/snort/snort.log.xxxxxxx

    Running in packet dump mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    pcap DAQ configured to read-file.
    ERROR: Can't initialize DAQ pcap (-1) - truncated dump file; tried to read 4 file header bytes, only got 0
    Fatal Error, Quitting..

    N.B
    I’m on Ubuntu 20.04, and I installed Snort 2.9.17.1

  124. Hello,
    Run Snort on a PCAP file, it does not detect nothing.
    I uncommented the Rules in step #7 in snort.conf ?

    Thank you.

  125. Janne Ruostemaa

    Hi Mina, thanks for the question. Snort is able to analyse PCAP type files but the detections will depend on the rules you used and the captured network traffic recorded in the file. Having Snort read PCAP files can be helpful in troubleshooting detection rules so if you know your file contains certain network traffic you are trying to detect, double-check your rules and try again.

  126. Janne Ruostemaa

    The error would indicate that the log file is empty, it’s likely that your rules didn’t detect anything during the log time.

  127. Hi Janne,

    Thank you for your tutorial, it helped me a lot.

    I have compiled snort 2.9.17.1 GRE (Build 1013) aarch64 from source on openSUSE Tumbleweed. I can observe ICMP packets via console, including the ping test. I am struggling to daemonise it. I've tried various commands and I always end up with a 'merged.log' file in /var/log/snort/ . When I run it via console, it generates the 'snort.log.xxxxx' file and no 'merged.log' file. This doesn't happen when I try to daemonise it or when I run it in the background. Content of merged.log:

    Running in packet dump mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    pcap DAQ configured to read-file.
    ERROR: Can't initialize DAQ pcap (-1) - unknown file format
    Fatal Error, Quitting..

    When the output goes to console it prints ‘Running in IDS mode’ as opposed to ‘Running in packet dump mode’ when running it as a service/background process.

    Apologies, I’m new to all this and still trying to figure out things.

    How can I confirm the ping test when it’s running as a service?

    Could you please advise what am I doing wrong?

    Thank you.

    Kind regards,
    Radu

  128. Janne Ruostemaa

    Hi Radu, thanks for the question. Running snort in the background seems to cause some difference in logging. You should try disabling the unified2 output and enabling the log_tcpdump instead. Then restart your snort service and test if the ping rules trigger.

  129. Stephen Sobulo

    Hello sir, thank you very much for this detailed lecture. I got the following error when trying to access the log created by snort:

    stevenadeniyi@ubuntu:~/snort_src/snort-2.9.17.1$ snort -r /var/log/snort/snort.log.1623716776
    Running in packet dump mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    pcap DAQ configured to read-file.
    ERROR: Can't initialize DAQ pcap (-1) - /var/log/snort/snort.log.1623716776: Permission denied
    Fatal Error, Quitting..

    What should I do to fix this error?

  130. Janne Ruostemaa

    Hi Stephen, thanks for the question. Judging by the error “Permission denied”, you need to use sudo to read the log files. So try the following:

    sudo snort -r /var/log/snort/snort.log.1623716776

  131. Hello Jaan, thank you for your effort. I have 2 questions, if you can help me as soon as possible.
    1) I have a project in univ and we want to send different attacks from another machine to the Snort machine, and I want to see all the alerts and events, how Snort reacts to each attack. Is the output configured like you do, just reading the log file, or is there other configuration with syslog or any graphical interface to show the alerts?
    2) I have a problem when I try to run Snort in the background: the status of Snort is failed
    when I try the command: sudo systemctl status snort

    ● snort.service - Snort NIDS Daemon
    Loaded: loaded (/lib/systemd/system/snort.service; disabled; vendor preset: e
    Active: failed (Result: exit-code) since Wed 2021-06-23 15:27:36 PDT; 3s ago
    Process: 125903 ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/sn
    Main PID: 125903 (code=exited, status=1/FAILURE)

    Jun 23 15:27:36 ubuntu systemd[1]: Started Snort NIDS Daemon.
    Jun 23 15:27:36 ubuntu snort[125903]: ERROR: Can't start DAQ (-1) - eth0: SIOCET
    Jun 23 15:27:36 ubuntu snort[125903]: Fatal Error, Quitting..
    Jun 23 15:27:36 ubuntu systemd[1]: snort.service: Main process exited, code=exit
    Jun 23 15:27:36 ubuntu systemd[1]: snort.service: Unit entered failed state.
    Jun 23 15:27:36 ubuntu systemd[1]: snort.service: Failed with result 'exit-code'

  132. Janne Ruostemaa

    Hi Mohamed, thanks for the question. Looking at the error output, it seems your process start command is incomplete. Check the /lib/systemd/system/snort.service file, it should have the following line:

    ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

    Replace eth0 with your network interface if its name is something different.

  133. Thanks Jaan, it’s working. One more question: I try to use the registered user rules, but when I run Snort I just see 505 rules, which are only the community rules. What should I do or change in the snort.conf to activate the registered rules like the community rules?

  134. Janne Ruostemaa

    Once you’ve downloaded and extracted the registered users rules, you will need to enable each ruleset you want to use. Edit your /etc/snort/snort.conf file and uncomment the rules you want to enable. Similarly, you can disable the community rules by commenting out the line include $RULE_PATH/community.rules if you added that earlier.

  135. Hello Jane Rosmala, I need your help. I can’t run the commands below:

    sudo cp ~/snort_src/snort-2.9.16/etc/*.conf* /etc/snort
    sudo cp ~/snort_src/snort-2.9.16/etc/*.map /etc/snort

    Can you give me a solution?

    Thank you

  136. Janne Ruostemaa

    Hi Rifal, thanks for the comment. If you downloaded the currently latest version 2.9.18, you’ll need to update the copy commands appropriately. For example:

    sudo cp ~/snort_src/snort-2.9.18/etc/*.conf* /etc/snort
    sudo cp ~/snort_src/snort-2.9.18/etc/*.map /etc/snort

  137. Hi Janne, I’ve done according to the steps you provided, but I’m still having problems like the following:

    Running in Test mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort/snort.conf"
    PortVar 'HTTP_PORTS' defined : [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
    PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
    PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
    PortVar 'SSH_PORTS' defined : [ 22 ]
    PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]
    PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
    PortVar 'FILE_DATA_PORTS' defined : [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
    PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ]
    Detection:
    Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
    ERROR: /etc/snort/rules/app-detect.rules(0) Unable to open rules file "/etc/snort/rules/app-detect.rules": No such file or directory.

    Fatal Error, Quitting..

    Can you give me a solution?

    Thank you

  138. Janne Ruostemaa

    Seems your Snort config is expecting to find /etc/snort/rules/app-detect.rules but the file does not exist. You can either download the community rules or disable the app-detect rules by commenting out the include line in your Snort config.

  139. Hi Janne,

    Could you please help me? I followed your instructions and when I start Snort using: sudo snort -A console -i ens33 -u snort -g snort -c /etc/snort/snort.conf
    I get:

    Running in IDS mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort/snort.conf"

    --== Initialization Complete ==--

    ,,_ -*> Snort! <*-
    o" )~ Version 2.9.18 GRE (Build 169)
    '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
    Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
    Copyright (C) 1998-2013 Sourcefire, Inc., et al.
    Using libpcap version 1.9.1 (with TPACKET_V3)
    Using PCRE version: 8.39 2016-06-14
    Using ZLIB version: 1.2.11

    Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.2
    Preprocessor Object: SF_DCERPC2 Version 1.0
    Preprocessor Object: SF_SDF Version 1.1
    Preprocessor Object: SF_SMTP Version 1.1
    Preprocessor Object: SF_MODBUS Version 1.1
    Preprocessor Object: SF_SSH Version 1.1
    Preprocessor Object: SF_GTP Version 1.1
    Preprocessor Object: SF_S7COMMPLUS Version 1.0
    Preprocessor Object: SF_SIP Version 1.1
    Preprocessor Object: SF_POP Version 1.0
    Preprocessor Object: SF_DNS Version 1.1
    Preprocessor Object: appid Version 1.1
    Preprocessor Object: SF_SSLPP Version 1.1
    Preprocessor Object: SF_DNP3 Version 1.1
    Preprocessor Object: SF_IMAP Version 1.0
    Preprocessor Object: SF_REPUTATION Version 1.1
    Preprocessor Object: SF_FTPTELNET Version 1.2
    Commencing packet processing (pid=98118)

    But when I do a ping on 192.168.230.131, which is the IP I get from ip addr, I don’t get an alert and there is no log in /var/log/snort.

    Not sure what I’m doing wrong, or I’m missing something. Please help.

  140. Janne Ruostemaa

    Hi Veneta, thanks for the question. Guessing by the IP address you mentioned, you have installed Snort in your local network. You would then need to ping it from another device in the same network for the detection to work using that IP.

  141. Hi Janne, I’m having problems like the following:

    Running in Test mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort/snort.conf"
    PortVar 'HTTP_PORTS' defined : [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
    PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
    PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
    PortVar 'SSH_PORTS' defined : [ 22 ]
    PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]
    PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
    PortVar 'FILE_DATA_PORTS' defined : [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
    PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ]
    Detection:
    Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
    ERROR: /etc/snort/classification.config(0) Unable to open rules file "/etc/snort/classification.config": No such file or directory.

    Fatal Error, Quitting..

    Can you give me a solution?

    Thank you

  142. Teemu Toivanen

    Hey there!

    The error says: ERROR: /etc/snort/classification.config(0) Unable to open rules file "/etc/snort/classification.config": No such file or directory.

    So you need to confirm that the path to that file (classification.config) is correct. Did you move that classification.config file to folder: /etc/snort/ ?
    sudo cp ~/snort_src/snort-2.9.16/etc/*.conf* /etc/snort
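
    The two "Unable to open rules file ... No such file or directory" failures above (comments 137 and 141) both come from an include line in snort.conf that points at a file which was never copied into place. The check below is an added example, not code from the original guide or from the Snort project: it resolves every uncommented include line of a snort.conf, expanding var definitions such as RULE_PATH the way Snort does, and lists the files that do not exist, so the problem is found before running snort -T. The config path in the usage comment is an assumption; use whatever your installation uses.

```shell
#!/bin/sh
# Added example, not from the original guide or from the Snort project.
# Resolves every active "include" line of a snort.conf and reports the files
# that do not exist: the cause of the "Unable to open rules file ...: No such
# file or directory" errors shown in the comments above.
#
# Usage (path is an assumption, use your own):
#   snort_check_includes /etc/snort/snort.conf
# Prints "MISSING <path>" for each absent file; returns 1 if any is missing,
# 0 if every include resolves, 2 if the config itself cannot be read.
snort_check_includes() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    confdir=$(dirname "$conf")

    # Pass 1: collect "var NAME VALUE" definitions (RULE_PATH, SO_RULE_PATH,
    # PREPROC_RULE_PATH, ...) as "NAME VALUE" lines in a temp file.
    # ipvar/portvar lines do not match because they do not start with "var".
    vars=$(mktemp)
    grep -E '^[[:space:]]*var[[:space:]]+[A-Za-z_]+[[:space:]]+' "$conf" \
        | sed -E 's/^[[:space:]]*var[[:space:]]+([A-Za-z_]+)[[:space:]]+([^[:space:]]+).*/\1 \2/' \
        > "$vars"

    # Pass 2: every uncommented "include" line, with $NAME replaced by its
    # value. Snort resolves relative include paths against the directory of
    # the config file, so the same is done here.
    report=$(
        grep -E '^[[:space:]]*include[[:space:]]+' "$conf" \
            | sed -E 's/^[[:space:]]*include[[:space:]]+([^[:space:]]+).*/\1/' \
            | while IFS= read -r path; do
                while read -r name value; do
                    path=$(printf '%s' "$path" | sed "s|\\\$$name|$value|g")
                done < "$vars"
                case "$path" in
                    /*) ;;
                    *) path="$confdir/$path" ;;
                esac
                [ -e "$path" ] || echo "MISSING $path"
            done
    )
    rm -f "$vars"

    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

    Run it as a normal user against a readable copy of the config, or with sudo if /etc/snort is not world-readable; a non-zero exit means at least one include will make Snort quit with the error quoted above, and the printed paths tell you which files to copy (or which include lines to comment out).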

  143. Hi Janne, I’m having problems like the following:
    Running in packet dump mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    pcap DAQ configured to read-file.
    ERROR: Can't initialize DAQ pcap (-1) - unknown file format
    Fatal Error, Quitting..

    Can you give me a solution?

    Thank you.

  144. Janne Ruostemaa

    Hi Ryo, thanks for the question. Snort gives this error when the log file is empty. Try to run Snort on the console to see if your rules trigger alerts: sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf. If the alerts show, e.g. when pinging the server, you should also be able to read the logs.

  145. Thank you for this great tutorial! But if I try to run snort:
    sudo snort -A console -i venet0 -u snort -g snort -c /etc/snort/snort.conf
    I receive this error: ERROR: Cannot decode data link type 113
    Fatal Error, Quitting..
    Do you have a solution?

  146. Hello there, thanks for the question. Since you are not using a non-ethernet network interface, you need to add the flag --enable-non-ether-decoders when you run the configuration script.

  147. I am trying to install Snort and I have followed all your instructions, but I am stuck at the "autoreconf -f -i" stage. When I input "autoreconf -f -i" it keeps telling me "autoreconf: 'configure.ac' or 'configure.in' is required". Please, what should I do?

  148. Hello, when I run this command sudo snort -v -c /etc/snort/snort.conf I am getting this error:
    afpacket DAQ configured to inline.

    ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize: Invalid interface specification: 'enp0s3'!

  149. Janne Ruostemaa

    Hi there, thanks for the question. When running Snort, you should specify the network interface you want Snort to monitor by including e.g. -i eth0 in your command.
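
    Both the failed service in comment 131, whose ExecStart line is cut off before the interface, and the "Invalid interface specification" error in comment 148 come from Snort being started without a usable -i argument. The check below is an added example, not code from the original guide or from the Snort project: it reads the ExecStart= line of a snort systemd unit, extracts the interface given with -i, and can confirm that interface exists on the host before you start the service. The unit path /lib/systemd/system/snort.service is the one named in comment 132; the interface names in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide or from the Snort project.
# Reads the ExecStart= line of a snort systemd unit and extracts the capture
# interface given with "-i <name>". A unit whose ExecStart lacks "-i", or a
# command that names an interface this host does not have, is what produces
# the "Can't start DAQ" and "Invalid interface specification" failures quoted
# in the comments above.
#
# Usage (unit path from comment 132; interface names are assumptions):
#   snort_unit_iface /lib/systemd/system/snort.service          # prints e.g. eth0
#   snort_unit_iface_exists /lib/systemd/system/snort.service && echo "interface ok"
snort_unit_iface() {
    unit="$1"
    [ -r "$unit" ] || { echo "cannot read $unit" >&2; return 2; }
    # A unit may reset ExecStart= and set it again; the last one wins.
    cmd=$(grep -E '^ExecStart=' "$unit" | tail -n 1 | sed 's/^ExecStart=//')
    [ -n "$cmd" ] || { echo "no ExecStart= in $unit" >&2; return 1; }

    # Split the command line on whitespace (globbing disabled so a literal
    # "*" cannot expand) and walk it looking for "-i NAME" or "-iNAME".
    iface=""
    set -f
    set -- $cmd
    set +f
    while [ $# -gt 0 ]; do
        case "$1" in
            -i)   shift; iface="${1:-}" ;;
            -i?*) iface="${1#-i}" ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    [ -n "$iface" ] || { echo "ExecStart has no -i <interface>" >&2; return 1; }
    printf '%s\n' "$iface"
}

# Returns 0 only when the unit names an interface and the kernel knows it
# (every network interface appears as a directory under /sys/class/net).
snort_unit_iface_exists() {
    iface=$(snort_unit_iface "$1") || return 1
    [ -d "/sys/class/net/$iface" ]
}
```

    If snort_unit_iface_exists fails, compare its output with ip addr and correct the -i value in the unit file, then run sudo systemctl daemon-reload before restarting snort so systemd picks up the edited ExecStart line.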

  150. Janne Ruostemaa

    Hi Bema, thanks for the question. Depending on the version you are attempting to install, the steps might be a little different. Check the required build commands on Snort’s GitHub page if you are installing the latest release.
