Installing Snort++ in Ubuntu (Version 3.0 Alpha 4 build 245)

The instructions below show how to install Snort 3 alpha 4 build 245 on Ubuntu. This install has been tested on Ubuntu 14, 16, and 18, for the x64 architecture. For an outdated Ubuntu 12 version of these instructions, please go here. Note that Snort 3 is Alpha software, and therefore has bugs and issues, and should be installed for testing purposes only (not on production systems).

Snort 3 Alpha 4 Build 245 was released on May 24th, 2018, and this guide has been tested with that version (releases after this specific release may not follow the same steps). Generic build instructions, prerequisites, and detailed notes are available in the manual.

If you want a more in-depth explanation of the install steps, which are very similar to the 2.9.9.x version of Snort, as well as instructions on how to configure and enhance Snort’s functionality, see my series on installing Snort 2.9.9.x on Ubuntu.

So let’s get started. First, we will create a directory to save the downloaded tarball files:

mkdir ~/snort_src
cd ~/snort_src

Next we need to install all the Snort pre-requisites from the Ubuntu repositories:

sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev libpcre3-dev zlib1g-dev pkg-config libhwloc-dev

For Ubuntu 16 and 18, you can install cmake from the default repository:

# Ubuntu 16 and 18 (and greater) only:
sudo apt-get install -y cmake

For Ubuntu 14, you have to install cmake from source, because the version in the Ubuntu repository is too old to compile Snort:

# Ubuntu 14 only
sudo apt-get remove -y cmake
cd ~/snort_src
tar -xzvf cmake-3.10.3.tar.gz
cd cmake-3.10.3
sudo make install

Note: If you are running Ubuntu 14 x86, you must install a newer version of gcc, either from a ppa or from source. Snort will not compile properly on the x86 platform with the version of gcc in the Ubuntu repository (4.8.4). I do not cover these steps in this guide, but you can easily google this process. This does not apply to the x64 version of Ubuntu 14 which you can easily install using the steps below.

Install the optional (recommended) software:

sudo apt-get install -y liblzma-dev openssl libssl-dev cpputest libsqlite3-dev uuid-dev

Install tools required for compiling the source from github:

sudo apt-get install -y libtool git autoconf

Install the DAQ pre-requisites:

sudo apt-get install -y bison flex

If you want to build the documentation as well (not really needed, unless you want it, usually about 700 MB of libraries):

sudo apt-get install -y asciidoc dblatex source-highlight w3m

If you want to run Snort in inline mode using NFQ, install the required packages (not required for IDS mode or inline mode using afpacket). If you’re unsure, you should install this package.

sudo apt-get install -y libnetfilter-queue-dev

Next, compile and install safec for runtime bounds checks on certain legacy C-library calls (this is optional but recommended):

cd ~/snort_src
tar -xzvf libsafec-10052013.tar.gz
cd libsafec-10052013
sudo make install

Download and install gperftools 2.7, google’s thread-caching malloc (used in chrome). Tcmalloc is a memory allocator that’s optimized for high concurrency situations which will provide better speed for the trade-off of higher memory usage. We don’t want the version of tcmalloc from the repositories (version 2.5 in libgoogle-perftools-dev) as they don’t work with Snort. Tcmalloc is optional but recommended:

cd ~/snort_src
tar xzvf gperftools-2.7.tar.gz
cd gperftools-2.7
sudo make install

One of the Snort recommended prerequisites is Hyperscan 4.4.0. From their webpage: “Hyperscan is a regular expression engine designed to offer high performance, the ability to match multiple expressions simultaneously and flexibility in scanning operation.” Hyperscan needs Ragel 6.9 and the Boost header libraries.

Install Ragel 6.10 from source:

cd ~/snort_src
tar -xzvf ragel-6.10.tar.gz
cd ragel-6.10
sudo make install

Download the Boost 1.67.0 libraries, but do not install:

cd ~/snort_src
tar -xvzf boost_1_67_0.tar.gz

Install Hyperscan 4.7.0 from source, referencing the location of the Boost source directory:

cd ~/snort_src
tar -xvzf v4.7.0.tar.gz
mkdir ~/snort_src/hyperscan-4.7.0-build
cd hyperscan-4.7.0-build/

cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_67_0/ ../hyperscan-4.7.0

sudo make install

If you want to test that Hyperscan works, from the build directory, run:

cd ~/snort_src/hyperscan-4.7.0-build/

The unit tests will run (this takes a few minutes).

Snort has an optional requirement for flatbuffers, A memory efficient serialization library:

cd ~/snort_src
wget -O flatbuffers-v1.9.0.tar.gz
tar -xzvf flatbuffers-1.9.0.tar.gz
mkdir flatbuffers-build
cd flatbuffers-build
cmake ../flatbuffers-1.9.0
sudo make install

Download and install Data AcQuisition library (DAQ) from the Snort website (note that DAQ for Snort 3 is a different DAQ than for the 2.9.9.x series of Snort):

cd ~/snort_src
tar -xvzf daq-2.2.2.tar.gz
cd daq-2.2.2
sudo make install

Run the following command to update shared libraries:

sudo ldconfig

Now we are ready to install Snort from source. This command downloads and installs the latest version of Snort 3 (currently 3.0.0 Alpha 4, build 245, but as the codebase is updated, you’ll get a newer version).

If you want to install all the snort directories under a single directory, see the section at the bottom of this document titled Changing the install location of Snort. Here we choose to install Snort to the /usr/local directory (the standard location for additional software from the LSB)

cd ~/snort_src
git clone git://
cd snort3
./ --prefix=/usr/local
cd build
sudo make install

Optional: If you are interested in seeing what additional options can be configured when building Snort, run ./configure ‐‐help for a full list. Some options you may be interested in is the Snort3 command line shell (‐‐enable-shell) or support for pcap files over 2 GB (‐‐enable-large-pcap).

Snort 3 requires a few environmental variables, we store them temporarily in the current session so we can continue working, and save them permanently to the ~/.bashrc file (you’ll need to do this for every user profile):

export LUA_PATH=/usr/local/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=/usr/local/etc/snort

sh -c "echo 'export LUA_PATH=/usr/local/include/snort/lua/\?.lua\;\;' >> ~/.bashrc"
sh -c "echo 'export SNORT_LUA_PATH=/usr/local/etc/snort' >> ~/.bashrc"

to ensure that these two environmental variables are available when using sudo, we need to add them to the /etc/sudoers file:

sudo visudo

in the editor, add the following to to the bottom of the file:

Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"

use ctrl-x to exit, save when prompted by pressing y, then press enter to save the file to /etc/sudoers.tmp (which will get copied automatically to /etc/sudoers).

The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to print the current version. You should see output similar to the following:

user@snort3:~$ snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0-a4 (Build 245) from 2.9.11
   ''''    By Martin Roesch & The Snort Team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 2.2.2
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.0g 2 Nov 2017
           Using libpcap version 1.8.1
           Using PCRE version 8.39 2016-06-14
           Using ZLIB version 1.2.11
           Using FlatBuffers 1.9.0
           Using Hyperscan version 4.7.0 2018-06-12
           Using LZMA version 5.2.2


A note on install locations:

When you install snort to /usr/local, you get the following folder structure:

user@snort3x86:/opt/snort$ tree /usr/local -L 3
├── bin
│   ├── fbstreamer
│   ├── snort
│   ├── snort2lua
│   ├── u2boat
│   └── u2spewfoo
├── etc
│   └── snort
│       ├── file_magic.lua
│       ├── snort_defaults.lua
│       └── snort.lua
├── include
│   └── snort
│       ├── actions
│       ├── codecs
│       ├── daqs
│       ├── decompress
│       ├── detection
│       ├── events
│       ├── file_api
│       ├── flow
│       ├── framework
│       ├── hash
│       ├── log
│       ├── lua
│       ├── main
│       ├── managers
│       ├── mime
│       ├── packet_io
│       ├── profiler
│       ├── protocols
│       ├── pub_sub
│       ├── search_engines
│       ├── sfip
│       ├── stream
│       ├── time
│       └── utils
├── lib
│   ├── pkgconfig
│   │   └── snort.pc
│   └── snort
│       └── daqs
└── share
    └── doc
        └── snort

38 directories, 8 files

The /usr/local/bin folder contains the following Snort binaries:

  • fbstreamer : A utility for accessing the statistics generated in flatbuffer format.
  • snort : The Snort binary.
  • snort2lua : Tool to convert a Snort 2.9.8.x configuration file into a 3.x configuration file. More notes here.
  • u2boat : U2boat is a tool for converting unified2 files into different formats.
  • u2spewfoo: U2SpewFoo is a lightweight tool for dumping the contents of unified2 files to stdout.

Additionally, the following folders are created / used:

  • /opt/snort/bin : Binaries for Snort and supporting software.
  • /opt/snort/etc/snort : The configuration files for Snort.
  • /opt/snort/include/snort : All include files for Snort.
  • /opt/snort/lib/pkgconfig : The pkgconfig file for Snort (compilation details for Snort).
  • /opt/snort/share/doc/snort : The documentation for the installed version of Snort.

Changing the install location of Snort

If you would rather have all these folders install to a single-folder location for testing (/opt/snort), add ‑‑prefix=/opt/snort to the ./configure command when preparing to build Snort. This will install all these folders under the path you choose. You also need to modify some of the other paths detailed above, so if you decide to install in that manner, you should follow the install instructions detailed in the Snort blog.

Snort Rules

Snort3 rules have more options than Snort 2 rules, and while the normal rules downloaded with PulledPork or manually will work, for testing you will probably want to download the set of community rules specificallycreated for snort3. You can manually download snort3 specific community rules from the snort website:

cd ~/snort_src/
tar -xvzf snort3-community-rules.tar.gz
cd snort3-community-rules

sudo mkdir /usr/local/etc/snort/rules
sudo mkdir /usr/local/etc/snort/builtin_rules
sudo mkdir /usr/local/etc/snort/so_rules
sudo mkdir /usr/local/etc/snort/lists

sudo cp snort3-community.rules /usr/local/etc/snort/rules/
sudo cp /usr/local/etc/snort/rules/

now test that snort can load these rules:

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/snort3-community.rules

your output should contain something similar:

Loading rules:
Loading /opt/snort/etc/snort/rules/snort3-community.rules:
Finished /opt/snort/etc/snort/rules/snort3-community.rules.
Finished rules.
rule counts
total rules loaded: 829
text rules: 829
option chains: 829
chain headers: 46

you may want to run Snort with the following flags to detect issues: the warn-all and pedantic flags. From the Snort3 manual:
Warnings are not emitted unless –warn-* is specified. –warn-all enables all warnings, and –pedantic makes such warnings fatal

Installing OpenAppID

OpenAppID allows for the identification of application layer traffic. The Snort team has put together a package of detectors, with assistance from the community that you can download and install, called the Application Detector Package which needs to be installed. First download the OpenAppID detector package:

cd ~/snort_src/
wget -O OpenAppId-7630.tar.gz
tar -xzvf OpenAppId-7630.tar.gz
sudo cp -R odp /usr/local/lib/

Now we need to edit our snort configuration file to point to this odp directory:

sudo vi /usr/local/etc/snort/snort.lua

At line 113 (yours line number may be slightly different) you will see the appid= entry. You will want to add the app detector dir option here, pointing to the parent folder of the odf folder. It should look like this:

appid =
    app_detector_dir = '/usr/local/lib',

note that you must have four spaces (not a tab) for the indented line. Now we want to test the configuration file loads correctly:

snort -c /usr/local/etc/snort/snort.lua --warn-all

you should see output similar to:

Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting

Now to load Snort with the OpenAppID detectors, as well as all rules (we omit the pedantic flag, since the rules will throw flowbit warnings that are non fatal and can be ignored:)

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/snort3-community.rules --warn-all

Create a simple rule to test that OpenAppID is working correctly:

sudo touch /usr/local/etc/snort/rules/local.rules
sudo vi /usr/local/etc/snort/rules/local.rules

with the following content:

alert tcp any any -> any any ( msg:"Facebook trafic Seen"; appids:"Facebook";sid:10000001; )

test to make sure the rule loads correctly:

snort -c /usr/local/etc/snort/snort.lua -R /opt/snort/etc/snort/rules/local.rules --warn-all

You should see one rule loaded successfully. Now let’s run snort in detection mode on an interface (change eth0 below to match your interface name), printing alerts to the console:

sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/local.rules -i eth0 -A alert_fast -k none

the -k none flag tells Snort to ignore bad checksums. the Stream and Frag decoders will drop packets that have bad checksums, and the packets will not get processed by the OpenAppID detectors. By including this flag, we ensure that a packet with a bad checksum still gets processed. Now from another window on that computer (open a new terminal window or a second ssh session), use wget
to connect to facebook:


from the first console window you will see alerts output similar to the following:

08/05−19:13:45.451834 [∗∗] [1:10000001:0] ”Facebook trafic Seen” [∗∗] [Priority: 0] [AppID: Facebook] {TCP} −>
08/05−19:13:45.451842 [∗∗] [1:10000001:0] ”Facebook trafic Seen” [∗∗] [Priority: 0] [AppID: Facebook] {TCP} −>

use ctrl-c to stop Snort.

Note: if you are collecting packets with a larger MTU that the standard MTU for your adapter (VLAN tagged packets, MPLS Packets, packets from a different network type with a larger MTU), you may need to use the –snaplen flag to adjust snort to process larger packets)

Where to go from here

If you want to learn more about how to run the 2.9.9.x version of Snort, and how to install additional software to enhance a Snort system, see my series on installing Snort on Ubuntu. If you want to develop Snort plugins, please see my guide: Installing Snort++ Example Plugins.

I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.

Comments are Disabled