Skip to main content

Snort IDS – Part 01: Installing Snort

Jason J. Boderebe
5 min read
#snort #ids #network-security #installation
Snort IDS – Part 01: Installing Snort

Welcome Back!

Snort remains one of the most widely encountered intrusion detection systems (IDS) in modern security environments. If you have ever worked with traditional antivirus (AV) software on an endpoint, the concept is similar. Instead of scanning files on a machine, Snort analyzes network traffic and notifies you when it identifies signatures or behaviors associated with malicious activity. It is a foundational tool to understand for anyone developing defensive skills or working within network security.

Snort was originally developed by Martin Roesch in 1999. Its adoption grew rapidly, and in 2014 Cisco acquired it, integrating Snort into many of their security appliances and platforms. Because Cisco maintains a significant presence across enterprise networks, there is a strong probability that you will encounter Snort directly or indirectly throughout your cybersecurity journey.

Even if your organization does not deploy Snort or Cisco solutions, understanding Snort’s architecture remains valuable. Many IDS and IPS technologies are built on similar principles, and Snort provides a clear and accessible foundation for learning modern network detection practices.

This article begins a complete series on Snort 3, the updated and actively maintained version of the Snort IDS engine. In this first part, we focus entirely on installing Snort 3 on Kali Linux using two different methods.


Method 1: Installing Snort 3 from the Repositories

Snort installation is straightforward when your distribution provides it in its repositories. Recent versions of Kali Linux include Snort 3 directly, which allows installation without modifying any external sources.

To begin, update your package lists:

sudo apt-get update

Running apt-get update

After the update completes, install Snort 3:

sudo apt-get install -y snort3

Installing Snort 3 from repository

You can verify the installation and check Snort’s version number:

snort3 -V

Snort 3 version output

Snort 3 is now installed and ready for use. This method is fast and effective for learning, testing, and general experimentation. However, for environments where performance, customization, or the most recent updates are essential, installing Snort from source remains the preferred method.


Method 2: Installing Snort 3 from Source

Installing Snort 3 from source requires more steps, but it provides significant advantages. Compiling Snort specifically for your system’s architecture often results in better performance. Performance matters greatly in IDS systems because the engine must process traffic quickly and consistently. Performance issues can slow down the network or cause packet loss, and both outcomes negatively affect detection accuracy.

Source installation also ensures that you are working with the most recent Snort 3 version, which may include updates not yet available through distribution repositories.

We will begin by preparing a working directory for Snort’s source files.


1. Create a Directory for Snort Source

Create a workspace:

mkdir snort_source

Navigate into it:

cd snort_source

Creating and entering snort_source


2. Install Required Build Dependencies

Snort 3 has several development dependencies that must be installed before compiling from source. Install them with the following command:

sudo apt-get install -y build-essential cmake pkg-config \
libpcap-dev libpcre3-dev libdnet-dev zlib1g-dev \
libluajit-5.1-dev libssl-dev libhwloc-dev \
libnetfilter-queue-dev libmnl-dev autoconf automake libtool git

Installing Snort 3 build dependencies


3. Download and Install the Modern DAQ Library

Snort 3 uses the updated Data Acquisition (DAQ) library, maintained on GitHub. Download the source:

git clone https://github.com/snort3/libdaq.git

Enter the directory:

cd libdaq

Prepare and configure the DAQ build environment:

./bootstrap
./configure

Compile and install DAQ:

make
sudo make install

DAQ configuration output

DAQ compilation progress

Return to your main source directory:

cd ..

4. Download Snort 3 Source Code

Download the official Snort 3 repository:

git clone https://github.com/snort3/snort3.git

Navigate into the Snort directory:

cd snort3

Snort 3 download and directory entry


5. Configure and Build Snort 3

Configure Snort using the official script:

./configure_cmake.sh --prefix=/usr/local/snort3

Move into the build directory:

cd build

Compile Snort:

make

Install Snort:

sudo make install

Snort 3 configuration output

Snort 3 compilation output


6. Update Shared Libraries

Because new libraries were installed during this process, update the system’s shared library cache:

sudo ldconfig

Running ldconfig


To run Snort 3 globally from any directory, create a symbolic link:

sudo ln -s /usr/local/snort3/bin/snort /usr/sbin/snort3

Creating Snort 3 symlink


8. Test the Snort 3 Installation

Validate the installation:

snort3 -V

Snort should display its version information along with DAQ details.

Snort 3 version confirmation

Snort is now installed successfully and ready for configuration.


With Snort installed, we will next focus on configuring the system so that it can begin analyzing traffic and detecting malicious activity. The next article in this series will guide you through rule loading, network variables, and essential configuration steps.

Stay Curious!