# Snort 3 — Open-Source Network Intrusion Detection and Prevention System

> Snort 3 is a complete rewrite of the original Snort IDS/IPS, now maintained by Cisco. It performs real-time traffic analysis and packet logging, detecting threats using signature-based, protocol-analysis, and anomaly-based inspection methods on network traffic.

## Quick Use

```bash
# Install on Ubuntu
sudo apt install snort3

# Or build from source
git clone https://github.com/snort3/snort3.git
cd snort3 && mkdir build && cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/usr/local && make -j$(nproc) && sudo make install

# Run in IDS mode on an interface
sudo snort -c /usr/local/etc/snort/snort.lua -i eth0 -A alert_fast
```

## Introduction

Snort 3 is a next-generation network intrusion detection and prevention system that analyzes network traffic in real time. Originally created in 1998, Snort is one of the most widely deployed IDS/IPS platforms. Version 3 is a ground-up C++ rewrite with multithreading, a Lua configuration language, and a modern plugin architecture.

## What Snort 3 Does

- Inspects live network traffic or pcap files for malicious patterns and protocol anomalies
- Matches packets against a database of community and commercial rule sets (Snort rules)
- Operates in IDS mode (passive detection) or IPS mode (inline blocking)
- Reassembles TCP streams and decodes application-layer protocols (HTTP, DNS, SMB, etc.)
- Logs alerts in multiple formats including JSON, syslog, and unified2

## Architecture Overview

Snort 3 uses a pipeline architecture: packet acquisition (DAQ) feeds raw packets into decoders, which normalize protocols and hand off to the detection engine. The detection engine evaluates rules using a multi-pattern matcher (hyperscan or AC-full) against the reassembled stream. Inspectors are protocol-specific plugins that decode HTTP headers, extract file data, or track application state. The entire pipeline is multithreaded, with each packet thread processing independently.

## Self-Hosting & Configuration

- Configuration uses a Lua script (snort.lua) instead of the legacy conf format
- Install community rules from snort.org or use Cisco Talos subscription rules
- Deploy inline using the DAQ afpacket or NFQ module for IPS (blocking) mode
- Tune performance with the max-threads setting and pin threads to CPU cores
- Output alerts to JSON for consumption by SIEMs like Elasticsearch or Splunk

## Key Features

- Multithreaded packet processing for line-rate inspection on multi-core systems
- Lua-based configuration and rule scripting for dynamic detection logic
- Hyperscan regex engine integration for high-speed pattern matching
- File identification and extraction for malware analysis and policy enforcement
- Plugin architecture for custom inspectors, loggers, and IPS actions

## Comparison with Similar Tools

- **Suricata** — multi-threaded IDS/IPS with EVE JSON logging; Snort 3 adds Lua scripting and the Talos rule ecosystem
- **Zeek (Bro)** — network analysis framework focused on logging and scripting; Snort focuses on signature-based alerting
- **OSSEC/Wazuh** — host-based IDS; Snort operates at the network level inspecting packets on the wire
- **Falco** — cloud-native runtime security for containers; Snort inspects traditional network traffic

## FAQ

**Q: What is the difference between Snort 2 and Snort 3?**

A: Snort 3 is a full C++ rewrite with multithreading, Lua configuration, a plugin architecture, and improved protocol inspection. Snort 2 rules are largely compatible.

**Q: Can I use Snort as an IPS?**

A: Yes. Deploy it inline using the NFQ or afpacket DAQ module, and configure rules with drop, reject, or rewrite actions.

**Q: Where do I get rules?**

A: Snort.org provides free community rules. Cisco Talos offers a registered (free, 30-day delay) and a subscriber (real-time) rule set.

**Q: Does Snort 3 support hardware offload?**

A: Yes. It integrates with DPDK for high-speed packet capture and hyperscan for hardware-accelerated regex matching on supported CPUs.

## Sources

- https://github.com/snort3/snort3
- https://www.snort.org/snort3

---

Source: https://tokrepo.com/en/workflows/asset-8e2ee290
Author: Script Depot
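The snort.lua fragment below is an added example, not code from the original page or from the Snort project's shipped configuration. It ties together the pieces the configuration and features sections describe: the Lua config file, a local rule loaded into the detection engine, the pattern matcher selection, service-based inspector bindings, and JSON alert output for SIEM ingestion. The module and option names (`ips`, `search_engine`, `alert_json`, `binder`, `wizard`, and `default_variables` / `default_wizard` from `snort_defaults`) are Snort 3's own; `HOME_NET`, the rule text, its `sid` 1000001, and the chosen JSON field list are assumptions for a lab network.

```lua
-- Added example snort.lua (not the Snort project's own file).
-- Network variables: HOME_NET is an assumed lab range; set EXTERNAL_NET
-- before pulling in snort_defaults so default_variables picks both up.
HOME_NET = '192.168.1.0/24'
EXTERNAL_NET = '!$HOME_NET'

-- default_variables, default_wizard, etc. ship with Snort 3
require 'snort_defaults'

-- Stream reassembly and HTTP decoding (the inspectors the page describes)
stream = { }
stream_tcp = { }
http_inspect = { }

-- Service identification plus explicit bindings: HTTP traffic goes to
-- http_inspect, everything else is classified by the wizard.
wizard = default_wizard
binder =
{
    { when = { service = 'http' }, use = { type = 'http_inspect' } },
    { use = { type = 'wizard' } },
}

-- Multi-pattern matcher: 'ac_bnfa' is always available; use 'hyperscan'
-- only when Snort was built with hyperscan support.
search_engine = { search_method = 'ac_bnfa' }

-- Detection engine: builtin decoder/inspector rules plus one local rule
-- (assumed example; local rules conventionally use sid >= 1000000).
ips =
{
    enable_builtin_rules = true,
    variables = default_variables,
    rules = [[
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"LOCAL example: request for /admin path"; flow:to_server,established; http_uri; content:"/admin",nocase; classtype:web-application-activity; sid:1000001; rev:1; )
    ]],
}

-- JSON alerts written to alert_json.txt in the log directory (-l);
-- the field list is a chosen subset of alert_json's available fields.
alert_json =
{
    file = true,
    fields = 'timestamp pkt_num proto dir src_ap dst_ap rule action msg sid gid rev priority class service',
}
```

Validate the file before deploying it with `snort -c snort.lua -T`, which parses the configuration and rules and reports errors without processing traffic; then run with `-i <iface> -l <logdir>` as in the Quick Use section and ship `alert_json.txt` to the SIEM. For IPS mode, switch the DAQ to afpacket or NFQ and change the rule action from `alert` to `drop` only after the rule has been observed to produce no false positives in alert-only mode.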