Snort 3 Installation

Required Packages

The very first thing to do is make sure all necessary dependencies are installed. The following is a list of required packages:

  • cmake to build from source
  • The Snort 3 libdaq for packet IO
  • dnet for network utility functions
  • flex >= 2.6.0 for JavaScript syntax parsing
  • g++ >= 5 or other C++14 compiler
  • hwloc for CPU affinity management
  • LuaJIT for configuration and scripting
  • OpenSSL for SHA and MD5 file signatures, the protected_content rule option, and SSL service detection
  • pcap for tcpdump style logging
  • pcre for regular expression pattern matching
  • pkgconfig to locate build dependencies
  • zlib for decompression

Information on where to download each of these required packages can be found here:

Optional Packages

There are also a few optional packages that can be installed to take advantage of some of Snort's optional features. These include:

  • asciidoc to build the HTML manual
  • cpputest to run additional unit tests with make check
  • dblatex to build the PDF manual included with Snort 3 installs
  • flatbuffers for enabling the flatbuffers serialization format
  • hyperscan >= 4.4.0 to build the new regex and sd_pattern rule options and hyperscan search engine.
  • iconv for converting UTF16-LE filenames to UTF8 (usually included in glibc)
  • libunwind to attempt to dump a somewhat readable backtrace when a fatal signal is received
  • lzma >= 5.1.2 for decompression of SWF and PDF files
  • safec >= 3.5 for runtime bounds checks on certain legacy C-library calls
  • source-highlight to generate the dev guide
  • w3m from to build the plain text manual
  • uuid from uuid-dev package for unique identifiers

Information on where to download each of these optional packages can be found here:

Installing LibDAQ

We now need to install the Snort 3 LibDAQ, which provides an abstraction layer for communicating with a data source (such as a network interface).

If you have LibDAQ already installed for Snort 2 and want to install a DAQ just for Snort 3, or if you want to install LibDAQ in a custom location, you can change the DAQ install location with the --prefix option when configuring: ./configure --prefix=/usr/local/lib/daq_s3.

To show this in action, first clone the LibDAQ repository from GitHub:

$ git clone

Then, run the following commands to generate the configure script, configure with a specified prefix, build, and lastly install:

$ cd libdaq
$ ./bootstrap
$ ./configure --prefix=/usr/local/lib/daq_s3
$ make install

After installing libdaq, you must then run ldconfig to configure your system's dynamic linker run-time bindings. However, if you have installed the DAQ in a nonstandard location, you'll first need to tell your system where to find the new shared libraries. One common solution is to create a file in the /etc/ directory that points to where those libraries are located:

$ cat /etc/

Once ready you may proceed with the ldconfig command to configure the run-time bindings:

$ sudo ldconfig

Building Snort

After all dependencies have been installed, it is time to build Snort.

To do this, first clone the Snort 3 repository:

$ git clone

You can choose to install Snort in the system-default directories, or you can specify to install it in some other directory with the --prefix=<path> command line argument.

$ export my_path=/path/to/snorty
$ mkdir -p $my_path
$ cd snort3
$ ./ --prefix=$my_path 

Additionally, if the LibDAQ has been installed in a non-standard or custom location, then you must include the --with-daq-libraries and --with-daq-includes arguments and set them accordingly.

$ ./ --prefix=$my_path \
                       --with-daq-includes=/usr/local/lib/daq_s3/include/ \

There are many more CMake configuration options to choose from (like enabling debug mode, for example), and the full list of options can be seen by running the following command:

$ ./ --help

Once you've configured CMake to your liking and the build files are ready to go, it's time to compile and install Snort. To do this, cd to the newly-created build directory, and then compile and install:

$ cd build
$ make -j $(nproc)
$ make install

If all goes well, run snort -V at the command line to verify successful installation.

$ $my_path/bin/snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version
   ''''    By Martin Roesch & The Snort Team
           Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.6
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1q  5 Jul 2022
           Using libpcap version 1.10.1 (with TPACKET_V3)
           Using PCRE version 8.45 2021-06-15
           Using ZLIB version 1.2.12
           Using LZMA version 5.2.6

Lastly, verify that your installation has the appropriate DAQs available to it:

$ $my_path/bin/snort --daq-list
Available DAQ modules:
afpacket(v7): live inline multi unpriv
  buffer_size_mb <arg> - Packet buffer space to allocate in megabytes
  debug - Enable debugging output to stdout
  fanout_type <arg> - Fanout loadbalancing method
  fanout_flag <arg> - Fanout loadbalancing option
  use_tx_ring - Use memory-mapped TX ring

If, however, you get No available DAQ modules (try adding directories with --daq-dir)., then you will need to specify --daq-dir as the error points out:

$ $my_path/bin/snort --daq-dir /usr/local/lib/daq_s3/lib/daq --daq-list

If that's the case, you can create an "alias" for your Snort command so that you don't have to specify --daq-dir each time you want to invoke Snort:

alias snort='/path/to/bin/snort --daq-dir /usr/local/lib/daq_s3/lib/daq'