Skip to main content
This page covers everything you need to build Snort 3 from source on Linux and macOS.

Dependencies

Required

DependencySourcePurpose
C++17 compiler (g++ >= 7)SystemCompilation
CMakeSystemBuild system
DAQGitHubPacket I/O abstraction
dnetGitHubNetwork utility functions
hwlocopen-mpi.orgCPU affinity management
LuaJITluajit.orgConfiguration and scripting
OpenSSLopenssl.orgSHA/MD5 signatures, protected_content rule option, SSL detection
pcaptcpdump.orgPacket capture and tcpdump-style logging
PCRE2pcre.orgRegular expression pattern matching
pkgconfigfreedesktop.orgLocates build dependencies
zlib >= 1.2.8zlib.netDecompression

Optional

DependencySourcePurpose
hyperscan >= 4.4.0GitHubHigh-performance regex via regex and sd_pattern rule options and Hyperscan search engine
cpputestcpputest.github.ioAdditional unit tests (make check)
libmlGitHubSnort ML — neural network-based exploit detection
libunwindnongnu.orgReadable backtraces on fatal signals
lzma >= 5.1.2tukaani.orgDecompression of SWF and PDF files
safec >= 3.5GitHubRuntime bounds checks on legacy C-library calls
iconvgnu.orgUTF16-LE to UTF8 filename conversion (usually in glibc)
uuid (uuid-dev)SystemUnique identifiers
asciidocasciidoc.orgBuild the HTML manual
dblatexsourceforge.netBuild the PDF manual (requires asciidoc)
w3msourceforge.netBuild the plain text manual
source-highlightgnu.orgGenerate the developer guide
Hyperscan is large. Follow the Hyperscan build instructions and build it as a shared library before enabling it in Snort.

Setting Up

Before building, set your install prefix and create the directory: 
export my_path=/path/to/snorty
mkdir -p $my_path
If DAQ was installed to a custom (non-system) path, export PKG_CONFIG_PATH so cmake can find it: 
export PKG_CONFIG_PATH=/libdaq/install/path/lib/pkgconfig:$PKG_CONFIG_PATH

Build Methods

cmake Options

The following cmake options can be passed to configure_cmake.sh or directly to cmake/ccmake:
OptionDescription
--prefix=<path>Set the installation prefix
--enable-shellEnable the local and remote command line shell
--enable-unit-testsConfigure unit tests; run with snort --catch-test [tags]|all
--enable-benchmark-testsConfigure benchmark tests; run with snort --catch-test [tags]|all or as a separate executable
--generator=<gen>Specify a cmake project generator (e.g. Xcode, Eclipse CDT4 - Unix Makefiles)
Benchmark tests run best on a non-debug build with optimizations enabled. Avoid debug builds when measuring performance.
Example — build with unit tests enabled: 
./configure_cmake.sh --prefix=$my_path --enable-unit-tests
cd build
make -j $(nproc) install

# Run all unit tests
$my_path/bin/snort --catch-test all
Adding plugins at runtime: Built-in and dynamic plugins are functionally equivalent. Load external plugin libraries at startup: 
$my_path/bin/snort --plugin-path /path/to/install/lib -c snort.lua

Verifying the Build

After installation, confirm the binary works: 
$my_path/bin/snort -V
Verify a configuration file loads without errors: 
$my_path/bin/snort -c $my_path/etc/snort/snort.lua
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
List available plugins to confirm modules compiled in: 
$my_path/bin/snort --list-plugins

Common Build Issues

If you build with Hyperscan on macOS and see the following error when running src/snort:
dyld: Library not loaded: @rpath/libhs.4.0.dylib
Workaround 1 — export DYLD_LIBRARY_PATH with the path to libhs:
export DYLD_LIBRARY_PATH=/path/to/hyperscan/lib:$DYLD_LIBRARY_PATH
Workaround 2 — fix the rpath in the binary directly:
install_name_tool -change @rpath/libhs.4.0.dylib \
    /path-to/libhs.4.0.dylib src/snort
Snort built with tcmalloc support (--enable-tcmalloc) crashes immediately on Ubuntu 17.04 and 18.04 due to a bug in gperftools 2.5 provided by those distributions.Workaround — uninstall the distribution’s gperftools and install gperftools 2.7 before building Snort:
sudo apt-get remove google-perftools libgoogle-perftools-dev
# Download and build gperftools 2.7 from source
# https://github.com/gperftools/gperftools/releases
If cmake cannot find LibDAQ, it means the library is not in a standard system path.Set PKG_CONFIG_PATH to point to the DAQ pkgconfig directory before running cmake:
export PKG_CONFIG_PATH=/libdaq/install/path/lib/pkgconfig:$PKG_CONFIG_PATH
./configure_cmake.sh --prefix=$my_path
The dump DAQ does not work correctly with multiple packet threads.Workaround — disable dump output when using multiple threads:
snort -c snort.lua --daq dump --daq-var output=none --max-packet-threads 4 -r capture.pcap

Build docs developers (and LLMs) love

Get started for freeTalk to us