Protocol Inspectors

Snort 3 ships with service inspectors for dozens of protocols beyond HTTP. Each inspector decodes its protocol, normalizes the data for the detection engine, and provides protocol-specific IPS rule options so rules do not need raw byte-level decoding.

Industrial / OT protocols

Modbus

Modbus is a SCADA protocol typically carried over TCP port 502 (Modbus TCP). The inspector decodes the Modbus Application Protocol (MBAP) header and provides rule options to match on specific function codes, unit IDs, and raw PDU data without writing complex content/byte_test chains.

Configuration
Rule options
Example rules

binder =
{
    {
        when = { proto = 'tcp', ports = '502' },
        use  = { type = 'modbus' },
    },
}

modbus = { }

Option	Description
`modbus_data`	Sets the cursor to the start of the Modbus PDU data
`modbus_func`	Matches a specific Modbus function code
`modbus_unit`	Matches a specific Modbus unit identifier

# Alert on any Modbus write multiple registers (function 16 = 0x10)
alert tcp any any -> any 502 (
    msg:"Modbus write multiple registers";
    flow:to_server, established;
    modbus_func:16;
    sid:1000;
)

# Inspect raw Modbus PDU data
alert tcp any any -> any 502 (
    msg:"Modbus suspicious payload";
    flow:to_server, established;
    modbus_data;
    content:"|01 83|", depth 2;
    sid:1001;
)

DNP3

DNP3 (Distributed Network Protocol 3) is used in electric utilities and water treatment facilities. Snort 3 supports DNP3 over TCP (default port 20000) and UDP. The inspector reassembles transport-layer fragments into application-layer PDUs before presenting them to the detection engine.

Configuration
Rule options
Example rules

binder =
{
    {
        when = { proto = 'tcp', ports = '20000' },
        use  = { type = 'dnp3' },
    },
}

dnp3 = { }

Option	Description
`dnp3_data`	Sets the cursor to the start of the DNP3 application data
`dnp3_func`	Matches a specific DNP3 function code
`dnp3_ind`	Matches DNP3 internal indication flags
`dnp3_obj`	Matches DNP3 object group and variation

# DNP3 function code in rule header (service-based rule)
alert dnp3 any any -> any any (
    msg:"DNP3 traffic detected";
    dnp3_data;
    sid:2000;
)

# Match on specific DNP3 function code
alert tcp any any -> any 20000 (
    msg:"DNP3 direct operate command";
    flow:to_server, established;
    dnp3_func:3;
    sid:2001;
)

IEC 60870-5-104 (IEC104)

IEC 60870-5-104 is a telecontrol protocol for sending messages between control stations and substations, typically on TCP port 2404. The inspector decodes APDU/APCI/ASDU structures and provides rule options that avoid the need to manually check control field bits.

Configuration
Rule options
Example rules

binder =
{
    {
        when = { proto = 'tcp', ports = '2404' },
        use  = { type = 'iec104' },
    },
}

iec104 = { }

Option	Description
`iec104_apci_type`	Matches the APCI type (`i`, `S`, or `unnumbered_control_function`)
`iec104_asdu_func`	Matches the ASDU function code by name or lowercase name

# Match on Information Transfer (Type I) APCI
alert tcp any any -> any 2404 (
    msg:"IEC104 Information Transfer APCI";
    flow:established;
    iec104_apci_type:i;
    sid:3000;
)

# Match on M_SP_NA_1 (single-point information, no time tag)
alert tcp any any -> any 2404 (
    msg:"IEC104 M_SP_NA_1 ASDU function";
    flow:established;
    iec104_asdu_func:M_SP_NA_1;
    sid:3001;
)

S7CommPlus

S7comm-Plus is the protocol used by Siemens Simatic S7 PLCs (S7-1200 and S7-1500 series). The inspector decodes S7comm-Plus PDUs and provides rule options for opcode, function code, and raw content matching.

binder =
{
    {
        when = { proto = 'tcp', ports = '102' },
        use  = { type = 's7commplus' },
    },
}

s7commplus = { }

Rule options: s7commplus_content, s7commplus_func, s7commplus_opcode.

OPC UA

OPC Unified Architecture is a platform-independent industrial protocol maintained by the OPC Foundation. Unlike most protocols, OPC UA does not define a fixed port. The inspector uses the wizard for service identification.

Configuration
Rule options
Example rules

wizard = { curses = { 'opcua' }, }
opcua = { }

binder =
{
    { when = { service = 'opcua' }, use = { type = 'opcua' } },
    { use = { type = 'wizard' } },
}

Option	Description
`opcua_msg_type`	Matches the message type (`HEL`, `ACK`, `ERR`, `RHE`, `OPN`, `MSG`, `CLO`)
`opcua_msg_service`	Matches a named OPC Foundation service (e.g., `BrowseRequest`)
`opcua_node_id`	Matches the node ID integer
`opcua_node_namespace_index`	Matches the node namespace index integer

alert opcua (
    msg:"PROTOCOL-SCADA OPC UA BrowseRequest detected";
    flow:to_server, established;
    content:"MSG", depth 3;
    opcua_msg_service:BrowseRequest;
    sid:4000;
)

alert opcua (
    msg:"PROTOCOL-SCADA OPC UA ERR 0x80020000 detected";
    flow:to_client, established;
    opcua_msg_type:ERR;
    content:"|00 00 02 80|", offset 8, depth 4;
    sid:4001;
)

MMS (IEC 61850)

Manufacturing Message Specification (MMS) is part of the IEC 61850 family, used in power system automation. It runs over OSI layers (TPKT, COTP, Session, Presentation, ACSE) on TCP port 102. The inspector decodes all encapsulating layers and presents the MMS PDU directly to rule options.

Configuration
Rule options
Example rules

wizard = { curses = { 'mms' }, }
mms = { }

binder =
{
    { when = { service = 'mms' }, use = { type = 'mms' } },
    { use = { type = 'wizard' } },
}

Option	Description
`mms_data`	Sets the cursor to the start of the MMS PDU, bypassing all OSI layers
`mms_func`	Matches a Confirmed Service Request/Response by name or function number

alert tcp (
    msg:"PROTOCOL-SCADA MMS Initiate-Request";
    flow:to_server, established;
    mms_data;
    content:"|A8|", depth 1;
    sid:5000;
)

alert tcp (
    msg:"PROTOCOL-SCADA MMS svc get_name_list";
    flow:to_server, established;
    content:"|A0|";
    mms_func:get_name_list;
    sid:5001;
)

Email and messaging

SMTP

The SMTP inspector examines SMTP connections for commands and responses, extracts MIME attachments, identifies TLS negotiation, and can log sender addresses, recipient addresses, attachment filenames, and email headers.

Configuration
Per-command limits
Example rules

smtp =
{
    normalize             = 'cmds',
    normalize_cmds        = 'EXPN VRFY RCPT',
    max_command_line_len  = 512,
    max_header_line_len   = 1000,
    max_response_line_len = 512,
    ignore_tls_data       = true,
    log_mailfrom          = true,
    log_rcptto            = true,
    log_filename          = true,
    log_email_hdrs        = true,
    xlink2state           = 'alert',
    b64_decode_depth      = -1,
    qp_decode_depth       = -1,
    bitenc_decode_depth   = -1,
    uu_decode_depth       = -1,
}

The normalize option accepts all, none, or cmds. When set to cmds, only commands listed in normalize_cmds are normalized (extra whitespace is collapsed).xlink2state detects CVE-2005-0560 (Exchange X-LINK2STATE heap overflow): alert, drop, or disable.MIME decoding depth options (per attachment): set to 0 to disable, -1 for unlimited:

b64_decode_depth — Base64-encoded attachments
qp_decode_depth — Quoted-Printable attachments
bitenc_decode_depth — Non-encoded MIME attachments
uu_decode_depth — UUencoded attachments

Override the default command line length for specific commands:

smtp =
{
    alt_max_command_line_len =
    {
        { command = 'MAIL', length = 260 },
        { command = 'RCPT', length = 300 },
        { command = 'HELO', length = 500 },
        { command = 'EXPN', length = 255 },
    },
}

# Detect malicious attachment by filename
alert smtp (
    msg:"Suspicious .exe attachment in email";
    flow:established;
    file_data;
    content:".exe", nocase;
    sid:6000;
)

# Detect JavaScript normalization in SMTP
alert smtp (
    msg:"Obfuscated JS in email";
    js_data;
    content:"var var_0000";
    sid:6001;
)

IMAP and POP3

The IMAP inspector handles IMAP4 protocol and the POP inspector handles POP3. Both extract and decode MIME attachments for file inspection rules.

Configuration
Example rules

binder =
{
    {
        { when = { proto = 'tcp', ports = '110' }, use = { type = 'pop' } },
        { when = { proto = 'tcp', ports = '143' }, use = { type = 'imap' } },
    },
}

imap =
{
    qp_decode_depth   = 500,
    b64_decode_depth  = -1,
}

pop =
{
    qp_decode_depth  = -1,
    b64_decode_depth = 3000,
}

All four MIME depth options (b64_decode_depth, qp_decode_depth, bitenc_decode_depth, uu_decode_depth) are shared with SMTP. Set to 0 to disable, -1 for unlimited. The limit applies per attachment.

# Detect malware in IMAP attachment
alert imap (
    msg:"Suspicious file in IMAP attachment";
    flow:established;
    file_data;
    content:"|4D 5A|", depth 2;  -- MZ header (Windows PE)
    sid:7000;
)

# Detect obfuscated JS delivered via POP3
alert pop (
    msg:"Obfuscated JS in POP3 mail";
    js_data;
    content:"eval";
    sid:7001;
)

FTP and Telnet

The FTP inspector splits FTP handling into three separate modules: ftp_server (server command/response parsing), ftp_client (client-side response parsing), and ftp_data (data channel file inspection).

ftp_server configuration
ftp_client configuration
ftp_data configuration

ftp_server =
{
    def_max_param_len = 100,
    telnet_cmds       = true,
    ignore_data_chan   = false,
    cmd_validity =
    {
        { command = 'USER', length = 16 },
        { command = 'CWD',  length = 200 },
        { command = 'PORT', format = '< host_port >' },
        { command = 'MODE', format = '< char SBC >' },
    },
}

def_max_param_len: Default maximum length for FTP command parameters. Exceeding it triggers a buffer overflow alert.
cmd_validity: Per-command length and format constraints.
telnet_cmds: Alert when Telnet escape sequences appear in the FTP command channel.
ignore_data_chan: Skip inspection of FTP data channel connections entirely (performance optimization, but disables file inspection).

ftp_client =
{
    max_resp_len           = 256,
    telnet_cmds            = true,
    ignore_telnet_erase_cmds = true,
}

max_resp_len limits response message length to detect buffer overflow exploits targeting FTP clients.

Enable FTP data channel file inspection:

ftp_data = { }

Network services

DCE/RPC

DCE/RPC is used for Windows inter-process communication (MSRPC, SMB named pipes). Attackers commonly use DCE/RPC fragmentation to evade IDS/IPS rules. The DCE/RPC inspector performs SMB desegmentation and DCE/RPC defragmentation, eliminating these evasion techniques. In Snort 3, the Snort 2 DCE/RPC preprocessor is split into three transport-specific inspectors: dce_smb, dce_tcp, and dce_udp.

Configuration
Target-based policy
SMB file inspection
Rule options
Example rules

binder =
{
    {
        when = { proto = 'tcp', ports = '139 445 1025' },
        use  = { type = 'dce_smb' },
    },
    {
        when = { proto = 'tcp', ports = '135 2103' },
        use  = { type = 'dce_tcp' },
    },
    {
        when = { proto = 'udp', ports = '1030' },
        use  = { type = 'dce_udp' },
    },
}

dce_smb = { }
dce_tcp = { }
dce_udp = { }

Each inspector can be tuned to the behavior of a specific OS/Samba version:

dce_smb = { policy = 'Win7' }
dce_tcp = { policy = 'WinVista' }

Supported policies: WinXP (default), Win2000, WinVista, Win2003, Win2008, Win7, Samba, Samba-3.0.37, Samba-3.0.22, Samba-3.0.20.

dce_smb =
{
    smb_file_inspection = 'on',
    smb_file_depth      = 0,  -- 0 = unlimited
}

file_inspect =
{
    enable_type      = true,
    enable_signature = true,
    enable_capture   = true,
    file_rules       = magics,
}

Option	Description
`dce_iface`	Match on a DCE/RPC interface UUID, optionally with version and fragment constraints
`dce_opnum`	Match on a DCE/RPC operation number or range
`dce_stub_data`	Set cursor to the start of the DCE/RPC stub data
`byte_test: ..., dce`	Byte test with endianness derived from the DCE/RPC header
`byte_jump: ..., dce`	Byte jump with endianness derived from the DCE/RPC header

# Match on Messenger service interface UUID
alert tcp any any -> any any (
    msg:"DCE/RPC Messenger interface bind";
    flow:to_server, established;
    dce_iface:5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc;
    dce_opnum:1;
    dce_stub_data;
    content:"|00 00|", depth 2;
    sid:8000;
)

# Byte test using DCE/RPC endianness
alert tcp any any -> any any (
    msg:"DCE/RPC suspicious length field";
    flow:to_server, established;
    dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188;
    dce_opnum:15-18;
    dce_stub_data;
    byte_test:4,>,35000,0,relative,dce;
    sid:8001;
)

dce_iface automatically inserts a fast pattern into the MPSE. For TCP rules it inserts |05 00 00| (to_server) or |05 00 02| (to_client). For UDP rules it inserts the interface UUID in both endian forms.

DNS

The DNS inspector processes DNS queries and responses, enabling detection of DNS-based attacks, tunneling, and malicious domains.

dns = { }

SSL / TLS

The SSL inspector parses TLS handshakes, making certificate information, cipher suites, and SNI (Server Name Indication) available to AppID and rules.

ssl = { }

SSH

The SSH inspector performs SSH protocol inspection and anomaly detection.

ssh = { }

SIP

The SIP inspector handles VoIP Session Initiation Protocol traffic. It parses SIP messages (INVITE, REGISTER, BYE, etc.) and tracks call state. AppID subscribes to SIP events to identify VoIP applications.

binder =
{
    { when = { proto = 'udp', ports = '5060' }, use = { type = 'sip' } },
    { when = { proto = 'tcp', ports = '5060' }, use = { type = 'sip' } },
}

sip = { }

NetFlow

The NetFlow inspector processes NetFlow v5, v9, and IPFIX flow records exported by routers and switches.

netflow = { }

SOCKS

The SOCKS inspector decodes SOCKS4/4a and SOCKS5 proxy handshakes, extracts tunnel metadata (target address, port, command type), and hands off tunneled traffic to the wizard for protocol identification.

wizard = { curses = { 'socks' }, }
socks  = { }

binder =
{
    { when = { service = 'socks' }, use = { type = 'socks' } },
    { use = { type = 'wizard' } },
}

Rule options: socks_version, socks_state, socks_command, socks_address_type, socks_remote_address, socks_remote_port.

alert tcp any any -> any 1080 (
    msg:"SOCKS5 CONNECT to suspicious domain";
    flow:to_server, established;
    socks_version:5;
    socks_command:1;
    socks_address_type:3;
    socks_remote_address;
    content:"evil.com";
    sid:9000;
)

Threat detection

Port scan detection

The port_scan inspector (IT_PROBE type) detects network reconnaissance by tracking negative responses (ICMP unreachables, TCP RSTs) and connection patterns. It runs after detection. port_scan detects:

Portscan types (one-to-one)

TCP, UDP, and IP portscans: one host scanning multiple ports on another host.
Filtered variants: no ICMP unreachable or TCP RST responses (common behind firewalls).

Decoy portscans

TCP, UDP, IP Decoy: real scanner address mixed with spoofed source addresses.

Distributed portscans (many-to-one)

Multiple hosts scanning a single target. Detected by tracking the scanned host rather than scanning hosts.

Portsweeps (one-to-many)

One host scanning the same port across many hosts. Typical exploit propagation behavior.
Also available for ICMP.

Sensitivity levels:

port_scan = default_low_port_scan   -- error packets only; fewest false positives
port_scan = default_med_port_scan   -- tracks connection counts; may false positive on NATs
port_scan = default_high_port_scan  -- continuous tracking; most sensitive, needs tuning

Fine-tune individual settings:

port_scan = default_low_port_scan

port_scan.tcp_ports.scans   = 5
port_scan.tcp_ports.rejects = 3
port_scan.tcp_ports.nets    = 1
port_scan.tcp_ports.ports   = 10

Exclude known-active hosts to reduce false positives:

port_scan =
{
    watch_ip        = "10.0.0.0/8",
    ignore_scanners = "10.0.0.1 10.0.0.2",  -- NAT, DNS cache
    ignore_scanned  = "10.0.0.100",
}

Back Orifice detection

The back_orifice inspector (IT_NETWORK type) detects the Back Orifice remote access trojan. It analyzes UDP traffic for Back Orifice server detection packets.

back_orifice = { }

This inspector does not require stream tracking and fires on raw network packets.

Sensitive data detection

The sd_pattern IPS rule option detects Personally Identifiable Information (PII) in traffic using Hyperscan-powered pattern matching.

sd_pattern requires Snort to be built with Hyperscan. It works as an IPS rule option with no separate inspector module to configure.

Built-in patterns:

alert tcp ( msg:"Credit card number";        sd_pattern:"credit_card";       sid:1; )
alert tcp ( msg:"US Social Security Number";  sd_pattern:"us_social";         sid:2; )
alert tcp ( msg:"US SSN no dashes";           sd_pattern:"us_social_nodashes"; sid:3; )
alert tcp ( msg:"US phone number";            sd_pattern:"us_phone";          sid:4; )
alert tcp ( msg:"Email address";              sd_pattern:"email";             sid:5; )

Custom regex pattern with a threshold:

alert tcp (
    msg:"Internal email address detected";
    sd_pattern:"\b\w+@example\.com\b", threshold 1;
    sid:6;
)

Enable PII obfuscation in logs for built-in patterns:

ips =
{
    obfuscate_pii = true  -- enabled by default
}

When obfuscation is active, matched PII bytes are replaced with X in CMG and Unified2 log output. Custom regex patterns are not obfuscated.

Get Started

Configuration

Inspectors & Detection

Running Snort

Migration from Snort 2

Protocol Inspectors

Industrial / OT protocols

Modbus

DNP3

IEC 60870-5-104 (IEC104)

S7CommPlus

OPC UA

MMS (IEC 61850)

Email and messaging

SMTP

IMAP and POP3

FTP and Telnet

Network services

DCE/RPC

DNS

SSL / TLS

SSH

SIP

NetFlow

SOCKS

Threat detection

Port scan detection

Back Orifice detection

Sensitive data detection

Build docs developers (and LLMs) love

Get Started

Configuration

Inspectors & Detection

Running Snort

Migration from Snort 2

​Industrial / OT protocols

​Modbus

​DNP3

​IEC 60870-5-104 (IEC104)

​S7CommPlus

​OPC UA

​MMS (IEC 61850)

​Email and messaging

​SMTP

​IMAP and POP3

​FTP and Telnet

​Network services

​DCE/RPC

​DNS

​SSL / TLS

​SSH

​SIP

​NetFlow

​SOCKS

​Threat detection

​Port scan detection

​Back Orifice detection

​Sensitive data detection

Build docs developers (and LLMs) love

Industrial / OT protocols

Modbus

DNP3

IEC 60870-5-104 (IEC104)

S7CommPlus

OPC UA

MMS (IEC 61850)

Email and messaging

SMTP

IMAP and POP3

FTP and Telnet

Network services

DCE/RPC

DNS

SSL / TLS

SSH

SIP

NetFlow

SOCKS

Threat detection

Port scan detection

Back Orifice detection

Sensitive data detection