Snort 3 (also known as Snort++) is the next generation of the Snort Intrusion Prevention System (IPS). Built as a complete redesign from Snort 2, it delivers a superset of Snort 2.X functionality with better throughput, detection, scalability, and usability.
Project = Snort++
Binary  = snort
Version = 3.0.0 (Build 250) from 2.9.11

Key Features

Multi-threaded Processing

Process multiple packet streams in parallel using configurable packet threads. Scale across CPU cores with built-in CPU affinity management via hwloc.

Lua Configuration

The entire Snort configuration is a live Lua script. Use variables, functions, conditionals, and includes — configuration is no longer just a static file.

Plugin Framework

Over 200 built-in modules covering codecs, inspectors, IPS options, loggers, fast-pattern engines, and shared-object rules. Extend Snort with custom plugins.

Portless Service Detection

The wizard inspector automatically identifies protocols from traffic content rather than port numbers. Rules bound to services fire regardless of which port a service runs on.

Hyperscan Support

Optionally integrate Intel Hyperscan (>= 4.4.0) for high-performance regular expression and fast-pattern matching, enabling the regex and sd_pattern rule options.

New HTTP Inspector

A completely rewritten HTTP inspector with deep request and response analysis, sticky buffers, and inspection events for downstream consumers.

Performance Monitoring

The perf_monitor module captures configurable peg counts at runtime. The profiler module tracks time and memory per module and rule so you can tune your deployment.

Inspection Events

Inspectors publish access to their data (HTTP URI, file data, etc.) using a publish-subscribe pattern. Downstream inspectors consume only what they need, enabling just-in-time normalization.

Processing Architecture

Snort 3 is a signature-based IPS. As packets arrive, they flow through a structured pipeline where each stage reassembles, normalizes, and inspects the traffic before a final verdict is issued.
(pkt) -> [decode] -> [stream] -> [service] -> [detect] -> [log] -> (verdict)
                  ---------------------------------------------------
                           [appid]   [firewall]   [other]
| Stage | What happens |
|---|---|
| decode | Stateless decoding of encapsulation layers (e.g. eth:ip:tcp:http). Checks each protocol for sanity and anomalies. |
| stream | Stateful reassembly. IP fragments are reordered; TCP segments are reassembled into the original application PDU. |
| service | Protocol-specific inspectors (HTTP, SMTP, DNS, FTP, SMB, and more) normalize PDU content. Service is identified by the wizard when no port binding matches. |
| detect | Two-step detection: (1) fast-pattern multipattern search across all compiled rule groups, (2) full rule evaluation for any matches. |
| log | Alert loggers write events in the configured format (fast, unified2, CSV, etc.). Packet loggers write pcap or hex dumps. |
| verdict | In passive mode, traffic passes. In inline mode, Snort can block, reset, or allow the flow based on the triggered rule action. |

Snort 3 uses inspection events so that data is published by access reference, not by value. Normalization happens only on first access — subsequent reads reuse the cached result. This “just-in-time” model avoids wasted work when data is produced but never consumed.

Snort 3 vs. Snort 2

Snort 3 is not backwards compatible with Snort 2. This was a deliberate decision to remove architectural constraints and enable the features above.
| Area | Snort 2 | Snort 3 |
|---|---|---|
| Configuration | snort.conf (custom DSL) | snort.lua (full Lua script) |
| Preprocessors | Ordered list, iterated per packet | Named inspector types with event-driven dispatch |
| Threading | Single packet thread | Multiple packet threads (--max-packet-threads) |
| Port binding | Explicit port lists required | Wizard autodetects services portlessly |
| Rule syntax | Snort 2 syntax | Updated syntax: comma-separated sub-options, sticky buffers, alert http style service rules |
| SO rules | Supported | Significantly improved |
| Pattern matching | ac_bnfa default | ac_bnfa default + optional Hyperscan integration |
| HTTP inspection | Legacy HTTP preprocessor | Completely rewritten HTTP inspector |
| Config callbacks | Limited | Full Lua scripting: variables, environment, functions |

If you have an existing Snort 2 deployment, use the bundled snort2lua tool to automatically convert your snort.conf and rules files to the Snort 3 format:
snort2lua -c snort.conf
This generates snort.lua from your existing configuration. Review the output and adjust as needed.
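
The Snort 3 column of the comparison above, written out as a minimal hand-written snort.lua. This is an added example, not taken from the Snort distribution or from snort2lua output; it assumes snort_defaults.lua sits in the directory named by SNORT_LUA_PATH, and the rule text, its message and sid 1000001 are constructed for illustration.

```lua
-- Added example (not the project's own snort.lua).
-- Environment: find the shipped defaults through SNORT_LUA_PATH, falling
-- back to the current directory when the variable is unset.
local dir = os.getenv('SNORT_LUA_PATH') or '.'
dofile(dir .. '/snort_defaults.lua')   -- provides default_wizard

-- Variables: plain Lua globals.
HOME_NET = 'any'
EXTERNAL_NET = 'any'

-- Inspectors are named tables; an empty table means "use the defaults".
stream = { }
stream_tcp = { }
http_inspect = { }
wizard = default_wizard

-- Functions: generate binder entries instead of repeating them by hand.
-- 'by_service' is a name chosen for this example.
local by_service = { http = 'http_inspect' }

binder = { }
for service, inspector in pairs(by_service) do
    -- Bound by identified service, not by port list.
    table.insert(binder, { when = { service = service },
                           use = { type = inspector } })
end
-- Catch-all last: anything not yet identified goes to the wizard, which
-- determines the service from traffic content.
table.insert(binder, { use = { type = 'wizard' } })

-- Snort 3 rule syntax: "alert http" service header with no ports,
-- http_uri as a sticky buffer, and comma-separated sub-options (nocase
-- follows the content string after a comma instead of being a separate
-- option). The rule matches on any port where HTTP is detected.
ips =
{
    rules = [[
        alert http
        (
            msg:"Constructed example: request for /admin/ path";
            flow:to_server,established;
            http_uri; content:"/admin/", nocase;
            sid:1000001; rev:1;
        )
    ]],
}
```

Running `snort -c snort.lua -T` loads and validates the configuration without processing traffic.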

What’s Next

Quickstart

Install dependencies, build from source, and run your first packet capture in minutes.

Building Snort 3

Full reference for all build methods, dependencies, cmake options, and platform-specific notes.
