Snort 3

Why Snort 3?

SNORT® Intrusion Prevention System, the world's foremost open source IPS, has officially launched Snort 3. This sweeping upgrade brings improvements and new features that deliver enhanced performance, faster processing and improved scalability for your network, plus a range of 200+ plugins so users can create a custom set-up for their network.

This version of Snort was developed in close collaboration with the Snort community. The benefits of upgrading are readily apparent:

More Adaptable

Snort 3 has been redesigned in C++, which makes the code base more modular and easier to maintain.

More Efficient

Threading and shared memory let you scale Snort 3 to your network and give it a much faster start-up. Multiple packet-processing threads share memory, which frees up more memory for more packet processing power.

More Customizable

LuaJIT-based plugins make it much easier than before for users to write their own plugins, for example to add custom Snort rule options, in-depth file processing, and more.

Better Performance

Snort rule syntax has been updated to make rules easier to write and to understand, especially for new users. The syntax is more concise, with fewer rule parts, which lets rules run faster.

Full Feature List

Feature | Snort 2 | Snort 3
Packet threads | One per process | Any number per process
Config memory use | N processes * M GB | M GB total, more for packets
Config reload | N processes, slower | One thread that can be pinned to separate cores
Startup | Single-threaded, slower | Multithreaded, faster
Plugins | Limited to preprocs and outputs | Full plugin system with more than 200 plugins
DAQ | 2.X, run to completion | 3.X, vector input, multiple outstanding packets
DAQ modules | Only legacy modules | Stacked modules, IOCTLs, file, socket and text modules
PCAP readback speed | X Mbits/sec for Max-Detect | 2X with AC, 4X with Hyperscan
IP layers | Two max | Arbitrary and configurable limits
IP reputation | Complex with shared memory | Simplified process memory
Stream TCP | Complex implementation | New and improved implementation
Service detection | AppID only, port configs required | Autodetection, most port configs optional
HTTP inspector | Partly stateful | Fully stateful
Port scan detection | High, medium and low thresholds only | Fully configurable detection thresholds
Config parsing | Report one error and quit | Report all errors
Command line | Some overlapping with config file | Set to override any config file from the command line
Default config | Complex, needs tuning | Simplified, effective
Policy examples | None | Tweaks to fit all standard Talos policies
Policy binding | One level | Nested
Rule syntax | Inconsistent and requires line escapes | Uniform system with arbitrary whitespace
Rule parsing | Buggy with limited warnings | Robust with numerous optional warnings
Rule comments | Comments only | #, #begin/#end marks, C-style and rem options
Alert file rules | No | Yes
Alert service rules | No | Yes
Fast-pattern buffers | 6 available | 14 available
SO rule features | Restricted functionality | True superset of text rules
Simple SO rules | No | Yes
Dump built-in stubs | No (SO stubs only) | Yes
Runtime tracing | No (debug tracing and misc logs only) | Yes
Documentation | LaTeX-based PDF, READMEs | ASCII docs, text, HTML and PDFs
Command-line help | No | Yes
Source code | 470,000 lines of C, with an average of 400 lines per file | 389,000 lines of C++, with an average of 200 lines per file
Distribution | Snort.org tarballs, with updates coming every six months | GitHub repo, with updates coming every two weeks
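The rule syntax, rule comments, alert service rules and alert file rules rows above are easiest to see in an actual rule file. The following is an added, constructed example (not from snort.org or the Snort project) showing all four in Snort 3 syntax; the message strings, content patterns and SIDs are placeholders.

```snort
# Constructed example rules for illustration only; not part of the Snort distribution.

#begin
Everything between the #begin and #end marks is a block comment and is ignored.
#end

/* C-style comments are accepted as well. */

# Service rule: the header names the service (http) instead of a transport
# and port, so it fires on HTTP that AppID detects on any port. Whitespace,
# including newlines, is arbitrary; no trailing backslashes are needed.
alert http any any -> any any (
    msg:"Constructed example: marker path in HTTP URI";
    flow:to_server, established;
    http_uri;
    content:"/example-marker-path", nocase;
    rem:"the rem option keeps a remark inside the rule body";
    sid:1000001;
    rev:1;
)

# File rule: inspects the carved file data regardless of the carrying protocol.
alert file (
    msg:"Constructed example: marker string inside a transferred file";
    file_data;
    content:"EXAMPLE-MARKER";
    rem:"placeholder pattern; replace with a real file signature";
    sid:1000002;
    rev:1;
)
```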

Installation

This video walks you through installing and configuring Snort 3 quickly and easily. Use the resources mentioned in the video to help you through installation, configuration, and the labs portion of the video as you familiarize yourself with Snort 3.
