From upstream's description: Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users.

Snort can operate in several modes:

  1. Alert/logging only, so-called Intrusion Detection System (IDS)
  2. Alert/logging + blocking, so-called Intrusion Prevention System (IPS)

The IDS configuration will:

  • Only require a single NIC
  • Only alert users to rule matches but take no action to prevent them (ie will not drop or reject)

The IPS configuration will:

  • Require at least two NICs, one LAN facing and a second one WAN facing. If the device is the network router, only two are required but if the device is physically connected to the router, a third NIC will be needed in order to connect to the snort box.

Packages for both Snort 2.x as well as Snort 3.x are currently available. This page is focused exclusively on the 3.x series.

To install snort:

opkg update
opkg install snort3

At a minimum, grab a copy of the freely available community rules and place snort3-community.rules in a directory of your choosing, for example on external media, for example, /mnt/mmcblk0p3/snort/

In addition to this rule set, users may optionally register for a free account at which grants access to more rule sets to augment the free ones described above. Follow the instructions to download your snortrules-snapshot tarball.

Here is a simple helper script:

# snortver needs to be manually defined
# find the largest number from
wget "$shortver.tar.gz?oinkcode=$oinkcode" -O /tmp/new.tar.gz || exit 1
tar zxf /tmp/new.tar.gz -C "$snort" || exit 1

Changes were merged on 07-Dec-2022 simplifying configuration. Users of a stable build such as 22.03.x will not have the snort3 package containing these changes whereas users of a development snapshot will. The following sections are therefore split to reflect the two configurations.

There are several config files:

  • /etc/config/snort is the OpenWrt daemon config file holding some runtime options.
  • /etc/snort/snort.lua is the main configuration, allowing the implementation and configuration of Snort inspectors (preprocessors), rules files inclusion, event filters, output, etc.
  • /etc/snort/snort_defaults.lua file contains default values such as paths to rules, AppID, intelligence lists, and network variables.

1. Define which interface on which to listen in /etc/config/snort (default is eth0).

2. Edit /etc/snort/snort_defaults.lua defining the path to the directory holding the contents of the tarball. In the example below, we are using attached storage but any path will work:

RULE_PATH = '/mnt/mmcblk0p3/snort/rules/'
BUILTIN_RULE_PATH = '/mnt/mmcblk0p3/snort/builtin_rules'
PLUGIN_RULE_PATH = '/mnt/mmcblk0p3/snort/so_rules'

3. Edit the main config file, /etc/snort/snort.lua for the initial setup. At a minimum, we need to define three sections:

  • HOME_NET (define the network/networks to protect by IP range, note that multiple ranges can be defined as shown below)
  • EXTERNAL_NET (define everything but HOME_NET)
  • ips section (setup run mode [listen and alert only or listen, alert, and drop] and define the .rules file/files to read)
HOME_NET = [[ ]]

Snort can operate in three different modes namely tap (passive), inline, and inline-test.

  1. To have snort act as an IDS, only alerting to rule matches, use mode = tap,
  2. To have snort act as an IPS, both alerting to rule matches AND triggering corresponding drop rules, use mode = inline,
  3. A third mode is available which simulates the inline mode to allow users to evaluation the behavior of inline without affecting traffic. Use mode = inline-test, for this behavior.
ips =
    mode = tap,
    variables = default_variables,
    rules = [[ 
    include $RULE_PATH/snort3-community.rules
    include $RULE_PATH/snort3-malware-backdoor.rules
    include $RULE_PATH/snort3-policy-multimedia.rules
    include $RULE_PATH/snort3-protocol-services.rules
    include $RULE_PATH/snort3-policy-social.rules

Memory and CPU usage will proportionally increase as the number of rules increases. Be sure to check system usage with a utility like top or htop.

1. Define the interface pair or device pair on which to listen in /etc/config/snort (for example eth0:eth1).

2. Change mode = tap in the ips = section of /etc/snort/snort.lua to mode = inline,.

3. Add the following under the ips = section of /etc/snort/snort.lua:

daq = {
  module_dirs = {
  modules = {
      name = 'afpacket',
      mode = 'inline',
      action_override = 'drop',
      variables = {

4. Edit /etc/init.d/snort and append a -Q to the procd_set_param command like so to enable Inline mode which will trigger drop rules:

procd_set_param command $PROG -q --daq-dir /usr/lib/daq/ -i "$interface" -c "$config_name" -A "$alert_module" -Q

This section only applies to users running development snapshots post 07-Dec-2022! This version of the package is much compartmentalized and simplified in its setup compared to the older package.

There are several config files:

  • /etc/config/snort is the OpenWrt daemon config file holding some runtime options.
  • /etc/snort/homenet.lua contains definitions for several key variables.
  • /etc/snort/local.lua contains all other modules and options.

1. Edit /etc/snort/homenet.lua and redefine HOME_NET and EXTERNAL_NET, for example:

HOME_NET = [[ ]]

2. Edit /etc/snort/local.lua to setup options unique to your use case of snort. The defaults included should be sane for the role of IDS (alert only), but users may easily uncomment some options therein to use IPS (drop) mode. See the comments in the file. Be sure to add the following line in the ips = section if running in IPS mode: action_override = 'drop',

3. Install or symlink rules to /etc/snort/rules/snort.rules edit optionally edit /etc/snort/local.lua to define extra rules files if not using unified 'snort.rules'

Validate the config file by running the following:

For the stable release ONLY

snort -c /etc/snort/snort.lua --daq-dir /usr/lib/daq -T

For the development release ONLY

snort -c /etc/snort/snort.lua --tweaks local -T

Start the daemon and optionally enable it to run at boot:

/etc/init.d/snort start
/etc/init.d/snort enable

The OpenWrt package writes alerts to the syslog by default. Query like so:

# logread -e snort
Mon Nov 28 09:55:23 2022 snort: [1:254:16] "PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority" [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} ->
Mon Nov 28 13:09:16 2022 snort: [1:29456:3] "PROTOCOL-ICMP Unusual PING detected" [Classification: Information Leak] [Priority: 2] {ICMP} ->
Mon Nov 28 13:09:17 2022 snort: [1:29456:3] "PROTOCOL-ICMP Unusual PING detected" [Classification: Information Leak] [Priority: 2] {ICMP} ->
Mon Nov 28 13:09:18 2022 snort: [1:29456:3] "PROTOCOL-ICMP Unusual PING detected" [Classification: Information Leak] [Priority: 2] {ICMP} ->
Mon Nov 28 13:09:19 2022 snort: [1:29456:3] "PROTOCOL-ICMP Unusual PING detected" [Classification: Information Leak] [Priority: 2] {ICMP} ->
  • Look up log entries by keyword in the snort database.
  • Linux installation/configuration guide written by Yaser Mansour. It is targeted at Oracle Linux 8 but concepts are not distro-specific.
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2023/05/02 06:15
  • by darksky2