Thursday, December 11, 2014

Introducing Snort 3.0

Over the past year our development team has led two lives. 

One life was spent maintaining the code base of Snort, which secures most of the Internet with well over 5 million downloads.  Snort has not only become the standard in intrusion detection, but the Snort rules language is used by network researchers to communicate with each other to detect bad traffic.  Weve been releasing new features into the code base all along to push the envelope of detection farther and faster.

The other life initially emerged back in 2005 with the conceptual introduction of Snort 3.0. Marty Roesch, the original author of Snort and the founder of Sourcefire, started to rethink the concepts and architecture of Snort.  This resulted in a beta release of what we now call SnortSP, or the Snort Security Platform.  Some of the ideas in the original SnortSP project have made their way into the main code base of Snort over the past few releases.  Reloading without restarting, OpenAppId, gzip decompression, IP blacklisting, etc.    However, there were ideas that weve been playing with that we couldnt fold into the current code base without a complete rewrite. 

So thats what weve done.

We took Martys initial rethinking and expanded beyond that, testing different concepts of multithreading, detection, interaction, programmatic interfaces, etc. This all now culminates in the alpha release of project Snort++, which will become version Snort 3.0.

This Alpha release is for you to play with.  Its for you to break, its for you to test and get back to us about.  We need you to break it; we want you to break it. This is not ready for production and should not be used for production, so that gives us the full freedom to work with our community to make Snort 3.0 as strong as possible.

Over the development of the project well be rolling out new blog posts, white papers, webinars, documents with updates, and code all for you to test and use.  We plan on releasing often and early.  Some fantastic new features are in this new version of Snort.  Ill list a few here, and we'll expand on all of these in the next few months.

  • User-friendly design
    • We wanted to make it as easy as possible for people to learn and run Snort that means no more configuring memory, ports, arguments, etc. 
    • Built-in Documentation
    • Built-in configuration
    • Error and Multi error support
    • Verification of configuration on startup (no more having to run -T for test mode)
  • Simpler rule language
    • Were making it simpler to write rules.
    • Sticky buffers
    • Custom http buffers
    • Auto-Detection of all protocols
  • Command Line Shell
    • Secured to localhost
    • Allows someone to reload a configuration
    • Allows you to pause and resume detection
  • Multithreaded and Multi-core
    • All new design for multithreading, maintaining a single persistent configuration for many threads.

This is just a start, we have even more code and ideas we are going to build into this! Well be releasing consistently with new features and code over that same amount of time, and due to popular demand, our code will be public, hosted on Github. Were excited to hear what you have to say about it and working with you as we move the ball forward.  Please stay tuned to the Snort Blog, Snort's Twitter account, and of course the Snort 3.0 webpage on!

Please read on to Russ's Blog post about how to download it, set it up, and get the alpha working!


  1. Can i link to database without barnyard2?

    1. That functionality has been removed and handed over to the barnyard2 folks.

    2. The 2nd alpha will have async events that facilitate loggers like database feeds w/o the performance impact. We don't plan to implement a database logger, but once the framework is complete, that would be good project.

  2. I wanted to save the 'Unified2 file' such as abc, u2, etc.
    However, when I started the Snort(eg : snort -i interface_name -c /usr/local/etc/snort/snort.lua), an error occurred!!
    ( the error says : FATAL: can't init /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/snort.lua:22: module 'snort_config' not found:)

    On the other hand, the error did not occur when I changed my command (snort-v -i interface_name).
    Plz help me

    1. I suggest that you address your question to the appropriate Snort mailing list found here:

  3. Is there a projected GA release date for 3.0?

    1. Mike, thanks for asking. Not yet. We're in our third alpha (if you are keeping track with the releases), but no set date on GA yet.