# Snort Basics

## Introduction to Snort

> Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users.
>
> Snort can be deployed inline to stop these packets, as well. Snort has three primary uses: As a packet sniffer like tcpdump, as a packet logger — which is useful for network traffic debugging, or it can be used as a full-blown network intrusion prevention system. Snort can be downloaded and configured for personal and business use alike.

## Setup

I will be using a Proxmox container running Debian 11 for this guide, though I have set up Snort using Windows 10 before - there are just more steps to it.

### Topology

<figure><img src="/files/sLc1CvWWY6MUS1t11XNS" alt=""><figcaption></figcaption></figure>

This is a very simplified layout of my Proxmox homelab that I'll be using for this chapter and the next. If you'd like to follow along, I'm using a **Debian 11** container for the IDS and SIEM; the rest are different OSes. You can create VLANs, but for the sake of simplicity I won't be showing that here.

{% hint style="info" %}
For Proxmox users: use the Turnkey-Core template; otherwise this will NOT work.
{% endhint %}

{% embed url="https://youtu.be/79KiCBNbsbg" %}

## Installation

{% embed url="https://docs.snort.org/start/installation" %}

We can use this script to install Snort 3 from source onto our Debian container. It follows the upstream installation steps, but puts LibDAQ in its own prefix and Snort under `/opt/snort`.

```bash
#!/bin/bash
# Small script to install Snort 3 from source on Debian 11. Run with sudo.
# Based on the upstream steps at https://docs.snort.org/start/installation
set -e

# Build dependencies (optional packages are not included).
# cmake and git are needed by the steps below and libhwloc-dev is a hard
# requirement of Snort 3. libdumbnet-dev is Debian's packaging of libdnet.
# Recent Snort 3 releases use PCRE2; older ones use PCRE, so both are installed.
sudo apt install -y gcc build-essential cmake git libpcre3-dev libpcre2-dev zlib1g-dev libluajit-5.1-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev libhwloc-dev bison flex autoconf libtool pkg-config

# Installing LibDAQ into its own prefix so it does not collide with a distro libdaq
mkdir -p ~/snort_src
cd ~/snort_src
git clone https://github.com/snort3/libdaq.git
cd libdaq
./bootstrap
./configure --prefix=/usr/local/lib/daq_s3
make
sudo make install
# Tell the dynamic linker where the DAQ libraries live, then refresh the cache
echo "/usr/local/lib/daq_s3/lib" | sudo tee /etc/ld.so.conf.d/libdaq3.conf
sudo ldconfig

# Building Snort
cd ~/snort_src
git clone https://github.com/snort3/snort3.git
export my_path='/opt/snort'
# Let the Snort build find libdaq through pkg-config in the non-default prefix
export PKG_CONFIG_PATH="/usr/local/lib/daq_s3/lib/pkgconfig:${PKG_CONFIG_PATH}"
mkdir -p "$my_path"
cd snort3
./configure_cmake.sh --prefix="$my_path"
cd build
make -j "$(nproc)"
sudo make install

# Check if the install is correct: -V prints the version banner (the piggy) and exits
"$my_path/bin/snort" -V
# List the DAQ modules; --daq-dir points Snort at the non-default libdaq install
"$my_path/bin/snort" --daq-dir /usr/local/lib/daq_s3/lib/daq --daq-list
```

## Configuring Rules

### Using Oinkcode and PulledPork to get the latest rules

### Adding rules to snort.lua
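Snort 3 is configured with Lua rather than the old `snort.conf`, and rules are attached through the `ips` table. The following minimal config is an added example (not the page's own config, and not the stock `snort.lua` shipped with Snort); it assumes the `/opt/snort` prefix and the LibDAQ prefix from the install script above, and the `10.0.0.0/24` home network and `lab.lua` filename are assumptions for the lab.

```lua
-- lab.lua: minimal Snort 3 config with two local rules (added example).
-- Validate:      /opt/snort/bin/snort -c lab.lua -T
-- Replay a pcap: /opt/snort/bin/snort -c lab.lua -r capture.pcap -A alert_fast
-- Live on eth0:  /opt/snort/bin/snort -c lab.lua -i eth0 -A alert_fast \
--                    --daq-dir /usr/local/lib/daq_s3/lib/daq

ips =
{
    -- builtin decoder/inspector rules (gid 116, 129, ...) on top of our own
    enable_builtin_rules = true,

    -- ipvars/portvars referenced by the rules below; HOME_NET is an assumed lab subnet
    variables =
    {
        nets  = { HOME_NET = '10.0.0.0/24', EXTERNAL_NET = '!10.0.0.0/24' },
        ports = { SSH_PORTS = '22' },
    },

    -- rules can live in a file (absolute path or relative to --rule-path) ...
    -- include = '/opt/snort/etc/snort/rules/local.rules',

    -- ... or be written inline. Local rules use sid >= 1000000 so they never
    -- collide with the Talos/community rule sets; gid defaults to 1.
    rules = [[
        alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"LAB ICMP echo request into home net"; itype:8; sid:1000001; rev:1; )
        alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS ( msg:"LAB inbound SSH connection attempt"; flow:to_server; flags:S; sid:1000002; rev:1; )
    ]],
}

-- one-line alerts on stdout; set file = true to write alert_fast.txt under -l <logdir>
alert_fast = { file = false }
```

Always run the `-T` check after editing: it parses the Lua and every rule and exits non-zero on a bad option or a duplicate sid, which is far cheaper to find here than after the sensor has silently dropped a rule file in production.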


