Snort configuration tests catch Lua, rule, and DAQ problems before a sensor starts reading traffic. Run the test after every edit to /usr/local/etc/snort/snort.lua, every rule-file change, and every capture-flag update, so the running process is never restarted on a broken policy.
Snort 3 validates a supplied Lua configuration with -c and can include a separate rules file with -R. The -T flag tells Snort to parse and report on the current configuration, then exit before packet processing begins.
Use the same rule files and DAQ or interface options that the live sensor will use. The final validation line proves the files parse and the rules compile; a packet replay or short live run is still needed to prove alert output and packet capture.
Related: How to enable a Snort ruleset
Related: How to create a Snort systemd service
$ sudo snort -c /usr/local/etc/snort/snort.lua -T
--------------------------------------------------
   o")~   Snort++ 3.12.2.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
##### snipped #####
rule counts
       total rules loaded: 219
               text rules: 219
            option chains: 219
            chain headers: 1
##### snipped #####
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
Use -q only for automation that checks the exit status, because it suppresses the normal validation transcript.
$ sudo snort --warn-all -c /usr/local/etc/snort/snort.lua -T
WARNING: /usr/local/etc/snort/snort.lua: appid: app_detector_dir not configured; no support for appids in rules.
##### snipped #####
Snort successfully validated the configuration (with 1 warnings).
o")~   Snort exiting
--warn-all expands warning coverage for configuration, symbols, rules, flowbits, DAQ, plugins, scripts, hosts, and variables.
$ sudo snort -c /usr/local/etc/snort/snort.lua \
    -R /usr/local/etc/snort/rules/local.rules -T
Loading rule args:
Loading /usr/local/etc/snort/rules/local.rules:
Finished /usr/local/etc/snort/rules/local.rules:
##### snipped #####
rule counts
       total rules loaded: 220
               text rules: 220
            option chains: 220
            chain headers: 2
##### snipped #####
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
A one-rule local file increases the loaded rule count by one. A larger ruleset should change the count by the number of enabled rules that compile successfully.
Related: How to create a local Snort rule
$ sudo snort --warn-all -c /usr/local/etc/snort/snort.lua \
    -R /usr/local/etc/snort/rules/local.rules \
    --daq pcap -i eth0 -T
WARNING: /usr/local/etc/snort/snort.lua: appid: app_detector_dir not configured; no support for appids in rules.
##### snipped #####
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 1 warnings).
o")~   Snort exiting
Replace eth0 with the sensor interface that Snort will use. Use the validated DAQ flags again when building a service unit or a runbook command.
Related: How to check Snort DAQ modules
$ sudo snort -c /usr/local/etc/snort/snort.lua \
    -R /usr/local/etc/snort/rules/local.rules -T
ERROR: /usr/local/etc/snort/rules/local.rules:1 unable to open rules file '/usr/local/etc/snort/rules/local.rules': No such file or directory
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..
Do not restart a Snort service after a fatal parse error. Keep the running sensor on the last known-working configuration until -T completes successfully.
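The following pre-flight script is an added example, not part of this page or of the Snort project: it runs the same -T command shown above with the live sensor's flags, then only permits a restart when Snort exited 0, printed its success line, and compiled at least an expected number of rules (so an accidentally empty or unreadable ruleset is caught, not just a parse error). The binary path, interface, MIN_RULES floor and the SNORT_PREFLIGHT switch are assumed names.

```shell
#!/bin/sh
# Added example, not from the page. Paths match the page; SNORT_BIN,
# SNORT_IFACE, MIN_RULES and SNORT_PREFLIGHT are assumed variable names.
SNORT_BIN="${SNORT_BIN:-snort}"
SNORT_LUA="/usr/local/etc/snort/snort.lua"
SNORT_RULES="/usr/local/etc/snort/rules/local.rules"
SNORT_IFACE="${SNORT_IFACE:-eth0}"
MIN_RULES="${MIN_RULES:-1}"   # assumed floor for "total rules loaded"

# Read a -T transcript on stdin. Prints "rules=N warnings=N" and returns
# 0 only when Snort printed its success line, no FATAL line appeared and
# the rule count is at least $1; warnings are reported, not treated as failure.
check_transcript() {
    min="${1:-1}"; rules=""; warnings=""; ok=0; fatal=0
    while IFS= read -r line; do
        case "$line" in
            *"total rules loaded:"*)
                rules=${line##*"total rules loaded: "} ;;
            *"Snort successfully validated the configuration (with "*)
                ok=1
                warnings=${line##*"(with "}
                warnings=${warnings%%" warning"*} ;;
            FATAL:*|"Fatal Error"*) fatal=1 ;;
        esac
    done
    rules=${rules:-0}; warnings=${warnings:-0}
    printf 'rules=%s warnings=%s\n' "$rules" "$warnings"
    [ "$fatal" -eq 0 ] && [ "$ok" -eq 1 ] || return 1
    [ "$rules" -ge "$min" ] || return 2
}

# Run the validation with the live sensor's DAQ flags, keeping Snort's own
# exit status as well as the transcript verdict.
preflight() {
    out=$("$SNORT_BIN" --warn-all -c "$SNORT_LUA" -R "$SNORT_RULES" \
          --daq pcap -i "$SNORT_IFACE" -T 2>&1)
    status=$?
    printf '%s\n' "$out" | check_transcript "$MIN_RULES" || return 1
    [ "$status" -eq 0 ]
}

# Restart only when the check passes; on failure the running sensor stays
# on its last known-good policy.
if [ "${SNORT_PREFLIGHT:-0}" = "1" ]; then
    if preflight; then
        systemctl restart snort
    else
        echo "snort -T failed; not restarting" >&2
        exit 1
    fi
fi
```

Invoke as `SNORT_PREFLIGHT=1 MIN_RULES=200 sh preflight.sh` from a deploy step; without SNORT_PREFLIGHT=1 the file only defines the functions.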