How to install Snort on Ubuntu

Snort 3 on Ubuntu needs a matching packet acquisition layer before it can inspect live interfaces or replay packet captures. When the Ubuntu repositories do not provide a current Snort 3 package, building LibDAQ 3 and Snort from source keeps the binary, default Lua configuration, and DAQ modules on the same release line.

The upstream install path builds LibDAQ first, then builds Snort with configure_cmake.sh. APT supplies the compiler, build tools, LuaJIT, packet-capture, regex, compression, OpenSSL, and hardware locality libraries, while the Snort source tree installs under /usr/local.

The installed sensor should report a Snort++ version, show DAQ version 3.x, list DAQ modules such as afpacket and pcap, and validate /usr/local/etc/snort/snort.lua before local rules or a service unit are added.

Steps to install Snort on Ubuntu:

  1. Refresh the package index.
    $ sudo apt update
  2. Install the build tools and libraries required by LibDAQ and Snort 3.
    $ sudo apt install --assume-yes \
        build-essential git autoconf automake libtool pkg-config \
        cmake make g++ flex libfl-dev bison \
        libpcap-dev libpcre2-dev libluajit-5.1-dev \
        libssl-dev zlib1g-dev libhwloc-dev liblzma-dev libunwind-dev \
        libdumbnet-dev uuid-dev ca-certificates

    Ubuntu 26.04 exposes libdaq-dev for the older DAQ 2 line, so LibDAQ 3 is built from the upstream source tree for Snort 3.

  3. Clone the LibDAQ 3 source tree.
    $ cd /usr/local/src
    $ sudo git clone --depth=1 https://github.com/snort3/libdaq.git
  4. Build and install LibDAQ 3.
    $ cd /usr/local/src/libdaq
    $ sudo ./bootstrap
    $ sudo ./configure --prefix=/usr/local
    $ sudo make -j"$(nproc)"
    $ sudo make install
    $ sudo ldconfig

    ldconfig refreshes the dynamic linker cache so the later Snort build can resolve the newly installed DAQ libraries.

  5. Clone the Snort 3 source tree.
    $ cd /usr/local/src
    $ sudo git clone --depth=1 https://github.com/snort3/snort3.git

    Use a release tarball from the Snort download page instead of a Git checkout when the host must stay on a fixed release.

  6. Build and install Snort 3.
    $ cd /usr/local/src/snort3
    $ sudo ./configure_cmake.sh --prefix=/usr/local
    $ cd build
    $ sudo make -j"$(nproc)"
    $ sudo make install
    $ sudo ldconfig
  7. Confirm that the installed binary reports Snort 3 and LibDAQ 3.
    $ snort -V
     
       ,,_     -*> Snort++ <*-
      o"  )~   Version 3.12.2.0
       ''''    By Martin Roesch & The Snort Team
               Using DAQ version 3.0.27
               Using libpcap version 1.10.6
               Using OpenSSL 3.5.5

    Patch versions change over time. The important install signal is a Snort++ version line paired with DAQ version 3.x.

  8. Check that DAQ modules are visible to Snort.
    $ snort --daq-list
    Available DAQ modules:
    afpacket(v7): live inline multi unpriv
    ##### snipped #####
    pcap(v4): readback live multi unpriv
    ##### snipped #####
    savefile(v1): readback multi unpriv
    trace(v1): inline unpriv wrapper
  9. Create the runtime log directory used by later live runs and service units.
    $ sudo install -d -m 0755 -o root -g root /var/log/snort
  10. Validate the default Snort configuration.
    $ sudo snort -c /usr/local/etc/snort/snort.lua -T
    --------------------------------------------------
    o")~   Snort++ 3.12.2.0
    --------------------------------------------------
    Loading /usr/local/etc/snort/snort.lua:
    ##### snipped #####
    pcap DAQ configured to passive.
     
    Snort successfully validated the configuration (with 0 warnings).
    o")~   Snort exiting

    Use -q only for automation that checks the exit code, because it suppresses the validation transcript.
    Related: How to test Snort configuration
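The checks from steps 7, 8 and 10 can be scripted so a rebuild or upgrade fails loudly when the DAQ line or modules are wrong. This is an added example, not part of the original guide or the Snort project; the function names are hypothetical and the parsing assumes the output formats shown above.

```shell
#!/bin/sh
# Added example: post-install checks for a source-built Snort 3 sensor.
# Function names are hypothetical; parsing assumes the output shown in steps 7 and 8.

# Reads `snort -V` output on stdin. Prints the DAQ version and succeeds only
# when a Snort++ banner is present and the DAQ version is on the 3.x line.
check_version_banner() {
    banner=$(cat)
    printf '%s\n' "$banner" | grep -q 'Snort++' || {
        echo "no Snort++ banner (Snort 2 binary on PATH?)" >&2; return 1; }
    daq=$(printf '%s\n' "$banner" |
        sed -n 's/.*Using DAQ version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$daq" ] || { echo "no DAQ version line" >&2; return 1; }
    case "$daq" in
        3.*) printf '%s\n' "$daq" ;;
        *)   echo "DAQ $daq is not 3.x" >&2; return 1 ;;
    esac
}

# Reads `snort --daq-list` output on stdin and prints each required module
# (given as arguments) that is absent from the list.
missing_daq_modules() {
    list=$(cat)
    for mod in "$@"; do
        printf '%s\n' "$list" | grep -q "^[[:space:]]*${mod}(v[0-9]*):" ||
            printf '%s\n' "$mod"
    done
}

# Runs all three checks against the installed binary. -q is used for the
# config test because only the exit code matters here.
verify_install() {
    snort -V 2>&1 | check_version_banner >/dev/null || return 1
    missing=$(snort --daq-list 2>&1 | missing_daq_modules afpacket pcap)
    [ -z "$missing" ] || { echo "missing DAQ modules: $missing" >&2; return 1; }
    snort -q -c /usr/local/etc/snort/snort.lua -T
}

# Execute the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    verify_install
fi
```

Run it with `--run` after step 10; a non-zero exit means the binary, DAQ line, module list, or snort.lua needs attention before rules or a service unit are added.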