Snort configuration tests catch Lua, rule, and DAQ problems before a sensor starts reading traffic. The test belongs after edits to /usr/local/etc/snort/snort.lua, rule-file changes, or capture-flag updates so the running process is not restarted with a broken policy.

Snort 3 validates a supplied Lua configuration with -c and can include a separate rules file with -R. The -T flag tells Snort to parse and report on the current configuration, then exit before packet processing begins.

Use the same rule files and DAQ or interface options that the live sensor will use. The final validation line proves the files parse and the rules compile; a packet replay or short live run is still needed to prove alert output and packet capture.

Steps to test Snort configuration:

  1. Run the baseline configuration test.
    $ sudo snort -c /usr/local/etc/snort/snort.lua -T
    --------------------------------------------------
    o")~   Snort++ 3.12.2.0
    --------------------------------------------------
    Loading /usr/local/etc/snort/snort.lua:
    ##### snipped #####
    rule counts
           total rules loaded: 219
                   text rules: 219
                option chains: 219
                chain headers: 1
    ##### snipped #####
    pcap DAQ configured to passive.
     
    Snort successfully validated the configuration (with 0 warnings).
    o")~   Snort exiting

    Use -q only for automation that checks the exit status, because it suppresses the normal validation transcript.

  2. Repeat the test with all warnings enabled while changing Lua files or rules.
    $ sudo snort --warn-all -c /usr/local/etc/snort/snort.lua -T
    WARNING: /usr/local/etc/snort/snort.lua: appid: app_detector_dir not configured; no support for appids in rules.
    ##### snipped #####
    Snort successfully validated the configuration (with 1 warnings).
    o")~   Snort exiting

    --warn-all expands warning coverage for configuration, symbols, rules, flowbits, DAQ, plugins, scripts, hosts, and variables.

  3. Test an existing local rule file with -R before adding it to the persistent policy.
    $ sudo snort -c /usr/local/etc/snort/snort.lua \
        -R /usr/local/etc/snort/rules/local.rules -T
    Loading rule args:
    Loading /usr/local/etc/snort/rules/local.rules:
    Finished /usr/local/etc/snort/rules/local.rules:
    ##### snipped #####
    rule counts
           total rules loaded: 220
                   text rules: 220
                option chains: 220
                chain headers: 2
    ##### snipped #####
    Snort successfully validated the configuration (with 0 warnings).
    o")~   Snort exiting

    A one-rule local file increases the loaded rule count by one; the chain header count rises from 1 to 2 because the new rule uses a header (action, protocol, addresses, ports) that no existing rule shares. A larger ruleset should change the count by the number of enabled rules that compile successfully; a smaller change than expected usually means rules in the file are commented out or disabled.

  4. Validate the DAQ and interface flags used by the final run command.
    $ sudo snort --warn-all -c /usr/local/etc/snort/snort.lua \
        -R /usr/local/etc/snort/rules/local.rules \
        --daq pcap -i eth0 -T
    WARNING: /usr/local/etc/snort/snort.lua: appid: app_detector_dir not configured; no support for appids in rules.
    ##### snipped #####
    pcap DAQ configured to passive.
     
    Snort successfully validated the configuration (with 1 warnings).
    o")~   Snort exiting

    Replace eth0 with the sensor interface that Snort will use. Use the validated DAQ flags again when building a service unit or a runbook command.
    Related: How to check Snort DAQ modules

  5. Fix the first fatal error before retesting.
    $ sudo snort -c /usr/local/etc/snort/snort.lua \
        -R /usr/local/etc/snort/rules/local.rules -T
    ERROR: /usr/local/etc/snort/rules/local.rules:1 unable to open rules file '/usr/local/etc/snort/rules/local.rules': No such file or directory
    FATAL: see prior 1 errors (0 warnings)
    Fatal Error, Quitting..

    Do not restart a Snort service after a fatal parse error. -T exits non-zero on a fatal error, so a deploy script can check the exit status before touching the service; keep the running sensor on the last known-working configuration until -T completes successfully.
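
    Wrapping steps 1 through 5 in a deploy gate, as an added example that is not part of the original page or the Snort project: the script runs the step-4 command, checks the exit status, reads the warning count from the final validation line, and restarts the service only on a clean pass. The snort3.service unit name, the file paths, eth0 and the zero-warning threshold are assumptions to be overridden in the environment; the sample transcripts at the bottom are constructed from the output shapes shown above so the parser can be exercised without a sensor.

```shell
#!/bin/sh
# Added example (not from the original page or the Snort project): run the
# same -T validation the steps above use, then restart the service only when
# it passes. Paths, interface, unit name and MAX_WARNINGS are assumptions.

SNORT_BIN="${SNORT_BIN:-snort}"
SNORT_CONF="${SNORT_CONF:-/usr/local/etc/snort/snort.lua}"
SNORT_RULES="${SNORT_RULES:-/usr/local/etc/snort/rules/local.rules}"
SNORT_IFACE="${SNORT_IFACE:-eth0}"
SNORT_UNIT="${SNORT_UNIT:-snort3.service}"   # assumed service unit name
MAX_WARNINGS="${MAX_WARNINGS:-0}"            # with --warn-all, fail on any warning by default

# Run the validation with the exact DAQ and interface flags the live sensor uses.
# No -q here: the transcript is parsed below, and the exit status is still checked.
run_validation() {
    "$SNORT_BIN" --warn-all -c "$SNORT_CONF" -R "$SNORT_RULES" \
        --daq pcap -i "$SNORT_IFACE" -T 2>&1
}

# Print the warning count from the final "successfully validated" line,
# "fatal" if the transcript carries a FATAL line, or "unknown" if neither appears.
# Returns non-zero for fatal and unknown.
summarize_transcript() {
    transcript="$1"
    if printf '%s\n' "$transcript" | grep -q '^FATAL:'; then
        echo fatal
        return 1
    fi
    count=$(printf '%s\n' "$transcript" \
        | sed -n 's/.*successfully validated the configuration (with \([0-9][0-9]*\) warnings).*/\1/p' \
        | tail -n 1)
    if [ -z "$count" ]; then
        echo unknown
        return 1
    fi
    echo "$count"
}

# Deployable only when snort -T exited 0, the success line is present,
# and the warning count does not exceed MAX_WARNINGS.
config_is_deployable() {
    transcript="$1"
    status="$2"
    [ "$status" -eq 0 ] || return 1
    count=$(summarize_transcript "$transcript") || return 1
    [ "$count" -le "$MAX_WARNINGS" ]
}

main() {
    transcript=$(run_validation)
    status=$?
    printf '%s\n' "$transcript"
    if config_is_deployable "$transcript" "$status"; then
        echo "validation passed; restarting $SNORT_UNIT"
        systemctl restart "$SNORT_UNIT"
    else
        echo "validation failed (exit $status); leaving $SNORT_UNIT on its current policy" >&2
        exit 1
    fi
}

# Constructed sample transcripts, trimmed from the output shapes shown in the
# steps above, so the parser can be exercised without a sensor.
SAMPLE_OK='Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting'
SAMPLE_WARN='WARNING: /usr/local/etc/snort/snort.lua: appid: app_detector_dir not configured; no support for appids in rules.
Snort successfully validated the configuration (with 1 warnings).
o")~   Snort exiting'
SAMPLE_FATAL='ERROR: /usr/local/etc/snort/rules/local.rules:1 unable to open rules file: No such file or directory
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..'

# Dispatch: "deploy" runs the gate; no argument only defines the functions
# (for sourcing or testing against the samples).
case "${1:-}" in
    deploy) main ;;
    "")     : ;;
    *)      echo "usage: $0 deploy" >&2; exit 2 ;;
esac
```

    Run it as sh snort-check.sh deploy from a runbook or CI job; the name snort-check.sh is an assumption. Because the warning count is read from the transcript rather than from the exit status alone, run_validation must not add -q. Set MAX_WARNINGS to the number of warnings already accepted for the sensor (for example the appid warning above) so that only new warnings block a restart.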