Raspberry Pi4 | Snort | Should I install?

I noticed that Snort was part of a RP4 community build and was wondering if I should install this package.

Intrusion prevention and detection certainly seems like something I should be running, but I'm a bit put off by the first line in the configuration guide:

Setting up SNORT is complex. With snort for openwrt you will need to test and probe your way through some of the config running

Is this something I can just 'set and forget'?

for users with average skills... snort2 is more reliable / simple if available...

the snort3 included in the custom build you mention is modified and experimental... ( for medium/advanced users )...

there were recent bumps to snort3 that may have improved its out of the box workability... but I have not tested since these commits...

likely not, ids by definition conflicts with that philosophy...

note: if you wish to install 'official' snort/s on the custom build please first remove the modified service files;

rm /etc/config/snort; rm /etc/init.d/snort; opkg remove snort3

I've installed SNORT and downloaded the community file to

/etc/snort/rules/community.rules

I edited the snort.conf file according to the guide, but I'm receiving an error relating to section 7 of the config file - i.e. site specific rules

I initially received an error because the local.rules folder wasn't found. I manually created the folder.

I'm now receiving an error for etc/snort/rules/app-detect.rules:

ERROR: .//etc/snort/rules/app-detect.rules(0) Unable to open rules file ".//etc/snort/rules/app-detect.rules": No such file or directory.

Fatal Error, Quitting..

Should these folders have been created automatically as part of the install process? Has something gone wrong? Do I need to manually create them or comment them all out in the snort.conf file?

if you are using the community method... you should seek support in the community thread...

otherwise try start fresh again...

and re-install...

afair... on the official version... no they are not created with snort3 (just the blank folder i think)

I installed 2.9.17-2

I then followed this guide:

  1. Download your rules from www.snort.org and move them to the router.

  2. set “ ipvar HOME_NET ” to your Home network

  3. set the rule paths “var RULE_PATH” to your explicit path

  4. set the Shared Object rule path “var SO_RULE_PATH” to your explicit path

  5. set the Preprocessor Rule path “var PREPROC_RULE_PATH” to your explicit path

  6. set the White List path “var WHITE_LIST_PATH” to your explicit path. Create the path or comment this out

  7. set the Black List path “var Black_LIST_PATH” to your explicit path. Create the path or comment this out

  8. set “dynamicpreprocessor directory” to “/usr/lib/snort_dynamicpreprocessor/”

  9. set “dynamicengine” to “/usr/lib/snort_dynamicengine/libsf_engine.so”

  10. comment out “dynamicdetection directory /usr/lib/snort_dynamicrules” (not working with current install)

  11. uncomment “output alert_syslog: LOG_AUTH LOG_ALERT”

  12. (optional) add local.rules and/or community file to RULE_PATH

  13. (optional) add “include $RULE_PATH/local.rules” and/or “include $RULE_PATH/community.rules” below “# site specific rules”

  14. make/add threshold.conf to /etc/snort/

Then I ran this command:

snort -c "snort.conf" -i "lo" --daq-dir /usr/lib/daq

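The "Unable to open rules file" failure above comes from an include line in snort.conf that points at a file that is not there yet (a rules file not downloaded, or a path that does not match RULE_PATH). The following is an added example, not part of this thread and not Snort's or OpenWrt's own tooling: a small POSIX sh check that expands $RULE_PATH, $SO_RULE_PATH and $PREPROC_RULE_PATH from a Snort 2.9 snort.conf, resolves every active include line, and lists the missing files before snort is started. The sample config it builds is constructed to mirror the situation in the thread (local.rules present, community.rules referenced but not yet downloaded). It assumes Snort 2.9 resolves a relative include path relative to the directory holding snort.conf; treat that as an assumption rather than a documented guarantee.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check that every active
# "include" line in a Snort 2.9 snort.conf resolves to an existing file.

# Print the value of "var NAME value" from a snort.conf.
# $1 = conf file, $2 = variable name; trailing whitespace is stripped.
snort_var() {
    sed -n "s/^[[:space:]]*var[[:space:]]\{1,\}$2[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Print one resolved path per active include line. Lines commented out with
# '#' are skipped, just as Snort skips them. A relative path is taken relative
# to the directory holding snort.conf (assumption, see lead-in).
snort_includes() {
    conf=$1
    conf_dir=$(dirname "$conf")
    rule_path=$(snort_var "$conf" RULE_PATH)
    so_path=$(snort_var "$conf" SO_RULE_PATH)
    preproc_path=$(snort_var "$conf" PREPROC_RULE_PATH)
    sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}//p' "$conf" |
    while read -r path; do
        path=$(printf '%s\n' "$path" |
            sed -e "s|\$RULE_PATH|$rule_path|" \
                -e "s|\$SO_RULE_PATH|$so_path|" \
                -e "s|\$PREPROC_RULE_PATH|$preproc_path|")
        case $path in
            /*) printf '%s\n' "$path" ;;
            *)  printf '%s/%s\n' "$conf_dir" "$path" ;;
        esac
    done
}

# Print every missing include; return 0 when all exist, 1 otherwise.
# Usage on the router:  check_snort_includes /etc/snort/snort.conf && snort -c /etc/snort/snort.conf ...
check_snort_includes() {
    missing=$(snort_includes "$1" | while read -r f; do
        [ -f "$f" ] || printf 'missing: %s\n' "$f"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample in a temp dir: local.rules and preprocessor.rules exist,
# community.rules is referenced but absent. Prints the path of the snort.conf.
make_sample_conf() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/snort/rules" "$dir/etc/snort/preproc_rules"
    : > "$dir/etc/snort/rules/local.rules"
    : > "$dir/etc/snort/preproc_rules/preprocessor.rules"
    : > "$dir/etc/snort/classification.config"
    cat > "$dir/etc/snort/snort.conf" <<EOF
ipvar HOME_NET 192.168.1.0/24
var RULE_PATH $dir/etc/snort/rules
var SO_RULE_PATH $dir/etc/snort/so_rules
var PREPROC_RULE_PATH $dir/etc/snort/preproc_rules
include classification.config
include \$PREPROC_RULE_PATH/preprocessor.rules
# site specific rules
include \$RULE_PATH/local.rules
include \$RULE_PATH/community.rules
# include \$RULE_PATH/app-detect.rules
EOF
    printf '%s\n' "$dir/etc/snort/snort.conf"
}
```

Running check_snort_includes against the sample reports only community.rules as missing; the commented-out app-detect.rules line is ignored, which is the same effect as commenting an unused include out of the real snort.conf.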

great so looks like you are running with normal snort...

like I said not easy... but a lot of help on the internet...

good luck!
