Snort 3 a complete rewrite, aims high

[Correction] A multithreaded, multi-core engine should greatly improve throughput. A more powerful shell interface, more user-friendly design and simpler rule language make it more accessible.

In a league with Linux, Apache, PHP and other foundational free and open source software, Snort has become (to quote them about themselves) "...the standard in intrusion detection ... [and] ... the standard in which network researchers communicate to each other to detect bad traffic."

Read this

10 top security threats of 2014 (so far)

The top security threats of 2014 include equal parts old mistakes, new adversaries, innocent human nature and the evils that people do.

Read More

Snort was originally created by Martin Roesch, who went on to found Sourcefire, which builds network security appliances based on Snort. Sourcefire was acquired by Cisco in July 2013. Roesch is now Vice President/Chief Architect of Cisco's Security Business Group.

On Thursday announced Snort 3.0 and released an alpha version of it. (The current version of Snort is

The announcement says that Snort 3.0 is the realization of a project called "SnortSP" (the Snort Security Platform) begun by Roesch in 2005. It was a reachitecturing of Snort to make it easier to use and more powerful. This required a complete rewrite, a project known internally as "Snort++". Many of these features have made their way into the current generation of Snort, such as reloading without restarting, OpenAppId, gzip decompression and IP blacklisting.

Snort 3 has a multithreaded/multi-core engine which maintains a single persistent configuration. Today even inexpensive, low power processors have multiple cores, so this change extend the reach of Snort and make it more powerful on cheaper hardware. (I have always thought it should be somehow integrated into common consumer Internet routers, but the interface isn't quite that friendly yet.)


Key components in Snort 3 are pluggable. This means that they can be more easily replaced by third parties. The system now autodetects services, so no more configuring memory, ports, arguments, etc. It auto-generates reference documentation. It verifies its configuration on startup. The command line shell is secured to localhost and adds new capabilities.The rule language is simpler and includes auto-detection of all protocols.

Work on Snort 3 began a long, long time ago. In fact, in April 2009, long before this alpha version was released, a beta was released, as described by Roesch on his long-dormant Security Sauce blog. Read the entries from that time and you can see some of the problems that must have led to the long hiatus in the project and the decision to resort to a complete rewrite.

Particularly because it is such a basic rewrite, Snort 3 requires relentless, brutal testing, to which all are invited. The alpha version just released is definitely not for production use. The source code for the project is hosted publicly on Github. Further developer discussion is on the Snort Developers mailing list.

[Correction on December 15: An earlier version of this article misstated Martin Roesch's title. ]