How to Install & Configure Snort on FreeBSD?

In January of 2021, SNORT® Intrusion Prevention System, the world's top open source intrusion prevention system, officially launched Snort 3. Snort 3 is a thorough update that contains changes and new capabilities resulting in greater speed, quicker processing, improved network scalability, and more than 200 plugins allowing users to establish a customized network setup.

In addition to boosting detection robustness and granularity, Snort 3 introduces several innovations that simplify rule writing and standardize rule syntax.

There are many benefits to upgrading to Snort 3:

Support for multiple threads for packet processing, which frees up more RAM for packet processing
New syntax and parser for rules.
Access to more than 200 plugins
Rewritten TCP handling.
Improved shared object rules, including the ability to create rules for zero-day vulnerabilities
Utilization of a common configuration and attribute table.
New performance presentation
New rule comments and remarks that are included in the actual regulation

FreeBSD is an OS that powers contemporary servers, PCs, and embedded systems. It has been continuously developed by a wide community for over thirty years. FreeBSD is the platform of choice for many of the busiest websites and most widespread embedded networking and storage devices because of its sophisticated networking, security, and storage capabilities.

To protect the mission-critical FreeBSD systems against a variety of cyber attacks, especially server-side attacks, administrators need to install and configure the Snort intrusion detection and prevention system.

You may quickly transform your FreeBSD server into a powerful next-generation firewall. To do this, you must take the following steps:

Install and configure the PF firewall to run your FreeBSD server as a packet filtering firewall.
Configure and install Zenarmor for web filtering and application control.
Install and configure Snort to detect and prevent network intrusions.

This guide explains how to install and set up Snort 3 on a FreeBSD 13 server.

Get Started with Zenarmor Today For Free

How to Install and Configure Snort 3 on FreeBSD 13?

You can easily install and configure Snort 3 intrusion detection and prevention software on your FreeBSD 13 system by following the steps given below.

Preparing the FreeBSD 13 system
Installing Snort 3 Required Dependencies
Installing Snort 3 Optional Dependencies
Installing Snort 3 From Source Code
Installing Snort 3 Extra Plugins for Additional Capabilities

1. Preparing the FreeBSD 13 system

You must ensure that the operating system and all installed packages are current by running the next commands given below. Depending on available updates, a restart may be needed.
```
freebsd-update fetch
freebsd-update install
pkg update
reboot
```
Some dependencies of Snort 3 will be installed from the source. Create a folder to contain the source code and change your location by running the following command:
```
mkdir ~/snort_src && cd ~/snort_src
```
To install git and basic compilation tools(flex, bison, gcc, and cmake) from the repository, run the following command:
```
pkg install git flex bison gcc cmake
```

2. Installing Snort 3 Required Dependencies

Required dependencies for Snort 3 are installed from both the FreeBSD repository and the source code of packages. This is because certain packages are not included in the repository, or if they do exist, they may be outdated.

Install the packages dnet (libdnet), hwloc (hwloc), OpenSSL (openssl), pkgconfig (pkgconf), zlib (part of the base OS), pcre (pcre), and lua(luajit and lua51) from the FreeBSD repository by running the next command:
```
pkg install libdnet libpcap hwloc pcre openssl luajit lua51 pkgconf
```
To install PCAP (1.10.1) from the FreeBSD repository, run the next command:
```
pkg install libpcap
```
Alternatively, you may install the latest PCAP version from the source by running the next commands:
```
fetch https://www.tcpdump.org/release/libpcap-1.10.1.tar.gz
tar xf libpcap-1.10.1.tar.gz && cd libpcap-1.10.1
./configure
make && make install
```

Download and install the latest Snort DAQ by running the following commands:

wget https://github.com/snort3/libdaq/archive/refs/tags/v3.0.9.tar.gz
tar xf v3.0.9.tar.gz && cd libdaq-3.0.9
pkg install autoconf automake libtool
./bootstrap
./configure
make
make install

3. Installing Snort 3 Optional Dependencies

Optional Snort dependencies include of lzma (lzlib), hyperscan (hyperscan), cpputest (cpputest), flattbuffers (flatbuffers), safec, uuid (e2fsprogs-libuuid), iconv (libiconv), and tcmalloc (google-perftools). The majority of requirements may be found in the FreeBSD repository. Both installation techniques are covered in this tutorial.

Lzma: For decompression of SWF and PDF files, Lzma is used. This was exploited by the http inspect preprocessor in Snort 2.9.x. Snort 3 needs lzma version >= 5.1.2. The lzma library was installed alongside lzlib during the installation of the necessary dependencies.
Uuid: Uuid is a library for creating and processing Universally Unique Identifiers for tagging and identifying networked objects.
Hyperscan: In contrast to Linux distributions, hyperscan is accessible in the FreeBSD repository. Installing it from a repository should minimize installation and maintenance time.
tcmalloc: tcmalloc is a library developed by Google (PerfTools) to improve thread memory management.

To install the optional Snort3 dependencies from the repository run the next command:

pkg install hyperscan cpputest flatbuffers libiconv lzlib e2fsprogs-libuuid google-perftools

The package safec will still be installed from the source since it is not available in the repository.

Safec is hosted on Sourceforge, and some of the mirrors associated with the direct download link may be inoperable. If the download is taking longer than anticipated, you should move to a different mirror. Currently, safec compilation on FreeBSD may fail and provide an error. This error may be ignored, and installation can continue without installing safec. To download and install safec, run the following commands:
```
cd ~/snort_src
fetch https://downloads.sourceforge.net/project/safeclib/libsafec-10052013.tar.gz
tar xf libsafec-10052013.tar.gz && cd libsafec-10052013
./configure
make && make install
```

4. Installing Snort 3 From Source Code

After installing all requirements, you can set up Snort 3 IPS on your FreeBSD by following the next steps:

To clone the Snort 3 repository from GitHub, run the next command:

cd ~/snort_src
git clone https://github.com/snort3/snort3.git
cd snort3

To compile Snort with tcmalloc support by passing the --enable-tcmalloc argument to the configure command, you may run the following command:
```
./configure_cmake.sh --prefix=/usr/local/snort --enable-tcmalloc
```
To proceed with installing Snort 3 on FreeBSD 13, run the next commands:
```
cd build/
make
make install
```
This takes approximately half an hour, depending on your hardware. Snort is now installed under /usr/local/.

To verify that Snort 3 binary is referencing the expected libraries, run the following command:

ldd /usr/local/snort/bin/snort

You should see output similar to the following:

/usr/local/snort/bin/snort:
libdaq.so.3 => /usr/local/lib/libdaq.so.3 (0x8007c3000)
libdnet.so.1 => /usr/local/lib/libdnet.so.1 (0x8009c9000)
libthr.so.3 => /lib/libthr.so.3 (0x8009dd000)
libhwloc.so.5 => /usr/local/lib/libhwloc.so.5 (0x800a0a000)
libluajit-5.1.so.2 => /usr/local/lib/libluajit-5.1.so.2 (0x800a3e000)
libcrypto.so.11 => /usr/local/lib/libcrypto.so.11 (0x800ac6000)
libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x800dbc000)
libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800e17000)
libz.so.6 => /lib/libz.so.6 (0x800ebb000)
libhs.so.5 => /usr/local/lib/libhs.so.5 (0x800ed7000)
libiconv.so.2 => /usr/local/lib/libiconv.so.2 (0x801338000)
libunwind.so.8 => /usr/local/lib/libunwind.so.8 (0x801437000)
liblzma.so.5 => /usr/lib/liblzma.so.5 (0x801451000)
libuuid.so.1 => /usr/local/lib/libuuid.so.1 (0x80147d000)
libtcmalloc.so.4 => /usr/local/lib/libtcmalloc.so.4 (0x801484000)
libc++.so.1 => /usr/lib/libc++.so.1 (0x80167a000)
libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x80174c000)
libm.so.5 => /lib/libm.so.5 (0x80176f000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x8017a2000)
libc.so.7 => /lib/libc.so.7 (0x8017bb000)
libdl.so.1 => /usr/lib/libdl.so.1 (0x801bcc000)
libpciaccess.so.0 => /usr/local/lib/libpciaccess.so.0 (0x801bd0000)
libxml2.so.2 => /usr/local/lib/libxml2.so.2 (0x801bda000)
libibverbs.so.1 => /lib/libibverbs.so.1 (0x801d75000)
libmd.so.6 => /lib/libmd.so.6 (0x801d87000)
libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0x801da5000)
libelf.so.2 => /lib/libelf.so.2 (0x801dab000)

To verify that Snort runs correctly, we pass the snort executable the -V flag:

/usr/local/snort/bin/snort -V

You should see output similar to the following:

,,_ -*> Snort++ <*-
o" )~ Version 3.1.39.0
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.9
Using LuaJIT version 2.0.5
Using OpenSSL 1.1.1q 5 Jul 2022
Using libpcap version 1.10.1
Using PCRE version 8.45 2021-06-15
Using ZLIB version 1.2.11
Using Hyperscan version 5.4.0 2022-08-12
Using LZMA version 5.2.5

To test your Snort installation with the default configuration file, run the next command:

/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua --daq-dir /usr/local/lib/daq

You should see output similar to the following at the bottom:

Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting

5. Installing Snort 3 Extra Plugins for Additional Capabilities

Snort 3 Extras is a collection of C++ or Lua plugins that enhance the decoding, inspection, actions, and logging capabilities of Snort 3. The data_log inspector plugin is highlighted and set up throughout this document. The focus of this inspector is further upon in a subsequent section.

To clone and install Snort 3 extra plugins from GitHub, run the following commands:

cd ~/snort_src
git clone https://github.com/snort3/snort3_extra.git
cd snort3_extra
setenv PKG_CONFIG_PATH /usr/local/snort/lib/pkgconfig
./configure_cmake.sh --prefix=/usr/local/snort/extra
cd build/
make -j 8
make install

How to Configure Snort 3 on FreeBSD 13?

Snort has three configuration modes: Sniffer mode, Packet logger mode, and Network IDS mode. This section will configure Snort for Network IDS Mode.

By following the instructions in this section, you may set up Snort 3 IPS software on your Ubuntu 22.04 server with relative ease.

The primary configuration files for Snort 3 are snort_defaults.lua and snort.lua.

snort_defaults.lua: This file provides default settings for rules pathways, default networks, ports, wizards, inspectors, etc.
snort.lua: Snort's primary configuration file is snort.lua, which allows for the construction and setup of Snort inspectors (preprocessors), rules file inclusion, event filters, output, etc. The file snort.lua imports default settings for several Snort configurations from snort_defaults.lua.

There exists an extra file named file_magic.lua in the etc/snort/ directory. This file includes file IDs that have been predefined based on the hexadecimal encoding of the file's magic headers. These allow Snort to determine the file types traversing the network, if appropriate. This file is also used by the primary configuration file for Snort, snort.lua, and no changes are necessary. The configuration modifications and corresponding Snort 3 .lua files are shown below:

Configure rules, reputation, and AppID paths > snort_defaults.lua
Configure HOME_NET and EXTERNAL_NET > snort.lua
Configure ips module > snort.lua
Enable and configure reputation inspector > snort.lua
Configure AppID inspector > snort.lua
Configure file_log inspectors > snort.lua
Configure data_log inspector > snort.lua - Configure logging > snort.lua

Note that Snort inspectors and modules may be configured and customized in several ways. The minimum setups specified in this section are intended to get you started with Snort 3.

The rules, appid, and reputation lists for Snort will be kept in their appropriate directories. The rules/ directory will hold Snort rule files, the appid/ directory will house AppID detectors, and the intel/ directory will house IP blacklists and whitelists. To create snort directories run the next command:

mkdir -p /usr/local/snort/{rules,appid,intel}

You can easily complete the Snort configuration by following the steps given below:

Downloading Snort Registered Rules
Installing Snort OpenAppID
Installing IP Reputation
Editing Default Snort Configuration File
Editing Snort Configuration File
Running and Verifying the Snort 3

1. Downloading Snort Registered Rules

The primary conduit for the Snort intrusion detection and prevention engine is the ruleset. There are three types of Snort Rules:

Community Rules
Registered Rules
Subscriber Rules

Registered Snort rules will be implemented in this tutorial.

Subscribe to the Snort website via https://snort.org/users/sign_up to obtain and install the Registered Snort rules.
Login to your Sort account and obtain the Oink code by navigating to the Oink code menu.

Figure 1. Obtaining Snort Oinkcode

Click the Downloads link on the top navigation bar.

Figure 2. Downloading Registered Snort V3.0 rule

Scroll down to the Rules and copy the link address of the latest Registered Snort V3.0 rule set, such as snortrules-snapshot-31350.tar.gz.
To download the latest ruleset you may either run the next command(do not forget to replace the oinkcode pattern with your own code) or click on the latest Registered Snort V3.0 rule set on the download page then copy the file to your server.:
```
fetch 'https://www.snort.org/downloads/registered/snortrules-snapshot-31350.tar.gz?oinkcode=your_oinkcode' -o snortrules-snapshot-31350.tar.gz
```

To extract the registered rules run the following command:

tar -zxvf [snortrules-snapshot-31350](https://www.snort.org/downloads/registered/snortrules-snapshot-31350.tar.gz).tar.gz

Copy the registered rules and configuration files to the related Snort directories by running the following command:

cp rules/*.rules /usr/local/snort/rules/
cp -Rp so_rules /usr/local/snort/
cp -Rp builtins/ /usr/local/snort/
cp etc/* /usr/local/snort/etc/snort/

2. Installing Snort OpenAppID

OpenAppId is an application-centric detection language and processing module for Snort that enables users to construct, distribute, and run application and service detection. OpenAppID recognizes application layer (layer 7) traffic and enables you to design rules that act on application-layer traffic (e.g., to block Facebook or a certain VPN type) and publish traffic statistics for each recognized kind of traffic. OpenAppID is an optional feature provided by Snort; it must be activated if you desire to detect or block certain types of traffic (FTP, Twitter, etc.) or collect statistics on the quantity of data per kind of traffic detected by your Snort server.

The Application Detector Package is a collection of detectors produced by the Snort team and the community and is available for download and installation. Activate the OpenAppID detectors (traffic identification) and enable the OpenAppID metric recording by completing the procedures outlined below.

Download and extract the OpenAppID detector package by running the following command:

cd ~/snort_src/
fetch https://snort.org/downloads/openappid/26425 -o OpenAppID-26425.tgz

To extract the file run the following command:
```
tar -xzvf OpenAppID-26425.tgz
```
Move the files to the related Snort directory by running the next command:
```
mv odp/ /usr/local/snort/appid/
```

3. Installing IP Reputation

Enabling the Reputation inspector in IDS mode will issue a blacklist hit notice when a match occurs and prevent further inspection of the traffic.

To download the IP Blacklist produced by Talos and place it in the intel/ directory that was previously established run the following commands:
```
fetch https://www.talosintelligence.com/documents/ip-blacklist
mv ip-blacklist /usr/local/snort/intel/
```
To create an empty file for the IP whitelist, which will be specified with the IP blacklist in the section that follows, run the following command:
```
touch /usr/local/snort/intel/ip-whitelist
```

4. Editing Default Snort Configuration File

To be able to run the Snort 3 on your FreeBSD 13 server you should edit Snort configuration files by following the steps given below:

Edit the /usr/local/snort/etc/snort/snort_defaults.lua file. The below snapshots of the configurations show the before and after states of the configuration. The paths shown below follow the conventions mentioned at the beginning of this guide.

Default paths look like this in the original default configuration file before making changes:

-------------------------------------------------------------------
-- default paths
-------------------------------------------------------------------
-- Path to your rules files (this can be a relative path)
RULE_PATH = '../rules'
BUILTIN_RULE_PATH = '../builtin_rules'
PLUGIN_RULE_PATH = '../so_rules'
-- If you are using reputation preprocessor set these
WHITE_LIST_PATH = '../lists'
BLACK_LIST_PATH = '../lists'

snort_defaults.lua fileshould be updated as given below:

--------------------------------------------------------------------- default paths
-------------------------------------------------------------------
--Path to your rules files (this can be a relative path)
RULE_PATH = '/usr/local/snort/rules/'
BUILTIN_RULE_PATH = '/usr/local/snort/rules/builtin_rules/'
PLUGIN_RULE_PATH = '/usr/local/snort/so_rules/'
--If you are using reputation preprocessor set these
WHITE_LIST_PATH = '/usr/local/snort/intel'
BLACK_LIST_PATH = '/usr/local/snort/intel'

5. Editing Snort Configuration File

To be able to run the Snort 3 on your FreeBSD 13 server you should edit the Snort configuration file snort.lua by following the steps given below:

Edit the snort configuration file /usr/local/snort/etc/snort/snort.lua with your favorite editor, like vi or nano.
```
vi /usr/local/snort/etc/snort/snort.lua
```

Set the HOME_NET and *EXTERNAL_NET environment variables. HOME_NET must be set to the networks that will be protected by Snort, such as the WAN IP address of your Ubuntu server, or the LAN network(subnets) behind the FreeBSD server. We will set this to the IP address of the Snort 3 vtnet0 interface, 192.168.0.44/32 in our example. The EXTERNAL_NET is any network except our HOME_NET.

-------------------------------------------------------------------
--1. configure defaults
-------------------------------------------------------------------
--HOME_NET and EXTERNAL_NET must be set now
--setup the network addresses you are protecting
HOME_NET = '192.168.0.44/32'
--set up the external network addresses.
--(leave as "any" in most situations)
EXTERNAL_NET = 'any'

Within the ips module, Snort rules files (.rules) are included. Using the copied snort.lua from the Snort rules tarball, the rules are already set for inclusion. Enabling decoder and inspector alerts with the enable_built_rules option and explicitly specifying the ips policy to tap mode are thus the only necessary modifications to the ips module. The ips policy determines the operating mode of Snort (tap, inline, and inline-test).

ips =
{
mode = tap,
variables = default_variables,
--use this to enable decoder and inspector alerts
enable_builtin_rules = true,
--use include for rules files; be sure to set your path
--note that rules files can include other rules files
--include = 'snort3-community.rules',
--RULE_PATH is typically set in snort_defaults.lua
rules = [[
include $RULE_PATH/snort3-app-detect.rules
include $RULE_PATH/snort3-browser-chrome.rules
include $RULE_PATH/snort3-browser-firefox.rules
include $RULE_PATH/snort3-browser-ie.rules
include $RULE_PATH/snort3-browser-other.rules
include $RULE_PATH/snort3-browser-plugins.rules
include $RULE_PATH/snort3-browser-webkit.rules
include $RULE_PATH/snort3-server-samba.rules
include $RULE_PATH/snort3-server-webapp.rules
include $RULE_PATH/snort3-sql.rules
include $RULE_PATH/snort3-x11.rules
----
]],
}

By default, the reputation inspector is disabled (commented out). Uncomment the section and modify the -blacklist and -whitelist variables so that they link to the locations containing the IP address lists.
```
reputation = {
-- configure one or both of these, then uncomment reputation
blacklist = BLACK_LIST_PATH .. '/ip-blacklist',
whitelist = WHITE_LIST_PATH .. '/ip-whitelist'
}
```
The AppID inspector is enabled by default, however the path to the AppID package and detector is annotated. Uncomment the app detector dir and replace its value with the global AppID path previously set in snort_default.lua.
```
appid =
{
-- appid requires this to use appids in rules
app_detector_dir = APPID_PATH,
log_stats = true
}
```
The file log inspector at the end of the configuration file enables event logging. This inspector provides two Boolean choices for packet and file system time event tracking.
```
file_log = {
log_pkt_time = true,
log_sys_time = false
}
```
The data_log plugin is a passive inspector that does not affect data passing through Snort; rather, it enables the recording of extra network data inside the processing workflow of Snort 3. The Snort stores collected data in the data.log file under the defined logging directory.

To activate the data_log inspector, its definition must be included in snort.lua. The setup example below will record both HTTP request headers into the data log file and restrict the file size to 100MB before generating a new log file.
```
data_log =
{
key = 'http_request_header_event',
limit = 100
}
```
Snort 3 offers a variety of logger modules, either natively or through additional plugins. Loggers are deactivated (commented) by default. This tutorial will use the alert fast logger. Uncommenting the code for this logger and setting it to log to a file enables it. By default Snort uses '/var/log/snort' for saving log files. This is also supplied using the '-l' option during runtime.
```
alert_fast = {
file = true
}
```
Save and exit from the configuration file.
Create the log directory for Snort by running the command:
```
mkdir -p /var/log/snort
```

6. Running and Verifying the Snort 3

Setting the environment variables LUA_PATH and SNORT_LUA_PATH is necessary for running Snort. These variables indicate the locations of the lua and configuration folders under the Snort installation prefix.

To set the environment variables run the following commands:

setenv LUA_PATH /usr/local/snort/include/snort/lua/\?.lua\;\;
setenv SNORT_LUA_PATH /usr/local/snort/etc/snort

Run the Snort by entering the following command:

/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua --daq-dir /usr/local/lib/daq -i vtnet0 -l /var/log/snort --plugin-path /usr/local/snort/extra -k none

You should see an output similar to the below:

-------------------------------------------------
o")~ Snort++ 3.1.39.0
-------------------------------------------------
Loading /usr/local/snort/etc/snort/snort.lua:
Loading /usr/local/snort/etc/snort/snort_defaults.lua:
Finished /usr/local/snort/etc/snort/snort_defaults.lua:
Loading /usr/local/snort/etc/snort/file_magic.lua:
Finished /usr/local/snort/etc/snort/file_magic.lua:
ssh
hosts
host_cache
pop
so_proxy
stream_tcp
smtp
network
gtp_inspect
packets
dce_http_proxy
data_log
stream_icmp
normalizer
alerts
file_log
alert_fast
ips
stream_udp
binder
wizard
appid
search_engine
ftp_data
ftp_server
port_scan
dce_http_server
dce_smb
dce_tcp
telnet
ssl
sip
rpc_decode
netflow
http_inspect
http2_inspect
modbus
host_tracker
stream_user
stream_ip
daq
back_orifice
classifications
dnp3
active
ftp_client
decode
trace
stream
references
arp_spoof
output
process
dns
dce_udp
imap
stream_file
Finished /usr/local/snort/etc/snort/snort.lua:
Loading ips.rules:
Loading /usr/local/snort/rules/snort3-app-detect.rules:
Finished /usr/local/snort/rules/snort3-app-detect.rules:
Loading /usr/local/snort/rules/snort3-browser-chrome.rules:
Finished /usr/local/snort/rules/snort3-browser-chrome.rules:
Loading /usr/local/snort/rules/snort3-browser-firefox.rules:
Finished /usr/local/snort/rules/snort3-browser-firefox.rules:
Loading /usr/local/snort/rules/snort3-browser-ie.rules:
Finished /usr/local/snort/rules/snort3-browser-ie.rules:
Loading /usr/local/snort/rules/snort3-browser-other.rules:
Finished /usr/local/snort/rules/snort3-browser-other.rules:
Loading /usr/local/snort/rules/snort3-browser-plugins.rules:
Finished /usr/local/snort/rules/snort3-browser-plugins.rules:
Loading /usr/local/snort/rules/snort3-browser-webkit.rules:
Finished /usr/local/snort/rules/snort3-browser-webkit.rules:
Loading /usr/local/snort/rules/snort3-content-replace.rules:
Finished /usr/local/snort/rules/snort3-content-replace.rules:
Loading /usr/local/snort/rules/snort3-exploit-kit.rules:
Finished /usr/local/snort/rules/snort3-exploit-kit.rules:
Loading /usr/local/snort/rules/snort3-file-executable.rules:
Finished /usr/local/snort/rules/snort3-file-executable.rules:
Loading /usr/local/snort/rules/snort3-file-flash.rules:
Finished /usr/local/snort/rules/snort3-file-flash.rules:
Loading /usr/local/snort/rules/snort3-file-identify.rules:
Finished /usr/local/snort/rules/snort3-file-identify.rules:
Loading /usr/local/snort/rules/snort3-file-image.rules:
Finished /usr/local/snort/rules/snort3-file-image.rules:
Loading /usr/local/snort/rules/snort3-file-multimedia.rules:
Finished /usr/local/snort/rules/snort3-file-multimedia.rules:
Loading /usr/local/snort/rules/snort3-file-office.rules:
Finished /usr/local/snort/rules/snort3-file-office.rules:
Loading /usr/local/snort/rules/snort3-file-other.rules:
Finished /usr/local/snort/rules/snort3-file-other.rules:
Loading /usr/local/snort/rules/snort3-file-pdf.rules:
Finished /usr/local/snort/rules/snort3-file-pdf.rules:
Loading /usr/local/snort/rules/snort3-indicator-compromise.rules:
Finished /usr/local/snort/rules/snort3-indicator-compromise.rules:
Loading /usr/local/snort/rules/snort3-indicator-obfuscation.rules:
Finished /usr/local/snort/rules/snort3-indicator-obfuscation.rules:
Loading /usr/local/snort/rules/snort3-indicator-scan.rules:
Finished /usr/local/snort/rules/snort3-indicator-scan.rules:
Loading /usr/local/snort/rules/snort3-indicator-shellcode.rules:
Finished /usr/local/snort/rules/snort3-indicator-shellcode.rules:
Loading /usr/local/snort/rules/snort3-malware-backdoor.rules:
Finished /usr/local/snort/rules/snort3-malware-backdoor.rules:
Loading /usr/local/snort/rules/snort3-malware-cnc.rules:
Finished /usr/local/snort/rules/snort3-malware-cnc.rules:
Loading /usr/local/snort/rules/snort3-malware-other.rules:
Finished /usr/local/snort/rules/snort3-malware-other.rules:
Loading /usr/local/snort/rules/snort3-malware-tools.rules:
Finished /usr/local/snort/rules/snort3-malware-tools.rules:
Loading /usr/local/snort/rules/snort3-netbios.rules:
Finished /usr/local/snort/rules/snort3-netbios.rules:
Loading /usr/local/snort/rules/snort3-os-linux.rules:
Finished /usr/local/snort/rules/snort3-os-linux.rules:
Loading /usr/local/snort/rules/snort3-os-mobile.rules:
Finished /usr/local/snort/rules/snort3-os-mobile.rules:
Loading /usr/local/snort/rules/snort3-os-other.rules:
Finished /usr/local/snort/rules/snort3-os-other.rules:
Loading /usr/local/snort/rules/snort3-os-solaris.rules:
Finished /usr/local/snort/rules/snort3-os-solaris.rules:
Loading /usr/local/snort/rules/snort3-os-windows.rules:
Finished /usr/local/snort/rules/snort3-os-windows.rules:
Loading /usr/local/snort/rules/snort3-policy-multimedia.rules:
Finished /usr/local/snort/rules/snort3-policy-multimedia.rules:
Loading /usr/local/snort/rules/snort3-policy-other.rules:
Finished /usr/local/snort/rules/snort3-policy-other.rules:
Loading /usr/local/snort/rules/snort3-policy-social.rules:
Finished /usr/local/snort/rules/snort3-policy-social.rules:
Loading /usr/local/snort/rules/snort3-policy-spam.rules:
Finished /usr/local/snort/rules/snort3-policy-spam.rules:
Loading /usr/local/snort/rules/snort3-protocol-dns.rules:
Finished /usr/local/snort/rules/snort3-protocol-dns.rules:
Loading /usr/local/snort/rules/snort3-protocol-finger.rules:
Finished /usr/local/snort/rules/snort3-protocol-finger.rules:
Loading /usr/local/snort/rules/snort3-protocol-ftp.rules:
Finished /usr/local/snort/rules/snort3-protocol-ftp.rules:
Loading /usr/local/snort/rules/snort3-protocol-icmp.rules:
Finished /usr/local/snort/rules/snort3-protocol-icmp.rules:
Loading /usr/local/snort/rules/snort3-protocol-imap.rules:
Finished /usr/local/snort/rules/snort3-protocol-imap.rules:
Loading /usr/local/snort/rules/snort3-protocol-nntp.rules:
Finished /usr/local/snort/rules/snort3-protocol-nntp.rules:
Loading /usr/local/snort/rules/snort3-protocol-other.rules:
Finished /usr/local/snort/rules/snort3-protocol-other.rules:
Loading /usr/local/snort/rules/snort3-protocol-pop.rules:
Finished /usr/local/snort/rules/snort3-protocol-pop.rules:
Loading /usr/local/snort/rules/snort3-protocol-rpc.rules:
Finished /usr/local/snort/rules/snort3-protocol-rpc.rules:
Loading /usr/local/snort/rules/snort3-protocol-scada.rules:
Finished /usr/local/snort/rules/snort3-protocol-scada.rules:
Loading /usr/local/snort/rules/snort3-protocol-services.rules:
  -----------------
Loading /usr/local/snort/rules/snort3-x11.rules:
Finished /usr/local/snort/rules/snort3-x11.rules:
Finished ips.rules:
  --------------------------------------------------
ips policies rule stats
id loaded shared enabled file
0 44333 1 44333 /usr/local/snort/etc/snort/snort.lua
  -------------------------------------------------
rule counts
total rules loaded: 44333
duplicate rules: 1
text rules: 43709
builtin rules: 624
option chains: 44333
chain headers: 1691
flowbits: 702
flowbits not checked: 68
  --------------------------------------------------
port rule counts
tcp udp icmp ip
any 2428 379 466 293
src 1342 168 0 0
dst 5311 1017 0 0
both 109 54 0 0
total 9190 1618 466 293
  --------------------------------------------------
service rule counts to-srv to-cli
bgp: 4 0
dcerpc: 211 108
dhcp: 32 9
dnp3: 0 6
dns: 274 115
drda: 5 0
file: 73 78
ftp: 196 22
ftp-data: 160 9967
gopher: 0 1
http: 13327 13286
http2: 13327 13286
ident: 1 0
igmp: 1 1
imap: 206 10215
irc: 40 14
ircd: 9 3
java_rmi: 50 3
kerberos: 36 6
ldap: 46 6
ldp: 1 0
modbus: 34 10
mysql: 67 6
netbios-dgm: 11 11
netbios-ns: 15 5
netbios-ssn: 611 172
netware: 2 0
nntp: 2 2
ntp: 36 7
openvpn: 16 16
pop3: 165 10219
postgresql: 8 0
printer: 6 0
radius: 3 2
rdp: 10 20
rtmp: 1 4
rtp: 1 1
rtsp: 17 2
sip: 332 44
smtp: 9137 104
snmp: 48 10
ssdp: 13 0
ssh: 7 3
ssl: 200 218
sunrpc: 120 9
syslog: 4 0
teamview: 1 2
telnet: 60 15
tftp: 11 6
vnc: 1 1
vnc-server: 12 10
wins: 3 0
total: 38953 58025
  --------------------------------------------------
fast pattern groups
src: 251
dst: 802
any: 4
to_server: 99
to_client: 71
  --------------------------------------------------
search engine
instances: 1227
patterns: 109180
pattern chars: 2564091
num states: 1909306
num match states: 305706
memory scale: MB
total memory: 66.2275
pattern memory: 6.60902
match list memory: 36.4498
transition memory: 23.0189
fast pattern only: 71445
  --------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
++ [0] vtnet0

warning

If you got an error on file_id and can not start Snort you can update file_id option by commenting the file_id = { file_rules = file_magic } line and adding

file_id=
{
rules_file = '/usr/local/snort/etc/snort/file_magic.rules',
}

in the configuration file.

How to Install and Configure Snort 3 on FreeBSD 13?​

1. Preparing the FreeBSD 13 system​

2. Installing Snort 3 Required Dependencies​

3. Installing Snort 3 Optional Dependencies​

4. Installing Snort 3 From Source Code​

5. Installing Snort 3 Extra Plugins for Additional Capabilities​

How to Configure Snort 3 on FreeBSD 13?​

1. Downloading Snort Registered Rules​

2. Installing Snort OpenAppID​

3. Installing IP Reputation​

4. Editing Default Snort Configuration File​

5. Editing Snort Configuration File​

6. Running and Verifying the Snort 3​