# Install snort with Homebrew, apk, MacPorts, Nix, apt

Flexible Network Intrusion Detection System. Version 3.12.2.0 via Homebrew; verified 2026-06-27.

## Install

```sh
sudo av install brew:snort
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install snort
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install snort
```

  Evidence: MacPorts ports tree: net/snort/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add snort
```

  Evidence: Alpine Linux edge package indexes: snort from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz

- Nix (92%):

```sh
nix profile install nixpkgs#snort
```

  Evidence: nixpkgs package indexes: pkgs/by-name/sn/snort/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- Ubuntu apt (92%):

```sh
sudo apt install snort
```

  Evidence: Ubuntu 24.04 LTS package indexes: snort from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz

## Package facts

- **Package key:** brew:snort
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/snort>
- **Version:** 3.12.2.0
- **Source summary:** Flexible Network Intrusion Detection System
- **Homepage:** <https://www.snort.org>
- **Repository:** <https://github.com/snort3/snort3>
- **Upstream docs:** <https://docs.snort.org/rules>
- **License:** GPL-2.0-only
- **Source archive:** <https://github.com/snort3/snort3/archive/refs/tags/3.12.2.0.tar.gz>
- **Last updated:** 2026-06-27T17:38:03-04:00
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- appid_detector_builder.sh (cli)
- show_flows (cli)
- snort (cli)
- snort2lua (cli)
- u2boat (cli)
- u2spewfoo (cli)
- appid_detector_builder.sh (alias)
- show_flows (alias)
- snort (alias)
- snort2lua (alias)
- u2boat (alias)
- u2spewfoo (alias)

## Dependencies

- daq
- hwloc
- jemalloc
- libdnet
- libpcap
- luajit
- openssl@3
- pcre2
- vectorscan
- xz

## Build dependencies

- cmake
- flex
- pkgconf

## Install behavior

- Post-install hook: not defined
- Caveats: For snort to be functional, you need to update the permissions for /dev/bpf* so that they can be read by non-root users. This can be done manually using: sudo chmod o+r /dev/bpf* or you could create a startup item to do this for you.
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 3.12.2.0
- Package-manager updated: 2026-06-27
- Local data: ok
- Upstream repository: https://github.com/snort3/snort3
- info: No cached GitHub release or tag data was available.
## Project history and usage

Snort is a long-running open-source intrusion detection and prevention system whose command-line engine, rule language, and packaging history make it one of the canonical security tools in Unix and network-operations package collections.

### Project history

Snort's official GPL page carries Martin Roesch copyrights beginning in 1998, and Snort's own site describes it as an open-source IPS capable of real-time traffic analysis and packet logging. The project evolved from a packet sniffer and logger into a rule-driven network IDS/IPS with community and subscriber rules.

Snort 3, also known in the repository README as Snort++, was officially released on January 19, 2021 as version 3.1.0.0 after more than seven years of development. The official announcement describes a ground-up rework with faster rules, more user control, multi-environment support, multi-threaded packet processing, Lua configuration, pluggable components, service autodetection, sticky buffers, and autogenerated reference documentation.

### Adoption history

Snort has a package-manager footprint because it is both a classic open-source security engine and an operational dependency for labs, appliances, training environments, and production sensors. The supplied package metadata lists Homebrew, Alpine, MacPorts, Nix, and Ubuntu packaging, while Snort.org points users to source releases, GitHub code, rule downloads, setup guides, and the Snort 3 manual.

### How it is used

Snort is used as a packet sniffer, packet logger, network intrusion detection system, and inline prevention system. Snort 3 users typically build or install the engine, configure Lua files such as `snort.lua`, add rule sets, validate the configuration, then run against live interfaces or PCAP files with alert output suitable for analysts and automation.

### Why package nerds care

Package nerds care about Snort because it exercises nearly every hard part of packaging security software: libpcap/DAQ integration, LuaJIT configuration, C++ build requirements, rule data that changes independently from the engine, optional acceleration libraries, service files, sample configs, and upgrades between major rule-engine generations.

### Timeline

- 1998: Official GPL page lists Martin Roesch copyrights beginning with Snort's early releases.
- 2014: Snort 3-era copyright line begins under Cisco and affiliates in official version-output examples.
- 2021-01-19: Snort 3 version 3.1.0.0 officially released.
- 2026: Snort blog announces end-of-life for older Snort 2 and Snort 3 rule-support versions and encourages use of current Snort 3 packages.

### Related projects

- Snort is commonly discussed alongside tcpdump for packet sniffing, libpcap for capture, DAQ for packet I/O, Cisco Talos for rule development, and other IDS/IPS systems such as Suricata.

### Sources

- <https://blog.snort.org/2021/01/snort-3-officially-released.html>
- <https://blog.snort.org/2026/01/end-of-life-announcement-for-versions.html>
- <https://docs.snort.org/start/>
- <https://docs.snort.org/start/configuration>
- <https://github.com/snort3/snort3>
- <https://www.snort.org/>
- <https://www.snort.org/gpl>
- input.source_facts.package-manager


## Security Notes

broad file, network, media, or database tool signal.

- **Geiger risk:** blue / medium
- broad file, network, media, or database tool signal


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: snort.lua, snort_defaults.lua
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** snort
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - snort: normalized package name match | nixpkgs package indexes: pkgs/by-name/sn/snort/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Ubuntu apt - snort - 2.9.20-0+deb11u1ubuntu1: normalized package name match | Ubuntu 24.04 LTS package indexes: snort from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | flexible Network Intrusion Detection System | https://www.snort.org/
- Ubuntu apt - snort-common - 2.9.20-0+deb11u1ubuntu1: normalized package name match | Ubuntu 24.04 LTS package indexes: snort-common from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | flexible Network Intrusion Detection System - common files | https://www.snort.org/
- Ubuntu apt - snort-common-libraries - 2.9.20-0+deb11u1ubuntu1: normalized package name match | Ubuntu 24.04 LTS package indexes: snort-common-libraries from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | flexible Network Intrusion Detection System - libraries | https://www.snort.org/
- Ubuntu apt - snort-doc - 2.9.20-0+deb11u1ubuntu1: normalized package name match | Ubuntu 24.04 LTS package indexes: snort-doc from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | flexible Network Intrusion Detection System - documentation | https://www.snort.org/
- Ubuntu apt - snort-rules-default - 2.9.20-0+deb11u1ubuntu1: normalized package name match | Ubuntu 24.04 LTS package indexes: snort-rules-default from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | flexible Network Intrusion Detection System - ruleset | http://www.snort.org/snort-rules/
- apk - snort - 3.9.2.0-r0: normalized package name match | Alpine Linux edge package indexes: snort from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | Open source network intrusion prevention and detection system | https://www.snort.org/
- apk - snort-dev - 3.9.2.0-r0: normalized package name match | Alpine Linux edge package indexes: snort-dev from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | Open source network intrusion prevention and detection system (development files) | https://www.snort.org/
- apk - snort-doc - 3.9.2.0-r0: normalized package name match | Alpine Linux edge package indexes: snort-doc from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | Open source network intrusion prevention and detection system (documentation) | https://www.snort.org/
- apk - snort-openrc - 3.9.2.0-r0: normalized package name match | Alpine Linux edge package indexes: snort-openrc from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | Open source network intrusion prevention and detection system (OpenRC init scripts) | https://www.snort.org/
- MacPorts - snort: normalized package name match | MacPorts ports tree: net/snort/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1


## Related links

- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [daq](https://www.automicvault.com/pkg/brew/daq/) - Runtime dependency declared by Homebrew.
- [hwloc](https://www.automicvault.com/pkg/brew/hwloc/) - Runtime dependency declared by Homebrew.
- [jemalloc](https://www.automicvault.com/pkg/brew/jemalloc/) - Runtime dependency declared by Homebrew.
- [libdnet](https://www.automicvault.com/pkg/brew/libdnet/) - Runtime dependency declared by Homebrew.
- [libpcap](https://www.automicvault.com/pkg/brew/libpcap/) - Runtime dependency declared by Homebrew.
- [luajit](https://www.automicvault.com/pkg/brew/luajit/) - Runtime dependency declared by Homebrew.
- [openssl@3](https://www.automicvault.com/pkg/brew/openssl-3/) - Runtime dependency declared by Homebrew.
- [pcre2](https://www.automicvault.com/pkg/brew/pcre2/) - Runtime dependency declared by Homebrew.
- [cmake](https://www.automicvault.com/pkg/brew/cmake/) - Build dependency declared by Homebrew.
- [flex](https://www.automicvault.com/pkg/brew/flex/) - Build dependency declared by Homebrew.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [classads](https://www.automicvault.com/pkg/brew/classads/) - Shares av.db curated category or tags: cli, scheduling, system.
- [abduco](https://www.automicvault.com/pkg/brew/abduco/) - Shares av.db curated category or tags: cli, system.
- [acl](https://www.automicvault.com/pkg/brew/acl/) - Shares av.db curated category or tags: cli, system.
- [acpica](https://www.automicvault.com/pkg/brew/acpica/) - Shares av.db curated category or tags: cli, system.
- [afio](https://www.automicvault.com/pkg/brew/afio/) - Shares av.db curated category or tags: cli, system.
- [afsctool](https://www.automicvault.com/pkg/brew/afsctool/) - Shares av.db curated category or tags: cli, system.
- [afuse](https://www.automicvault.com/pkg/brew/afuse/) - Shares av.db curated category or tags: cli, system.
- [agedu](https://www.automicvault.com/pkg/brew/agedu/) - Shares av.db curated category or tags: cli, system.
- [cfengine](https://www.automicvault.com/pkg/brew/cfengine/) - Local package facts share a topical domain. Shared terms: cli, openssl, openssl-3, pcre2, system.
- [dwarfs](https://www.automicvault.com/pkg/brew/dwarfs/) - Local package facts share a topical domain. Shared terms: cli, openssl, openssl-3, system, xz.

## Combined YAML source

View the package source record on GitHub. [combined/snort.yml](https://github.com/automic-vault/db/blob/main/combined/snort.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
