Excerpts from: http://www.snort.org/docs/FAQ.txt

2.2 How do I run snort?

Run Snort in sniffer mode and make sure it can see the packets:

    snort -dv

Then run it with HOME_NET set appropriately for the network you're defending in your rules file. A default rules file, called "snort.conf", comes with the snort distribution. You can run this basic ruleset with the following command line:

    snort -A full -c snort.conf

If it's all set right, make sure the interface is in promiscuous mode by running the following command from another window:

    ifconfig -a

The output from ifconfig should show whether the interface is in promiscuous mode. If it's not, there should be a way to set it manually.

Note that the default output mode (-A full) of snort should not be used except in very controlled environments. It is the slowest way to run snort and presents several hard-to-recover-from problems with inode creation on filesystems. For people doing real IDS work, use something like (-A fast -b) to combine fast alert mode with tcpdump binary log files, or use the unified format coupled with (see FAQ [*]).

2.3 Where are my log files located? What are they named?

The default location for logs is /var/log/snort. If snort is started with "-l ", then the logs will be located in the directory specified.

In the past, running Snort in daemon mode (-D) produced a file named "snort.alert". For consistency's sake, this has been changed: running Snort in either standard or daemon mode (-D) will produce a file named "alert".

Note that the log file naming convention changed between 1.8 and 1.9. That funny alphanumeric soup at the end of the new names is a UNIX timestamp. This helps avoid file conflicts.

2.4 Why does snort complain about /var/log/snort?

Snort requires this directory to log alerts to. Try running the command:

    mkdir -p /var/log/snort

Make sure the logging directory is owned by the user snort is running as.
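The two checks the FAQ asks for in 2.2 and 2.4 (interface in promiscuous mode, log directory owned by the snort user) are easy to script as a pre-flight step before starting snort. The following is an added example, not part of the Snort FAQ or the Snort distribution; it assumes the classic ifconfig text output and that the snort user name is supplied by the caller, and the SAMPLE_IFCONFIG text is constructed for illustration.

```shell
#!/bin/sh
# Added example (not Snort's own code): pre-flight checks before
# running snort in IDS mode, as recommended in FAQ 2.2 and 2.4.

# Constructed sample of "ifconfig -a" output: eth0 is PROMISC, lo is not.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
          inet 127.0.0.1  netmask 255.0.0.0'

# Return 0 if interface $2 carries the PROMISC flag in the ifconfig -a
# output passed as $1.  Both the old "eth0      Link encap" and the newer
# "eth0: flags=..." block styles start their block in column 1.
iface_is_promisc() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }   # new interface block
        cur == want && /PROMISC/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if directory $1 exists and is owned by user $2.
# Uses ls -ld (column 3 is the owner) because stat(1) flags differ
# between GNU and BSD systems.
logdir_owned_by() {
    dir=$1
    user=$2
    [ -d "$dir" ] || return 1
    owner=$(ls -ld "$dir" | awk '{ print $3 }')
    [ "$owner" = "$user" ]
}

# Live pre-flight: preflight <interface> <snort-user> [<log-dir>]
preflight() {
    iface=$1; user=$2; logdir=${3:-/var/log/snort}
    rc=0
    iface_is_promisc "$(ifconfig -a)" "$iface" \
        || { echo "$iface is not in promiscuous mode" >&2; rc=1; }
    logdir_owned_by "$logdir" "$user" \
        || { echo "$logdir missing or not owned by $user" >&2; rc=1; }
    return $rc
}
```

Run `preflight eth0 snort` (or whatever interface and user you use) before `snort -A fast -b -c snort.conf`; a non-zero exit means one of the two FAQ conditions is not met.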