IF RUNNING THE TROJAN LIST

New: (everyone not using the trojan or under 6000 rules)

    config detection: search-method ac-nq search-optimize max-pattern-len 20 no_stream_inserts

New: (everyone including the trojan rules or over 6000 rules)

    config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 20 no_stream_inserts

I've been working on this for a few weeks now and wanted to release what I have. I have decreased latency (ping) on my network about 20%. Maybe someone with a fast connection can check to see if it increases throughput. Unfortunately, my connection is < 50mbps.

Here is an updated /etc/snort/snort_bridge.conf, or you can even copy/paste in the GUI: snort_bridge.conf

You then want to create a folder/directory in /usr/lib/snort_dynamicpreprocessor and name it Disabled. Move these into Disabled:

    libsf_smtp_preproc.so.0.0.0
    libsf_smtp_preproc.so.0
    libsf_smtp_preproc.so
    libsf_sip_preproc.so.0.0.0
    libsf_sip_preproc.so.0
    libsf_sip_preproc.so
    libsf_sdf_preproc.so.0.0.0
    libsf_sdf_preproc.so.0
    libsf_sdf_preproc.so
    libsf_reputation_preproc.so.0.0.0
    libsf_reputation_preproc.so.0
    libsf_reputation_preproc.so
    libsf_pop_preproc.so.0.0.0
    libsf_pop_preproc.so.0
    libsf_pop_preproc.so
    libsf_modbus_preproc.so.0.0.0
    libsf_modbus_preproc.so.0
    libsf_modbus_preproc.so
    libsf_imap_preproc.so.0.0.0
    libsf_imap_preproc.so.0
    libsf_imap_preproc.so
    libsf_gtp_preproc.so.0.0.0
    libsf_gtp_preproc.so.0
    libsf_gtp_preproc.so
    libsf_dnp3_preproc.so.0.0.0
    libsf_dnp3_preproc.so.0
    libsf_dnp3_preproc.so

What all of this does is turn off preprocessors that are not used. Snort has to cycle packets through all of the preprocessors, so the more you have, the longer it takes to process. Itus had preprocessors on that were not even needed or used.

I've also increased the stream5 queue and cache. When these are exceeded, the stream has to be flushed out. This is one of the reasons people were having their internet stop, the stream5 errors in their logs.
You would think that you should just increase these to a large amount, but the trick is to increase it to only what is needed, otherwise you'll INCREASE latency. I used the largest that I saw on my network over the last few weeks. I have not had Snort restart in weeks now.

The performance optimization for the rules pattern matcher and the 64k log size rotation is also in there.

There will be more to come as testing and time allows, as well as the router mode. Enjoy!
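The move into Disabled described above, as an added example that is not part of the original post: it moves the listed preprocessor libraries and reports any active `preprocessor` lines in a Snort config that still configure them. The function names are hypothetical, and the `sensitive_data` keyword for the sdf library is taken from Snort's configuration syntax, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Library names come from the file list in the post.
PREPROCS="smtp sip sdf reputation pop modbus imap gtp dnp3"

# disable_preprocs DIR
# Move libsf_<name>_preproc.so* from DIR into DIR/Disabled, printing each file
# moved. Safe to re-run: files already moved are simply not found again.
disable_preprocs() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    mkdir -p "$dir/Disabled" || return 1
    for name in $PREPROCS; do
        for f in "$dir"/libsf_"${name}"_preproc.so*; do
            # An unmatched glob stays literal; -L also catches dangling symlinks.
            [ -e "$f" ] || [ -L "$f" ] || continue
            # If the .so and .so.0 names are relative symlinks, moving all
            # three into the same directory keeps them resolvable.
            mv "$f" "$dir/Disabled/" && echo "moved ${f##*/}"
        done
    done
    return 0
}

# conf_still_uses CONF
# Print (with line numbers) every uncommented "preprocessor <keyword>" line in
# CONF that configures a disabled preprocessor. Returns 0 if any were found.
conf_still_uses() {
    conf=$1
    found=1
    for name in $PREPROCS; do
        kw=$name
        # Assumption from Snort's config syntax: the sdf library is configured
        # with the keyword "sensitive_data"; the others use their own name.
        [ "$name" = sdf ] && kw=sensitive_data
        if grep -En "^[[:space:]]*preprocessor[[:space:]]+${kw}([[:space:]]|:|\$)" "$conf"; then
            found=0
        fi
    done
    return "$found"
}

# On the device (paths from the post):
#   disable_preprocs /usr/lib/snort_dynamicpreprocessor
#   conf_still_uses /etc/snort/snort_bridge.conf
```

Any line that `conf_still_uses` prints should be commented out or removed before Snort is restarted, so the config and the libraries left in place stay consistent.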