snort 2.9.9.0.2 config files check

Roadrunnere42
Hi user8446

Can you please check these snort and snort7 config files to see if I have made any mistake, because I released the new fw_upgrade update with the new snort package (did not include snort8.conf).
My concern is with snort 7/8 in router mode with the trojan list enabled: should it be

config detection: search-method ac-split search-optimize max-pattern-len 18 no_stream_inserts

or

config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 18 no_stream_inserts


I have included both files; if you could look them over and let me know whether all is correct, or give your suggestions.

Also, which lines need to be commented out for each conf file?

include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules
snort7.conf

snort_bridge.conf

The new snort version seems to work ok, but on installing it deletes the file
/usr/lib/daq/daq_nfq.so because it's obsolete.

Yet without it snort does not work. I copied the file back and all is working fine again. Do you know of a way to configure snort to work without the file, as I believe that snort now has NFQ built in and does not use the library file?

Thanks

Roadrunnere42

Re: snort 2.9.9.0.2 config files check

user8446
Administrator
You want
config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 18 no_stream_inserts

Good catch on noticing that the NFQ packet acquisition module is gone. The developer that did the upgrade was working off of the bridge mode image which uses AFPACKET instead so he didn't include it. You just have to add it back in. I remember Itus saying NFQ was faster for router mode and AFPACKET was faster for bridge mode in their testing.
Have you noticed anything else in router? I've only been using bridge, but it's rock solid: no reboots, errors, issues, nothing.
Running in bridge mode, 1.51 SP1 fw
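As an added illustration of the kind of check the thread is asking for (this is example code, not something posted by either participant and not part of the Itus firmware or the Snort project), the script below lints a Snort 2.9 config fragment: it parses the `config detection:` line into its options, compares them against the detection line user8446 recommends above, and lists which `include $PREPROC_RULE_PATH/...` lines are active versus already commented out, so you can see at a glance what differs between snort7.conf and snort_bridge.conf. The sample config text is constructed for the example; the function names are my own.

```python
"""Lint a Snort 2.9 config for its detection line and preprocessor rule includes.

Added example for the forum thread above; not code from the thread or from Snort.
"""
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the snort.conf fragments quoted in the thread.
# It deliberately carries the 'ac-split' variant so the lint has something to flag.
SAMPLE_CONF = """\
# --- detection engine ---
config detection: search-method ac-split search-optimize max-pattern-len 18 no_stream_inserts
# --- preprocessor / decoder rules ---
include $PREPROC_RULE_PATH/preprocessor.rules
#include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules
"""

# The option string user8446 says is wanted (quoted from the thread).
RECOMMENDED_OPTIONS = (
    "search-method ac-nq split-any-any search-optimize max-pattern-len 18 no_stream_inserts"
)

DETECTION_RE = re.compile(r"^\s*config\s+detection\s*:\s*(.*)$")
# group 1 is '#' when the include is commented out, '' when it is active
INCLUDE_RE = re.compile(r"^\s*(#?)\s*include\s+(\S+)")


def parse_detection(options: str) -> Dict[str, object]:
    """Turn 'search-method ac-nq split-any-any ...' into {option: value}.

    Options that take an argument map to that argument (as a string);
    bare flags such as split-any-any map to True.
    """
    tokens = options.split()
    parsed: Dict[str, object] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("search-method", "max-pattern-len") and i + 1 < len(tokens):
            parsed[tok] = tokens[i + 1]
            i += 2
        else:
            parsed[tok] = True
            i += 1
    return parsed


RECOMMENDED = parse_detection(RECOMMENDED_OPTIONS)


def lint(conf_text: str, expected: Dict[str, object] = RECOMMENDED) -> Dict[str, object]:
    """Report the detection options, the include lines, and any mismatches."""
    detection: Optional[Dict[str, object]] = None
    active_includes: List[str] = []
    commented_includes: List[str] = []
    for line in conf_text.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            detection = parse_detection(m.group(1))
            continue
        m = INCLUDE_RE.match(line)
        if m:
            (commented_includes if m.group(1) else active_includes).append(m.group(2))

    problems: List[str] = []
    if detection is None:
        problems.append("no 'config detection:' line found")
    else:
        for key, want in expected.items():
            have = detection.get(key)
            if have != want:
                problems.append(f"detection option {key!r}: have {have!r}, want {want!r}")
    return {
        "detection": detection,
        "active_includes": active_includes,
        "commented_includes": commented_includes,
        "problems": problems,
    }


def apply_recommended(conf_text: str, options: str = RECOMMENDED_OPTIONS) -> str:
    """Return the config with its detection line replaced by the recommended one."""
    out = []
    for line in conf_text.splitlines():
        if DETECTION_RE.match(line):
            out.append(f"config detection: {options}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = lint(SAMPLE_CONF)
    for p in report["problems"]:
        print("PROBLEM:", p)
    print("active includes:   ", report["active_includes"])
    print("commented includes:", report["commented_includes"])
```

Run it against a real snort7.conf by reading the file into `lint()` instead of `SAMPLE_CONF`; after `apply_recommended()` writes the corrected line, `snort -T -c <file>` (Snort's own config-test mode) is still the authoritative check that the result loads.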