Not being able to run the Trojan rules in the update script and performance increase SOLUTION

user8446
Administrator
If you uncomment the trojan rules in the update script, snort will go into a crash loop. It's an out-of-memory error. As configured, you can only run somewhere in the 6k range of rules. The solution is to reconfigure the pattern-matching engine snort uses. In your snort config, change this line to read:

Bridge:
config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 20 no_stream_inserts

Router:
config detection: search-method ac-split search-optimize max-pattern-len 20 no_stream_inserts

This is a memory optimization option that splits your rules in the pattern-matching engine into 2 sets. If you do not plan on running more than 6k rules, you don't need the memory optimization. Only add no_stream_inserts at the end, as this will give you a performance increase. I'm currently running 8,629 rules with 36% RAM free. The trojan category has all of the ransomware, RATs, and exploit kits in it, which is very important. Also, continue to tune your ruleset and eliminate what you don't need.
Running in bridge mode, 1.51 SP1 fw

Re: Not being able to run the Trojan rules in the update script and performance increase SOLUTION

Wisiwyg
Thank you for this find...

So you're saying if you *do* want to run the _trojan rules then you *do* need to change the line and you *do* add the no_stream_inserts to the end of the "config detection" in the snort.conf file?

my original entry is:
config detection: search-method ac-split search-optimize max-pattern-len 20

If I want to run the trojan rules and optimize the speed could I do this with your recommended edits?
config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 20 no_stream_inserts

TIA
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode

Re: Not being able to run the Trojan rules in the update script and performance increase SOLUTION

user8446
Administrator
Are you sure you're looking at the right conf file? There are a bunch of test ones left lying around. For bridge, it's /etc/snort/snort_bridge.conf or via the GUI (Router is snort7.conf & snort8.conf). It should have been:

Old:
config detection: search-method ac-nq search-optimize max-pattern-len 20


Everyone should add the no_stream_inserts as this is a speed optimization. Only if you plan on adding the trojan rules or more than 6000 rules do you need the memory optimization which adds the split-any-any.


New: (everyone not using the trojan or under 6000 rules)
config detection: search-method ac-nq search-optimize max-pattern-len 20 no_stream_inserts


New: (everyone including the trojan rules or over 6000 rules)
config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 20 no_stream_inserts
Running in bridge mode, 1.51 SP1 fw

Re: Not being able to run the Trojan rules in the update script and performance increase SOLUTION

Roadrunnere42
Hi
I'm running in router mode with over 6000 rules, so should my new line read:

New: (everyone including the trojan rules or over 6000 rules)
config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 20 no_stream_inserts


roadrunner42

Re: Not being able to run the Trojan rules in the update script and performance increase SOLUTION

user8446
Administrator
Yes, but in router mode you need to change both the snort7 and snort8 conf files.
Running in bridge mode, 1.51 SP1 fw
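To avoid editing the detection line by hand in each conf file (and forgetting one of the two router-mode files), here is an added shell script that applies the rule from user8446's posts above: it counts the enabled rules, picks the line with split-any-any only when the count is over 6000, always adds no_stream_inserts, and patches every conf file named on the command line. This is my own example, not code from the thread or the Shield firmware; the function names, the demo files and the sample rules are constructed for illustration, while the /etc/snort paths in the usage comment are the ones named in the thread.

```sh
#!/bin/sh
# Added example: not code from the thread or the Shield firmware.
# Chooses the Snort "config detection:" line from the number of enabled rules
# (the thread's 6000-rule threshold) and patches it into each conf file given.
# Function names and the demo files are my own; the /etc/snort paths in the
# usage comment are the ones named in the thread.

RULE_THRESHOLD=6000

# Count enabled rules in the given .rules files: a line counts if its first
# token is a rule action. Commented-out rules (leading '#') are skipped.
count_rules() {
    cat "$@" 2>/dev/null |
        grep -cE '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' || true
}

# Pick the detection line: split-any-any (memory optimization) only above the
# threshold; no_stream_inserts (speed optimization) always.
detection_line() {
    if [ "$1" -gt "$RULE_THRESHOLD" ]; then
        printf '%s\n' 'config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 20 no_stream_inserts'
    else
        printf '%s\n' 'config detection: search-method ac-nq search-optimize max-pattern-len 20 no_stream_inserts'
    fi
}

# Replace the existing "config detection:" line in a conf file, or append one
# if the file has none. A .bak copy is written first so the edit can be undone.
patch_conf() {
    conf=$1
    line=$2
    cp "$conf" "$conf.bak"
    if grep -q '^config detection:' "$conf"; then
        sed "s|^config detection:.*|$line|" "$conf.bak" > "$conf"
    else
        printf '%s\n' "$line" >> "$conf"
    fi
}

# Count the rules in RULES_DIR, then patch every conf file listed after it.
# Router mode needs both snort7.conf and snort8.conf; bridge mode just one.
update_detection() {
    rules_dir=$1
    shift
    n=$(count_rules "$rules_dir"/*.rules)
    line=$(detection_line "$n")
    for conf in "$@"; do
        patch_conf "$conf" "$line"
    done
    echo "$n enabled rules -> $line"
}

# Real use (paths from the thread), after sourcing this file:
#   update_detection /etc/snort/rules /etc/snort/snort_bridge.conf
#   update_detection /etc/snort/rules /etc/snort/snort7.conf /etc/snort/snort8.conf
# With no arguments, run a demo on constructed files in a temp directory.
if [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    printf 'alert tcp any any -> any 80 (msg:"demo one"; sid:1000001;)\n' > "$demo/demo.rules"
    printf '# alert tcp any any -> any 81 (msg:"disabled"; sid:1000002;)\n' >> "$demo/demo.rules"
    printf 'config detection: search-method ac-nq search-optimize max-pattern-len 20\n' > "$demo/snort_bridge.conf"
    update_detection "$demo" "$demo/snort_bridge.conf"
    cat "$demo/snort_bridge.conf"
    rm -rf "$demo"
fi
```

Run it once with no arguments to see the demo, then source it on the box and call update_detection with the real rules directory and conf file(s). Restart snort afterwards and watch the log for the out-of-memory crash loop the first post describes; if it still appears above 6000 rules, check that the patched file is the one snort actually loads (the thread notes several test conf files are left lying around).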