Not being able to run the Trojan rules in the update script and performance increase SOLUTION

Not being able to run the Trojan rules in the update script and performance increase SOLUTION

user8446
Administrator
288 posts
This post was updated on Mar 06, 2016; 2:36pm.
If you uncomment the trojan rules in the update script, snort will go into a crash loop. It's an out of memory error. As configured, you can only run somewhere in the 6k range of rules. The solution is to reconfigure the pattern matching engine snort uses. In your snort config, change this line to read:

Bridge:
config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 20 no_stream_inserts

Router:
config detection: search-method ac-split search-optimize max-pattern-len 20 no_stream_inserts

This is a memory optimization option that splits your rules in the pattern matching engine into 2 sets. If you do not plan on running more than 6k rules you don't need the memory optimization. Only add the no_stream_inserts at the end, as this will give you a performance increase. I'm currently running 8,629 rules with 36% RAM free. The trojan category has all of the ransomware, RATs, and exploit kits in there, which is very important. Also, continue to tune your ruleset and eliminate what you don't need.
Running the latest OpenWrt stable release
Re: Not being able to run the Trojan rules in the update script and performance increase SOLUTION

Wisiwyg
87 posts
Thank you for this find...

So you're saying if you *do* want to run the trojan rules then you *do* need to change the line and you *do* add the no_stream_inserts to the end of the "config detection" in the snort.conf file?

My original entry is:
config detection: search-method ac-split search-optimize max-pattern-len 20

If I want to run the trojan rules and optimize the speed could I do this with your recommended edits?
config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 20 no_stream_inserts

TIA
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode
Re: Not being able to run the Trojan rules in the update script and performance increase SOLUTION

user8446
Administrator
288 posts
This post was updated on Mar 07, 2016; 5:13pm.
Are you sure you're looking at the right conf file? There are a bunch of test ones left lying around. For bridge, it's /etc/snort/snort_bridge.conf or via the GUI (Router is snort7.conf & snort8.conf). It should have been:

Old:
config detection: search-method ac-nq search-optimize max-pattern-len 20


Everyone should add the no_stream_inserts, as this is a speed optimization. Only if you plan on adding the trojan rules or more than 6000 rules do you need the memory optimization, which adds the split-any-any.


New: (everyone not using the trojan or under 6000 rules)
config detection: search-method ac-nq search-optimize max-pattern-len 20 no_stream_inserts


New: (everyone including the trojan rules or over 6000 rules)
config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 20 no_stream_inserts
Running the latest OpenWrt stable release
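The two edits described in this thread (always append no_stream_inserts; add split-any-any only when the rule count goes past the 6000-rule range) are easy to get wrong by hand across snort_bridge.conf, snort7.conf and snort8.conf, and the lines get duplicated when the edit is repeated. The script below is an added example, not code from this thread or from the Shield/OpenWrt project: it counts the rules that are actually enabled, picks the detection line the reply above recommends, and rewrites the existing "config detection:" line in place so re-running it is safe. The rule-file and conf paths, and the 6000 threshold, are taken from the thread; the helper names are my own.

```shell
#!/bin/sh
# Added example: tune the Snort "config detection:" line per rule count.
# Assumes POSIX sh with grep/awk/cp/mv; the 6000-rule threshold and the
# option strings come from the thread above. Helper names are invented here.

# Count enabled (uncommented) rule headers across the given .rules files.
count_active_rules() {
    grep -h -E '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$@" 2>/dev/null \
        | wc -l | tr -d ' '
}

# Build the recommended line for a given rule count: no_stream_inserts is
# always appended (speed); split-any-any is added only over the 6000 mark
# (memory), matching the "New:" lines in the reply above.
detection_line() {
    rules="$1"
    if [ "$rules" -gt 6000 ]; then
        echo "config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 20 no_stream_inserts"
    else
        echo "config detection: search-method ac-nq search-optimize max-pattern-len 20 no_stream_inserts"
    fi
}

# Rewrite the existing "config detection:" line in one conf file, keeping a
# .bak copy. The whole line is replaced, so options are never duplicated
# when the script is run twice. If no such line exists, one is appended.
apply_detection_line() {
    conf="$1"; rules="$2"
    new_line=$(detection_line "$rules")
    if grep -q '^config detection:' "$conf"; then
        cp "$conf" "$conf.bak"
        # awk rather than sed: the replacement contains no regex-sensitive text this way.
        awk -v repl="$new_line" '/^config detection:/ { print repl; next } { print }' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        echo "$new_line" >> "$conf"
    fi
}

# Typical use on a router-mode box (both conf files, as the thread notes):
#   n=$(count_active_rules /etc/snort/rules/*.rules)
#   for c in /etc/snort/snort7.conf /etc/snort/snort8.conf; do
#       apply_detection_line "$c" "$n"
#   done
# Then validate each file before restarting: snort -T -c /etc/snort/snort7.conf
```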
Re: Not being able to run the Trojan rules in the update script and performance increase SOLUTION

Roadrunnere42
262 posts
Hi
I'm running in router mode with over 6000 rules, so should my new line read:

New: (everyone including the trojan rules or over 6000 rules)
config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 20 no_stream_inserts


roadrunner42
Re: Not being able to run the Trojan rules in the update script and performance increase SOLUTION

user8446
Administrator
288 posts
Yes, but in router mode you need to change both the snort7 and snort8 conf files.
Running the latest OpenWrt stable release