Not being able to run the Trojan rules in the update script and performance increase SOLUTION

Posted by user8446 on Mar 06, 2016; 6:24am
URL: https://itus.accessinnov.com/Not-being-able-to-run-the-Trojan-rules-in-the-update-script-and-performance-increase-SOLUTION-tp304.html

If you uncomment the trojan rules in the update script, snort will go into a crash loop. It's an out of memory error. As configured, you can only run somewhere in the 6k range of rules. The solution is to reconfigure the pattern matching engine snort uses. In your snort config, find this line and change it to read:

Bridge:
config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 20 no_stream_inserts

Router:
config detection: search-method ac-split search-optimize max-pattern-len 20 no_stream_inserts

This is a memory optimization option that splits your rules in the pattern matching engine into 2 sets. If you do not plan on running more than 6k rules, you don't need the memory optimization. Only add the no_stream_inserts at the end, as this will give you a performance increase. I'm currently running 8,629 rules with 36% RAM free. The trojan category has all of the ransomware, RATs, and exploit kits in there, which is very important. Also, continue to tune your ruleset and eliminate what you don't need.
Running the latest OpenWrt stable release
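As an added example (not part of the post above or of the Itus/Snort project), a small check that parses the `config detection:` line from a snort.conf, counts the rules actually enabled in a rules file, and reports whether the post's advice applies: the rule-splitting methods are only needed above roughly 6k rules (the post's figure, used as the threshold), while `no_stream_inserts` is worth adding regardless. The sample config and rules are constructed; `ac-bnfa` is used only as a stand-in for a stock search method.

```python
# Snort rule lines begin with an action keyword; a leading '#' means the rule is disabled.
RULE_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}

def count_enabled_rules(rules_text):
    """Count rules Snort will actually load (commented-out lines are skipped)."""
    count = 0
    for line in rules_text.splitlines():
        tokens = line.strip().split(maxsplit=1)
        if tokens and tokens[0] in RULE_ACTIONS:
            count += 1
    return count

def parse_detection(conf_text):
    """Parse the active 'config detection:' line into search method, max-pattern-len
    and bare flags. Returns None if the line is missing or commented out."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("config detection:"):
            continue
        tokens = stripped[len("config detection:"):].split()
        parsed = {"search-method": None, "max-pattern-len": None, "flags": set()}
        i = 0
        while i < len(tokens):
            if tokens[i] in ("search-method", "max-pattern-len") and i + 1 < len(tokens):
                parsed[tokens[i]] = tokens[i + 1]   # keyword with a value
                i += 2
            else:
                parsed["flags"].add(tokens[i])      # bare flag such as no_stream_inserts
                i += 1
        return parsed
    return None

def check_detection(conf_text, rules_text, split_threshold=6000):
    """Findings per the post: ac-split (router) or ac-nq split-any-any (bridge) only
    matter above ~6k rules; no_stream_inserts is recommended in every case."""
    detection = parse_detection(conf_text)
    if detection is None:
        return ["no active 'config detection:' line found"]
    findings = []
    rules = count_enabled_rules(rules_text)
    splits = detection["search-method"] == "ac-split" or "split-any-any" in detection["flags"]
    if rules > split_threshold and not splits:
        findings.append(f"{rules} rules enabled: use ac-split (router) or ac-nq split-any-any (bridge)")
    if "no_stream_inserts" not in detection["flags"]:
        findings.append("add no_stream_inserts for a performance gain")
    return findings

# Constructed sample input: a stock-style detection line plus three rules, one disabled.
SAMPLE_CONF = "config detection: search-method ac-bnfa search-optimize max-pattern-len 20\n"
SAMPLE_RULES = ('alert tcp any any -> any 80 (msg:"constructed rule 1"; sid:1000001;)\n'
                '# alert tcp any any -> any 443 (msg:"disabled rule"; sid:1000002;)\n'
                'drop tcp any any -> any 25 (msg:"constructed rule 2"; sid:1000003;)\n')
```

Point the two functions at your real snort.conf and the concatenated rules files to see which of the post's two changes your setup still needs.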