Re: Not being able to run the Trojan rules in the update script and performance increase SOLUTION
Posted by user8446 on Mar 07, 2016; 4:37pm
URL: https://itus.accessinnov.com/Not-being-able-to-run-the-Trojan-rules-in-the-update-script-and-performance-increase-SOLUTION-tp304p325.html
Are you sure you're looking at the right conf file? There are a bunch of test ones left lying around. For bridge, it's /etc/snort/snort_bridge.conf or via the GUI (Router is snort7.conf & snort8.conf). It should have been:
Old:
config detection: search-method ac-nq search-optimize max-pattern-len 20
Everyone should add the no_stream_inserts as this is a speed optimization. Only if you plan on adding the trojan rules or more than 6000 rules do you need the memory optimization which adds the split-any-any.
New: (everyone not using the trojan or under 6000 rules)
config detection: search-method ac-nq search-optimize max-pattern-len 20 no_stream_inserts
New: (everyone including the trojan rules or over 6000 rules)
config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 20 no_stream_inserts
Running the latest OpenWrt stable release
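
The check described in the post above, as an added example that is not part of the original post: a shell audit that reports which of `no_stream_inserts` and `split-any-any` a conf's `config detection:` line still lacks. It assumes rules are `*.rules` files in one directory and that the trojan set is a file whose name contains "trojan"; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: rules are *.rules files in one directory, and the trojan set
# is a file whose name contains "trojan".

# Count enabled rules: non-comment lines that begin with a rule action.
count_rules() {  # $1 = rules directory
    cat "$1"/*.rules 2>/dev/null |
        grep -cE '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' || true
}

# Print the options the "config detection:" line still lacks (empty = none).
missing_opts() {  # $1 = snort conf, $2 = rules directory
    line=$(grep -E '^[[:space:]]*config[[:space:]]+detection:' "$1" | tail -n 1 | tr ',\t' '  ')
    need=""
    case " $line " in
        *" no_stream_inserts "*) ;;
        *) need="no_stream_inserts" ;;
    esac
    # split-any-any is only called for with the trojan rules or over 6000 rules.
    if [ "$(count_rules "$2")" -gt 6000 ] || ls "$2" 2>/dev/null | grep -qi trojan; then
        case " $line " in
            *" split-any-any "*) ;;
            *) need="$need split-any-any" ;;
        esac
    fi
    echo $need
}

# Constructed sample data: the old and new detection lines from the post, one enabled rule.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/rules"
    echo 'config detection: search-method ac-nq search-optimize max-pattern-len 20' > "$d/old.conf"
    echo 'config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 20 no_stream_inserts' > "$d/new.conf"
    printf '%s\n' 'alert tcp any any -> any any (msg:"constructed"; sid:1000001;)' \
        '# alert tcp any any -> any any (msg:"disabled"; sid:1000002;)' > "$d/rules/local.rules"
    echo "$d"
}

d=$(make_sample)
echo "old.conf lacks: $(missing_opts "$d/old.conf" "$d/rules")"
rm -rf "$d"
```

On the device, call `missing_opts` with the conf named in the post (for bridge mode, /etc/snort/snort_bridge.conf) and your own rules directory.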