Snort mailing list archives
Bug in classification.config parsing?
From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Tue, 11 Dec 2001 10:47:04 +0100
Hi,

I found a strange behaviour when updating classification.config. I get errors saying

Dec 11 10:29:02 ids01 snort[19990]: WARNING /etc/snort/rules/classification.config(17): Duplicate classification "suspicious-filename-detect"found, ignoring this line
Dec 11 10:29:02 ids01 snort[19990]: WARNING /etc/snort/rules/classification.config(18): Duplicate classification "suspicious-login"found, ignoring this line
Dec 11 10:29:02 ids01 snortd: snort startup succeeded
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/ftp.rules(5) => Bad Priority setting "suspicious-filename-detect"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/ftp.rules(6) => Bad Priority setting "suspicious-filename-detect"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/ftp.rules(24) => Bad Priority setting "suspicious-login"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/ftp.rules(25) => Bad Priority setting "suspicious-login"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/ftp.rules(26) => Bad Priority setting "suspicious-login"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/ftp.rules(28) => Bad Priority setting "suspicious-login"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/ftp.rules(29) => Bad Priority setting "suspicious-login"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/ftp.rules(30) => Bad Priority setting "suspicious-login"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/telnet.rules(5) => Bad Priority setting "suspicious-login"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/telnet.rules(6) => Bad Priority setting "suspicious-login"
Dec 11 10:29:03 ids01 snort[19990]: Snort initialization completed successfully, Snort running

The corresponding classification.config looks like this:

[snip]
config classification: suspicious,suspicious miscellaneous traffic,1
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
[snip]

When using the following order it works as expected:

[snip]
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: suspicious,suspicious miscellaneous traffic,1
[snip]

Since I'm still on snort 1.8.1 on RedHat Linux 7.0 this may already be fixed in 1.8.3. Please accept my apologies if that's the case.

Ciao,
Sandro
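
Added example, not part of the original post and not Snort's own code: a small lint for classification.config that flags the ordering reported above before a rule reload silently drops classifications. It assumes the symptom comes from an earlier name being a prefix of a later one, which the two orderings in the post suggest but do not confirm; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the ordering from the post that produced the warnings.
SAMPLE = """\
config classification: suspicious,suspicious miscellaneous traffic,1
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
"""

# name, description (may itself contain commas), numeric priority
LINE_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),(.*),\s*(\d+)\s*$")

def parse_classifications(text):
    """Return [(lineno, name, description, priority)] for each classification line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((lineno, m.group(1).strip(), m.group(2).strip(), int(m.group(3))))
    return entries

def lint(text):
    """Flag exact duplicates and names that follow an earlier name they start with."""
    findings, seen = [], []
    for lineno, name, _desc, _prio in parse_classifications(text):
        for prev_line, prev_name in seen:
            if name == prev_name:
                findings.append((lineno, "duplicate", name, prev_line))
            elif name.startswith(prev_name):  # assumed trigger, see lead-in
                findings.append((lineno, "prefix-shadowed", name, prev_line))
        seen.append((lineno, name))
    return findings

def reorder(text):
    """Emit the entries longest name first, so no name follows its own prefix."""
    ordered = sorted(parse_classifications(text), key=lambda e: -len(e[1]))
    return ["config classification: %s,%s,%d" % (n, d, p) for _, n, d, p in ordered]

if __name__ == "__main__":
    for lineno, kind, name, prev_line in lint(SAMPLE):
        print("line %d: %s %r (earlier entry on line %d)" % (lineno, kind, name, prev_line))
    print("\n".join(reorder(SAMPLE)))
```

Rules whose classtype is dropped this way load with "Bad Priority setting" errors, so running the check before restarting the sensor catches the problem while the old configuration is still active.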