Snort mailing list archives
RE: Problem: Unknown ClassType
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 22 Oct 2003 11:47:36 -0500
-----Original Message-----
From: Cluett, Russell [mailto:russell.cluett () eds com]
Sent: Wednesday, October 22, 2003 10:01 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Problem: Unknown ClassType

I'm having a problem when starting Snort on a Linux box, it bonks on loading rules, i.e.

ERROR: /snort/rules/exploit.rules(8) => UnknownClassType: shellcode-detect
Fatal Error, Quitting..

Hi Russell. :-)

The error you're getting is telling you that at least one of the rules in exploit.rules uses "classtype:shellcode-detect", but that classtype is not defined for snort. There is a file that comes with snort, named "classification.config", that defines all the classtypes for snort. If your classtype is missing from that config file, snort will generate the error you are seeing and exit fatally. (So, if you decide to make up your own classtypes, make sure you add a line to that file to define them, or you'll get this same error.)

However, shellcode-detect is a legitimate classtype in the more recent versions of snort, so I'm not sure why you would get this error, unless you're using an older version of snort but the current ruleset.

You point to the classification.config file in the snort.conf file, like this:

    include /path/to/your/snort/classification.config

which is usually in the same directory as all the rules files.

I would first make sure you have that line in the snort.conf file and that it's pointing to the right location, and then I would look at the classification.config file to make sure that it includes this line, literally:

    config classification: shellcode-detect,Executable code was detected,1

I wonder which version of snort you're using? And what OS you're using? I suspect that if you fix this error, you're going to run into more just like it because your classification.config file is "out of sync" with your ruleset.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
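
Added example (not part of the original message, and not code from the Snort project): a small pre-flight check that reports every classtype used in a rules file but not defined in classification.config, so an out-of-sync ruleset is caught before Snort exits on the first one. The sample config and rules are constructed for illustration, and the function names are hypothetical.

```python
import re

# Definition line format: config classification: <name>,<description>,<priority>
CLASS_DEF = re.compile(r"^\s*config\s+classification:\s*([^,\s]+)\s*,")
# Rule option format: classtype:<name>;
CLASS_USE = re.compile(r"\bclasstype\s*:\s*([^;\s]+)\s*;")

def defined_classtypes(config_text):
    """Return the set of classtype names defined in classification.config text."""
    names = set()
    for line in config_text.splitlines():
        m = CLASS_DEF.match(line)
        if m:
            names.add(m.group(1))
    return names

def undefined_classtypes(rules_text, defined):
    """Return (line_number, classtype) for each use of an undefined classtype."""
    problems = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip comments and disabled rules
            continue
        for name in CLASS_USE.findall(line):
            if name not in defined:
                problems.append((lineno, name))
    return problems

# Constructed sample: a classification.config that lacks shellcode-detect
SAMPLE_CONFIG = """\
# constructed sample config
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: attempted-user,Attempted User Privilege Gain,1
"""

# Constructed sample rules (not from any real ruleset)
SAMPLE_RULES = """\
# constructed sample rules
alert tcp any any -> any any (msg:"sample A"; content:"example"; classtype:shellcode-detect; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"sample B"; content:"example"; classtype:attempted-admin; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"disabled"; classtype:made-up-type; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    defined = defined_classtypes(SAMPLE_CONFIG)
    for lineno, name in undefined_classtypes(SAMPLE_RULES, defined):
        print(f"rules line {lineno}: classtype '{name}' is not defined")
```

To check a real installation, read the classification.config and each .rules file named in snort.conf into strings and pass them to the same two functions.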
Current thread:
- Problem: Unknown ClassType Cluett, Russell (Oct 22)
- Re: Problem: Unknown ClassType Jeffrey Pricher (Oct 22)
- <Possible follow-ups>
- RE: Problem: Unknown ClassType Schmehl, Paul L (Oct 22)