RE: Problem: Unknown ClassType

["Schmehl, Paul L" <pauls () utdallas edu>]

> -----Original Message-----
> From: Cluett, Russell [mailto:russell.cluett () eds com] 
> Sent: Wednesday, October 22, 2003 10:01 AM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Problem: Unknown ClassType
>
> I'm having a problem when starting Snort on a Linux box, it 
> bonks on loading rules, i.e.
>
> ERROR: /snort/rules/exploit.rules(8) => UnknownClassType: 
> shellcode-detect Fatal Error, Quitting..

Hi Russell.  :-)

The error you're getting is telling you that at least one of the rules
in exploit.rules uses "classtype:shellcode-detect", but that classtype
is not defined for snort.  There is a file that comes with snort, named
"classification.config", that defines all the classtypes for snort.  If
your classtype is missing from that config file, snort will generate the
error you are seeing and exit fatally.  (So, if you decide to make up
your own classtypes, make sure you add a line to that file to define
them, or you'll get this same error.)

However, shellcode-detect is a legitimate classtype in the more recent
versions of snort, so I'm not sure why you would get this error, unless
you're using an older version of snort but the current ruleset.

You point to the classification.config file in the snort.conf file, like
this:
include /path/to/your/snort/classification.config

which is usually in the same directory as all the rules files.  I would
first make sure you have that line in the snort.conf file and that it's
pointing to the right location, and then I would look at the
classification.config file to make sure that it includes this line,
literally:
config classification: shellcode-detect,Executable code was detected,1

I wonder which version of snort you're using?  And what OS you're using?
I suspect that if you fix this error, you're going to run in to more
just like it because your classification.config file is "out of sync"
with your ruleset.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/  


-------------------------------------------------------
This SF.net email is sponsored by OSDN developer relations
Here's your chance to show off your extensive product knowledge
We want to know what you know. Tell us and you have a chance to win $100
http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users