Snort mailing list archives
Re: Unknown ClassType: trojan-activity
From: "Smith, Edward" <esmith () intacct com>
Date: Mon, 14 Jan 2013 22:00:03 +0000
I did not notice that the rules were designed for the different versions. Since I am running CentOS 5, I was unable to get the latest to work, but I figured upgrading rules was fine. Is there a way to get a new set of rules for the older versions of snort?

Thanks.

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Monday, January 14, 2013 1:52 PM
To: Smith, Edward
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Unknown ClassType: trojan-activity

Looks like your classification.config file may be missing or out of date.

That being said, am I reading this right that you are running Snort 2.9.1 with a Snort 2.9.4.0 ruleset?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 14, 2013, at 4:08 PM, "Smith, Edward" <esmith () intacct com> wrote:

Hello,

I have been looking around and have not found anything that seems to answer this, so sorry if this has been addressed.

I am upgrading from snort 2.9.0 to 2.9.1, which I figured would be rather trivial. However, I also upgraded to the newest ruleset 2905 to 2940 and I am getting the following error:

Reputation config: WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /etc/snort/rules/blacklist.rules(318) Unknown ClassType: trojan-activity
Fatal Error, Quitting..

Here is the offending entry, but this is the same error for every trojan-activity error.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious User-Agent ErrCode - W32/Fujacks.htm"; flow:established,to_server; content:"User-Agent|3A| ErrCode"; fast_pattern:only; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=141161; reference:url,www.virustotal.com/latest-report.html?resource=f9dc0803ea4634256eae73b2db61a3c5; classtype:trojan-activity; sid:18247; rev:4;)

Strange thing is that I am using the same entries in my blacklist as before, and those worked fine with trojan-activity. Is there something that has disabled my ability to check for these kinds of attacks?

Any help here is appreciated.

Ed Smith
esmith () intacct com

------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft MVPs and experts. SALE $99.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122412
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
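A pre-flight check for the failure discussed in this thread, added here as an example (it is not code from the posters or from the Snort project): it lists every classtype used by an active rule but not declared in classification.config, so a mismatch shows up before Snort is restarted. The function names and the sample config and rules are constructed for illustration; the "config classification: name,description,priority" line format is the one Snort 2.x uses.

```python
import re

# "config classification: <short-name>,<description>,<priority>"
CLASS_RE = re.compile(r'^\s*config\s+classification:\s*([^,\s]+)\s*,', re.I)
# "classtype:<short-name>;" inside a rule's option list
TYPE_RE = re.compile(r'\bclasstype\s*:\s*([^;\s]+)\s*;')

def defined_classtypes(config_text):
    """Return the set of short names declared in classification.config text."""
    names = set()
    for line in config_text.splitlines():
        m = CLASS_RE.match(line)          # commented-out lines do not match
        if m:
            names.add(m.group(1))
    return names

def undefined_classtypes(rules_text, defined, filename="rules"):
    """Return (filename, line_no, classtype) for active rules using an undeclared classtype."""
    problems = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # skip blanks and disabled rules
        for name in TYPE_RE.findall(stripped):
            if name not in defined:
                problems.append((filename, no, name))
    return problems

# Constructed sample: an older classification.config lacking trojan-activity
OLD_CONFIG = """\
# constructed sample, not a real Snort distribution file
config classification: attempted-recon,Attempted Information Leak,2
config classification: misc-activity,Misc activity,3
"""
NEW_CONFIG = OLD_CONFIG + "config classification: trojan-activity,A Network Trojan was detected,1\n"

# Constructed sample rules (sids in the local range)
RULES = """\
# alert tcp any any -> any any (msg:"disabled"; classtype:not-defined; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed sample A"; content:"User-Agent|3A| ErrCode"; classtype:trojan-activity; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"constructed sample B"; classtype:misc-activity; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    for label, cfg in (("old config", OLD_CONFIG), ("new config", NEW_CONFIG)):
        hits = undefined_classtypes(RULES, defined_classtypes(cfg), "blacklist.rules")
        for f, no, ct in hits:
            print(f"{label}: {f}({no}) Unknown ClassType: {ct}")
        print(f"{label}: {len(hits)} undefined classtype reference(s)")
```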
Current thread:
- Unknown ClassType: trojan-activity Smith, Edward (Jan 14)
- Re: Unknown ClassType: trojan-activity Joel Esler (Jan 14)
- Re: Unknown ClassType: trojan-activity Smith, Edward (Jan 14)
- Re: Unknown ClassType: trojan-activity Joel Esler (Jan 14)
- Re: Unknown ClassType: trojan-activity Smith, Edward (Jan 14)
- Re: Unknown ClassType: trojan-activity Joel Esler (Jan 14)