Snort mailing list archives
Re: Error app-detect.rules (18) Unknown ClassType:
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 12 Mar 2013 12:30:00 -0400
On Mar 12, 2013, at 11:47 AM, waldo kitty <wkitty42 () windstream net> wrote:
> On 3/11/2013 21:29, Jim Turner wrote:
>> I have found that if I # all of the site specific rules, that I can commence packet processing. I can also enable rules one at a time, and as long as I don't enable the wrong rules, I am able to start as well. Is the problem with the rules that I downloaded after installing? I am running 2.9.4.1, but since I downloaded the free rules, they appear to be a month old. Would I get past my problem if I subscribe and get the latest rule set?
>
> the problem is your classification file... it does not contain the classification used in the rules that are causing snort to fall over... what is the classification of the rule (18) in app-detect.rules?? does this classification exist in your classification.conf file??
>
> NOTE1: i do not know if the (18) indicates line 18 in the file OR if it indicates the 18th rule (enabled or disabled) OR if it indicates the 18th enabled rule...
>
> NOTE2: in my app-detect.rules file, line 18 is the first one that is enabled. the classification on that rule is web-application-attack. web-application-attack is specifically listed in the classification file under the heading #NEW CLASSIFICATIONS. the SID for that rule is 25358 revision 1. that's 1:25358 in GID:SID format or 1:25358:1 in GID:SID:REV format. it sounds like your classification file is old and not updated...
Here's the problem with your configuration Jim:

    # Reputation preprocessor. For more information see README.reputation
    preprocessor reputation: \
       memcap 500, \
       priority whitelist, \
       nested_ip inner, \
    #   whitelist $WHITE_LIST_PATH\white_list.rules,
    #   blacklist $BLACK_LIST_PATH\black_list.rules

    ###################################################
    # Step #6: Configure output plugins
    # For more information, see Snort Manual, Configuring Snort - Output Modules
    ###################################################

    # unified2
    # Recommended for most installs
    # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

    # Additional configuration for specific types of installs
    # output alert_unified2: filename snort.alert, limit 128, nostamp
    # output log_unified2: filename snort.log, limit 128, nostamp

    # syslog
    # output alert_syslog: LOG_AUTH LOG_ALERT

    # pcap
    # output log_tcpdump: tcpdump.log

    # metadata reference data. do not modify these lines
    include classification.config
    include reference.config

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
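The check waldo kitty describes (does every classtype used by an enabled rule exist in classification.config?) is easy to automate, and doing so answers the "(18)" ambiguity from NOTE1 by reporting both the file line number and the enabled-rule count for each offending rule. The script below is an added example for this archive page; it is not code from the thread or from the Snort project. It assumes the file formats as Snort documents them: `config classification: <name>,<description>,<priority>` lines in classification.config, one rule per line in a rules file with backslash line continuation, `#` disabling a rule, and an exact-string match between a rule's `classtype:` value and the configured name. The embedded sample files are constructed; only the classtype, SID and revision of the 1:25358:1 rule come from the thread, the rest of that rule's text is made up, and the last sample rule deliberately uses a classtype the sample config does not define.

```python
import re
from typing import Dict, Iterator, List, Set, Tuple

# Constructed excerpt of a Snort classification.config. Each definition has
# the form "config classification: <name>,<description>,<priority>".
CLASSIFICATION_CONF = """\
# classification.config (constructed excerpt for this example)
config classification: misc-activity,Misc activity,3
config classification: web-application-attack,Web Application Attack,1
"""

# Constructed excerpt of a rules file. The classtype/SID/rev on the third
# line match the rule quoted in the thread (1:25358:1, web-application-attack);
# everything else about these rules is made up. The fourth rule spans two
# physical lines with a backslash, and the last one deliberately names a
# classtype that CLASSIFICATION_CONF above does not define.
APP_DETECT_RULES = """\
# app-detect.rules (constructed excerpt for this example)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"disabled"; classtype:never-checked; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed rule"; flow:to_server,established; classtype:web-application-attack; sid:25358; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed continued rule"; \\
    classtype:misc-activity; sid:1000002; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed rule 3"; classtype:example-newer-classtype; sid:1000003; rev:1;)
"""

CLASS_DEF_RE = re.compile(r"^config\s+classification:\s*([^,]+),", re.IGNORECASE)
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first_physical_line_number, joined_text), joining lines that end
    in a backslash the way Snort's config/rule parser does."""
    buf: List[str] = []
    start = 0
    for n, line in enumerate(text.splitlines(), start=1):
        if not buf:
            start = n
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1])
            continue
        buf.append(line)
        yield start, " ".join(part.strip() for part in buf)
        buf = []
    if buf:  # file ended on a continuation line; emit what we have
        yield start, " ".join(part.strip() for part in buf)


def load_classifications(conf_text: str) -> Set[str]:
    """Collect the classtype names defined in a classification.config."""
    names: Set[str] = set()
    for _, line in logical_lines(conf_text):
        m = CLASS_DEF_RE.match(line)
        if m:
            names.add(m.group(1).strip())
    return names


def find_unknown_classtypes(rules_text: str, known: Set[str]) -> List[Dict[str, object]]:
    """Return one record per enabled rule whose classtype is not in `known`.
    Each record carries the physical line number and the enabled-rule count,
    so either reading of Snort's "(N)" can be compared against it."""
    problems: List[Dict[str, object]] = []
    enabled_count = 0
    for line_no, rule in logical_lines(rules_text):
        if not rule or rule.startswith("#"):
            continue  # blank line or disabled rule: Snort never parses it
        enabled_count += 1
        m = CLASSTYPE_RE.search(rule)
        if not m:
            continue  # classtype is optional in a rule
        classtype = m.group(1).strip()
        if classtype in known:
            continue
        sid = SID_RE.search(rule)
        rev = REV_RE.search(rule)
        problems.append({
            "line": line_no,
            "enabled_rule": enabled_count,
            "sid": sid.group(1) if sid else None,
            "rev": rev.group(1) if rev else None,
            "classtype": classtype,
        })
    return problems


def report(problems: List[Dict[str, object]]) -> List[str]:
    """Format each problem as one human-readable line (GID 1 assumed for text rules)."""
    return [
        f"line {p['line']} (enabled rule #{p['enabled_rule']}), 1:{p['sid']}:{p['rev']}: "
        f"classtype '{p['classtype']}' is not defined in classification.config"
        for p in problems
    ]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: check_classtypes.py classification.config app-detect.rules
        with open(sys.argv[1]) as f:
            conf_text = f.read()
        with open(sys.argv[2]) as f:
            rules_text = f.read()
    else:  # no arguments: run against the constructed samples above
        conf_text, rules_text = CLASSIFICATION_CONF, APP_DETECT_RULES
    for msg in report(find_unknown_classtypes(rules_text, load_classifications(conf_text))):
        print(msg)
```

Run it with no arguments to see the constructed sample flag its last rule, or pass the paths of a real classification.config and rules file. A rule listed in the report is exactly the situation waldo kitty points to: either the classification file is older than the rule set that references the new classtype, or the `include classification.config` line is not being reached before the rules are loaded.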
Current thread:
- Error app-detect.rules (18) Unknown ClassType: Jim Turner (Mar 11)
- Re: Error app-detect.rules (18) Unknown ClassType: Jim Turner (Mar 11)
- Re: Error app-detect.rules (18) Unknown ClassType: waldo kitty (Mar 12)
- Re: Error app-detect.rules (18) Unknown ClassType: Joel Esler (Mar 12)
- Re: Error app-detect.rules (18) Unknown ClassType: waldo kitty (Mar 12)
- Re: Error app-detect.rules (18) Unknown ClassType: Jim Turner (Mar 11)