[Snort-users] Unknown ClassType: trojan-activity

Smith, Edward esmith at ...15250...
Mon Jan 14 16:08:48 EST 2013


Hello,

I have been looking around and have not found anything that seems to answer this, so sorry if this has been addressed.
I am upgrading from Snort 2.9.0 to 2.9.1, which I figured would be rather trivial. However, I also upgraded to the newest ruleset 2905 to 2940 and I am getting the following error:


Reputation config:
    WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /etc/snort/rules/blacklist.rules(318) Unknown ClassType: trojan-activity
Fatal Error, Quitting..

Here is the offending entry, but this is the same error for every trojan-activity error.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious User-Agent ErrCode - W32/Fujacks.htm"; flow:established,to_server; content:"User-Agent|3A| ErrCode"; fast_pattern:only; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=141161; reference:url,www.virustotal.com/latest-report.html?resource=f9dc0803ea4634256eae73b2db61a3c5; classtype:trojan-activity; sid:18247; rev:4;)

Strange thing is that I am using the same entries in my blacklist as before, and those worked fine with trojan-activity. Is there something that has disabled my ability to check for these kinds of attacks? Any help here is appreciated.

Ed Smith
esmith at ...15250...
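
A pre-flight check for the error in this post, as an added example (not part of the original message and not Snort project code): it lists every classtype a rules file uses that classification.config does not define. It assumes the standard Snort 2.x "config classification: name,description,priority" line format; the sample config and rules below are constructed.

```python
import re

# Assumed Snort 2.x format: config classification: <name>,<description>,<priority>
CLASSIFICATION_RE = re.compile(r"^\s*config\s+classification:\s*([^,\s]+)\s*,")
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([^;\s]+)\s*;")
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')  # quoted option values (msg, content)

def defined_classtypes(config_text):
    """Collect classtype names defined by active (uncommented) config lines."""
    names = set()
    for line in config_text.splitlines():
        m = CLASSIFICATION_RE.match(line)
        if m:
            names.add(m.group(1))
    return names

def undefined_classtypes(rules_text, defined, filename="<rules>"):
    """Return (filename, line_number, classtype) for each undefined classtype."""
    problems = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blanks and disabled rules
        # Blank out quoted strings so text inside msg/content is not matched.
        body = QUOTED_RE.sub('""', stripped)
        for name in CLASSTYPE_RE.findall(body):
            if name not in defined:
                problems.append((filename, lineno, name))
    return problems

# Constructed sample: trojan-activity is deliberately absent from the config.
SAMPLE_CONFIG = """\
# config classification: trojan-activity,A Network Trojan was detected,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: misc-activity,Misc activity,3
"""
# Constructed sample rules (sids are placeholders, not real rule ids).
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed A"; classtype:trojan-activity; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"constructed B"; classtype:misc-activity; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    known = defined_classtypes(SAMPLE_CONFIG)
    for fname, lineno, name in undefined_classtypes(SAMPLE_RULES, known, "blacklist.rules"):
        print(f"{fname}({lineno}) classtype not defined: {name}")
```

To run it against a real installation, read the classification.config that snort.conf includes and each rules file into strings and pass them to the same two functions.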

