[Snort-users] Unknown ClassType: trojan-activity

Joel Esler jesler at ...1935...
Mon Jan 14 17:07:09 EST 2013

No, 2.9.0 is pretty old at this point (at least a couple years), and we don't support it anymore 

However, see if this helps:


Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager

On Jan 14, 2013, at 5:00 PM, "Smith, Edward" <esmith at ...15250...> wrote:

> I did not notice that the rules were designed for the different versions.  Since I am running CentOS 5, I was unable to get the latest to work, but I figured upgrading rules was fine.  Is there a way to get a new set of rules for the older versions of snort?  Thanks.
> From: Joel Esler [mailto:jesler at ...1935...] 
> Sent: Monday, January 14, 2013 1:52 PM
> To: Smith, Edward
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Unknown ClassType: trojan-activity
> Looks like your classification.config file may be missing or out of date.
> That being said, am I reading this right that you are running Snort 2.9.1 with a Snort ruleset?
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
> On Jan 14, 2013, at 4:08 PM, "Smith, Edward" <esmith at ...15250...> wrote:
> Hello,
> I have been looking around and have not found anything that seems to answer this, so sorry if this has been addressed.
> I am upgrading from snort 2.9.0 to 2.9.1, which I figured would be rather trivial.  However, I also upgraded to the newest ruleset 2905 to 2940 and I am getting the following error:
> Reputation config:
>     WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ERROR: /etc/snort/rules/blacklist.rules(318) Unknown ClassType: trojan-activity
> Fatal Error, Quitting..
> Here is the offending entry, but this is the same error for every  trojan-activity error.
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious User-Agent ErrCode - W32/Fujacks.htm"; flow:established,to_server; content:"User-Agent|3A| ErrCode"; fast_pattern:only; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=141161; reference:url,www.virustotal.com/latest-report.html?resource=f9dc0803ea4634256eae73b2db61a3c5; classtype:trojan-activity; sid:18247; rev:4;)
> Strange thing is that I am using the same entries in my blacklist as before, and those worked fine with trojan-activity.  Is there something that has disabled my ability to check for these kinds of attacks?   Any help here is appreciated.
> Ed Smith
> esmith at ...15250...
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. SALE $99.99 this month only -- learn more at:
> http://p.sf.net/sfu/learnmore_122412_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130114/537eb74a/attachment.html>

More information about the Snort-users mailing list