[Snort-users] Error app-detect.rules (18) Unknown ClassType:

waldo kitty wkitty42 at ...14940...
Tue Mar 12 11:47:34 EDT 2013


On 3/11/2013 21:29, Jim Turner wrote:
> I have found that if I # all of the site specific rules, that I can commence
> packet processing.
> I can also enable rules one at a time, and as long as I don't enable the wrong
> rules, I am able to start as well.
> Is the problem with the rules that I downloaded after installing? I am running
> 2.9.4.1, but since I downloaded the free rules, they appear to be a month old.
> Would I get past my problem if I subscribe and get the latest rule set?

the problem is your classification file... it does not contain the 
classification used in the rules that are causing snort to fall over...

what is the classification of the rule (18) in app-detect.rules??

does this classification exist in your classification.conf file??


NOTE1: i do not know if the (18) indicates line 18 in the file OR
        if it indicates the 18th rule (enabled or disabled) OR
        if it indicates the 18th enabled rule...

NOTE2: in my app-detect.rules file, line 18 is the first one that is enabled.
        the classification on that rule is web-application-attack.
        web-application-attack is specifically listed in the classification file
          under the heading #NEW CLASSIFICATIONS
        the SID for that rule is 25358 revision 1
        that's 1:25358 in GID:SID format or 1:25358:1 in GID:SID:REV format.

it sounds like your classification file is old and not updated...
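
As an added example (not part of the original post, and not Snort's own code): a small Python check that lists enabled rules whose classtype is not declared in classification.conf, giving the file line number and GID:SID:REV of each. The sample file contents, SIDs and function names are constructed for illustration, and the check assumes one rule per line.

```python
import re

# Constructed sample inputs, not taken from the original post.
SAMPLE_CONF = """\
# classification.conf (constructed excerpt)
config classification: attempted-recon,Attempted Information Leak,2
config classification: trojan-activity,A Network Trojan was detected,1
"""
SAMPLE_RULES = """\
# app-detect.rules (constructed excerpt)
# alert tcp any any -> any 80 (msg:"disabled"; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"enabled A"; classtype:web-application-attack; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"enabled B"; classtype:attempted-recon; sid:1000003; rev:2;)
"""

CLASS_DEF = re.compile(r"^\s*config\s+classification:\s*([^,\s]+)\s*,")
RULE_START = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s")
OPTION = r"\b{}\s*:\s*([^;\s]+)\s*;"


def option(line, name, default=None):
    """Return the value of a rule option such as classtype, sid, rev or gid."""
    m = re.search(OPTION.format(name), line)
    return m.group(1) if m else default


def defined_classtypes(conf_text):
    """Short names declared by 'config classification:' lines."""
    return {m.group(1) for m in map(CLASS_DEF.match, conf_text.splitlines()) if m}


def unknown_classtypes(rules_text, known):
    """(line number, classtype, GID:SID:REV) for enabled rules with an undefined classtype."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if not RULE_START.match(line):
            continue  # comments, blank lines and '#'-disabled rules are skipped
        ctype = option(line, "classtype")
        if ctype and ctype not in known:
            # Text rules without a gid option belong to generator 1.
            ident = "{}:{}:{}".format(option(line, "gid", "1"),
                                      option(line, "sid", "?"), option(line, "rev", "?"))
            findings.append((lineno, ctype, ident))
    return findings


if __name__ == "__main__":
    for lineno, ctype, ident in unknown_classtypes(SAMPLE_RULES, defined_classtypes(SAMPLE_CONF)):
        print(f"line {lineno}: classtype '{ctype}' not in classification.conf ({ident})")
```

To check a real installation, read your own classification.conf and rules file and pass their contents to the two functions in place of the constructed samples.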



