[Snort-users] Error app-detect.rules (18) Unknown ClassType:

Joel Esler jesler at ...1935...
Tue Mar 12 12:30:00 EDT 2013


On Mar 12, 2013, at 11:47 AM, waldo kitty <wkitty42 at ...14940...> wrote:
> On 3/11/2013 21:29, Jim Turner wrote:
>> I have found that if I # all of the site specific rules, that I can commence
>> packet processing.
>> I can also enable rules one at a time, and as long as I don't enable the wrong
>> rules, I am able to start as well.
>> Is the problem with the rules that I downloaded after installing? I am running
>> 2.9.4.1, but since I downloaded the free rules, they appear to be a month old.
>> Would I get past my problem if I subscribe and get the latest rule set?
> 
> the problem is your classification file... it does not contain the 
> classification used in the rules that are causing snort to fall over...
> 
> what is the classification of the rule (18) in app-detect.rules??
> 
> does this classification exist in your classification.conf file??
> 
> 
> NOTE1: i do not know if the (18) indicates line 18 in the file OR
>        if it indicates the 18th rule (enabled or disabled) OR
>        if it indicates the 18th enabled rule...
> 
> NOTE2: in my app-detect.rules file, line 18 is the first one that is enabled.
>        the classification on that rule is web-application-attack.
>        web-application-attack is specifically listed in the classification file
>          under the heading #NEW CLASSIFICATIONS
>        the SID for that rule is 25358 revision 1
>        that's 1:25358 in GID:SID format or 1:25358:1 in GID:SID:REV format.
> 
> it sounds like your classification file is old and not updated...



Here's the problem with your configuration, Jim:

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   # whitelist $WHITE_LIST_PATH\white_list.rules,
   # blacklist $BLACK_LIST_PATH\black_list.rules

###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp

# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# metadata reference data.  do not modify these lines
include classification.config
include reference.config


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
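The excerpt above ends a multi-line `preprocessor reputation:` directive with a trailing backslash, and the only lines that follow before `include classification.config` are comments and blanks. The example below is an added lint for that pattern; it is not code from this thread or from the Snort project. It rests on one assumption about the snort.conf parser (stated in the code, not verified against Snort's source): a trailing `\` continues the directive onto the next non-blank, non-comment line, so a continuation followed only by comments runs on into the next real directive, which is then never processed on its own. The `BROKEN_CONF` text is a constructed excerpt modelled on the quoted configuration.

```python
"""Lint a snort.conf for line continuations that swallow later directives.

Added example, not from the mailing-list post or the Snort project.
Parser model (an assumption, not verified against Snort's source):
a trailing backslash continues the directive onto the next non-blank,
non-comment line, and blank or '#' lines in between are skipped.  A
continued line followed only by comments therefore absorbs the next real
directive, e.g. an 'include classification.config' line.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt modelled on the configuration quoted in the post.
BROKEN_CONF = """\
# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \\
   memcap 500, \\
   priority whitelist, \\
   nested_ip inner, \\
   # whitelist $WHITE_LIST_PATH\\white_list.rules,
   # blacklist $BLACK_LIST_PATH\\black_list.rules

###################################################
# Step #6: Configure output plugins
###################################################

# unified2
# output unified2: filename merged.log, limit 128, nostamp

# metadata reference data.  do not modify these lines
include classification.config
include reference.config
"""

# Same excerpt with the dangling continuation removed from the last option.
FIXED_CONF = BROKEN_CONF.replace("nested_ip inner, \\\n", "nested_ip inner\n")


@dataclass
class Directive:
    start_line: int                      # 1-based line where the directive begins
    text: str                            # joined text as the modelled parser sees it
    skipped: List[int] = field(default_factory=list)  # comment/blank lines skipped mid-continuation
    absorbed_line: Optional[int] = None  # first line joined only because of skipped lines
    absorbed_text: str = ""


def join_directives(conf: str) -> List[Directive]:
    """Join continuation lines the way the modelled parser would."""
    directives: List[Directive] = []
    current: Optional[Directive] = None
    for lineno, raw in enumerate(conf.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            if current is not None:          # still inside a continuation
                current.skipped.append(lineno)
            continue
        continues = stripped.endswith("\\")
        body = stripped[:-1].rstrip() if continues else stripped
        if current is None:
            current = Directive(start_line=lineno, text=body)
        else:
            # Joining across comments/blanks is the suspicious case.
            if current.skipped and current.absorbed_line is None:
                current.absorbed_line = lineno
                current.absorbed_text = body
            current.text += " " + body
        if not continues:
            directives.append(current)
            current = None
    if current is not None:                  # trailing backslash at end of file
        directives.append(current)
    return directives


def runaway_continuations(conf: str) -> List[Tuple[int, int, str]]:
    """Return (directive_start, absorbed_line, absorbed_text) for each
    directive whose trailing backslash ran past comments into a later line."""
    return [
        (d.start_line, d.absorbed_line, d.absorbed_text)
        for d in join_directives(conf)
        if d.absorbed_line is not None
    ]


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        findings = runaway_continuations(conf)
        print(f"{label}: {len(findings)} runaway continuation(s)")
        for start, absorbed, text in findings:
            print(f"  directive at line {start} swallowed line {absorbed}: {text!r}")
```

On the broken excerpt the lint reports that the directive starting at line 2 swallowed line 17, `include classification.config`, which is consistent with the classification file never being loaded and every rule's classtype being reported as unknown. On the fixed excerpt the reputation directive ends at `nested_ip inner` and both `include` lines are parsed on their own.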
