[Snort-users] ERROR: ../rules/blacklist.rules(22) Unknown ClassType: trojan-activity

waldo kitty wkitty42 at ...14940...
Fri Apr 11 15:15:13 EDT 2014

On 4/11/2014 2:16 PM, Rameez Qureshi wrote:
> That clears things up, I have went to the blacklist rule
> I'm not sure as to why is throwing up that error and when commenting out one
> rule and going onto the next gives me the same error

ummm... the blacklist file should not have /any/ rules it in... the blacklist 
and whitelist files contain only IP numbers...

now, i suspect that you are running into a defect that was discussed some months 
ago... that defect being that the black_list.rules and blacklist.rules files 
names are too similar and they confuse folks...

at that time i suggested that the reputation processor's black_list.rules and 
white_list.rules files default to (eg:) RPP_white.rule and RPP_black.rule or 
similar... something very different so that they do not get confused with the 
rules files containing actual text rules...

in your snort.conf, you have the following...

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
#   whitelist $WHITE_LIST_PATH/white_list.rules, \
#   blacklist $BLACK_LIST_PATH/black_list.rules

and further down you have the following...

include $RULE_PATH/blacklist.rules

this appears to indicate that the naming conflict i speak of above is NOT what 
is biting you... it does, instead, point to your classification.conf file not 
being in the proper place...

so, with all of that said, have you placed your classification.conf and 
reference.conf files in /etc/ with your snort.conf file?

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

More information about the Snort-users mailing list