[Snort-users] ERROR: ../rules/blacklist.rules(22) Unknown ClassType: trojan-activity
wkitty42 at ...14940...
Fri Apr 11 15:15:13 EDT 2014
On 4/11/2014 2:16 PM, Rameez Qureshi wrote:
> That clears things up, I have went to the blacklist rule
> I'm not sure as to why is throwing up that error and when commenting out one
> rule and going onto the next gives me the same error
ummm... the blacklist file should not have /any/ rules it in... the blacklist
and whitelist files contain only IP numbers...
now, i suspect that you are running into a defect that was discussed some months
ago... that defect being that the black_list.rules and blacklist.rules files
names are too similar and they confuse folks...
at that time i suggested that the reputation processor's black_list.rules and
white_list.rules files default to (eg:) RPP_white.rule and RPP_black.rule or
similar... something very different so that they do not get confused with the
rules files containing actual text rules...
in your snort.conf, you have the following...
# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
# whitelist $WHITE_LIST_PATH/white_list.rules, \
# blacklist $BLACK_LIST_PATH/black_list.rules
and further down you have the following...
this appears to indicate that the naming conflict i speak of above is NOT what
is biting you... it does, instead, point to your classification.conf file not
being in the proper place...
so, with all of that said, have you placed your classification.conf and
reference.conf files in /etc/ with your snort.conf file?
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
More information about the Snort-users