[Snort-users] Classtype Map Error

Sujit Ghosal thesujit at gmail.com
Thu May 17 03:18:46 EDT 2018


Hi Albert,
      The file is in /etc/snort/classification.config

I've explicitly set the permission of the file to be 777. Still no luck. :(

Compilation test command that I am passing:
$sudo -c /etc/snort/snort.conf -T


The error looks something like:
------------------------------------------------------------------
ERROR: /etc/snort/preproc_rules/preprocessor.rules(1) Unknown ClassType:
not-suspicious
ERROR: /etc/snort/preproc_rules/decoder.rules(1) Unknown ClassType:
protocol-command-decode


My "snort.conf" file content looks something like:
--------------------------------------------------------------------------------
# metadata reference data.  do not modify these lines
include classification.config
include reference.config

include $RULE_PATH/custom.rules
#include $RULE_PATH/app-detect.rules

# decoder and preprocessor event rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules


-Sujit



On Tue, May 15, 2018 at 9:35 PM, Al Lewis (allewi) <allewi at cisco.com> wrote:

> Hello,
>
> Where is the include for the file set to point to within your config file?
>
> What is the class type you are using?
>
> *Albert Lewis*
> ENGINEER.SOFTWARE ENGINEERING
> Cisco Systems Inc.
> Email: allewi at cisco.com
>
> *From: *Snort-users <snort-users-bounces at lists.snort.org> on behalf of
> Sujit Ghosal via Snort-users <snort-users at lists.snort.org>
> *Reply-To: *Sujit Ghosal <thesujit at gmail.com>
> *Date: *Tuesday, May 15, 2018 at 10:51 AM
> *To: *"snort-users at lists.snort.org" <snort-users at lists.snort.org>
> *Subject: *[Snort-users] Classtype Map Error
>
>
>
> Hey All,
>
>     I've installed snort v2.9.11.1 (source installation) on my Ubuntu box
> and it got through successfully without any errors. Now I placed some
> custom rules inside "/etc/snort/rules/custom.rules" and placed some valid
> rules into it. And I've "only" enabled custom.rules and disabled the rest.
>
> Now when I try to validate (#snort -c /etc/snort/snort.conf -T --daq dump)
> whether snort is unable to compile my rules and it throws an error saying:
>
> ERROR: /etc/snort/rules/custom.rules(2) Unknown ClassType: attempted-user
>
> NOTE: I am quite sure that I've placed classification.config and
> reference.config inside /etc/snort (chmod explicitly to 777 as well for
> both the files). Wondering why it still throws, "unknown classtype". But
> when I remove the classtype parameter from those rules it all works fine
> without any error.
>
> Any idea where things might be going wrong?
>
> Regards,
> Sujit
>
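
An added example, not part of the original thread and not Snort's own code: a small Python checker that follows the `include` lines of a snort.conf, collects every `config classification:` short name it finds, and lists each rule whose `classtype` is not among them, plus any include that cannot be opened. The `$VAR` expansion and relative-path resolution are simplified assumptions, and the files written by `demo()` are constructed samples.

```python
import os, pathlib, re, tempfile

CLASS_DEF = re.compile(r"^\s*config\s+classification:\s*([^,\s]+)\s*,")  # name,description,priority
CLASSTYPE = re.compile(r"classtype\s*:\s*([^;\s]+)\s*;")
INCLUDE = re.compile(r"^\s*include\s+(\S+)")
VAR = re.compile(r"^\s*var\s+(\S+)\s+(\S+)")

def walk(path, variables, defined, used, unreadable):
    """Collect classification definitions and classtype uses from path and its includes."""
    base = os.path.dirname(os.path.abspath(path))
    try:
        lines = pathlib.Path(path).read_text(errors="replace").splitlines()
    except OSError as exc:
        unreadable.append((path, 0, "unreadable: " + str(exc.strerror)))
        return
    for n, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue
        if m := VAR.match(line):
            variables[m.group(1)] = m.group(2)
        elif m := CLASS_DEF.match(line):
            defined.add(m.group(1))
        elif m := INCLUDE.match(line):
            # Assumption: $VAR takes its "var" value; relative paths resolve against this file's directory
            target = re.sub(r"\$(\w+)", lambda v: variables.get(v.group(1), v.group(0)), m.group(1))
            walk(os.path.join(base, target), variables, defined, used, unreadable)
        elif m := CLASSTYPE.search(line):
            used.append((path, n, m.group(1)))

def check(conf):
    """Return (file, line, detail) for unreadable includes and classtypes no reachable file defines."""
    defined, used, unreadable = set(), [], []
    walk(conf, {}, defined, used, unreadable)
    return unreadable + [(f, n, "undefined classtype: " + c) for f, n, c in used if c not in defined]

def demo():  # constructed sample tree: classification.config defines one of the two classtypes used
    root = pathlib.Path(tempfile.mkdtemp())
    files = {
        "snort.conf": "var RULE_PATH rules\ninclude classification.config\ninclude $RULE_PATH/custom.rules\n",
        "classification.config": "config classification: not-suspicious,Not Suspicious Traffic,3\n",
        "rules/custom.rules": 'alert tcp any any -> any 80 (msg:"a"; classtype:not-suspicious; sid:1000001;)\n'
                              'alert tcp any any -> any 80 (msg:"b"; classtype:attempted-user; sid:1000002;)\n',
    }
    (root / "rules").mkdir()
    for name, body in files.items():
        (root / name).write_text(body)
    return check(str(root / "snort.conf"))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To run it against a real installation, call `check("/etc/snort/snort.conf")` as the same user that runs Snort, so that permission problems on included files show up as `unreadable` entries.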