Snort mailing list archives

Bug in classification.config parsing?


From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Tue, 11 Dec 2001 10:47:04 +0100

Hi,

I found a strange behaviour when updating classification.config. I get
errors saying

Dec 11 10:29:02 ids01 snort[19990]: WARNING /etc/snort/rules/classification.config(17): Duplicate classification "suspicious-filename-detect"found, ignoring this line
Dec 11 10:29:02 ids01 snort[19990]: WARNING /etc/snort/rules/classification.config(18): Duplicate classification "suspicious-login"found, ignoring this line
Dec 11 10:29:02 ids01 snortd: snort startup succeeded
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/ftp.rules(5) => Bad Priority setting "suspicious-filename-detect"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/ftp.rules(6) => Bad Priority setting "suspicious-filename-detect"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/ftp.rules(24) => Bad Priority setting "suspicious-login"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/ftp.rules(25) => Bad Priority setting "suspicious-login"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/ftp.rules(26) => Bad Priority setting "suspicious-login"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/ftp.rules(28) => Bad Priority setting "suspicious-login"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/ftp.rules(29) => Bad Priority setting "suspicious-login"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/ftp.rules(30) => Bad Priority setting "suspicious-login"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/telnet.rules(5) => Bad Priority setting "suspicious-login"
Dec 11 10:29:02 ids01 snort[19990]: ERROR /etc/snort/rules/telnet.rules(6) => Bad Priority setting "suspicious-login"
Dec 11 10:29:03 ids01 snort[19990]: Snort initialization completed successfully, Snort running

The corresponding classification.config looks like this:

[snip]
config classification: suspicious,suspicious miscellaneous traffic,1
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
[snip]

When using the following order it works as expected:

[snip]
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: suspicious,suspicious miscellaneous traffic,1
[snip]

Since I'm still on snort 1.8.1 on RedHat Linux 7.0 this may already be fixed
in 1.8.3. Please accept my apologies if that's the case.

Ciao,
Sandro
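
An added example, not part of the original post and not Snort's own code: a Python lint that flags a classification.config in which a name extends an earlier, shorter name, which is the ordering the post reports as producing the "Duplicate classification" warning on Snort 1.8.1. That this prefix relationship is the trigger is an assumption drawn from the two orderings quoted above; `parse_classifications` and `lint` are hypothetical names.

```python
"""Lint a Snort classification.config for the ordering reported in this post."""
import re

# Matches: config classification: <name>,<description>,<priority>
CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),(.*),\s*(\d+)\s*$")

def parse_classifications(text):
    """Return [(line_no, name, description, priority)] for each classification line."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        m = CLASS_RE.match(line)
        if m:
            entries.append((line_no, m.group(1).strip(), m.group(2).strip(), int(m.group(3))))
    return entries

def lint(text):
    """Report exact duplicates and names that extend an earlier, shorter name."""
    findings = []
    seen = []  # (line_no, name) in file order
    for line_no, name, _desc, _prio in parse_classifications(text):
        for prev_line, prev_name in seen:
            if name == prev_name:
                findings.append((line_no, "duplicate", name, prev_line))
            elif name.startswith(prev_name):
                # Assumption: the ordering the post shows failing on 1.8.1.
                findings.append((line_no, "shadowed-by-prefix", name, prev_line))
        seen.append((line_no, name))
    return findings

# The two orderings quoted in the post, with the mail-wrapped lines joined.
FAILING = """\
config classification: suspicious,suspicious miscellaneous traffic,1
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
"""
WORKING = """\
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: suspicious,suspicious miscellaneous traffic,1
"""

if __name__ == "__main__":
    for label, cfg in (("failing order", FAILING), ("working order", WORKING)):
        print(label)
        for line_no, kind, name, prev_line in lint(cfg):
            print(f"  line {line_no}: {kind}: {name!r} (earlier entry on line {prev_line})")
```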
