Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ERROR: ../rules/blacklist.rules(22) Unknown ClassType: trojan-activity

From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 11 Apr 2014 15:15:13 -0400
On 4/11/2014 2:16 PM, Rameez Qureshi wrote:

That clears things up, I have went to the blacklist rule

I'm not sure as to why is throwing up that error and when commenting out one
rule and going onto the next gives me the same error


ummm... the blacklist file should not have /any/ rules it in... the blacklist 
and whitelist files contain only IP numbers...

now, i suspect that you are running into a defect that was discussed some months 
ago... that defect being that the black_list.rules and blacklist.rules files 
names are too similar and they confuse folks...

at that time i suggested that the reputation processor's black_list.rules and 
white_list.rules files default to (eg:) RPP_white.rule and RPP_black.rule or 
similar... something very different so that they do not get confused with the 
rules files containing actual text rules...

in your snort.conf, you have the following...

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
#   whitelist $WHITE_LIST_PATH/white_list.rules, \
#   blacklist $BLACK_LIST_PATH/black_list.rules

and further down you have the following...

include $RULE_PATH/blacklist.rules

this appears to indicate that the naming conflict i speak of above is NOT what 
is biting you... it does, instead, point to your classification.conf file not 
being in the proper place...

so, with all of that said, have you placed your classification.conf and 
reference.conf files in /etc/ with your snort.conf file?

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment 
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: