Snort mailing list archives

Re: Having trouble editing the configuration file for Windows


From: Trevor Thompson <trevthom18 () gmail com>
Date: Thu, 24 Jul 2014 12:39:42 -0400

Through following the advice given by Michael I fixed the first error that I
inquired about, but I am now encountering a new type of error.

"ERROR: C:\snort\rules\file-identify.rules(22) Unknown ClassType: misc-activity"

I've done some googling to see exactly what the problem is, but I cannot
seem to find someone who has encountered the exact error that I'm facing
now. This link describes a similar situation and suggests that the cause of
the problem is the classification.config file:

http://comments.gmane.org/gmane.comp.security.ids.snort.general/43598

However, I examined the contents of this file and couldn't find any
problems with it. I'll post the file so you all can see it.

config classification: shellcode-detect,Executable Code was Detected,1
config classification: string-detect,A Suspicious String was Detected,3
config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2
config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2
config classification: system-call-detect,A System Call was Detected,2
config classification: tcp-connection,A TCP Connection was Detected,4
config classification: trojan-activity,A Network Trojan was Detected, 1
config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2
config classification: sdf,Sensitive Data was Transmitted Across the Network,2
config classification: file-format,Known malicious file or file based exploit,1
config classification: malware-cnc,Known malware command and control traffic,1
config classification: client-side-exploit,Known client side exploit attempt,1

Again, any help you all can provide would be appreciated.



On Wed, Jul 23, 2014 at 7:12 PM, waldo kitty <wkitty42 () windstream net> wrote:

> On 7/23/2014 5:13 PM, Trevor Thompson wrote:
> > # path to dynamic preprocessor libraries
> > dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
> >
> > # path to base preprocessor engine
> > dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
> >
> > # path to dynamic rules libraries
> > dynamicdetection directory C:\Snort\lib\snort_dynamicengine\sf_engine.dll
> >
> > "ERROR: c:\snort\etc\snort.conf(243) Could not stat dynamic module path "C:\Snort\lib\snort\dynamic_preprocessor\sf_dcerpc.dll": No such file or directory"
>
> the error seems to be pretty straightforward... does sf_dcerpc.dll exist in
> the named directory?? did you move it to the new directory from where it
> originally exists when you changed the path?
>
> > I've been following a tutorial that told me to change the paths to the
> > different dynamic library files in this manner, but the program still will not
> > compile correctly.
>
> compiling is a lot different than running... you can tell snort where to find
> the above files in the snort.conf so compiling shouldn't be part of the problem
> in this case...
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         Please *keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
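An added example, not code from the thread or from the Snort project: Snort reads snort.conf top to bottom, so a rule's classtype must already have been declared by a "config classification:" line (normally pulled in via classification.config) by the time the rule is parsed. The small checker below replays that ordering over constructed in-memory files and reproduces the "Unknown ClassType" message; it also flags a classification entry split across two lines, as the listing above appears after mail wrapping. The include order in the sample is one assumed way to trigger the error, not a claim about the poster's actual snort.conf.

```python
import re

# Constructed sample files (not the poster's real ones). classification.config is
# included AFTER the rules file, one ordering under which the rule's classtype is
# still unknown when the rule line is parsed.
FILES = {
    "snort.conf": "include file-identify.rules\ninclude classification.config\n",
    "classification.config": (
        "config classification: misc-activity,Misc activity,3\n"
        # Entry broken across two lines, like the wrapped listing in the post.
        "config classification: suspicious-filename-detect,A Suspicious Filename was\n"
        "Detected,2\n"
    ),
    "file-identify.rules": (
        'alert tcp any any -> any any (msg:"demo"; classtype:misc-activity; sid:1;)\n'
        'alert tcp any any -> any any (msg:"demo2"; classtype:not-defined; sid:2;)\n'
    ),
}

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*(.*)$")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
CLASSTYPE_RE = re.compile(r"classtype\s*:\s*([\w-]+)\s*;")

def check(files, entry="snort.conf"):
    """Replay Snort's top-to-bottom read of snort.conf and return the errors
    this checker would raise, in order: a classtype must already have been
    defined by a 'config classification:' line when the rule using it is read."""
    errors, known = [], set()

    def walk(name):
        for lineno, line in enumerate(files[name].splitlines(), 1):
            inc = INCLUDE_RE.match(line)
            if inc:
                walk(inc.group(1))      # included files are parsed in place
                continue
            cls = CLASS_RE.match(line)
            if cls:
                fields = [f.strip() for f in cls.group(1).split(",")]
                if len(fields) != 3:    # wrapped or otherwise malformed entry
                    errors.append(f"ERROR: {name}({lineno}) Malformed classification: {line.strip()}")
                else:
                    known.add(fields[0])
                continue
            ct = CLASSTYPE_RE.search(line)
            if ct and ct.group(1) not in known:
                errors.append(f"ERROR: {name}({lineno}) Unknown ClassType: {ct.group(1)}")

    walk(entry)
    return errors
```

Calling check(FILES) reports misc-activity as unknown at the rule line; swapping the two include lines in the sample snort.conf makes that error disappear, leaving only the genuinely undefined classtype and the wrapped entry.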


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
