Snort mailing list archives
Re: Classtype Map Error
From: Sujit Ghosal via Snort-users <snort-users () lists snort org>
Date: Thu, 17 May 2018 12:48:46 +0530
Hi Albert,

The file is in /etc/snort/classification.config

I've explicitly set the permission of the file to be 777. Still no luck. :(

Compilation test command that I am passing:
$sudo -c /etc/snort/snort.conf -T

The error looks something like:
------------------------------------------------------------------
ERROR: /etc/snort/preproc_rules/preprocessor.rules(1) Unknown ClassType: not-suspicious
ERROR: /etc/snort/preproc_rules/decoder.rules(1) Unknown ClassType: protocol-command-decode

My "snort.conf" file content looks something like:
--------------------------------------------------------------------------------
# metadata reference data. do not modify these lines
include classification.config
include reference.config

include $RULE_PATH/custom.rules
#include $RULE_PATH/app-detect.rules

# decoder and preprocessor event rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules

-Sujit

On Tue, May 15, 2018 at 9:35 PM, Al Lewis (allewi) <allewi () cisco com> wrote:
Hello,

Where is the include for the file set to point to within your config file?

What is the class type you are using?

*Albert Lewis*
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

*From: *Snort-users <snort-users-bounces () lists snort org> on behalf of Sujit Ghosal via Snort-users <snort-users () lists snort org>
*Reply-To: *Sujit Ghosal <thesujit () gmail com>
*Date: *Tuesday, May 15, 2018 at 10:51 AM
*To: *"snort-users () lists snort org" <snort-users () lists snort org>
*Subject: *[Snort-users] Classtype Map Error

Hey All,

I've installed snort v2.9.11.1 (source installation) on my Ubuntu box and it got through successfully without any errors. Now I placed some custom rules inside "/etc/snort/rules/custom.rules" and placed some valid rules into it. And I've "only" enabled custom.rules and disabled the rest.

Now when I try to validate (#snort -c /etc/snort/snort.conf -T --daq dump) whether snort is unable to compile my rules and it throws an error saying:

ERROR: /etc/snort/rules/custom.rules(2) Unknown ClassType: attempted-user

NOTE: I am quite sure that I've placed classification.config and reference.config inside /etc/snort (chmod explicitly to 777 as well for both the files). Wondering why it still throws, "unknown classtype". But when I remove the classtype parameter from those rules it all works fine without any error.

Any idea where things might be going wrong?

Regards,
Sujit
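
A cross-check of the classtypes a rules file uses against those declared in classification.config, added here as an example and not part of the original thread. The sample config and rules are constructed, and the parser assumes the Snort 2.x entry format `config classification: name,description,priority`.

```python
import re

# Snort 2.x classification.config entry: config classification: name,description,priority
CLASS_DEF = re.compile(r"^\s*config\s+classification:\s*([^,\s]+)\s*,[^,]*,\s*\d+\s*$")
# classtype option inside a rule body, e.g. classtype:attempted-user;
CLASS_USE = re.compile(r"classtype\s*:\s*([^;\s]+)\s*;")

def defined_classtypes(config_text):
    """Return the set of classtype names declared in classification.config text."""
    names = set()
    for line in config_text.splitlines():
        m = CLASS_DEF.match(line)  # commented-out or malformed entries do not match
        if m:
            names.add(m.group(1))
    return names

def unknown_classtypes(rules_text, known):
    """Return (line_number, classtype) pairs for active rules using undeclared classtypes."""
    missing = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip disabled rules and comments
        for name in CLASS_USE.findall(line):
            if name not in known:
                missing.append((n, name))
    return missing

# Constructed sample: attempted-user is commented out, so it counts as undeclared.
SAMPLE_CONFIG = """\
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: protocol-command-decode,Generic Protocol Command Decode,3
#config classification: attempted-user,Attempted User Privilege Gain,1
"""
# Constructed sample rules (hypothetical sids and messages).
SAMPLE_RULES = """\
# constructed sample rules
alert tcp any any -> any 80 (msg:"constructed rule A"; classtype:attempted-user; sid:1000001; rev:1;)
alert tcp any any -> any 21 (msg:"constructed rule B"; classtype:protocol-command-decode; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    known = defined_classtypes(SAMPLE_CONFIG)
    for lineno, name in unknown_classtypes(SAMPLE_RULES, known):
        print(f"line {lineno}: Unknown ClassType: {name}")
```

Running it against the real files (read with `open(...).read()`) shows whether the classification.config being checked declares every classtype the enabled rules reference; an empty result set from `defined_classtypes` means the file has no active entries.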