Re: Snort rules error out

[Nick Moore <nmoore () sourcefire com>]

Also, I notice that you have torules instead of sorules in your path. While it may not have caused this error, it be an 
issue later.

Sent from a typo-prone mobile

Nick Moore
Sourcefire SE
708-336-9041

On Apr 8, 2012, at 8:08, Alex Kirk <akirk () sourcefire com> wrote:

> Check that you've not got an incomplete line somewhere above that in your snort.conf. I've seen odd issues like this 
> happen if you've got a line with a trailing " \ " on it, making Snort read further lines improperly and generally 
> screwing things up.
>
> On Fri, Apr 6, 2012 at 9:06 AM, Rusty Shacklefurd <idssecurityteam () gmail com> wrote:
> Hello All,
>
> I am new to this discuss/mailing list but have been having a reoccurring issue with getting snort to process the 
> rules that are being run.  I have a standard configuration using Snort version 2.9.2.1 and the registered rules pack 
> set for that version as well.  Each time I run snort with the -T switch to test the configuration I get an error that 
> looks like this:
> "ERROR: /filepath/torules/rules/attack-responses.rules(27) Unknown ClassType: bad-unknown"
>
> For clarity I can tell you that the include classifications.config statement is present in my snort.conf file and 
> that when I look at the classification.config file I can see that a bad-known config classification that reads as 
> follows:
> "config classification: bad-unknown, Potentially Bad Traffic, 2"
>
> When I try to comment out the attack-response.rules line in the snort.conf file the next rule on the list 
> (backdoor.rules) errors out in the same fashion.  Commenting out all the rules isn't a viable option for me.  Any 
> ideas as to why my classifications file isn't being read by the config and transferred into ClassTypes for the rules?
>
> ------------------------------------------------------------------------------
> For Developers, A Lot Can Happen In A Second.
> Boundary is the first to Know...and Tell You.
> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
> http://p.sf.net/sfu/Boundary-d2dvs2
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
>
> -- 
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk () sourcefire com
> ------------------------------------------------------------------------------
> For Developers, A Lot Can Happen In A Second.
> Boundary is the first to Know...and Tell You.
> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
> http://p.sf.net/sfu/Boundary-d2dvs2
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!