Snort mailing list archives

Re: Error app-detect.rules (18) Unknown ClassType:


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 12 Mar 2013 12:30:00 -0400

On Mar 12, 2013, at 11:47 AM, waldo kitty <wkitty42 () windstream net> wrote:
On 3/11/2013 21:29, Jim Turner wrote:
I have found that if I # all of the site specific rules, that I can commence
packet processing.
I can also enable rules one at a time, and as long as I don't enable the wrong
rules, I am able to start as well.
Is the problem with the rules that I downloaded after installing? I am running
2.9.4.1, but since I downloaded the free rules, they appear to be a month old.
Would I get past my problem if I subscribe and get the latest rule set?

the problem is your classification file... it does not contain the 
classification used in the rules that are causing snort to fall over...

what is the classification of the rule (18) in app-detect.rules??

does this classification exist in your classification.conf file??


NOTE1: i do not know if the (18) indicates line 18 in the file OR
       if it indicates the 18th rule (enabled or disabled) OR
       if it indicates the 18th enabled rule...

NOTE2: in my app-detect.rules file, line 18 is the first one that is enabled.
       the classification on that rule is web-application-attack.
       web-application-attack is specifically listed in the classification file
         under the heading #NEW CLASSIFICATIONS
       the SID for that rule is 25358 revision 1
       that's 1:25358 in GID:SID format or 1:25358:1 in GID:SID:REV format.

it sounds like your classification file is old and not updated...



Here's the problem with your configuration Jim:

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   # whitelist $WHITE_LIST_PATH\white_list.rules,
   # blacklist $BLACK_LIST_PATH\black_list.rules

###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp

# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# metadata reference data.  do not modify these lines
include classification.config
include reference.config


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
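As an added example (not code from this thread or from the Snort project), the two checks the replies above describe, scripted in Python: the cross-check waldo suggests between the classtypes used in a rules file and the `config classification:` entries in classification.config, and a lint for the shape Joel points at in the quoted snort.conf, a backslash-continued `preprocessor` statement followed by commented-out lines. The rules, classification entries and snort.conf fragments inside the script are constructed samples (the `example-new-class` classtype is an invented name), not Jim's files; how Snort's own parser treats a continuation onto a comment is not asserted here, the script only flags the pattern, and the "fixed" fragment is one assumed way of closing the statement.

```python
"""Cross-check Snort rule classtypes against classification.config and lint
backslash continuations in snort.conf.  Added example; not Snort's own code."""
import re

# --- constructed sample inputs ---------------------------------------------

# A (deliberately old) classification.config fragment in Snort's own syntax:
#   config classification: shortname,short description,priority
CLASSIFICATION_CONFIG = """\
# config classification:shortname,short description,priority
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: web-application-attack,Web Application Attack,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
"""

# Constructed rules: a disabled rule (must be ignored), a rule whose classtype is
# declared above, a two-line rule using a classtype the old file lacks
# ("example-new-class" is an invented name), and one with an empty classtype,
# the shape of the "Unknown ClassType:" error in the subject line.
RULES = """\
# disabled rule, must be ignored
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"disabled"; classtype:misc-activity; sid:1; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"declared"; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"missing from old file"; \\
    classtype:example-new-class; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"empty"; classtype:; sid:1000003; rev:1;)
"""

# The snort.conf shape quoted above: the reputation statement's last option still
# ends in a continuation backslash, and the lines that follow it are commented out.
SNORT_CONF_BROKEN = """\
preprocessor reputation: \\
   memcap 500, \\
   priority whitelist, \\
   nested_ip inner, \\
   # whitelist $WHITE_LIST_PATH/white_list.rules,
   # blacklist $BLACK_LIST_PATH/black_list.rules
include classification.config
"""

# One assumed way to close the statement (not a quote from the thread): drop the
# trailing comma and backslash on the last option that is still enabled.
SNORT_CONF_FIXED = SNORT_CONF_BROKEN.replace("nested_ip inner, \\\n", "nested_ip inner\n")

# --- parsing ------------------------------------------------------------------

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),", re.MULTILINE)
CLASSTYPE_RE = re.compile(r"\bclasstype:\s*([^;]*);")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def load_classifications(text):
    """Set of classtype short names declared by 'config classification:' lines."""
    return {m.group(1).strip() for m in CLASS_RE.finditer(text)}


def join_continuations(text):
    """Return (first_physical_line_no, logical_line) pairs, joining lines that end
    in a backslash with the next line, so a multi-line rule is inspected as one."""
    out, buf, start = [], "", None
    for n, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        out.append((start, buf + line))
        buf, start = "", None
    if start is not None:  # file ended inside a continuation
        out.append((start, buf))
    return out


def check_rules(rules_text, known):
    """List (start_line, sid, classtype) for each enabled rule whose classtype is
    not in `known`.  start_line is the physical line the rule begins on; whether
    Snort's "(18)" counts physical lines or rules is left open above, so it is a
    hint rather than a guaranteed match."""
    problems = []
    for start, logical in join_continuations(rules_text):
        stripped = logical.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or disabled rule
        m = CLASSTYPE_RE.search(stripped)
        if m is None:
            continue  # classtype is optional in a rule
        ctype = m.group(1).strip()
        if ctype not in known:
            sid = SID_RE.search(stripped)
            problems.append((start, sid.group(1) if sid else None, ctype))
    return problems


def find_continued_comments(conf_text):
    """(line_no, text) for each line ending in a continuation backslash whose next
    line is a comment.  Only the pattern is flagged; no claim is made here about
    how Snort's parser joins such lines."""
    lines = conf_text.splitlines()
    return [(i + 1, lines[i]) for i in range(len(lines) - 1)
            if lines[i].rstrip().endswith("\\") and lines[i + 1].lstrip().startswith("#")]


def report():
    known = load_classifications(CLASSIFICATION_CONFIG)
    problems = check_rules(RULES, known)
    for start, sid, ctype in problems:
        print("rule at line %d (sid %s): classtype %r not in classification.config" % (start, sid, ctype))
    hits = find_continued_comments(SNORT_CONF_BROKEN)
    for n, text in hits:
        print("snort.conf line %d continues onto a comment: %r" % (n, text))
    return problems, hits


if __name__ == "__main__":
    report()
```

Pointed at real files, replace the three constants with the contents of classification.config, the rules file named in the error and snort.conf; a rule reported with an empty classtype is worth inspecting in a hex editor, since the regex only sees what is between `classtype:` and the next semicolon.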

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!