Snort mailing list archives

Re: Unknown Class Type.

From: wkitty42 () windstream net
Date: Sun, 11 Jun 2017 06:13:36 -0400

On 06/10/2017 12:10 AM, Dionne Queen via Snort-users wrote:

I was  able to run Snort alerts with no problems last week. However, when I
tried to run one of the rules from the categories, I keep getting the message
"Unknown Class type: trojan-activity"


*i am reposting my on-list response to your first plea from last month...*


On 05/21/2017 06:58 AM, Dionne Queen wrote:
> Hello,
> I installed Snort via Windows and tried to its alerts.
> I received the following Error msg:

> ERROR: c:\Snort\rules\app-detect.rules(33) Unknown ClassType:web-application-attack

>
> Any advice on how to get rid of this?

your classification.config file is out of date or at least doesn't contain thatclassification type... here's mine which is a combination of the Talos andEmerging Threats classifications... watch for wordwrap... every non-comment linestarts with "config"...



----->8 snip 8<-----
# $Id$
# The following includes information for prioritizing rules
#
# Each classification includes a shortname, a description, and a default
# priority for that classification.
#
# This allows alerts to be classified and prioritized.  You can specify
# what priority each classification has.  Any rule can override the default
# priority for that rule.
#
# Here are a few example rules:
#
#   alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
#       dsize: > 128; classtype:attempted-admin; priority:10;
#
#   alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
#             content:"expn root"; nocase; classtype:attempted-recon;)
#
# The first rule will set its type to "attempted-admin" and override
# the default priority for that type to 10.
#
# The second rule set its type to "attempted-recon" and set its
# priority to the default for that type.
#

#
# config classification:shortname,short description,priority
#

config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1

# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3

config classification: suspicious-filename-detect,A suspicious filename wasdetected,2config classification: suspicious-login,An attempted login using a suspicioususername was detected,2

config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1

config classification: unusual-client-port-connection,A client was using anunusual port,2

config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2

config classification: non-standard-protocol,Detection of a non-standardprotocol or event,2

config classification: protocol-command-decode,Generic Protocol Command Decode,3

config classification: web-application-activity,access to a potentiallyvulnerable web application,2

config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1

config classification: default-login-attempt,Attempt to login by a defaultusername and password,2

config classification: sdf,Senstive Data,2
config classification: file-format,Known malicious file or file based exploit,1
config classification: malware-cnc,Known malware command and control traffic,1
config classification: client-side-exploit,Known client side exploit attempt,1
----->8 snip 8<-----


--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Re: Unknown Class Type. Dionne Queen via Snort-users (Jun 09)
- Fw: Unknown Class Type. Dionne Queen via Snort-users (Jun 10)
- Re: Unknown Class Type. wkitty42 (Jun 11)