Snort mailing list archives

Re: Error app-detect.rules (18) Unknown ClassType:


From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 12 Mar 2013 10:47:34 -0500

On 3/11/2013 21:29, Jim Turner wrote:
> I have found that if I # all of the site specific rules, that I can commence
> packet processing.
> I can also enable rules one at a time, and as long as I don't enable the wrong
> rules, I am able to start as well.
> Is the problem with the rules that I downloaded after installing? I am running
> 2.9.4.1, but since I downloaded the free rules, they appear to be a month old.
> Would I get past my problem if I subscribe and get the latest rule set?

the problem is your classification file... it does not contain the 
classification used in the rules that are causing snort to fall over...

what is the classification of the rule (18) in app-detect.rules??

does this classification exist in your classification.conf file??


NOTE1: i do not know if the (18) indicates line 18 in the file OR
        if it indicates the 18th rule (enabled or disabled) OR
        if it indicates the 18th enabled rule...

NOTE2: in my app-detect.rules file, line 18 is the first one that is enabled.
        the classification on that rule is web-application-attack.
        web-application-attack is specifically listed in the classification file
          under the heading #NEW CLASSIFICATIONS
        the SID for that rule is 25358 revision 1
        that's 1:25358 in GID:SID format or 1:25358:1 in GID:SID:REV format.

it sounds like your classification file is old and not updated...
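
The check suggested in this reply (does every classtype used by an enabled rule exist in the classification file?) can be scripted. This is an added example, not part of the original message and not Snort's own code; it assumes one rule per line and `config classification: name,description,priority` entries, and the sample rules, SIDs and the class name `example-new-class` are constructed. It reports both the file line and the enabled-rule index, since the reply notes that the meaning of "(18)" is unclear.

```python
import re
import sys

# Constructed samples for the demo; not taken from a real Snort rule set.
SAMPLE_CONF = """\
# config classification: shortname,short description,priority
config classification: attempted-recon,Attempted Information Leak,2
config classification: web-application-attack,Web Application Attack,1
"""
SAMPLE_RULES = """\
# alert tcp any any -> any 80 (msg:"disabled"; classtype:not-loaded; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"sample A"; classtype:web-application-attack; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"sample B"; classtype:example-new-class; sid:1000003; rev:1;)
"""

CLASSIFICATION_RE = re.compile(r"^\s*config\s+classification:\s*([^,\s]+)\s*,")
CLASSTYPE_RE = re.compile(r"classtype\s*:\s*([^;\s]+)\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def defined_classtypes(conf_text):
    """Return the set of short names declared in a classification file."""
    names = set()
    for line in conf_text.splitlines():
        match = CLASSIFICATION_RE.match(line)  # commented lines do not match
        if match:
            names.add(match.group(1))
    return names

def unknown_classtypes(rules_text, known):
    """List (file line, enabled-rule index, sid, classtype) for undefined classtypes."""
    findings = []
    enabled = 0
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):  # skip blanks and disabled rules
            continue
        enabled += 1
        match = CLASSTYPE_RE.search(rule)
        if match and match.group(1) not in known:
            sid = SID_RE.search(rule)
            findings.append((line_no, enabled, sid.group(1) if sid else "?", match.group(1)))
    return findings

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <classification file> <rules file>
        with open(sys.argv[1]) as c, open(sys.argv[2]) as r:
            conf, rules = c.read(), r.read()
    else:
        conf, rules = SAMPLE_CONF, SAMPLE_RULES
    for line_no, idx, sid, name in unknown_classtypes(rules, defined_classtypes(conf)):
        print(f"line {line_no} (enabled rule #{idx}) sid {sid}: unknown classtype {name}")
```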
