Snort failing to start after latest rules update



  • After the latest automatic rules update on 04/04/2014 Snort is failing to start with this error:
    "snort.rules(9) Unknown ClassType: unsuccessful-user"

    I have been running the latest version of Snort for many weeks without any errors like this being thrown.  Is this a known ruleset problem or Snort problem?



  • @madscientist159:

    After the latest automatic rules update on 04/04/2014 Snort is failing to start with this error:
    "snort.rules(9) Unknown ClassType: unsuccessful-user"

    I have been running the latest version of Snort for many weeks without any errors like this being thrown.  Is this a known ruleset problem or Snort problem?

    That would be a rules problem.  What that error literally means is there is no entry in the classification.config file for the type "unsuccessful-user". The classification.config file comes down as part of the rules update package.  Which types of rules are you using:  Snort VRT, Emerging Threats, Snort GPLv2 Community or some combination of these?

    Bill



  • @bmeeks:

    @madscientist159:

    After the latest automatic rules update on 04/04/2014 Snort is failing to start with this error:
    "snort.rules(9) Unknown ClassType: unsuccessful-user"

    I have been running the latest version of Snort for many weeks without any errors like this being thrown.  Is this a known ruleset problem or Snort problem?

    That would be a rules problem.  What that error literally means is there is no entry in the classification.config file for the type "unsuccessful-user". The classification.config file comes down as part of the rules update package.  Which types of rules are you using:  Snort VRT, Emerging Threats, Snort GPLv2 Community or some combination of these?

    Bill

    Snort GPLv2 Community and Emerging Threats:
    EMERGING THREATS RULES  -->  25dc6a2c4441fd03150cf13b36d1affc
    SNORT GPLv2 COMMUNITY RULES  -->  48017199d5294952577dc22e8c3948be

    Strange that no one else is noticing this if the rules are the problem.  This knocked Snort offline immediately after the automated rule update.

    Thanks!



  • Never mind.  It seems that if the disk usage is high enough (> 102% ?) Snort will silently fail. :-[

    I am using NanoBSD, so I was a bit surprised by this.  I take it the Snort rules are not kept in tmpfs?



  • @madscientist159:

    Never mind.  It seems that if the disk usage is high enough (> 102% ?) Snort will silently fail. :-[

    I am using NanoBSD, so I was a bit surprised by this.  I take it the Snort rules are not kept in tmpfs?

    The rules are written to /usr/local/etc/snort (if on a 2.0.x machine) and to /usr/pbi/snort-arch/etc/snort on a 2.1 machine.  If there is not enough free disk space, bad things can certainly happen.
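    A pre-start sanity check that covers both diagnoses in this thread (Bill's explanation that "Unknown ClassType" means a classtype with no entry in classification.config, and the later finding that a full filesystem makes Snort fail). This is an added example, not code from this thread or from the pfSense Snort package. It assumes POSIX sh with sed, sort, comm, mktemp, awk and df, and it builds its own small classification.config and snort.rules fixture (constructed data, not real rule files); the directory paths and the free-space threshold are assumptions you would replace with your own rules directory.

```shell
#!/bin/sh
# Added example: pre-start sanity checks for a Snort rules directory.
# Not code from this thread or from the pfSense Snort package.
# Checks the two things that bit the original poster:
#   1. every classtype referenced by the rules has an entry in
#      classification.config (otherwise snort aborts with "Unknown ClassType");
#   2. the filesystem holding the rules directory still has free space.
# Assumes POSIX sh with sed, sort, comm, mktemp, awk and df. File paths and the
# free-space threshold are assumptions.

# Print every classtype referenced in the given rules files, sorted and unique.
referenced_classtypes() {
    grep -h -v '^[[:space:]]*#' "$@" 2>/dev/null \
      | sed -n 's/.*classtype:[[:space:]]*\([A-Za-z0-9_-]*\)[[:space:]]*;.*/\1/p' \
      | sort -u
}

# Print every classtype defined in a classification.config, sorted and unique.
# Entries look like:  config classification: shortname,short description,priority
defined_classtypes() {
    sed -n 's/^[[:space:]]*config[[:space:]]*classification:[[:space:]]*\([^,]*\),.*/\1/p' "$1" \
      | tr -d ' ' | sort -u
}

# Print classtypes referenced by the rules but absent from classification.config.
# Usage: missing_classtypes classification.config rules-file...
# Returns 0 when nothing is missing, 1 when something is.
missing_classtypes() {
    classcfg="$1"; shift
    ref=$(mktemp) || return 2
    def=$(mktemp) || { rm -f "$ref"; return 2; }
    referenced_classtypes "$@" > "$ref"
    defined_classtypes "$classcfg" > "$def"
    # comm -23: lines present only in the first (referenced) list.
    miss=$(comm -23 "$ref" "$def")
    rm -f "$ref" "$def"
    [ -z "$miss" ] && return 0
    printf '%s\n' "$miss"
    return 1
}

# Print the rule lines that use a given classtype, in the same
# "file(line) Unknown ClassType: name" shape as the snort error in this thread.
report_unknown_classtype() {
    rules="$1"; name="$2"
    grep -n "classtype:[[:space:]]*$name[[:space:]]*;" "$rules" \
      | cut -d: -f1 \
      | sed "s|^|$(basename "$rules")(|; s|\$|) Unknown ClassType: $name|"
}

# Available space (1K blocks) on the filesystem holding $1 must be at least $2
# (assumed default 10240 = 10 MB). A filesystem that has eaten into the root-reserved
# blocks shows up over 100% used and df reports a negative Avail; the numeric
# comparison still does the right thing in that case.
check_free_space() {
    dir="$1"; min_kb="${2:-10240}"
    avail=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    [ -n "$avail" ] || return 2
    if [ "$avail" -lt "$min_kb" ]; then
        echo "only ${avail}K available on the filesystem holding $dir (want ${min_kb}K)" >&2
        return 1
    fi
    return 0
}

# Build a small constructed fixture (not real rule data) and print its directory.
make_demo_fixture() {
    d=$(mktemp -d) || return 2
    cat > "$d/classification.config" <<'EOF'
# constructed excerpt in classification.config's format
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: trojan-activity,A Network Trojan was detected,1
config classification: successful-user,Successful User Privilege Gain,1
EOF
    cat > "$d/snort.rules" <<'EOF'
# constructed rules; only the classtype option matters here
alert tcp any any -> any 80 (msg:"demo one"; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp any any -> any 22 (msg:"demo two"; classtype:unsuccessful-user; sid:9000002; rev:1;)
alert tcp any any -> any 23 (msg:"demo three"; classtype:successful-user; sid:9000003; rev:1;)
EOF
    echo "$d"
}

# Run both checks against the fixture. On a real box, point them at the rules
# directory instead (the paths Bill gives above for pfSense 2.0.x and 2.1).
fixture=$(make_demo_fixture)
if missing=$(missing_classtypes "$fixture/classification.config" "$fixture/snort.rules"); then
    echo "all classtypes are defined"
else
    for c in $missing; do
        report_unknown_classtype "$fixture/snort.rules" "$c"
    done
fi
check_free_space "$fixture" 10240 || echo "free space check failed"
rm -rf "$fixture"
```

    Run it before (re)starting Snort after a rules update: a missing classtype is reported with the offending rule's line number, so the fix is either to add the missing `config classification:` line or to drop the rule, and a failed space check tells you to clear room on the filesystem holding the rules directory before Snort tries to write there.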

