    Snort failing to start after latest rules update

      madscientist159

      After the latest automatic rules update on 04/04/2014 Snort is failing to start with this error:
      "snort.rules(9) Unknown ClassType: unsuccessful-user"

      I have been running the latest version of Snort for many weeks without any errors like this being thrown.  Is this a known ruleset problem or Snort problem?

      Don't let the low karma fool you…wading into a politically charged discussion tends to be a bad idea...

        bmeeks

        @madscientist159:

        After the latest automatic rules update on 04/04/2014 Snort is failing to start with this error:
        "snort.rules(9) Unknown ClassType: unsuccessful-user"

        I have been running the latest version of Snort for many weeks without any errors like this being thrown.  Is this a known ruleset problem or Snort problem?

        That would be a rules problem.  What that error literally means is there is no entry in the classification.config file for the type "unsuccessful-user". The classification.config file comes down as part of the rules update package.  Which types of rules are you using:  Snort VRT, Emerging Threats, Snort GPLv2 Community or some combination of these?

        Bill

          madscientist159

          @bmeeks:

          @madscientist159:

          After the latest automatic rules update on 04/04/2014 Snort is failing to start with this error:
          "snort.rules(9) Unknown ClassType: unsuccessful-user"

          I have been running the latest version of Snort for many weeks without any errors like this being thrown.  Is this a known ruleset problem or Snort problem?

          That would be a rules problem.  What that error literally means is there is no entry in the classification.config file for the type "unsuccessful-user". The classification.config file comes down as part of the rules update package.  Which types of rules are you using:  Snort VRT, Emerging Threats, Snort GPLv2 Community or some combination of these?

          Bill

          Snort GPLv2 Community and Emerging Threats:
          EMERGING THREATS RULES  -->  25dc6a2c4441fd03150cf13b36d1affc
          SNORT GPLv2 COMMUNITY RULES  -->  48017199d5294952577dc22e8c3948be

          Strange that no one else is noticing this if the rules are the problem.  This knocked Snort offline immediately after the automated rule update.

          Thanks!

            madscientist159

            Never mind.  It seems that if the disk usage is high enough (> 102% ?) Snort will silently fail. :-[

            I am using NanoBSD, so I was a bit surprised by this.  I take it the Snort rules are not kept in tmpfs?

              bmeeks

              @madscientist159:

              Never mind.  It seems that if the disk usage is high enough (> 102% ?) Snort will silently fail. :-[

              I am using NanoBSD, so I was a bit surprised by this.  I take it the Snort rules are not kept in tmpfs?

              The rules are written to /usr/local/etc/snort (if on a 2.0.x machine) and to /usr/pbi/snort-arch/etc/snort on a 2.1 machine.  If there is not enough free disk space, bad things can certainly happen.

              1 Reply Last reply Reply Quote 0
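
An added example, not part of the original posts and not Snort or pfSense package code: an offline check for the two conditions discussed in this thread, rule classtypes with no entry in classification.config and low free space on the volume holding the rules. The sample rules, the config excerpt, the SIDs, the 50 MB threshold and the function names are constructed for illustration.

```python
import re
import shutil

# classification.config entries: config classification: shortname,description,priority
CLASSIFICATION_RE = re.compile(r"^[ \t]*config[ \t]+classification:[ \t]*([^,\s]+)[ \t]*,", re.M)
# Rules reference an entry with the option  classtype:<shortname>;
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([^;\s]+)\s*;")

# Constructed sample input (not taken from any real ruleset download).
SAMPLE_CONFIG = """\
# constructed classification.config excerpt
config classification: attempted-recon,Attempted Information Leak,2
"""
SAMPLE_RULES = """\
# constructed sample rules
alert tcp any any -> any 22 (msg:"constructed A"; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp any any -> any 23 (msg:"constructed B"; classtype:unsuccessful-user; sid:1000002; rev:1;)
"""


def defined_classtypes(config_text):
    """Short names that have a 'config classification:' entry."""
    return set(CLASSIFICATION_RE.findall(config_text))


def undefined_classtypes(rules_text, config_text):
    """(line_number, classtype) for each active rule whose classtype is not defined."""
    known = defined_classtypes(config_text)
    missing = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and commented-out rules
        for name in CLASSTYPE_RE.findall(line):
            if name not in known:
                missing.append((lineno, name))
    return missing


def free_space_ok(path, min_free_bytes):
    """True if the filesystem holding `path` has at least min_free_bytes free."""
    return shutil.disk_usage(path).free >= min_free_bytes


if __name__ == "__main__":
    for lineno, name in undefined_classtypes(SAMPLE_RULES, SAMPLE_CONFIG):
        print(f"snort.rules({lineno}) classtype not in classification.config: {name}")
    # 50 MB is an arbitrary threshold chosen for this example.
    print("enough free space:", free_space_ok(".", 50 * 1024 * 1024))
```

To check a real installation, read the generated snort.rules and classification.config into the two text arguments and pass the rules directory to `free_space_ok`.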