Snort failing to start after latest rules update

madscientist159

After the latest automatic rules update on 04/04/2014 Snort is failing to start with this error:
"snort.rules(9) Unknown ClassType: unsuccessful-user"

I have been running the latest version of Snort for many weeks without any errors like this being thrown.  Is this a known ruleset problem or Snort problem?

bmeeks

@madscientist159:

After the latest automatic rules update on 04/04/2014 Snort is failing to start with this error:
"snort.rules(9) Unknown ClassType: unsuccessful-user"

I have been running the latest version of Snort for many weeks without any errors like this being thrown.  Is this a known ruleset problem or Snort problem?

That would be a rules problem.  What that error literally means is there is no entry in the classification.config file for the type "unsuccessful-user". The classification.config file comes down as part of the rules update package.  Which types of rules are you using:  Snort VRT, Emerging Threats, Snort GPLv2 Community or some combination of these?

Bill

madscientist159

@bmeeks:

@madscientist159:

After the latest automatic rules update on 04/04/2014 Snort is failing to start with this error:
"snort.rules(9) Unknown ClassType: unsuccessful-user"

I have been running the latest version of Snort for many weeks without any errors like this being thrown.  Is this a known ruleset problem or Snort problem?

That would be a rules problem.  What that error literally means is there is no entry in the classification.config file for the type "unsuccessful-user". The classification.config file comes down as part of the rules update package.  Which types of rules are you using:  Snort VRT, Emerging Threats, Snort GPLv2 Community or some combination of these?

Bill

Snort GPLv2 Community and Emerging Threats:
EMERGING THREATS RULES  –>  25dc6a2c4441fd03150cf13b36d1affc
SNORT GPLv2 COMMUNITY RULES  -->  48017199d5294952577dc22e8c3948be

Strange that no one else is noticing this if the rules are the problem.  This knocked Snort offline immediately afer the automated rule update.

Thanks!

madscientist159

Never mind.  It seems that if the disk usage is high enough (> 102% ?) Snort will sliently fail. :-[

I am using NanoBSD, so I was a bit surprised by this.  I take it the Snort rules are not kept in tmpfs?

bmeeks

@madscientist159:

Never mind.  It seems that if the disk usage is high enough (> 102% ?) Snort will sliently fail. :-[

I am using NanoBSD, so I was a bit surprised by this.  I take it the Snort rules are not kept in tmpfs?
[/quote]

The rules are written to /usr/local/etc/snort (if on a 2.0.x machine) and to /usr/pbi/snort-arch/etc/snort on a 2.1 machine.  If there is not enough free disk space, bad things can certainly happen.