3. Snort failing to start after latest rules update

Snort failing to start after latest rules update

  • M

    After the latest automatic rules update on 04/04/2014 Snort is failing to start with this error:
    "snort.rules(9) Unknown ClassType: unsuccessful-user"

    I have been running the latest version of Snort for many weeks without any errors like this being thrown.  Is this a known ruleset problem or Snort problem?

    0

  • @madscientist159:

    After the latest automatic rules update on 04/04/2014 Snort is failing to start with this error:
    "snort.rules(9) Unknown ClassType: unsuccessful-user"

    I have been running the latest version of Snort for many weeks without any errors like this being thrown.  Is this a known ruleset problem or Snort problem?

    That would be a rules problem.  What that error literally means is there is no entry in the classification.config file for the type "unsuccessful-user". The classification.config file comes down as part of the rules update package.  Which types of rules are you using:  Snort VRT, Emerging Threats, Snort GPLv2 Community or some combination of these?

    Bill

    0
  • M

    @bmeeks:

    @madscientist159:

    After the latest automatic rules update on 04/04/2014 Snort is failing to start with this error:
    "snort.rules(9) Unknown ClassType: unsuccessful-user"

    I have been running the latest version of Snort for many weeks without any errors like this being thrown.  Is this a known ruleset problem or Snort problem?

    That would be a rules problem.  What that error literally means is there is no entry in the classification.config file for the type "unsuccessful-user". The classification.config file comes down as part of the rules update package.  Which types of rules are you using:  Snort VRT, Emerging Threats, Snort GPLv2 Community or some combination of these?

    Bill

    Snort GPLv2 Community and Emerging Threats:
    EMERGING THREATS RULES  –>  25dc6a2c4441fd03150cf13b36d1affc
    SNORT GPLv2 COMMUNITY RULES  -->  48017199d5294952577dc22e8c3948be

    Strange that no one else is noticing this if the rules are the problem.  This knocked Snort offline immediately afer the automated rule update.

    Thanks!

    0
  • M

    Never mind.  It seems that if the disk usage is high enough (> 102% ?) Snort will sliently fail. :-[

    I am using NanoBSD, so I was a bit surprised by this.  I take it the Snort rules are not kept in tmpfs?

    0

  • @madscientist159:

    Never mind.  It seems that if the disk usage is high enough (> 102% ?) Snort will sliently fail. :-[

    I am using NanoBSD, so I was a bit surprised by this.  I take it the Snort rules are not kept in tmpfs?
    [/quote]

    The rules are written to /usr/local/etc/snort (if on a 2.0.x machine) and to /usr/pbi/snort-arch/etc/snort on a 2.1 machine.  If there is not enough free disk space, bad things can certainly happen.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy