Snort failing to start after latest rules update
-
After the latest automatic rules update on 04/04/2014 Snort is failing to start with this error:
"snort.rules(9) Unknown ClassType: unsuccessful-user"
I have been running the latest version of Snort for many weeks without any errors like this being thrown. Is this a known ruleset problem or Snort problem?
-
That would be a rules problem. What that error literally means is there is no entry in the classification.config file for the type "unsuccessful-user". The classification.config file comes down as part of the rules update package. Which types of rules are you using: Snort VRT, Emerging Threats, Snort GPLv2 Community or some combination of these?
Bill
-
Snort GPLv2 Community and Emerging Threats:
EMERGING THREATS RULES --> 25dc6a2c4441fd03150cf13b36d1affc
SNORT GPLv2 COMMUNITY RULES --> 48017199d5294952577dc22e8c3948be
Strange that no one else is noticing this if the rules are the problem. This knocked Snort offline immediately after the automated rule update.
Thanks!
-
Never mind. It seems that if the disk usage is high enough (> 102% ?) Snort will silently fail. :-[
I am using NanoBSD, so I was a bit surprised by this. I take it the Snort rules are not kept in tmpfs?
-
The rules are written to /usr/local/etc/snort (if on a 2.0.x machine) and to /usr/pbi/snort-arch/etc/snort on a 2.1 machine. If there is not enough free disk space, bad things can certainly happen.
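
Added example, not part of the original thread and not code from Snort or pfSense: a pre-flight check for the condition behind "Unknown ClassType", which lists every active rule whose classtype has no entry in classification.config. The function names and the sample rule and classification text are constructed for illustration; pass your own two file paths on the command line to check real files.

```python
import re
import sys

# Matches: config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
CLASS_RE = re.compile(r'^\s*config\s+classification:\s*([^,\s]+)\s*,')
# Matches the classtype option inside a rule body, e.g. classtype:unsuccessful-user;
TYPE_RE = re.compile(r'classtype\s*:\s*([^;\s]+)\s*;')

# Constructed sample input, deliberately missing the unsuccessful-user entry.
SAMPLE_CLASSIFICATION = '''\
# constructed sample classification.config
config classification: web-application-attack,Web Application Attack,1
config classification: attempted-user,Attempted User Privilege Gain,1
'''
SAMPLE_RULES = '''\
# constructed sample rules, not taken from any real ruleset
alert tcp any any -> any 21 (msg:"sample failed login"; classtype:unsuccessful-user; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"sample web attack"; classtype:web-application-attack; sid:1000002; rev:1;)
#alert tcp any any -> any 23 (msg:"disabled rule"; classtype:not-defined; sid:1000003; rev:1;)
'''

def defined_classtypes(classification_text):
    """Return the set of short names declared in classification.config text.
    An empty set means the file is empty or holds no classification lines."""
    names = set()
    for line in classification_text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            names.add(m.group(1))
    return names

def undefined_classtypes(rules_text, defined):
    """Return [(line_no, classtype)] for active rules whose classtype is undefined."""
    problems = []
    for no, line in enumerate(rules_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue  # blank line, comment, or disabled rule
        for ct in TYPE_RE.findall(stripped):
            if ct not in defined:
                problems.append((no, ct))
    return problems

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check.py classification.config snort.rules
        with open(sys.argv[1]) as c, open(sys.argv[2]) as r:
            cls, rules = c.read(), r.read()
    else:
        cls, rules = SAMPLE_CLASSIFICATION, SAMPLE_RULES
    for no, ct in undefined_classtypes(rules, defined_classtypes(cls)):
        print(f"rules line {no}: unknown classtype {ct}")
```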