Sunday, July 06, 2008
     
Activeworx.org Forums
 
New Post 10/27/2007 12:41 AM
  paulr
21 posts
9th Level Poster


Classification.config keeps corrupting 
Hi,

I'm using 2.1.0.17 of the IDS Policy Manager SA and have an issue that keeps blowing up my Snort sensors.

I've tried some tricks but it keeps doing the same thing. It overwrites the classification.config file with a nearly empty one which Snort then grunts at.

This is what it keeps uploading:

[root@sensor rules]# cat /etc/snort/classification.config
####################################################
# http://www.activeworx.org Snort Ruleset
# IDS Policy Manager 2.1
# Classification Config


I have a backup copy I have to keep manually copying over the truncated uploaded one. I tried replacing the one on my workstation with a good copy but it still uploads the bad copy.

I'm not quite sure why this is?

Any ideas? We are in great need of tuning rules right at the moment. :-)

Thanks.
 
New Post 10/27/2007 6:17 PM
  Jeff Dell
219 posts
www.activeworx.com
1st Level Poster


Re: Classification.config keeps corrupting 

I am willing to bet that you didn't load up the classifications when you initialized your policy within IDSPM. One way to tell is to click on the Classifications tree node for the policy. Do you see classification details? If not, you will need to initialize the policy with a new default policy or initialize it with an existing policy where all of the rules and .conf files including classifications.conf are in the same directory.

 

Cheers,

Jeff

 
New Post 11/1/2007 1:28 AM
  paulr
21 posts
9th Level Poster


Re: Classification.config keeps corrupting 
Thanks! I only saw it looking for snort.conf. This time I copied the whole directory of my sensor and pointed it there and it worked.

Now I have a new problem though. Snort worked the first time I pushed the policy but now I get this every time:


+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: ***Src PortVar Lookup failed on 'HTTP_SERVERS'
Fatal Error, Quitting..
[root@sensor-2.8]#


Any ideas? I don't see anything wrong in the config this time and only enabled and disabled some rules in the Policy Manager.

This is Snort 2.8 with SA 2.2.0.20 now.

Thanks!
 
New Post 11/1/2007 1:38 AM
  paulr
21 posts
9th Level Poster


Re: Classification.config keeps corrupting 
Duh. GIGO.

I remembered I built a custom rule in the GUI and of all things it let me pick HTTP_SERVERS instead of HTTP_PORTS in the drop-down...

Boy, it's not very smart. ;-)

 
New Post 11/1/2007 1:24 PM
  Jeff Dell
219 posts
www.activeworx.com
1st Level Poster


Re: Classification.config keeps corrupting 
That does bring up a very valid point. Before version 2.8, variables were the same for ports, IPs and anything you want. But in version 2.8, variables for ports have to be defined as portvar. It does need to be smarter to only allow portvar variables for ports when using v2.8 or newer. Thanks for pointing this out.

Cheers,
Jeff
 
New Post 11/22/2007 8:42 AM
  Krot
1 posts
No Ranking


Re: Classification.config keeps corrupting 

Hi,
I have a problem like that with the "include classification.config" option in the configuration file.
In this option the path to "classification.config" is not absolute, and when Snort starts, it can't find this file.
I tried changing the string "include classification.config" to "include /etc/snort/classification.config".

After this, Snort started successfully.
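
Added example, not part of the original thread and not Activeworx or Snort project code: a pre-push check for the two failures discussed above, a classification.config with no entries and a rule port field that references a variable not declared with portvar (the requirement as Jeff states it for Snort 2.8). The sample config, the sample rules and the name lint_policy are constructed for illustration.

```python
import re

# Constructed sample inputs (not copied from the poster's sensor).
SNORT_CONF = """\
var HOME_NET 10.0.0.0/8
var HTTP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
include classification.config
"""
TRUNCATED_CLASSIFICATION = """\
####################################################
# IDS Policy Manager 2.1
# Classification Config
"""
GOOD_CLASSIFICATION = "config classification: web-application-attack,Web Application Attack,1\n"
RULES = """\
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ok"; sid:1000001;)
alert tcp any $HTTP_SERVERS -> any any (msg:"custom"; sid:1000002;)
"""

# var/ipvar/portvar declarations in snort.conf
DECL = re.compile(r"^\s*(var|ipvar|portvar)\s+(\S+)\s", re.M)
# Rule header: action proto src_ip src_port direction dst_ip dst_port (
HEADER = re.compile(r"^\s*\w+\s+\w+\s+(\S+)\s+(\S+)\s+(?:->|<>)\s+(\S+)\s+(\S+)\s+\(", re.M)

def lint_policy(conf, classification, rules):
    """Return a list of problems that would stop Snort 2.8 loading the policy."""
    problems = []
    # A header-only file like the one in the first post has no entries at all.
    if not re.search(r"^\s*config\s+classification:", classification, re.M):
        problems.append("classification.config has no 'config classification:' entries")
    kinds = {name: kind for kind, name in DECL.findall(conf)}
    for m in HEADER.finditer(rules):
        # Only the two port fields are checked against portvar declarations.
        for side, field in (("Src", m.group(2)), ("Dst", m.group(4))):
            for name in re.findall(r"\$\{?(\w+)", field):
                if kinds.get(name) != "portvar":
                    problems.append(f"{side} port uses ${name}, declared as "
                                    f"{kinds.get(name, 'nothing')}, not portvar")
    return problems

if __name__ == "__main__":
    for p in lint_policy(SNORT_CONF, TRUNCATED_CLASSIFICATION, RULES):
        print("FAIL:", p)
```

Running a check like this against the policy directory before each push catches both conditions on the workstation instead of on the sensor.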

 
 
 
Copyright 2000-2007 by Activeworx, Inc.
All trademarks and copyrights on this page are owned by their respective owners.