Snort 3.2.9.1_12 Suppression List Error
-
I'm trying to add an alert to the suppression list and I get this error:
The following input errors were detected: Suppress List 'wansuppress_5718cd2549663' is defined for this interface, but it could not be found!
Happens when trying to add any alert to the suppression list by any method: Source IP, Destination IP or SID.
Edit to Add: I should also say I just updated Snort from the last version to this current update of 3.2.9.1_12
-
First question: was this working prior to the upgrade to version 3.2.9.1_12 of the package? Had you added suppress list entries successfully since you have been on the 2.3 version of pfSense?
Next, go to the INTERFACE SETTINGS tab and see which Suppress List is actually selected and showing in the drop-down selector. See what other choices appear in the drop-down. If you see the list from the error message, select it and save the change using the button at the bottom of the page.
Post back here if things do not get sorted out.
Bill
-
First question: was this working prior to the upgrade to version 3.2.9.1_12 of the package?
Yes
Had you added suppress list entries successfully since you have been on the 2.3 version of pfSense?
I had added some for testing, and subsequently removed them. There were none in the list at the time of upgrade.
Next, go to the INTERFACE SETTINGS tab and see which Suppress List is actually selected and showing in the drop-down selector. See what other choices appear in the drop-down.
Nothing appeared in the drop down except "default".
I ended up going through the tabs and saving even if not changing settings. I stopped/restarted the service as well as the Snort WAN Interface. I also uninstalled Squid which I wasn't using at the moment.
In the end it started working again, not sure exactly which thing got it going but something did. I've since suppressed by IP on a couple of alerts and they added to that same list fine. So it seems to be working now.
-
There was a bug in the Suppress List code early on immediately after the initial Bootstrap version of the package was released. It was eventually fixed, but it is possible it caused some junk to be left behind in your configuration.
Bill