Suppress list defined, but could not be found
-
I was looking at services / snort / alerts and clicked on the + of SID for the most recent alert. An error message was displayed saying that the suppress list was defined, but could not be found. It's the same for any of the alerts. Any idea what is causing this problem and how to fix this? I don't recall ever creating a suppress list. A screen capture of the error is attached.
-
Anyone?
-
At some point in time you may have clicked on an icon to suppress an alert and an automatic suppress list was created. That filename is indicative of an automatic list being created at some point in time. The list could have gotten lost during a config.xml restore or something. Not sure how it go killed, but it apparently did.
You will have to manually fix the problem by hand-editing the config.xml file. As this is dangerous, make sure you do a config backup first!
1. Use DIAGNOSTICS > EDIT FILE and navigate to /conf and open the file config.xml.
2. Scroll down the file and find the XML element for the suppress list on the WAN. This will be down in the <snortglobal>section –
<suppresslistname>FalsePositiveSuppressionRules</suppresslistname>
The name of your list will be different from the "FalsePositiveSuppressionRules" show above. For yours, the list name will match the one shown in your posted error message image. Delete the entire line including the two <suppresslist>tag delimters. Save the change.
That should allow you to create a new suppress list by clicking the icons on the ALERTS tab.
Bill</suppresslist></snortglobal>
-
Thank you very much! That fixed the problem. I really appreciate your helpful reply.
I have no idea how the auto-generated suppress list "disappeared" (or whatever). There are two people who could have done that and neither of us did, at least, not to our knowledge. The update from 2.3.3.x to 2.3.4 did not go smoothly, so perhaps something happened to it then.
Anyway, it's fixed.
-
This has happened a handful of times to a few users. I guess I need to add a manual "fix-it" button to the code. The GUI code stores the name of the suppress list in the tag I provided, but the actual list contents are stored in a different set of tags. So what happened in your case is the contents were missing in the other set of tags. You can have multiple suppress lists defined, but of course a given interface can only use one at the time. So the _<suppresslistname></suppresslistname>_tag is used to store which suppress list contents to use for the interface from that other tag's list of suppress list contents. The tag for your WAN was pointing to a contents list that was not actually present in that other section.
Bill