SURICATA / SIDmgmt / unable to delete SID Mods List

  • I'm trying to delete a SID Mods List, but I'm getting the message:
    This SID Mods List is currently assigned to an interface and cannot be deleted until the assignment is removed.
    I'm sure the list is not in use (Interface SID Management List Assignments), I even removed all list assignments, saved, and tried again, same result.

  • found the solution.
    I had previously enabled blocking on the interface (Block Offenders: Checking this option will automatically block hosts that generate a Suricata alert.) and created and enabled the list. I then disabled blocking on the interface, without changing the assignments in the SID management.
    In SID management, the assignment changed to 'not applicable', so I assumed the list I wanted to delete was not in use.
    By enabling blocking again, the SID management now showed the list was in use. I changed the assignment to 'none' and was now able to delete the list.
    Finally, I disabled blocking on the specified interface.
    Everything back to normal...

  • Yeah, that's a quirk in the logic. Sort of an edge case in a way. The logic for the DROP SID assignment list first checks that blocking is enabled and then checks if the mode is "IPS Inline" or "Block Drops Only". Only if those conditions are true will the drop-down get populated with the currently selected list. When the conditional evaluates to FALSE, then the list is set to "Not Applicable" on the assumption that without the proper blocking mode enabled there is no point to selecting a DROP SID list.

    In your case, by turning off blocking before removing the list, it tripped up the conditional test. I can improve that by not triggering the "you can't delete this list" message when the proper blocking mode is not enabled on the interface. I will put that in my bug list for Suricata to address in a future update. Thanks for the report and especially for the follow-up giving the solution.
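    The assignment logic described in the reply above, modelled as an added example; this is not the pfSense Suricata package's own code, and the interface field names, the mode values and the interface records are constructed for illustration. It shows the original "stored reference" delete check beside one that only counts assignments the SID Management page actually displays, and additionally clears the stale hidden reference before deleting.

```python
# Added example modelling the SID Mods List assignment check from the thread.
# Not the pfSense Suricata package's code: field names are assumptions and the
# interface records below are constructed for illustration.

DROP_CAPABLE_MODES = {"IPS Inline", "Block Drops Only"}
ASSIGNMENT_FIELDS = ("enable_sid_list", "disable_sid_list", "drop_sid_list")


def effective_assignments(iface):
    """What the SID Management page displays for one interface.

    Enable/disable lists are always shown. The DROP list is only shown when
    blocking is on and the mode can actually drop; otherwise the page shows
    'Not Applicable' even though the stored value is left untouched.
    """
    shown = {f: iface.get(f) for f in ("enable_sid_list", "disable_sid_list")}
    drop_applicable = iface.get("blockoffenders") and iface.get("block_mode") in DROP_CAPABLE_MODES
    shown["drop_sid_list"] = iface.get("drop_sid_list") if drop_applicable else None
    return shown


def in_use_stored(name, interfaces):
    """Original check: any stored reference blocks deletion, even a hidden one."""
    return any(iface.get(f) == name for iface in interfaces for f in ASSIGNMENT_FIELDS)


def in_use_effective(name, interfaces):
    """Improved check: only assignments the operator can see on the page count."""
    return any(v == name for iface in interfaces for v in effective_assignments(iface).values())


def delete_list(name, lists, interfaces):
    """Delete with the improved check, clearing stale hidden references first."""
    if in_use_effective(name, interfaces):
        return False
    for iface in interfaces:
        for f in ASSIGNMENT_FIELDS:
            if iface.get(f) == name:
                iface[f] = None  # reference left behind when blocking was turned off
    lists.discard(name)
    return True


# Constructed scenario from the thread: list assigned while blocking was on,
# then blocking turned off without changing the assignment.
INTERFACES = [
    {"name": "LAN", "blockoffenders": False, "block_mode": "IPS Inline",
     "enable_sid_list": None, "disable_sid_list": None, "drop_sid_list": "mydrops"},
]
LISTS = {"mydrops"}
```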
