Unable to create Suppression Lists



  • Hello all  :)

    Im new to pfsense,  but love it so far.  But i do have some problems with SNORT.

    I have it working fine,  but then i get alot of "http_inspect" alerts.  I read about this,  and get the point of making Suppression Lists.  The problem is just …that it wont allow me to  :(

    I go into "Suppress" press "Add new list" fill it out like this:

    Name:  whitelist,  and write in this:  suppress gen_id 119, sig_id 31

    Press save  ...and nothing happens  :o

    Im using:

    PfSense 2.1.2 and Snort 2.9.6.0 pkg v3.0.5.  I also have pfblocker installed,  but not configured or activated yet.

    Can anyone help me with this?  I not sure if im missing something here,  but at least i dont think so,  i have deinstalled snort completely and tried all over,  same result.



  • You have to restart the interface for the suppression list to work



  • I know  :)

    But the problem is that the list ive created doesnt even show,  when i hit save,  the main windows if empty  :(

    Anyone have any idea what to do about this?  Everything else is working alright



  • Ok,  found a solution  :)

    As i could not create a suppression list manually,  i marked one to the suppression list in Auto flowbit rules.  Then i could edit that one and add my own.

    maybe its just the way it works,  but im new to this,  so found it weird  :P



  • @webnik:

    Ok,  found a solution  :)

    As i could not create a suppression list manually,  i marked one to the suppression list in Auto flowbit rules.  Then i could edit that one and add my own.

    maybe its just the way it works,  but im new to this,  so found it weird  :P

    I will check into this.  Sounds like maybe a bug got introduced.  You should be able to create a save a new list.  There were quite a few under-the-cover changes to the code for saving the configuration to improve security.  It's possible one of the changes inadvertently broke the new list creation.

    Bill



  • SAME HERE

    i supress one of the alert then i edit the supress list


  • Moderator

    I already had two suppress lists which are working but I can confirm that I can't create any additional suppress list with the "+" icon.



  • @BBcan17:

    I already had two suppress lists which are working but I can confirm that I can't create any additional suppress list with the "+" icon.

    OK.  I will fix this.  I already need to bump the displayed version number from 3.0.5 to 3.0.6 due to the OpenSSL patch that was applied while I was away.  I will put together the fix for this and take a look at some of the other bugs over the next couple of days.  I will post a Pull Request with the updates soon.

    Bill



  • Found this bug and fixed it.  Will be submitting a Pull Request containing this fix in the next day or two.  Sorry for the issue.  It was caused by the "hardening code" added to improve security around configuration change post backs.  I had tested editing existing lists after the change, but skipped over creating a new one from scratch.  That was my bad.

    Sorry,
    Bill



  • I am having the same problem, cannot write/save a suppress list since upgrading to 2.1.2 - any status on the fix?  Should we uninstall, reinstall something?



  • @shaker242:

    I am having the same problem, cannot write/save a suppress list since upgrading to 2.1.2 - any status on the fix?  Should we uninstall, reinstall something?

    The fix for this is posted in Pull Request #648 posted on Github here:  https://github.com/pfsense/pfsense-packages/pull/648

    It has been waiting for the pfSense Core Team to approve and merge for nearly two weeks.

    Bill



  • Thanks, I'll keep an eye open for it.



  • @shaker242:

    Thanks, I'll keep an eye open for it.

    The code was merged today. take a look.



  • @marcelloc:

    The code was merged today. take a look.

    I just did a package reinstall and that completely solved the inability to create a suppression file.  Thanks!



  • @fmaxwell:

    @marcelloc:

    The code was merged today. take a look.

    I just did a package reinstall and that completely solved the inability to create a suppression file.  Thanks!

    You're welcome!  Sorry about the bug.  It was totally my fault.  In adding some additional security for configuration changes, I accidentally broke saving a new list… :-[

    Bill