Bug #14496
closed
FATAL ERROR: /usr/local/etc/snort/snort_11005_mvneta1/snort.conf(405) Please activate arpspoof before trying to use arpspoof_detect_host.
100%
Description
Hello fellow Redmine team, can you please help? I am getting some weird bug errors. I have ARP spoof detection enabled in LAN preprocs; however, it won't enable.
I have added in all the MAC-IP pairs and afterwards activated the arpspoof; however, the system disables with this error. Please see attached.
Updated by Bill Meeks about 2 years ago
I am unable to replicate this issue. I installed the latest 2.7.0-BETA of CE on a virtual machine, enabled the ARP Spoof preprocessor, then stopped and restarted Snort without incident.
Verify your snort.conf file for the interface includes this line:
# ARP Spoof preprocessor #
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.20.1 00:0c:29:38:9f:f1
I don't have a pfSense Plus test virtual machine, but the Snort package is identical on the two pfSense versions and thus I would not anticipate any problems when duplicating issues across the two platforms.
The only variable here that is different is the SG-2100 uses an ARM CPU while I have only Intel-based machines to test against. But I really don't think the CPU difference is material here.
Updated by Jonathan Lee about 2 years ago
I had to enable unicast ARP checks for the error to stop. After that it never returned. I was under the impression that it could function with just the MAC-IP pairing, but it needed both options enabled.
Updated by Bill Meeks about 2 years ago
The code used to generate the snort.conf file for an interface should validate one of the ARP preprocessor options is enabled before writing the config section containing the MAC/IP Address pairs to the snort.conf file. The presence of the MAC-IP pairings without a corresponding line enabling the preprocessor itself will cause the FATAL ERROR exit.
I will add this additional validation check to the next Snort GUI update.
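The check described in the comment above, sketched as a standalone linter for a generated snort.conf. This is an added example, not the Snort package's code or the change in the pull request; the function name `check_arpspoof`, the sample configs, and treating the activation line as required before the first pairing line (inferred from the wording of the error message) are assumptions.

```python
import ipaddress
import re

# Matches "preprocessor arpspoof" with optional arguments such as ": -unicast".
ACTIVATE = re.compile(r"^preprocessor\s+arpspoof\s*(:.*)?$")
# Matches "preprocessor arpspoof_detect_host: <ip> <mac>".
DETECT = re.compile(r"^preprocessor\s+arpspoof_detect_host\s*:\s*(\S+)\s+(\S+)\s*$")
MAC = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def check_arpspoof(conf_text):
    """Return (line_number, message) findings for the ARP spoof section."""
    findings = []
    activated = False
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if ACTIVATE.match(line):
            activated = True
            continue
        m = DETECT.match(line)
        if not m:
            continue
        ip, mac = m.groups()
        if not activated:
            findings.append((lineno, "arpspoof_detect_host used before 'preprocessor arpspoof'"))
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            findings.append((lineno, f"invalid IPv4 address: {ip}"))
        if not MAC.match(mac):
            findings.append((lineno, f"invalid MAC address: {mac}"))
    return findings


# Constructed samples: the pairing line from this thread, with and without activation.
BROKEN = """# ARP Spoof preprocessor #
preprocessor arpspoof_detect_host: 192.168.20.1 00:0c:29:38:9f:f1
"""
FIXED = """# ARP Spoof preprocessor #
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.20.1 00:0c:29:38:9f:f1
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_arpspoof(conf) or "ok")
```

Running it against the interface's generated file before restarting Snort shows the missing activation line by line number instead of as a FATAL ERROR at startup.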
Updated by Bill Meeks about 2 years ago
A fix for this issue has been submitted in Pull Request 1269: https://github.com/pfsense/FreeBSD-ports/pull/1269. This issue can be marked Resolved when the pull request is merged.
Updated by Jim Pingle about 2 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
PR Merged
Updated by Jonathan Lee about 2 years ago
Thanks for all you do, I appreciate you.
Updated by Jonathan Lee almost 2 years ago
This error has returned for some reason.