pfSense » pfSense Packages

I am unable to replicate this issue. I installed the latest 2.7.0-BETA of CE on a virtual machine, enabled the ARP Spoof preprocessor, then stopped and restarted Snort without incident.

Verify your snort.conf file for the interface includes this line:

# ARP Spoof preprocessor #
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.20.1 00:0c:29:38:9f:f1

I don't have a pfSense Plus test virtual machine, but the Snort package is identical on the two pfSense versions and thus I would not anticipate any problems when duplicating issues across the two platforms.

The only variable here that is different is the SG-2100 uses an ARM CPU while I have only Intel-based machines to test against. But I really don't think the CPU difference is material here.

I had to enable unicast Arp checks for the error to stop. After that it never returned. I was under the impression that it could function with just the MAC-ip pairing but it needed both options enabled.

The code used to generate the snort.conf file for an interface should validate one of the ARP preprocessor options is enabled before writing the config section containing the MAC/IP Address pairs to the snort.conf file. The presence of the MAC-IP pairings without a corresponding line enabling the preprocessor itself will cause the FATAL ERROR exit.

I will add this additional validation check to the next Snort GUI update.

A fix for this issue has been submitted in Pull Request 1269: https://github.com/pfsense/FreeBSD-ports/pull/1269. This issue can be marked Resolved when the pull request is merged.

Thanks for all you do, I appreciate you.

This error has returned for some reason