[Snort-devel] Re: Snort delivered with HenWen 1.2 may not be Airport compatible with Mac OS X 10.2.1

Nick Zitzmann dreamless at ...1522...
Wed Sep 25 00:35:03 EDT 2002

On Tuesday, September 24, 2002, at 07:22 PM, Mike and Lynn Card wrote:

> I just wanted to inform you all that tonight I finally got to the root 
> of a problem I have been having under Mac OS X 10.2.1. It turns out 
> that if the Snort NIDS that is shipped with HenWen 1.2 is running, an 
> Airport (802.11b) connection will not wake up properly from sleep. The 
> only thing that will restore the connection is to (a) restart the 
> computer or (b) stop the NIDS.
> I have no idea why this is so, I have been using HenWen (and thus 
> Snort) under Mac OS X 10.1.x for some time with no problem.
> The problem here may be in the HenWen software rather than Snort 
> itself, but I figured I would notify both the Snort community and the 
> HenWen author

I really think you've jumped the gun here. Sometimes reporting bugs 
really does the community a favor, but when you get the source of the 
problem wrong, you're not doing anyone a favor. (And sometimes it is 
easy to get the source wrong.) This is not my bug, and this is not 
Sourcefire's bug, I can already tell you that. I'm pretty sure the 
problem lies somewhere between the OS X Pcap implementation (the 
library that Snort uses to read network traffic) and the AirPort device 

Let me explain. Ever since Mac OS X shipped, it has included a really 
solid, stable 10/100/1000BaseT Ethernet driver. The rest of the 
physical network interface drivers, including AirPort, PPP, etc. have 
been either very flakey or unstable. In 10.0 the PPP driver would 
randomly cause kernel panics. In 10.1 the PPP driver tended to quit 
working after a while, and after someone fixed that bug, another one 
popped up where closing Pcap after the PPP interface had closed up 
caused a kernel panic. In the past I've heard of all sorts of weird 
problems people have had with Pcap and the AirPort drivers. I hoped 
that many of these network drivers would have stabilized in Darwin 6.0, 
which comes with OS X 10.2. Apparently they haven't. <sigh>

Here's a possible resolution: If you haven't tried it already, you 
should try disabling promiscuous mode and see if it makes a difference. 
Promiscuous mode, when enabled, makes a change in the kernel that 
causes it to listen for all types of traffic, not just traffic that's 
sent or routed through your link. Promiscuous mode is on by default in 
HenWen since it is also Snort's default. However, it can cause all 
sorts of problems on wi-fi networks, privacy being one of them (you 
probably wouldn't want someone running a sniffer on a public wi-fi 
network you're using, for example). You can turn it off in HenWen by 
unchecking the box in the Network tab. Also, if you have Snort set to 
launch at startup, you should run the command again.

If turning off promiscuous mode does not make a difference, then let me 
know off-list and I will file a bug report with Apple.

Sorry to bother the rest of the list, but I had to set the record 
straight... <8*)

Nick Zitzmann
ICQ: 22305512
AIM/iChat: dragonsdontsleep

Check out my software page: http://dreamless.home.attbi.com/
