[Snort-devel] Re: Snort delivered with HenWen 1.2 may not be Airport compatible with Mac OS X 10.2.1
dreamless at ...1522...
Wed Sep 25 00:35:03 EDT 2002
On Tuesday, September 24, 2002, at 07:22 PM, Mike and Lynn Card wrote:
> I just wanted to inform you all that tonight I finally got to the root
> of a problem I have been having under Mac OS X 10.2.1. It turns out
> that if the Snort NIDS that is shipped with HenWen 1.2 is running, an
> Airport (802.11b) connection will not wake up properly from sleep. The
> only thing that will restore the connection is to (a) restart the
> computer or (b) stop the NIDS.
> I have no idea why this is so, I have been using HenWen (and thus
> Snort) under Mac OS X 10.1.x for some time with no problem.
> The problem here may be in the HenWen software rather than Snort
> itself, but I figured I would notify both the Snort community and the
> HenWen author
I really think you've jumped the gun here. Sometimes reporting bugs
really does the community a favor, but when you get the source of the
problem wrong, you're not doing anyone a favor. (And sometimes it is
easy to get the source wrong.) This is not my bug, and this is not
Sourcefire's bug, I can already tell you that. I'm pretty sure the
problem lies somewhere between the OS X Pcap implementation (the
library that Snort uses to read network traffic) and the AirPort device
Let me explain. Ever since Mac OS X shipped, it has included a really
solid, stable 10/100/1000BaseT Ethernet driver. The rest of the
physical network interface drivers, including AirPort, PPP, etc. have
been either very flakey or unstable. In 10.0 the PPP driver would
randomly cause kernel panics. In 10.1 the PPP driver tended to quit
working after a while, and after someone fixed that bug, another one
popped up where closing Pcap after the PPP interface had closed up
caused a kernel panic. In the past I've heard of all sorts of weird
problems people have had with Pcap and the AirPort drivers. I hoped
that many of these network drivers would have stabilized in Darwin 6.0,
which comes with OS X 10.2. Apparently they haven't. <sigh>
Here's a possible resolution: If you haven't tried it already, you
should try disabling promiscuous mode and see if it makes a difference.
Promiscuous mode, when enabled, makes a change in the kernel that
causes it to listen for all types of traffic, not just traffic that's
sent or routed through your link. Promiscuous mode is on by default in
HenWen since it is also Snort's default. However, it can cause all
sorts of problems on wi-fi networks, privacy being one of them (you
probably wouldn't want someone running a sniffer on a public wi-fi
network you're using, for example). You can turn it off in HenWen by
unchecking the box in the Network tab. Also, if you have Snort set to
launch at startup, you should run the command again.
If turning off promiscuous mode does not make a difference, then let me
know off-list and I will file a bug report with Apple.
Sorry to bother the rest of the list, but I had to set the record
Check out my software page: http://dreamless.home.attbi.com/