[Snort-devel] Re: Snort delivered with HenWen 1.2 may not be Airport compatible with Mac OS X 10.2.1
Mike and Lynn Card
thehouseofcards at ...512...
Wed Sep 25 05:36:01 EDT 2002
I deselected "Promiscuous" mode as you suggested and that fixed the
problem. Sorry to bother you or the list, but this really had the look
& feel of an OS lib change that HenWen/Snort needed to "catch up" with.

I have an iMac that is connected to the Airport base station's Ethernet
LAN port, and the iMac is running the exact same OS and the same
version of HenWen/Snort.

For some reason, when I put the iMac to sleep, its Ethernet connection
will recover after a second or two even if HenWen/Snort is in
promiscuous mode. IE will initially be unable to load a Web page, but
you can see the connection recover and then everything is OK. It's
weird as I would have expected an Airport connection to behave exactly
like an Ethernet connection as far as this kind of thing goes.

Anyway, thanks very much for your help!

On Wednesday, September 25, 2002, at 03:34 AM, Nick Zitzmann wrote:
> On Tuesday, September 24, 2002, at 07:22 PM, Mike and Lynn Card wrote:
>> I just wanted to inform you all that tonight I finally got to the
>> root of a problem I have been having under Mac OS X 10.2.1. It turns
>> out that if the Snort NIDS that is shipped with HenWen 1.2 is
>> running, an Airport (802.11b) connection will not wake up properly
>> from sleep. The only thing that will restore the connection is to (a)
>> restart the computer or (b) stop the NIDS.
>> I have no idea why this is so, I have been using HenWen (and thus
>> Snort) under Mac OS X 10.1.x for some time with no problem.
>> The problem here may be in the HenWen software rather than Snort
>> itself, but I figured I would notify both the Snort community and the
>> HenWen author
> I really think you've jumped the gun here. Sometimes reporting bugs
> really does the community a favor, but when you get the source of the
> problem wrong, you're not doing anyone a favor. (And sometimes it is
> easy to get the source wrong.) This is not my bug, and this is not
> Sourcefire's bug, I can already tell you that. I'm pretty sure the
> problem lies somewhere between the OS X Pcap implementation (the
> library that Snort uses to read network traffic) and the AirPort
> device driver.
> Let me explain. Ever since Mac OS X shipped, it has included a really
> solid, stable 10/100/1000BaseT Ethernet driver. The rest of the
> physical network interface drivers, including AirPort, PPP, etc. have
> been either very flakey or unstable. In 10.0 the PPP driver would
> randomly cause kernel panics. In 10.1 the PPP driver tended to quit
> working after a while, and after someone fixed that bug, another one
> popped up where closing Pcap after the PPP interface had closed up
> caused a kernel panic. In the past I've heard of all sorts of weird
> problems people have had with Pcap and the AirPort drivers. I hoped
> that many of these network drivers would have stabilized in Darwin 6.0,
> which comes with OS X 10.2. Apparently they haven't. <sigh>
> Here's a possible resolution: If you haven't tried it already, you
> should try disabling promiscuous mode and see if it makes a
> difference. Promiscuous mode, when enabled, makes a change in the
> kernel that causes it to listen for all types of traffic, not just
> traffic that's sent or routed through your link. Promiscuous mode is
> on by default in HenWen since it is also Snort's default. However, it
> can cause all sorts of problems on wi-fi networks, privacy being one
> of them (you probably wouldn't want someone running a sniffer on a
> public wi-fi network you're using, for example). You can turn it off
> in HenWen by unchecking the box in the Network tab. Also, if you have
> Snort set to launch at startup, you should run the command again.
> If turning off promiscuous mode does not make a difference, then let
> me know off-list and I will file a bug report with Apple.
> Sorry to bother the rest of the list, but I had to set the record
> straight... <8*)
> Nick Zitzmann
> ICQ: 22305512
> AIM/iChat: dragonsdontsleep
> Check out my software page: http://dreamless.home.attbi.com/