[Snort-devel] Re: Snort delivered with HenWen 1.2 may not be Airport compatible with Mac OS X 10.2.1

Mike and Lynn Card thehouseofcards at ...512...
Wed Sep 25 05:36:01 EDT 2002

Hey Nick-

I deselected "Promiscuous" mode as you suggested and that fixed the 
problem. Sorry to bother you or the list, but this really had the look 
& feel of an OS lib change that HenWen/Snort needed to "catch up" with. 
I have an iMac that is connected to the Airport base station's Ethernet 
LAN port, and the iMac is running the exact same OS and the same 
version of HenWen/Snort.

For some reason, when I put the iMac to sleep, its Ethernet connection 
will recover after a second or two even if HenWen/Snort is in 
promiscuous mode. IE will initially be unable to load a Web page, but 
you can see the connection recover and then everything is OK. It's 
weird as I would have expected an Airport connection to behave exactly 
like an Ethernet connection as far as this kind of thing goes.

Anyway, thanks very much for your help!

- Mike

On Wednesday, September 25, 2002, at 03:34 AM, Nick Zitzmann wrote:

> On Tuesday, September 24, 2002, at 07:22  PM, Mike and Lynn Card wrote:
>> I just wanted to inform you all that tonight I finally got to the 
>> root of a problem I have been having under Mac OS X 10.2.1. It turns 
>> out that if the Snort NIDS that is shipped with HenWen 1.2 is 
>> running, an Airport (802.11b) connection will not wake up properly 
>> from sleep. The only thing that will restore the connection is to (a) 
>> restart the computer or (b) stop the NIDS.
>> I have no idea why this is so, I have been using HenWen (and thus 
>> Snort) under Mac OS X 10.1.x for some time with no problem.
>> The problem here may be in the HenWen software rather than Snort 
>> itself, but I figured I would notify both the Snort community and the 
>> HenWen author
> I really think you've jumped the gun here. Sometimes reporting bugs 
> really does the community a favor, but when you get the source of the 
> problem wrong, you're not doing anyone a favor. (And sometimes it is 
> easy to get the source wrong.) This is not my bug, and this is not 
> Sourcefire's bug, I can already tell you that. I'm pretty sure the 
> problem lies somewhere between the OS X Pcap implementation (the 
> library that Snort uses to read network traffic) and the AirPort 
> device driver.
> Let me explain. Ever since Mac OS X shipped, it has included a really 
> solid, stable 10/100/1000BaseT Ethernet driver. The rest of the 
> physical network interface drivers, including AirPort, PPP, etc. have 
> been either very flakey or unstable. In 10.0 the PPP driver would 
> randomly cause kernel panics. In 10.1 the PPP driver tended to quit 
> working after a while, and after someone fixed that bug, another one 
> popped up where closing Pcap after the PPP interface had closed up 
> caused a kernel panic. In the past I've heard of all sorts of weird 
> problems people have had with Pcap and the AirPort drivers. I hoped 
> that many of these network drivers would have stabilized in Darwin 6.0, 
> which comes with OS X 10.2. Apparently they haven't. <sigh>
> Here's a possible resolution: If you haven't tried it already, you 
> should try disabling promiscuous mode and see if it makes a 
> difference. Promiscuous mode, when enabled, makes a change in the 
> kernel that causes it to listen for all types of traffic, not just 
> traffic that's sent or routed through your link. Promiscuous mode is 
> on by default in HenWen since it is also Snort's default. However, it 
> can cause all sorts of problems on wi-fi networks, privacy being one 
> of them (you probably wouldn't want someone running a sniffer on a 
> public wi-fi network you're using, for example). You can turn it off 
> in HenWen by unchecking the box in the Network tab. Also, if you have 
> Snort set to launch at startup, you should run the command again.
> If turning off promiscuous mode does not make a difference, then let 
> me know off-list and I will file a bug report with Apple.
> Sorry to bother the rest of the list, but I had to set the record 
> straight... <8*)
> Nick Zitzmann
> ICQ: 22305512
> AIM/iChat: dragonsdontsleep
> Check out my software page: http://dreamless.home.attbi.com/
