snort.conf resetting itself?

I just upgraded my SLES9 box to SP2. In doing so, snort (which is one of the main uses of this machine) was upgraded to version 2.3.2. Although I wasn't happy that I had to rewrite the .conf file to suit the needs of the newer version, I figured I'd go ahead and just do it.

Now, every night at 4am, snort dies - and when I check it out in the morning, I find that the following line in snort.conf has been altered:

from:
var HOME_NET [list of my custom home nets, not as simple as just one subnet]

to:
var HOME_NET $eth0_Address


This is what causes snort to die - since $eth0 does not resolve, and I use eth1 as my sniffer port anyway.

Of course, with it dying at 4am, it's easy to assume that it's something in cron.daily that is causing this to happen -

So, I grepped every file in /etc/cron.daily for "snort.conf" or just "snort" and nothing was found. I have not modified anything in cron.daily and everything is "stock" as provided by SLES.

I even tried setting the permissions on snort.conf so that even root does not have access to write to it - yet this still occurs, and in the morning I find the datestamp set to today's date and the permissions back to rw-r----

Any thoughts?

Asked by Heem14
edkim80 commented:
Are you sure that $eth0 is causing the crash? I started looking around and it seems that cron.daily has a script 5snort that emails notifications to you. Some people have said that this tries to restart snort and crashes... Is there a restart line in 5snort? Maybe you could try moving that script out of cron.daily for a test?
 
edkim80 commented:
Strange... there shouldn't be anything in cron that edits .conf files, but what you can try to do is change the file attributes, as opposed to just its permissions.

chattr +iu snort.conf

This will make the file immutable (unchangeable even to the root account) and undeletable, again even to the root account. The only way to regain access is to chattr -iu snort.conf

You can view file attributes with the command
lsattr
 
Heem14 (author) commented:
OK. I've done this. Monday morning I'll know if this worked - and hopefully whatever was causing it to change will now throw an error due to the immutable status of the file.
 
Heem14 (author) commented:
Sigh, making it immutable had no effect. The file was still changed this morning, and snort dead.

 
Heem14 (author) commented:
I have actually found the problem.

It was in logrotate.d - and you are correct in that it tries to restart snort - and that is the cause of the crash - but the reason it refuses to restart is due to the $eth0 change. I have since commented out this part of logrotate, and all is working well.

Thanks for your help.

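As an added example (not part of the thread, and not the asker's or edkim80's code), the two checks that would have shortened this hunt: search every scheduled-job directory, not only cron.daily, for files that mention the service, and keep a checksum baseline of snort.conf so that an overnight rewrite is reported before any restart is attempted. It assumes POSIX sh with coreutils (grep -r, sha256sum, mktemp); the directory list, the sample logrotate stanza, the sample snort.conf lines and the placeholder restart message are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread.
# (1) find_refs: grep every job directory (cron.*, logrotate.d, init.d) for a
#     name such as "snort", because a postrotate hook lives outside cron.daily.
# (2) baseline/verify: record a SHA-256 of the config and refuse a restart
#     when the file no longer matches, so a rewritten HOME_NET is caught.
# Assumptions: POSIX sh, GNU grep -r, coreutils sha256sum/cut/mktemp.

# Constructed list of places a scheduled job can hide; adjust per distribution.
JOB_DIRS="/etc/cron.daily /etc/cron.hourly /etc/cron.weekly /etc/cron.d /etc/logrotate.d /etc/init.d"

# find_refs PATTERN DIR... : print each file under DIR... whose contents
# mention PATTERN. Directories that do not exist are skipped silently.
find_refs() {
    pat="$1"; shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        grep -rl -- "$pat" "$d" 2>/dev/null || true
    done
    return 0
}

# baseline FILE STORE : save the SHA-256 of FILE into STORE.
baseline() {
    sha256sum "$1" | cut -d' ' -f1 > "$2"
}

# verify FILE STORE : status 0 if FILE still matches the stored hash, 1 if not.
verify() {
    cur=$(sha256sum "$1" | cut -d' ' -f1)
    old=$(cat "$2")
    [ "$cur" = "$old" ]
}

# safe_restart FILE STORE : the guard a postrotate hook should carry.
# Restart is only allowed when the config is unchanged; the restart itself is
# a placeholder echo here, not a real init script call.
safe_restart() {
    if verify "$1" "$2"; then
        echo "config unchanged, restart allowed"
        return 0
    fi
    echo "config $1 differs from baseline; refusing restart" >&2
    return 1
}

# demo : build a constructed sandbox that mirrors the thread (a harmless
# cron.daily job, a logrotate stanza that touches snort.conf) and run checks.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/cron.daily" "$tmp/logrotate.d"
    printf '#!/bin/sh\nlogger daily housekeeping\n' > "$tmp/cron.daily/5housekeeping"
    # Constructed logrotate stanza: a postrotate hook that rewrites HOME_NET
    # from eth0 and restarts the daemon. Quoted heredoc, so $eth0_Address is
    # written literally.
    cat > "$tmp/logrotate.d/snort" <<'EOF'
/var/log/snort/alert {
    postrotate
        sed -i 's/^var HOME_NET .*/var HOME_NET $eth0_Address/' /etc/snort/snort.conf
        /etc/init.d/snort restart
    endscript
}
EOF
    # Constructed snort.conf with a custom HOME_NET list, then a baseline.
    printf 'var HOME_NET [10.0.0.0/8,192.168.1.0/24]\n' > "$tmp/snort.conf"
    baseline "$tmp/snort.conf" "$tmp/snort.conf.sha256"
    echo "job files mentioning snort:"
    find_refs snort "$tmp/cron.daily" "$tmp/logrotate.d"
    # Simulate the overnight rewrite and confirm the guard refuses to restart.
    printf 'var HOME_NET $eth0_Address\n' > "$tmp/snort.conf"
    safe_restart "$tmp/snort.conf" "$tmp/snort.conf.sha256" || true
    rm -rf "$tmp"
}
```

Run `demo` to see the constructed case end to end; on a real host, `find_refs snort $JOB_DIRS` lists every job file that mentions snort, and `baseline`/`verify` can be run from the restart wrapper so a changed config stops the restart instead of leaving a dead sensor until morning.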