snort.conf resetting itself?

Posted on 2006-03-24
Medium Priority
Last Modified: 2010-04-20
I just upgraded my SLES9 box to SP2. In doing so, snort (which is one of the main uses of this machine) was upgraded to version 2.3.2. Although I wasn't happy that I had to rewrite the .conf file to suit the needs of the newer version, I figured I'd go ahead and just do it.

Now, every night at 4am, snort dies - and when I check it out in the morning, I find that the following line in snort.conf has been altered:

var HOME_NET [list of my custom home nets, not as simple as just one subnet]

var HOME_NET $eth0_Address

This is what causes snort to die - since $eth0 does not resolve, and I use eth1 as my sniffer port anyway.

Of course, with it dying at 4am, it's easy to assume that it's something in cron.daily that is causing this to happen, so I grepped every file in /etc/cron.daily for "snort.conf" or just "snort" and nothing was found. I have not modified anything in cron.daily and everything is "stock" as provided by SLES.

I even tried setting the permissions on snort.conf so that even root does not have access to write to it. Yet this still occurs, and in the morning I find the datestamp set to today's date and the permissions back to rw-r----

Any thoughts?

Question by:Heem14

Expert Comment

ID: 16284659
Strange... there shouldn't be anything in cron that edits .conf files, but what you can try to do is change the file attributes, as opposed to just its permissions.

chattr +iu snort.conf

This will make the file immutable (unchangeable even to the root account) and undeletable, again even to the root account. The only way to regain access is to chattr -iu snort.conf

you can view file attributes with the command

Author Comment

ID: 16284715
OK. I've done this. Monday morning I'll know if this worked, and hopefully whatever was causing it to change will now throw an error due to the immutable status of the file.

Author Comment

ID: 16300637
Sigh, making it immutable had no effect. The file was still changed this morning, and snort dead.


Accepted Solution

edkim80 earned 2000 total points
ID: 16313555
Are you sure that $eth0 is causing the crash? I started looking around and it seems that cron.daily has a script 5snort that emails notifications to you. Some people have said that this tries to restart snort and crashes... Is there a restart line in 5snort? Maybe you could try moving that script out of cron.daily for a test?

Author Comment

ID: 16313615
I have actually found the problem.

It was in logrotate.d, and you are correct in that it tries to restart snort, and that is the cause of the crash. But the reason it refuses to restart is due to the $eth0 change. I have since commented out this part of logrotate, and all is working well.

Thanks for your help.
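The search the thread ends up doing, written out as an added example (this is not the asker's, the expert's or the Snort project's code): a POSIX shell helper that greps a daemon name across several directories at once, so that a restart hidden in a logrotate.d postrotate stanza is found even though /etc/cron.daily only reaches it indirectly through the logrotate job. The directory tree it runs against is constructed inline under a temporary directory; the file contents are illustrative and are not the real SLES scripts.

```shell
#!/bin/sh
# Added example, not from the thread. Finds scheduled jobs that mention a daemon
# or its config, covering both cron.daily and logrotate.d in one pass.

# find_references PATTERN DIR...
# Prints "file:line:text" for every match in each DIR that exists (recursive,
# case-insensitive, binaries skipped). Returns 0 if anything matched, else 1.
find_references() {
    pattern="$1"; shift
    hits=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        if grep -rnIi -e "$pattern" "$dir" 2>/dev/null; then
            hits=1
        fi
    done
    [ "$hits" -eq 1 ]
}

# count_references PATTERN DIR... : number of matching lines, for scripting.
count_references() {
    find_references "$@" | wc -l | tr -d ' '
}

# make_demo_tree : build a constructed /etc look-alike in a temp dir and print
# its path. Layout mirrors the thread: the daily job only calls logrotate, while
# the daemon restart lives in logrotate.d, so grepping cron.daily alone finds nothing.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/cron.daily" "$root/etc/logrotate.d"
    cat > "$root/etc/cron.daily/logrotate" <<'EOF'
#!/bin/sh
# constructed: stock-style daily job; the daemon name does not appear here
/usr/sbin/logrotate /etc/logrotate.conf
EOF
    cat > "$root/etc/logrotate.d/snort" <<'EOF'
# constructed: rotation stanza whose postrotate restarts the daemon
/var/log/snort/alert {
    daily
    postrotate
        /etc/init.d/snort restart
    endscript
}
EOF
    printf '%s\n' "$root"
}

# demo : run the narrow search the thread tried first, then the wider one.
demo() {
    tree=$(make_demo_tree)
    echo "== cron.daily only =="
    find_references snort "$tree/etc/cron.daily" || echo "no match in cron.daily"
    echo "== cron.daily + logrotate.d =="
    find_references snort "$tree/etc/cron.daily" "$tree/etc/logrotate.d"
    rm -rf "$tree"
}
```

Source the file and call demo to see the constructed case; on a real host, call find_references snort /etc/cron.daily /etc/cron.d /etc/logrotate.d to list every line that names the daemon, including the restart line inside the postrotate stanza.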
