snort.conf resetting itself?

I just upgraded my SLES9 box to SP2. In doing so, snort (which is one of the main uses of this machine) was upgraded to version 2.3.2 - Although I wasn't happy that I had to rewrite the .conf file to suit the needs of the newer version, I figured I'd go ahead and just do it.

Now, every night at 4am, snort dies - and when I check it out in the morning, I find that the following line in snort.conf has been altered:

from:
var HOME_NET [list of my custom home nets, not as simple as just one subnet]

to:
var HOME_NET $eth0_Address


This is what causes snort to die - since $eth0 does not resolve, and I use eth1 as my sniffer port anyway.

Of course with it dying at 4am, It's easy to assume that it's something in cron.daily that is causing this to happen -

so, I grepped every file in /etc/cron.daily for "snort.conf" or just "snort" and nothing was found. I have not modified anything in the cron.daily and everything is "stock" as provided by SLES.

I even tried setting the permissions on snort.conf so that even root does not have accesss to write to it - Yet this still occurs, and in the morning, I find the datestamp to be set to todays date, and the permissions back to rw-r----

Any thoughts?

LVL 12
Heem14Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

edkim80Commented:
strange... there shouldn't be anything in cron that edits .conf files but what you can try to do is change the file attributes, as opposed to just it's permissions.

chattr +iu snort.conf

this will make the file immutable (unchangable even to the root account) and undeletable, again even to the root account.  The only way to regain access is to chattr -iu snort.conf

you can view file attributes with the command
lsattr
Heem14Author Commented:
ok. I've done this. Monday morning I'll know if this worked - and hopefully what ever was causing it to change will now throw an error due to the immutable status of the file.
Heem14Author Commented:
Sigh, Making it immutable had no effect. The file was still changed this morning, and snort dead.

edkim80Commented:
are you sure that $eth0 is causing the crash?  I started looking around and it seems that cron.daily has a script 5snort that emails notifications to you.  Some people have said that this tries to restart snort and crashes...  Is there a restart line in 5snort?  Maybe you could try moving that script out of cron.daily for a test?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Heem14Author Commented:
I have actually found the problem.

It was in logrotate.d - and you are correct in that it tries to restart snort - and that is the cause of the crash - but, the reason it refuses to restart is due to the $eth0 change. I have since commented out this part of logrotate, and all is working well.

Thanks for you help.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.