snort.conf resetting itself?
Posted on 2006-03-24
I just upgraded my SLES9 box to SP2. In doing so, snort (which is one of the main uses of this machine) was upgraded to version 2.3.2. Although I wasn't happy that I had to rewrite the .conf file to suit the needs of the newer version, I figured I'd go ahead and just do it.
Now, every night at 4am, snort dies - and when I check it out in the morning, I find that the following line in snort.conf has been altered:
var HOME_NET [list of my custom home nets, not as simple as just one subnet]
var HOME_NET $eth0_Address
This is what causes snort to die - since $eth0 does not resolve, and I use eth1 as my sniffer port anyway.
Of course, with it dying at 4am, it's easy to assume that it's something in cron.daily that is causing this to happen, so I grepped every file in /etc/cron.daily for "snort.conf" or just "snort" and nothing was found. I have not modified anything in cron.daily, and everything is "stock" as provided by SLES.
I even tried setting the permissions on snort.conf so that even root does not have access to write to it, yet this still occurs, and in the morning I find the datestamp set to today's date and the permissions back to rw-r----