Heem14 asked:
snort.conf resetting itself?

I just upgraded my SLES9 box to SP2. In doing so, snort (which is one of the main uses of this machine) was upgraded to version 2.3.2 - Although I wasn't happy that I had to rewrite the .conf file to suit the needs of the newer version, I figured I'd go ahead and just do it.

Now, every night at 4am, snort dies - and when I check it out in the morning, I find that the following line in snort.conf has been altered:

from:
var HOME_NET [list of my custom home nets, not as simple as just one subnet]

to:
var HOME_NET $eth0_Address


This is what causes snort to die - since $eth0 does not resolve, and I use eth1 as my sniffer port anyway.

Of course with it dying at 4am, it's easy to assume that it's something in cron.daily that is causing this to happen -

so, I grepped every file in /etc/cron.daily for "snort.conf" or just "snort" and nothing was found. I have not modified anything in the cron.daily and everything is "stock" as provided by SLES.

I even tried setting the permissions on snort.conf so that even root does not have access to write to it - yet this still occurs, and in the morning, I find the datestamp to be set to today's date, and the permissions back to rw-r----

Any thoughts?

edkim80

strange... there shouldn't be anything in cron that edits .conf files, but what you can try to do is change the file attributes, as opposed to just its permissions.

chattr +iu snort.conf

this will make the file immutable (unchangeable even to the root account) and undeletable, again even to the root account. The only way to regain access is to chattr -iu snort.conf

you can view file attributes with the command
lsattr
Heem14 (ASKER)

ok. I've done this. Monday morning I'll know if this worked - and hopefully whatever was causing it to change will now throw an error due to the immutable status of the file.
Heem14 (ASKER)

Sigh, making it immutable had no effect. The file was still changed this morning, and snort dead.

ASKER CERTIFIED SOLUTION
edkim80
Heem14 (ASKER)

I have actually found the problem.

It was in logrotate.d - and you are correct in that it tries to restart snort - and that is the cause of the crash - but, the reason it refuses to restart is due to the $eth0 change. I have since commented out this part of logrotate, and all is working well.

Thanks for your help.
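Added example, not code from the thread or from the snort or SLES projects: a small shell helper that searches every place a scheduled job or service hook can live for a given string, so that a fragment in /etc/logrotate.d (run from cron.daily's generic logrotate job, which never mentions snort itself) is not missed the way it was here, plus a helper that prints the prerotate/postrotate commands a fragment actually runs. It assumes standard /etc/cron.*, /etc/logrotate.d and /etc/init.d paths under an optional root prefix; the staging tree it builds is constructed sample data.

```shell
#!/bin/sh
# find_hooks PATTERN [ROOT]: list cron, logrotate and init files under ROOT
# (default "/") that mention PATTERN. Assumption: standard SLES-style paths.
find_hooks() {
    pattern=$1
    root=${2:-}
    for dir in "$root/etc/cron.hourly" "$root/etc/cron.daily" \
               "$root/etc/cron.weekly" "$root/etc/cron.monthly" \
               "$root/etc/cron.d" "$root/etc/logrotate.d" "$root/etc/init.d"; do
        [ -d "$dir" ] || continue
        # -l prints only matching file names; "no match" is not an error here
        grep -l -- "$pattern" "$dir"/* 2>/dev/null || true
    done
    for f in "$root/etc/crontab" "$root/etc/logrotate.conf"; do
        if [ -f "$f" ] && grep -q -- "$pattern" "$f"; then printf '%s\n' "$f"; fi
    done
}

# show_rotate_hooks FILE: print the prerotate/postrotate blocks of a logrotate
# fragment. These are the commands that run at rotation time, e.g. the restart
# that ended up rewriting snort.conf in this thread.
show_rotate_hooks() {
    sed -n -e '/^[[:space:]]*prerotate/,/endscript/p' \
           -e '/^[[:space:]]*postrotate/,/endscript/p' "$1"
}

# build_sample_tree: create a constructed staging tree (sample data, not a real
# system) mirroring the thread: a cron.daily job that only calls logrotate, and
# a logrotate fragment whose postrotate restarts snort. Prints the tree root.
build_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/etc/cron.daily" "$tree/etc/logrotate.d"
    printf '#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n' \
        > "$tree/etc/cron.daily/logrotate"
    printf '/var/log/snort/alert {\n    daily\n    postrotate\n        /etc/init.d/snort restart\n    endscript\n}\n' \
        > "$tree/etc/logrotate.d/snort"
    printf '%s\n' "$tree"
}

# Run with --demo to see it on the constructed tree: grepping for "snort"
# finds nothing in cron.daily but does find the logrotate fragment.
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(build_sample_tree)
    find_hooks snort "$demo_root"
    show_rotate_hooks "$demo_root/etc/logrotate.d/snort"
    rm -rf "$demo_root"
fi
```

On a live box, run `find_hooks snort /` as root; the cron.daily grep alone misses the fragment because the daily job that triggers it only names logrotate.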