Netgate Discussion Forum

SNORT Alerts Log Actions Download "Unsupported Archive File or Corrupted Archive File"

IDS/IPS
7 Posts 2 Posters 527 Views
  • pslinn, Oct 28, 2019, 11:21 PM

    After downloading the SNORT Alert Log Actions file, I have tried to open it. I get the following error message:
    "Unsupported Archive File or Corrupted Archive File". I am using a GZip and TAR file extractor.

    Has someone else come across this?

    Regards.

    • bmeeks, Oct 29, 2019, 2:22 AM

      It is most likely a versioning problem with your GZip or TAR extractor. I just downloaded my alerts file as a *.tar.gz archive and opened it just fine using WinRAR 5.71.

      I assume you are using the current version of the Snort package?

      • pslinn, Oct 29, 2019, 10:37 PM

        Thanks. I have also used WinRAR 5.7.1 with no luck. I just noticed I am getting the following crash report. I am wondering if this is the issue. Any ideas on how to address the crash report?

        Crash report begins. Anonymous machine information:

        amd64
        11.2-RELEASE-p10
        FreeBSD 11.2-RELEASE-p10 #9 4a2bfdce133(RELENG_2_4_4): Wed May 15 18:54:42 EDT 2019 root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-244/obj/amd64/ZfGpH5cd/build/ce-crossbuild-244/pfSense/tmp/FreeBSD-src/sys/pfSense

        Crash report details:

        PHP Errors:
        [29-Oct-2019 18:26:40 America/Toronto] PHP Fatal error: Allowed memory size of 402653184 bytes exhausted (tried to allocate 208717392 bytes) in Unknown on line 0
        [29-Oct-2019 18:29:38 America/Toronto] PHP Fatal error: Allowed memory size of 402653184 bytes exhausted (tried to allocate 208717832 bytes) in Unknown on line 0
        [29-Oct-2019 18:31:23 America/Toronto] PHP Fatal error: Allowed memory size of 402653184 bytes exhausted (tried to allocate 208717936 bytes) in Unknown on line 0

        No FreeBSD crash data found.

        • bmeeks, Oct 29, 2019, 11:01 PM

          Yeah, that's going to be your alerts file being too large. Unfortunately there is no easy way within PHP to handle large files (reading them into strings and then writing them out in another format). Either configure the LOG MGMT settings so your alert logs are pruned to a much smaller size and rotated, or else you will have to use something like WinSCP to directly connect to the firewall and pull the files off that way. You can find the alert logs in /var/log/snort/snort_xxxxx, where xxxxx is composed of a random UUID and the physical interface name where Snort is running.

          • pslinn, Oct 29, 2019, 11:59 PM

            Thanks very much.

            • bmeeks, Oct 30, 2019, 12:15 PM

              The Snort, Suricata and pfBlockerNG packages all suffer to some extent from the same PHP limitation with reading in and then displaying out to the web browser large text files such as logs. The PHP process is only allocated a given amount of memory on the firewall, and it is easy to exceed that limit when you use PHP's text file read functions to pull a log file into a string, format it for correct display in the GUI, and then stream it out to the web session client (your browser). I've toyed with writing a more sophisticated function that can read sections of a file at a time, but "keeping your place" across multiple calls to the "display this in the web browser session" routine is not easy.

              1 Reply Last reply Reply Quote 0
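As an added illustration of the limitation bmeeks describes in the two posts above (this is example code written for this thread, not code from the pfSense Snort package), the script below contrasts the whole-file-into-a-string pattern with a chunked reader that "keeps its place" by returning a byte offset the caller persists between requests. For scale: the memory_limit in the crash report is 402653184 bytes, i.e. 384 MiB, and each failed allocation was roughly 200 MB, about what one whole-file read of a large alert log costs before any formatting copy is made. The log path and log contents are constructed so the script runs stand-alone.

```php
<?php
// Added example, not pfSense package code. Contrasts the "read the whole
// file into a string" pattern that trips PHP's memory_limit with a chunked
// reader that resumes from a byte offset.

// Constructed sample log at a hypothetical path so the example runs offline.
$logPath = sys_get_temp_dir() . '/snort_alert_example.log';
$fh = fopen($logPath, 'w');
for ($i = 0; $i < 5000; $i++) {
    fwrite($fh, sprintf(
        "10/29-18:26:%02d.000000  [**] [1:%d:1] Example rule %d [**] [Priority: 3] {TCP} 192.0.2.%d:1234 -> 198.51.100.1:80\n",
        $i % 60, 1000000 + $i, $i, ($i % 254) + 1
    ));
}
fclose($fh);

// Pattern behind the "Allowed memory size ... exhausted" fatal: the whole log
// becomes one string, and htmlspecialchars() then builds a second copy of
// about the same size, so peak memory is at least twice the file size.
function render_whole_file(string $path): string
{
    return htmlspecialchars(file_get_contents($path));
}

// Chunked alternative. Reads at most $maxBytes starting at $offset, trims the
// read back to the last complete line (unless it reached end of file), and
// returns the lines plus the offset the next call should resume from. Peak
// memory is bounded by $maxBytes regardless of the file size.
function read_log_chunk(string $path, int $offset, int $maxBytes = 65536): array
{
    $fh = fopen($path, 'r');
    if ($fh === false) {
        return ['lines' => [], 'offset' => $offset, 'eof' => true];
    }
    fseek($fh, $offset);
    $buf = fread($fh, $maxBytes);
    $eof = feof($fh);
    fclose($fh);

    if ($buf === false || $buf === '') {
        return ['lines' => [], 'offset' => $offset, 'eof' => true];
    }
    if (!$eof) {
        $cut = strrpos($buf, "\n");
        // A single line longer than the chunk contains no newline at all;
        // emit the partial line rather than looping forever on one offset.
        if ($cut !== false) {
            $buf = substr($buf, 0, $cut + 1);
        }
    }
    $lines = explode("\n", rtrim($buf, "\n"));
    return ['lines' => $lines, 'offset' => $offset + strlen($buf), 'eof' => $eof];
}

// Driver that walks the file chunk by chunk, the way a GUI page would across
// several requests (persisting $offset in the session or a query parameter
// instead of a local variable). Returns line and escaped-byte counts.
function stream_log(string $path, int $chunkSize = 65536): array
{
    $offset = 0;
    $count  = 0;
    $sent   = 0;
    do {
        $chunk = read_log_chunk($path, $offset, $chunkSize);
        foreach ($chunk['lines'] as $line) {
            $sent += strlen(htmlspecialchars($line)); // bytes the browser would get
            $count++;
        }
        $offset = $chunk['offset'];
    } while (!$chunk['eof']);
    return ['lines' => $count, 'bytes' => $sent];
}

$streamed = stream_log($logPath, 65536);
printf("file size %d bytes; streamed %d lines / %d bytes; peak PHP memory %d bytes\n",
    filesize($logPath), $streamed['lines'], $streamed['bytes'], memory_get_peak_usage());

$html = render_whole_file($logPath);
printf("whole-file render held %d bytes in a single string at once\n", strlen($html));
unlink($logPath);
```

Run it with the PHP CLI (`php example.php`). The streamed line count equals the number of lines in the file, while the whole-file variant holds the entire escaped log in memory at once; scale the constructed file up to the size in the crash report and only the second call would hit the 384 MiB limit. This is the same reason pruning and rotating the logs under LOG MGMT, or copying them off the firewall with WinSCP, avoids the error: both keep the size of what PHP has to hold in a string at any one time small.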
              • pslinn, Oct 30, 2019, 5:23 PM

                Your assistance is fantastic. I took your advice and I am able to download the information. Thank you very much.
