4. Snort Widget Error Blowing up PHP_Errors.log

Snort Widget Error Blowing up PHP_Errors.log

  • R

    Every 2-3 weeks I discover my PHP_errors.log file has blown up- jumping to 1-2GB.  It's always the same thing:

    
[01-Jul-2015 08:30:35 US/Eastern] PHP Warning:  fopen(/tmp/alert_snort15008): failed to open stream: No such file or directory in /usr/local/www/widgets/widgets/snort_alerts.widget.php on line 128
[01-Jul-2015 08:30:35 US/Eastern] PHP Warning:  fgetcsv() expects parameter 1 to be resource, boolean given in /usr/local/www/widgets/widgets/snort_alerts.widget.php on line 129
[01-Jul-2015 08:30:35 US/Eastern] PHP Warning:  fgetcsv() expects parameter 1 to be resource, boolean given in /usr/local/www/widgets/widgets/snort_alerts.widget.php on line 129
...

    Those last lines repeat a total of about 6 million times over the course of 5 minutes.  I'm not exaggerating.  That grew PHP_errors.log to 1.3GB this time.

    As the lines suggest, I do have snort installed, as well as the widget running on the main screen.  I looked at the alert log and system log to see if anything in particular happened at or around 8:30, but there's nothing at that time, and nothing around it that looks the least bit suspicious.

    Any ideas?

    0

  • Something is possibly corrupt in your alert log file.  If you can, clear the alert logs by going to the ALERTS tab and using the GUI option to clear out the alerts.  That will empty out the files.  Also be sure your time zone is set correctly.  There were some reported issues with 2.2.3 upgrades not correctly resetting time zone preferences.  Since Snort uses the local time to stamp the alert times with, if the time zone is incorrect or corrupted, that could cause this problem.

    Scratch this reply and see the one that follows…

    Bill

    0

  • Scratch my earlier reply.  I forgot how my own code works …  :-[

    The Widget code first verifies an alert log file exists for the interface, then it tails the configured number of entries from it and writes those "tailed" entries to a temp file in the [b]/tmp directory.  The code then verifies the temp file exists in /tmp and then opens it for reading.  The opening for reading is failing in your case, but the error says it's failing because the file does not exist.  However, before the open is attempted, a call is made to verify the file exists, so I really don't know what is going on in your case.

    I can add another layer of error-checking to the Widget code and will do so in the next update.

    Bill

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy