Snort Widget Error Blowing up PHP_Errors.log

reggie14

Every 2-3 weeks I discover my PHP_errors.log file has blown up- jumping to 1-2GB.  It's always the same thing:

[01-Jul-2015 08:30:35 US/Eastern] PHP Warning:  fopen(/tmp/alert_snort15008): failed to open stream: No such file or directory in /usr/local/www/widgets/widgets/snort_alerts.widget.php on line 128
[01-Jul-2015 08:30:35 US/Eastern] PHP Warning:  fgetcsv() expects parameter 1 to be resource, boolean given in /usr/local/www/widgets/widgets/snort_alerts.widget.php on line 129
[01-Jul-2015 08:30:35 US/Eastern] PHP Warning:  fgetcsv() expects parameter 1 to be resource, boolean given in /usr/local/www/widgets/widgets/snort_alerts.widget.php on line 129
...

Those last lines repeat a total of about 6 million times over the course of 5 minutes.  I'm not exaggerating.  That grew PHP_errors.log to 1.3GB this time.

As the lines suggest, I do have snort installed, as well as the widget running on the main screen.  I looked at the alert log and system log to see if anything in particular happened at or around 8:30, but there's nothing at that time, and nothing around it that looks the least bit suspicious.

Any ideas?

bmeeks

Something is possibly corrupt in your alert log file.  If you can, clear the alert logs by going to the ALERTS tab and using the GUI option to clear out the alerts.  That will empty out the files.  Also be sure your time zone is set correctly.  There were some reported issues with 2.2.3 upgrades not correctly resetting time zone preferences.  Since Snort uses the local time to stamp the alert times with, if the time zone is incorrect or corrupted, that could cause this problem.

Scratch this reply and see the one that follows…

Bill

bmeeks

Scratch my earlier reply.  I forgot how my own code works …  :-[

The Widget code first verifies an alert log file exists for the interface, then it tails the configured number of entries from it and writes those "tailed" entries to a temp file in the [b]/tmp directory.  The code then verifies the temp file exists in /tmp and then opens it for reading.  The opening for reading is failing in your case, but the error says it's failing because the file does not exist.  However, before the open is attempted, a call is made to verify the file exists, so I really don't know what is going on in your case.

I can add another layer of error-checking to the Widget code and will do so in the next update.

Bill