PHP Fatal Error: memory exhausted

dlaprade

Hardware

Motherboard:

Supermicro X11SCL-IF ( Dual GbE LAN with Intel i210-AT )

CPU:

Intel Xeon E-2136 ( 6 core x 2 hardware threads )

RAM:

32 gb ECC ( validated with memtest )

Rules (Snort)
Current rules

• All ET Open rules
• All Snort Text Rules
• Almost all Snort SO Rules
• Snort OPENAPI rules: openappid-hacktools.rules

I did try to change any rules to get the error, I was attempting to view the Active rules section.

DaddyGo

@dlaprade said in PHP Fatal Error: memory exhausted:

X11SCL-IF

Serious hardware (X11SCL-IF), I use this for pfSense. (MBD-M11SDV-4C-LN4F-O, you know Intel is vulnerable in this theme NGFW))
Have you tried to increase this?

bmeeks

You apparently have a ton of the rules selected as active. When you choose to view the "active" rules, that will try to load everything into the available PHP memory space in prelude to dumping it out as an HTML stream. There just is not enough PHP memory space allocated within pfSense to do this when attempting to load very, very large text fields. Same thing happens with log files if you let them get very large.

This is not really a bug. It's just a fundamental limitation of the underlying technology (the PHP GUI environment). Paging large text files is a bit difficult to program with PHP. All of the packages for now that have need to show text from files simply read the file into a PHP string and then dump that string out as HTML to an open session. So right now you can't view that option if you have large numbers of active rules.

If you want to view the actual contents of that selection, you will need to get to a shell prompt on the firewall and use CLI tools such as more or cat to dump the text out one screen at the time. Or you can use WinSCP to copy the file off elsewhere for viewing with other editors that can load and work with very large files. The file will be in /usr/local/etc/snort/snort_xxxxx/rules/snort.rules (where xxxxx is a combination of the physical NIC name and a UUID).

bmeeks

@dlaprade said in PHP Fatal Error: memory exhausted:

Hardware

Motherboard:

Supermicro X11SCL-IF ( Dual GbE LAN with Intel i210-AT )

CPU:

Intel Xeon E-2136 ( 6 core x 2 hardware threads )

RAM:

32 gb ECC ( validated with memtest )

Rules (Snort)
Current rules

• All ET Open rules
• All Snort Text Rules
• Almost all Snort SO Rules
• Snort OPENAPI rules: openappid-hacktools.rules

I did try to change any rules to get the error, I was attempting to view the Active rules section.

Unless you have public-facing servers behind pfSense, and a lot of differnt types of them such as DNS, mail, and web, then there is no way you need all the rules categories enabled. Blindly selecting all of the available rules categories shows inexperience with using an IDS/IPS. You need to carefully select the rules that cover the threats to your actual network environment.

If you do not have a public-facing DNS server, then why do you need to enable DNS server rules? If you don't have a public-facing mail server, then why do you need to enable the SMTP server rules? If you don't have a public-facing web server, then why would you need the web server rules?

You also show Snort installed on the WAN interface. Again, unless you have public-facing servers providing things like DNS, mail, web services, etc., then you should put Snort on the LAN and not the WAN. The WAN is going to drop all unsolicited inbound traffic by default unless you put specific pass rules on the WAN. When you run the IDS/IPS on the WAN, all internal hosts will show up in the alerts as having your WAN's pubilc IP due to NAT. This will make it very hard to determine which internal host is triggering a given rule. Snort sits between the NIC driver and the rest of the firewall, so on the WAN Snort will see your outbound traffic only after NAT is applied. Thus internal hosts will be masked by the public WAN IP due to NAT. Putting the IDS/IPS on the LAN will let you see the internal hosts in alerts with their native IP addresses.

DaddyGo

I agree with Bill, that's an awful lot of rules ...
it can help (old work, but when examined carefully, it can help with ET, for example): https://raw.githubusercontent.com/jflsakfja/suricata-rules/master/list.txt

dlaprade

Thank you, I appreciate all the information everyone has given me. I am fairly new to pfsense / firewall configurations. I need to learn more about IDS/IPS setup and configuration.

DaddyGo

Just for your info, if you’re "new" then you need to know that Bill is the maintainer of the Snort and Suricata package maintainer under thepfSense, so you got advice on the best place :-)

DaddyGo

To help:

https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions
https://forum.netgate.com/topic/50708/suricata-snort-master-sid-disablesid-conf
https://forum.netgate.com/topic/138613/configuring-pfsense-netmap-for-suricata-inline-ips-mode-on-em-igb-interfaces

and much more.....

bmeeks

@dlaprade said in PHP Fatal Error: memory exhausted:

Thank you, I appreciate all the information everyone has given me. I am fairly new to pfsense / firewall configurations. I need to learn more about IDS/IPS setup and configuration.

Nothing wrong with being new to IDS technology. All of us were in the same boat when we started.

Google can be your research friend as you learn about IDS in general.

For pfSense setup, here is a suggestion/recommendation I posted some time back for new-to-IDS users: https://forum.netgate.com/topic/141743/best-rules-to-best-protection-in-wan-and-lan-interface/2. It offers some helpful tips for initially getting started. There are some other useful tidbits of info in the other posts within that thread if you read the entire thread.

SysyBorrow

This post is deleted!

Gertjan

This post is deleted!