Suricata Crashes with PHP Memory error
-
I loaded up Suricata and downloaded the ET Open Source rulesets. I enabled all rules, then went through and disabled some categories and saved. Then I went and disabled a few rules and saved and it crashed with a PHP memory error from pfSense. Ever since then, if I try to start Suricata I get a crash alert from pfSense. If I enable the interface (WAN) in Suricata and try to start the service, then the WAN goes down completely. I have restarted the service and the entire pfSense box, but still the same. I tried increasing the Stream Memory Cap all the way up to 140MB (per this thread: https://forum.pfsense.org/index.php?topic=93926.msg521334#msg521334) with no change. I have also tried increasing the PHP memory to 640MB and 1024MB (per this thread: https://forum.pfsense.org/index.php?topic=92074.0), also no change.
My pfSense box runs on an old workstation with 8GB RAM, i5-2400, >500GB HDD Remaining, Intel Pro/1000 Dual Desktop NIC.
Please let me know how I can fix this. I'll be happy to post more logs if needed.
```
Crash report begins.
Anonymous machine information:
amd64 10.3-RELEASE-p5 FreeBSD 10.3-RELEASE-p5 #0 7307492(RELENG_2_3_2): Tue Jul 19 13:29:35 CDT 2016 root@ce23-amd64-builder:/builder/pfsense-232/tmp/obj/builder/pfsense-232/tmp/FreeBSD-src/sys/pfSense

Crash report details:
PHP Errors:
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP Fatal error: Allowed memory size of 262144 bytes exhausted (tried to allocate 85 bytes) in /etc/inc/xmlparse.inc on line 102
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP Stack trace:
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP 1. {main}() /usr/local/www/suricata/suricata_flow_stream.php:0
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP 2. write_config() /usr/local/www/suricata/suricata_flow_stream.php:357
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP 3. parse_xml_config() /etc/inc/config.lib.inc:579
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP 4. parse_xml_config_raw() /etc/inc/xmlparse.inc:177
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP 5. xml_parse() /etc/inc/xmlparse.inc:216
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP 6. startElement() /etc/inc/xmlparse.inc:216
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP Fatal error: Allowed memory size of 262144 bytes exhausted (tried to allocate 32 bytes) in /etc/inc/xmlparse.inc on line 106
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP Stack trace:
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP 1. {main}() /usr/local/www/suricata/suricata_flow_stream.php:0
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP 2. write_config() /usr/local/www/suricata/suricata_flow_stream.php:357
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP 3. parse_xml_config() /etc/inc/config.lib.inc:579
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP 4. parse_xml_config_raw() /etc/inc/xmlparse.inc:177
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP 5. xml_parse() /etc/inc/xmlparse.inc:216
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP 6. startElement() /etc/inc/xmlparse.inc:216
```
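A small check that follows from the crash report above, as an added example that is not part of the original post or of pfSense: it parses the PHP fatal-error and stack-trace lines, pulls out the memory limit that was actually in effect when each error fired, and compares it with a memory_limit value you believe you configured (php.ini shorthand such as "640M"). The sample log is constructed to mirror the lines in the report; the configured values passed in are assumptions for the demonstration.

```python
import re

# Constructed sample, modelled on the PHP error lines in the crash report above
# (same format and values; a real report carries the full stack for each error).
SAMPLE_LOG = """\
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 262144 bytes exhausted (tried to allocate 85 bytes) in /etc/inc/xmlparse.inc on line 102
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP Stack trace:
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP   1. {main}() /usr/local/www/suricata/suricata_flow_stream.php:0
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP   2. write_config() /usr/local/www/suricata/suricata_flow_stream.php:357
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP   3. parse_xml_config() /etc/inc/config.lib.inc:579
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 262144 bytes exhausted (tried to allocate 32 bytes) in /etc/inc/xmlparse.inc on line 106
"""

# "Allowed memory size of N bytes exhausted (tried to allocate M bytes) in FILE on line L"
FATAL_RE = re.compile(
    r"Allowed memory size of (\d+) bytes exhausted "
    r"\(tried to allocate (\d+) bytes\) in (\S+) on line (\d+)"
)
# "PHP   2. write_config() /usr/local/www/suricata/suricata_flow_stream.php:357"
FRAME_RE = re.compile(r"PHP\s+(\d+)\.\s+(\S+?)\(\)\s+(\S+):(\d+)\s*$")


def parse_ini_size(value: str) -> int:
    """Convert a php.ini memory_limit shorthand ('640M', '256K', '262144', '-1') to bytes."""
    value = value.strip()
    if value == "-1":
        return -1  # PHP's "no limit"
    m = re.fullmatch(r"(\d+)([KkMmGg]?)", value)
    if m is None:
        raise ValueError(f"not a php.ini size: {value!r}")
    number, unit = int(m.group(1)), m.group(2).upper()
    return number * {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}[unit]


def parse_fatal_errors(log_text: str) -> list:
    """Return one dict per 'Allowed memory size' fatal error found in the log."""
    errors = []
    for line in log_text.splitlines():
        m = FATAL_RE.search(line)
        if m:
            errors.append({
                "limit": int(m.group(1)),      # memory_limit in effect, in bytes
                "requested": int(m.group(2)),  # size of the allocation that failed
                "file": m.group(3),
                "line": int(m.group(4)),
            })
    return errors


def parse_stack_frames(log_text: str) -> list:
    """Return (frame_no, function, file, line) for every stack-trace line in the log."""
    frames = []
    for line in log_text.splitlines():
        m = FRAME_RE.search(line)
        if m:
            frames.append((int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return frames


def effective_limit_matches(log_text: str, configured: str) -> bool:
    """True only if every fatal error in the log reports the configured limit.

    A mismatch means the PHP process that crashed was not running with the
    memory_limit you think you set (different php.ini, SAPI or override).
    """
    want = parse_ini_size(configured)
    errors = parse_fatal_errors(log_text)
    return bool(errors) and all(e["limit"] == want for e in errors)


if __name__ == "__main__":
    for err in parse_fatal_errors(SAMPLE_LOG):
        print(f"limit in effect: {err['limit']} bytes, failed allocating "
              f"{err['requested']} bytes at {err['file']}:{err['line']}")
    for configured in ("640M", "256K"):
        print(f"configured {configured}: matches log = "
              f"{effective_limit_matches(SAMPLE_LOG, configured)}")
```

Run it against the PHP Errors block of a real crash report (paste it into SAMPLE_LOG or read it from a file); if the reported limit is not the value you configured, the change was not picked up by the PHP instance that ran write_config(), which the stack frames identify as the caller.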
-
UPDATE:
I switched from inline mode to legacy mode and everything is working again.
I'm a total newbie, so I guess I misunderstood something about the supported hardware/drivers?
My NIC is the Intel PRO/1000 PT Dual Port Gigabit Network Adapter EXPI9402PT 868971
Based on the FreeBSD documentation found here: https://www.freebsd.org/cgi/man.cgi?query=netmap&apropos=0&sektion=4&manpath=FreeBSD+10.2-RELEASE&arch=default&format=html#SUPPORTED_DEVICES I understood em(4) to natively support netmap (which is what I believe limits which NICs work in inline mode?), and I also understood em(4) to apply to Intel PRO/1000 PT cards?
```
EM(4)                    FreeBSD Kernel Interfaces Manual                    EM(4)

NAME
     em -- Intel(R) PRO/1000 Gigabit Ethernet adapter driver
```
I don't know what the "(4)" in em(4) means though? What am I missing here? Why is my setup working in Legacy but not inline mode? I'm hoping that there are some memory settings or something that I can adjust to allow inline mode to work?
-
Disregard the last update: when in Legacy mode pfSense doesn't throw any errors and the WAN doesn't shut down, but the internet does not work.
-
https://www.freebsd.org/cgi/man.cgi?em(4)
https://www.freebsd.org/cgi/man.cgi?query=man&apropos=0&sektion=0&manpath=FreeBSD+10.3-RELEASE+and+Ports&arch=default&format=html
-
Ah, thanks! The (4) is for Chapter 4 of the manual, makes sense.
Any pointers on how to solve my problem?