Snort Crash when using Max-Detect
-
Hello,
I'm experimenting with Snort and having a bit of trouble with the "max-detect" option.
- On the Global Settings only Snort VRT (free) is enabled, oinkmaster code is added.
- WAN settings: Block Offenders enabled, IPS mode is Legacy and the search method is AC-BNFA-NQ
- WAN categories: Use IPS Policy enabled, IPS Policy selection is Max-Detect
- WAN rules: Category selection is IPS Policy - Max-Detect -> as soon as I check that I get a blank white page and once I go back to firewall main page I get a notification saying "pfSense has detected a crash report or programming bug. Click here for more information."
Here is the "more information":
Crash report begins. Anonymous machine information:
amd64 14.0-CURRENT FreeBSD 14.0-CURRENT #1 RELENG_2_7_0-n255866-686c8d3c1f0: Wed Jun 28 04:21:19 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/obj/amd64/LwYAddCr/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/sources/FreeBSD-src-REL

Crash report details:
PHP Errors:
[22-Aug-2023 20:13:47 Etc/UTC] PHP Fatal error: preg_replace(): Cannot use output buffering in output buffering display handlers in /usr/local/www/csrf/csrf-magic.php on line 159
[22-Aug-2023 20:22:14 Etc/UTC] PHP Fatal error: preg_replace(): Cannot use output buffering in output buffering display handlers in /usr/local/www/csrf/csrf-magic.php on line 159
[22-Aug-2023 20:23:05 Etc/UTC] PHP Fatal error: preg_replace(): Cannot use output buffering in output buffering display handlers in /usr/local/www/csrf/csrf-magic.php on line 159
[22-Aug-2023 20:23:41 Etc/UTC] PHP Fatal error: preg_replace(): Cannot use output buffering in output buffering display handlers in /usr/local/www/csrf/csrf-magic.php on line 159
[22-Aug-2023 20:29:17 Etc/UTC] PHP Fatal error: preg_replace(): Cannot use output buffering in output buffering display handlers in /usr/local/www/csrf/csrf-magic.php on line 159
[22-Aug-2023 20:35:22 Etc/UTC] PHP Fatal error: preg_replace(): Cannot use output buffering in output buffering display handlers in /usr/local/www/csrf/csrf-magic.php on line 159

No FreeBSD crash data found.
Is anyone else having this problem? Thanks!
pfsense hardware:
4 Core CPU
16GB RAM
120GB SSD
1Gbit internet connection.
-
The "Max Detect" policy should never be selected in a production system. It is for testing only. It activates all of the rules and will likely run the PHP process out of memory. That is what's happening in your case. The error means the PHP process has exceeded the allowable memory limit.
pfSense imposes a system-wide limit on the amount of memory a PHP process can consume. Trying to load huge Snort rule sets can result in the array size exceeding the amount of memory pfSense allocates to a single PHP process. And before you say your system has 16 GB of RAM, that does not matter currently. pfSense has a hard-coded cutoff of 512 MB if I recall correctly no matter how much free RAM may be in the firewall box.
The solution is to not select the "Max Detect" policy, especially if you also have other rules such as Emerging Threats categories or OpenAppID enabled.
-
Hello,
Thank you for your reply. This is not a production system, I'm experimenting with Snort, checking different settings. I suspected it would be a PHP memory limitation, I tried to increase it manually to see if it would make any difference but I had no success.
I understand your point and will take your advice that it shouldn't be used in production. However, I believe not using "Max Detect" isn't a solution for that option breaking the webUI. I think if this setting behaves exactly the same everywhere, maybe it shouldn't be an available option to select or maybe there should be some flexibility for PHP memory allocation if this option is selected.
Please don't get me wrong, I don't expect you to provide the solution, just giving my opinion. :)
Thanks
-
Did you have any other Rule Categories selected on the CATEGORIES tab when you chose the IPS Policy?
The logic on that tab allows you to also choose any other rules archives you have enabled, such as Emerging Threats. I think it will also allow you to select OpenAppID rules. When you choose an IPS Policy, only the additional Snort VRT rule categories are grayed-out.
I can test again in the event the number of published Snort rules has grown considerably, but I believe it will successfully load up the Max Detect policy rules so long as no other categories are enabled at the same time. It could be the combination of the policy selected rules added to say Emerging Threats rules that pushes it over the limit.
By the way, there is a Feature Request that has just been merged into the 2.8 CE snapshots branch (and Plus 23.09) to allow user selection of the PHP process memory limit. That Redmine request is here: https://redmine.pfsense.org/issues/13377. It will allow the admin to override the default PHP memory limit and increase it up to the limit of free RAM.
Just to be sure you understand, Snort IPS Policies are created and published by the Snort developer team. They work by using special embedded metadata in the Snort VRT rules that assigns a given rule to one or more IPS policies. This metadata is not present in Emerging Threats nor any other rules package. The PHP code reads this metadata tag from Snort VRT rules and uses it to "pick" the rules to automatically enable for a chosen policy. Because the chosen IPS Policy is what selects the rules to enable, the Snort VRT rule categories are automatically grayed-out when a policy is selected.
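To illustrate the metadata-driven selection described in the reply above, here is an added example (not code from the pfSense Snort package) that reads the "policy <name>-ips <action>" tags from rule text and picks the SIDs a chosen IPS policy enables. The rule lines are constructed samples with made-up SIDs, and the function names are my own; rules without that metadata (as Emerging Threats rules are) are never selected by a policy, whatever policy is chosen.

```python
import re

# Constructed sample rules, not real VRT rules. The metadata keyword mirrors
# the "policy <name>-ips <action>" tags found in Snort VRT rules. Rule two is
# commented out as it would be in a disabled state; rule four carries no
# policy metadata at all, like an Emerging Threats rule.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE one"; flow:to_server,established; content:"a"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE two"; content:"b"; metadata:policy max-detect-ips drop; sid:9000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE three"; content:"c"; metadata:ruleset community; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXAMPLE no policy metadata"; content:"d"; classtype:trojan-activity; sid:2000001; rev:1;)
"""

POLICY_RE = re.compile(r"policy\s+([a-z\-]+?)-ips\s+(alert|drop)", re.I)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
META_RE = re.compile(r"metadata:\s*([^;]*);")


def parse_rules(text):
    """Return (sid, {policy: action}, rule_text) for every rule line.

    A leading '#' only marks a rule as disabled; the policy metadata is still
    read, because the policy decides what gets enabled, not the current state.
    """
    rules = []
    for line in text.splitlines():
        body = line.lstrip("# ").strip()
        sid_match = SID_RE.search(body)
        if not body or not sid_match:
            continue  # blank line or not a rule
        policies = {}
        meta = META_RE.search(body)
        if meta:
            for name, action in POLICY_RE.findall(meta.group(1)):
                policies[name.lower()] = action.lower()
        rules.append((int(sid_match.group(1)), policies, body))
    return rules


def select_for_policy(rules, policy):
    """SIDs that the given IPS policy (e.g. 'max-detect') enables."""
    return sorted(sid for sid, policies, _ in rules if policy in policies)


def rules_per_policy(rules):
    """Count how many rules each policy would enable; max-detect is the largest set."""
    counts = {}
    for _, policies, _ in rules:
        for name in policies:
            counts[name] = counts.get(name, 0) + 1
    return counts
```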