PHP errors
-
You shouldn't need to reboot, just restarting Suricata should be fine.
Yes pfBlocker-ng can require a lot of php memory. If you were hitting an error there increasing the php memory could well work around it.
-
Regarding pfblocker, unfortunately no dice... just tried and it didn't matter.
seems like the suricata php errors have been resolved but pfblocker still won't take changes to the whitelisting.
-
When you hit save, it just does that save only. You need to Force Reload for the new settings to take effect. Otherwise, it's recommended to whitelist from the Alerts Tab which will take effect immediately and also include any cnames associated to a domain.
-
@jc1976 said in PHP errors:
Regarding pfblocker, unfortunately no dice... just tried and it didn't matter.
seems like the suricata php errors have been resolved but pfblocker still won't take changes to the whitelisting.
You might want to search through the pfBlockerNG PHP code to see if it contains a line of code similar to what I posted earlier from Suricata's code like this one:
ini_set("memory_limit", "512M");
Search for ini_set to find any such instance.
If the pfBlockerNG code contains its own line that sets the PHP memory limit, then that value will overwrite anything else. That's because each PHP process is its own independent island in terms of execution and settings. There are some global defaults, but any individual PHP session can override the global defaults and set a value that will be valid for only the time that session's code is executing.
Generally speaking, each page or tab you manipulate in the pfSense GUI represents a single session of running PHP code, and when the HTML output from that page is rendered and sent to your browser, that PHP session ends execution.
The global PHP memory limit parameter on the Advanced Settings tab under the SYSTEM menu is relatively new in pfSense. Prior to that pfSense simply set a default value hard-coded in a file. Because some packages performed operations that needed additional PHP memory, those package developers added ini_set commands to override the pfSense default and increase memory. But now that the user can set almost any limit they desire in the new PHP memory limit parameter (consistent with the amount of RAM in the firewall), the hard-coded increases in the packages are no longer necessary because they can override what the user has configured and result in less than the user-specified RAM being allocated.
The PHP interpreter will only allocate the amount of PHP memory commanded by the most recently executed ini_set command in a session. So, even though you might have configured a 2 GB global PHP memory limit in the pfSense menu, if the package code still contains an old ini_set("memory_limit", "512M") line, then PHP will only allocate 512 megabytes of string memory for the current session and ignore the user-specified 2 GB value.
-
@bmeeks Many many thanks for this addition just added on 7.04. It was getting annoying every Suricata and/or pfSense upgrade having Suricata crash at each re-install and disappear from my Services menu until editing the memory_limit each time and then having to restore to a prior config after to get Suricata to pop up again in my services menu. Only other way around that in the past I found was to disable all interfaces and remove all extra rules before each update and have to re-add everything after. Should allow for much smoother updates finally, thank you again!
-
it seems that didn't work, and also i just noticed that suricata is no longer showing up under services status or services, i still keep receiving the php error message despite increasing the available memory.
i uninstalled and reinstalled suricata, cleared out my browser's web cache.. no dice..
any advice?
thanks!
-
@jc1976 said in PHP errors:
it seems that didn't work, and also i just noticed that suricata is no longer showing up under services status or services, i still keep receiving the php error message despite increasing the available memory.
i uninstalled and reinstalled suricata, cleared out my browser's web cache.. no dice..
any advice?
thanks!
Did you remove and then reinstall Suricata, or did you just click the reinstall button in the Package Manager tab? You need to remove completely and then reinstall Suricata. Otherwise the old suricata.inc file will stick around with the incorrect settings in it because the PHP session will cache it. The package manager tab code will all execute in a single PHP session and thus can cache some PHP source files. The suricata.inc file is a common file containing lots of shared functions, thus it is frequently cached. Completely removing the package, then going back into Package Manager and locating and installing Suricata again dumps the cached file and then the new one gets used from the new package install.
I also assume that you left the increased PHP memory limit setting configured in pfSense. If not, you must do that. All the change does is honor any pfSense setting. If you rolled back that setting (or never changed it), then Suricata will continue to use the default memory which is 512 MB.
-
I completely removed suricata. I initially did a reinstall but it didn't work so i uninstalled completely, rebooted the firewall, and reinstalled.
My problem at the moment is that it's showing up installed but not showing up under services so i can't get into its interface to see anything.
-
@jc1976 said in PHP errors:
I completely removed suricata. I initially did a reinstall but it didn't work so i uninstalled completely, rebooted the firewall, and reinstalled.
My problem at the moment is that it's showing up installed but not showing up under services so i can't get into its interface to see anything.
The install did not complete due to the PHP errors. Thus it will not show up under the SERVICES menu. You must remove it under Package Manager and reinstall. But before you do that, be sure you have set the PHP Memory Limit value to something large enough under SYSTEM > ADVANCED > MISC SETTINGS. Read my later edits to my post above.
-
that's what i did.
i uninstalled suricata (from within package manager).
verified my php ram settings (2048)
rebooted the firewall.
installed suricata from package manager.
suricata shows up as an installed package.
it does NOT show up under the services menu or under services status.
-
also, i'm still getting the php error.
-
@jc1976 said in PHP errors:
it does NOT show up under the services menu or under services status.
That's because, as I said earlier, the full install procedure is not running to completion. During installation the installer calls a hook script that allows the package to download and install the rules previously configured. When that hook script completes, it returns control to the installer which then, as a last step, creates the menu entry under SERVICES. Because the hook call is crashing, it does not return control to the installer so that it can create the menu entry.
You can probably still call up the Suricata GUI by navigating to <firewall_ip>/suricata/suricata_interfaces.php directly. From there you can examine your rules. You must have a ton of rules enabled to crash the PHP service. Try removing some of them and see if things behave better. Likely nowhere near all of them are required.
Due to the absence of similar posts, I have to assume you are the only user experiencing the problem, so it must be something specific to your setup.
-
What are you testing in? We are currently looking at an issue with the POST-INSTALL script not running in 24.03. But that's at upgrade.
-
@jc1976 If your PHP error now states "Allowed memory size of 2147483648" when PHP limit is set at 2048m at System>Advanced>Misc then that PHP limit number is going to need to be increased a bit higher to accommodate the number of rules enabled, only time it is using this much memory typically is only at install for a few seconds until all configurations and rules are processed. I set mine to about 3/4ths my total RAM at 24576m. If you're on an ARM model or other limited to only 2-4gb total ram available you may need to make sure enough swap space is present and enabled to be able to raise that PHP memory limit higher to allow it to fully load without ahead of time having to have the option unchecked to save settings on re-install, update then configure from scratch, or like another said disabling enough excess rules will bring the needed number down into playing field as well.
-
ok, well i gave php 8 gigs of ram to work with. put "8192" in the php settings, and rebooted.
my firewall has 32gigs of ram, plus a 32Gig swap partition so there's more than enough ram to work with.
installed suricata via the package manager and the same thing happened; it shows as an installed package but it doesn't show up under services and the service doesn't show up under service status.
plus i'm still receiving the error message when i log in.
-
In 23.09.1/2.7.2?
-
@jc1976 said in PHP errors:
it shows as an installed package but it doesn't show up under services and the service doesn't show up under service status.
This is a consequence of the PHP error. It has nothing to do with your root cause of the problem. So long as you get the PHP error, then Suricata is NOT going to show up under the SERVICES menu nor in SERVICES STATUS. Forget about repeating this sentence in every post and let's focus on the root cause -- the PHP error.
What exactly, verbatim, is the PHP error that you receive now?
And what version of the Suricata package are you attempting to install?
-
PHP errors
PHP ERROR: Type: 1, File: /usr/local/pkg/suricata/suricata.inc, Line: 2452, Message: Allowed memory size of 536870912 bytes exhausted (tried to allocate 4096 bytes) @ 2024-03-25 19:48:00
that is it verbatim.
it seems that suricata still might not respect the php settings.
As i stated previously, I set the php memory limit to 8 Gigs.
in this last go-around I performed the following:
-Uninstalled suricata (via the package manager)
-WinSCP'd into the firewall and deleted every trace of suricata (files, folders, etc)
-deleted the package cache in the temp directory
-Cleared/reset fw log files.. so basically, cleared out anything i couldn't find to be critical.
-rebooted the firewall
-logged in, winscp'd in to verify that there weren't any files/folders pertaining to suricata.. there were not..
Back to the package installer, ran it and it gave me the same error message that i copied and pasted above.
-
@jc1976:
But you have not told me what version you are attempting to install. Is it 7.0.4?
Post the first two dozen lines of code from the file /usr/local/pkg/suricata/suricata.inc and let me see what version is actually there.
I'm specifically looking for these lines:
// Suricata GUI needs at least 512MB to manipulate large rules arrays
if (get_php_default_memory() < 512)
	ini_set("memory_limit", "512M");
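-
The search for ini_set suggested in the thread, written out as an added example (not part of any post above and not pfSense or package code): a shell function that lists every literal memory_limit override under a directory and marks the ones below the limit configured in the GUI. The function names and the directory argument are assumptions for illustration; a conditional call like the one quoted above is still listed, because a static scan cannot tell whether it will execute.

```shell
#!/bin/sh
# Added example. Function names are illustrative, not pfSense tooling.

# Convert a PHP shorthand size (512M, 2G, 131072K, plain bytes, -1) to MiB.
to_mib() {
    case "$1" in
        -1)     echo -1 ;;                         # -1 means "no limit" in PHP
        *[Gg])  echo $(( ${1%[Gg]} * 1024 )) ;;
        *[Mm])  echo "${1%[Mm]}" ;;
        *[Kk])  echo $(( ${1%[Kk]} / 1024 )) ;;
        *)      echo $(( $1 / 1048576 )) ;;        # plain byte count
    esac
}

# find_memory_limit_overrides DIR CONFIGURED_MIB
# Prints "file:line:value:VERDICT" for each ini_set("memory_limit", ...) call.
#   LOWERS = the literal is below the configured limit
#   OK     = the literal is at or above it (or unlimited)
#   REVIEW = the value is not a literal (variable or expression)
find_memory_limit_overrides() {
    dir=$1; configured=$2
    grep -rnHE --include='*.php' --include='*.inc' \
        'ini_set\([[:space:]]*["'\'']memory_limit["'\'']' "$dir" 2>/dev/null |
    while IFS=: read -r file line code; do
        # Pull out the second argument when it is a literal size.
        value=$(printf '%s\n' "$code" | sed -nE \
            's/.*ini_set\([[:space:]]*["'\'']memory_limit["'\''][[:space:]]*,[[:space:]]*["'\'']?(-?[0-9]+[KkMmGg]?)["'\'']?.*/\1/p')
        [ -n "$value" ] || { echo "$file:$line:?:REVIEW"; continue; }
        mib=$(to_mib "$value")
        if [ "$mib" -ne -1 ] && [ "$mib" -lt "$configured" ]; then
            echo "$file:$line:$value:LOWERS"
        else
            echo "$file:$line:$value:OK"
        fi
    done
}

# Typical call on the firewall, with the limit from SYSTEM > ADVANCED in MiB:
#   find_memory_limit_overrides /usr/local/pkg 8192
```

The same conversion explains the error text in the thread: to_mib 536870912 gives 512, so the session that crashed was running with a 512 MB limit rather than the value set in the GUI.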