snort crash

v0id

Hello, today have encountered this crash. What depends on? Is it an hacking attempt?

Crash report details:

PHP Errors:
[28-Sep-2019 17:31:01 Etc/UTC] PHP Fatal error: Allowed memory size of 402653184 bytes exhausted (tried to allocate 63448770 bytes) in /usr/local/www/csrf/csrf-magic.php on line 161
[28-Sep-2019 17:31:51 Etc/UTC] PHP Fatal error: Allowed memory size of 402653184 bytes exhausted (tried to allocate 63448770 bytes) in /usr/local/www/csrf/csrf-magic.php on line 161
[28-Sep-2019 17:33:52 Etc/UTC] PHP Fatal error: Allowed memory size of 402653184 bytes exhausted (tried to allocate 63448770 bytes) in /usr/local/www/csrf/csrf-magic.php on line 161

No FreeBSD crash data found.

Experience the problem when I run https//192.168.1.1/snort/snort_rules.php

Seen that swap memory is full, previously used: "swapoff -a; swapon -a" for clean swap memory, but probably need more since I have 4GB of RAM. Is it possible to add more space on swap memory?

NogBadTheBad

What makes you think its a snort issue ?

https://github.com/ezyang/csrf-magic

v0id

@v0id said in snort crash:

https//192.168.1.1/snort/snort_rules.php

Hmmm.. when I run snort interfaces > Wan Rules and select active rules from drop down menù (loads https//192.168.1.1/snort/snort_rules.php) and I land on a white page, that produce the crash I've posted... I really don't know what it depends on, just added more space on swap, but didn't solved the problem...

v0id

@NogBadTheBad Is it just a protection to csrf? Can I fix the problem someways without disable it?

NogBadTheBad

Oh ignore what I mentioned, just noticed I have that code too, but I don't see the crashes.

It's quite old code, thats what made me think it was something you'd installed.

bmeeks

@v0id :
Do you have any other packages installed such as Squid, pfBlockerNG, DNSBL, etc? That error indicates that something is chewing up all of the allocated PHP memory. If you have 4GB of RAM, you should not be swapping out to disk (swap memory).

Lastly, what version of pfSense are you running? There were some changes made to the csrf-magic code over in the pfSense-2.5-DEVEL snapshot late last week. However, to my knowledge none of those were applied to RELEASE.

v0id

@bmeeks Have installed just pfBlocker (TLD enabled) and snort in not blocking mode. Actually swapped out of disk and encrypted it, is it bad?

I'm running pfsense 2.4.4 stable

bmeeks

@v0id said in snort crash:

@bmeeks Have installed just pfBlocker (TLD enabled) and snort in not blocking mode. Actually swapped out of disk and encrypted it, is it bad?

I'm running pfsense 2.4.4 stable

What do you mean by "swapped out of disk and encrypted it, is it bad?"? That statement makes no sense to me. What did you swap out of the disk and what is encrypted?

Do you perhaps mean you swapped out the disk drive itself? But I still can't make sense out of the encrypted part.

v0id

This post is deleted!

v0id

@bmeeks Meant I've extended swap space using space from root partition and after create the swap space used these commands for encrypt it
dd if=/dev/random of=/root/en.swap0 bs=1m count=64
mdconfig -a -t vnode -f /root/en.swap0
geom eli init md0
geli restore /var/backups/md0.eli md0

Attach md0, enter:
geom eli attach md0

Turn on encrpted swap file:
swapon /dev/md0.eli||

bmeeks

@v0id
There is no reason, in my view, to encrypt swap space.

You also need to determine why memory usage is so high. Extending swap space is a band aid covering up the core problem.

v0id

@bmeeks Think the core problem is too many hosts in pfBlocker and TLD option activated. 4GB of ram should be not enough for 6 milion hosts

bmeeks

@v0id said in snort crash:

@bmeeks Think the core problem is too many hosts in pfBlocker and TLD option activated. 4GB of ram should be not enough for 6 milion hosts

That's one reason I'm not a fan of loading up tons of IP blocklists. It chews up a ton of CPU processing time and uses valuable RAM. There are more efficient ways to have a secure system in my opinion.

If you really want to run all this stuff on your firewall, then you need more horsepower (larger CPU and lots more RAM). Then you will need to customize the php.ini file settings for maximum memory allocated to PHP processes. Just be aware that any change you make to that file will be automatically overwritten each time you update pfSense. Again, lots of trouble for not much gain in my view.

If you want to block ads on your network, look at something like pi hole running on a virtual machine. Just let your firewall do its normal thing by blocking all unsolicited inbound traffic. But don't bog it down maintaining huge IP block lists. Just my humble $0.02 worth.