PHP Errors

NollipfSense

I have /tmp in RAM disk with lots of room yet Snort VRT rules downloading is failing. Force update results in PHP error and crash.

Gertjan

505 means : the web server, where the md5 are hosted, blows up.
( or something in between ?? strange things happen these days, and Internet wires are glowing red ...)

Not really something you can do.
Contact the site owner and tell him that something's bad ... ?
But I guess they already know, as these servers git hit often and hard all the time -in normal times

Btw : the snort package code definitely needs some modifications so it handles more elegant an aborted download.
It's ok that something fails, and you should see some GUI message, not a low-level PHP bail out.
That's something for the pfSense package maintainer.
Remember : a package is rarely written by pfSense employees - an exception might be "Acme" and the 'Cron" package.

edit : humm. Didn't recognise you. Stupid me. I just realise that you probably know all this already. You're just error reporting.
Sorry.

kiokoman

i've done some test on my pfsense 2.5, latest build of today with tmp in RAM and without

with no space for /tmp
/dev/md0 39196 39132 -3068 109% /tmp
i had alot of trouble as expected
Server returned error code 500.
Server error message was: 500 Internal Server Error
Snort Subscriber rules file download failed. Bad MD5 checksum.

with more space available
/dev/md0 495516 116876 339000 26% /tmp
success on first try

without /tmp on ram
success on first try

there must be something on your pfsense, i never saw that 505 error on my tests,

505 HTTP Version Not Supported is a status that a server can emit if it doesn’t support the major HTTP version the client used to make the request.

this lead to curl that is used to download snort updates, maybe there is something wrong with it
try to reinstall curl maybe?

pkg install -f curl-7.67.0 php73-curl-7.3.15

or there is something that interferes with its functioning

bmeeks

@NollipfSense said in PHP Errors:

I have /tmp in RAM disk with lots of room yet Snort VRT rules downloading is failing. Force update results in PHP error and crash.

Your RAM disk for /tmp is too small. You need at a minimum 256 MB of space. What you see in your screenshot above is not the actual number at the time of the rules download. Snort cleans up its temporary files after a rules update (whether the update succeeds or fails). So that 96 MB showing is before the rules update started.

Remove the RAM disk or else make /tmp 256 MB or even 512 MB and try it again. I've stated on these forums what feels like now 1000 times, "DO NOT USE RAM DISKS WITH SNORT or SURICATA!"

bmeeks

@kiokoman said in PHP Errors:

i've done some test on my pfsense 2.5, latest build of today with tmp in RAM and without

with no space for /tmp
/dev/md0 39196 39132 -3068 109% /tmp
i had alot of trouble as expected
Server returned error code 500.
Server error message was: 500 Internal Server Error
Snort Subscriber rules file download failed. Bad MD5 checksum.

with more space available
/dev/md0 495516 116876 339000 26% /tmp
success on first try

without /tmp on ram
success on first try

there must be something on your pfsense, i never saw that 505 error on my tests,

505 HTTP Version Not Supported is a status that a server can emit if it doesn’t support the major HTTP version the client used to make the request.

this lead to curl that is used to download snort updates, maybe there is something wrong with it
try to reinstall curl maybe?

pkg install -f curl-7.67.0 php73-curl-7.3.15

or there is something that interferes with its functioning

Just FYI. When a user has a RAM disk and that disk runs out of space, things basically go "undefined" at that point in terms of error messages. In this case, the Snort code is using the PHP curl library functions to download the various rules files. When there is not enough space available, curl can obviously get confused because the download started writing to disk but then the latter part of the data download failed. The Snort rules download subroutine attempts to retrieve the last curl error code and return it for logging. But depending on the particular circumstances of the moment the error code returned may not really be the "last" error. I suspect that is what is happening in the case of the OP. His actual problem is failing to follow my admonitions to never use RAM disks with the IDS/IPS packages. I give this warning because of exactly what is happening to the OP. You get weird failures, and the error messages coming from the OS and the PHP modules are not always helpful in diagnosing the underlying issue.

kiokoman

i had alot of trouble as expected

it was exactly what I wanted to prove with the tests,
because he didn't seem convinced of your answer in the other discussion here
https://forum.netgate.com/topic/151591/sort-4-not-downloading-vrt-rules/
so i was trying to show proof that, with not enought space for /tmp, you have alot of random problem/error

NollipfSense

As I posted here: https://forum.netgate.com/topic/151591/sort-4-not-downloading-vrt-rules/9
Okay Bill, lesson learned...Snort and Suricata don't like RAM Disk period! I had set (/tmp) to 400MB however after 15mins still didn't download or completed the download.

Then removed RAM disk and it all happened first try!

So now I want to find a better strategy to utilize more RAM. I was thinking to set RAM disk for /tmp and /var to 2GB each just to utilize more RAM...then realize when pfSense 2.5 released, I would not be rebooting on a daily basis like how I am doing now with the nightly snapshots. So my strategy to utilize more RAM cannot happen this way since eventually, it will get full. I might start a thread to engage how to use more RAM.

NollipfSense

@kiokoman I was intrigued with your result so since I have Corona time on my hands, I set RAM disk to 2GB for each (/tmp & /var) just to experiment...all was good. I watch this for a few days...note to others, I am not advocating this setup...it's just an experiment...the developer and the maintainer does not approved.

Jeremy11one

I was asked to post this in this thread:

*Crash report begins. Anonymous machine information:

amd64
12.0-RELEASE-p10
FreeBSD 12.0-RELEASE-p10 ce9563d5729(RELENG_2_5) pfSense

Crash report details:

PHP Errors:
[24-Mar-2020 14:52:55 America/New_York] PHP Warning: file_get_contents(/tmp/igb0_router): failed to open stream: No such file or directory in /etc/inc/gwlb.inc on line 1480

No FreeBSD crash data found.*

NollipfSense

@Jeremy11one It turned out the PHP error wasn't really an error, and more lack of memory space so you must disregard...thank you for responding though.