4. Suricata Crashes with PHP Memory error

Suricata Crashes with PHP Memory error

  • P
    Banned

    I loaded up Suricata and downloaded the ET Open Sourse rulessets. I enabled all rules, then went through and disabled some categories and saved. Then I went and disabled a few rules and saved and it crashed with a PHP memory error from pfSense. Ever since then if I try to start Suricata then I get a crash alert from pfSense. If I enable the interface (WAN) on suricata and try to start the service then the WAN goes down completely. I have restarted the service and the entire pfSense box but still the same. I tried increasing the Stream Memory Cap all the way up to 140MB (per this thread: https://forum.pfsense.org/index.php?topic=93926.msg521334#msg521334) with no change. I have also tried increasing the PHP memory to 640MB and 1024MB (per this thread: https://forum.pfsense.org/index.php?topic=92074.0), also no change.

    My pfSense box runs on an old workstation with 8GB RAM, i5-2400, >500GB HDD Remaining, Intel Pro/1000 Dual Desktop NIC.

    Please let me know how I can fix this? I'll be happy to post more logs if needed.

    					Crash report begins.  Anonymous machine information:

amd64
10.3-RELEASE-p5
FreeBSD 10.3-RELEASE-p5 #0 7307492(RELENG_2_3_2): Tue Jul 19 13:29:35 CDT 2016     root@ce23-amd64-builder:/builder/pfsense-232/tmp/obj/builder/pfsense-232/tmp/FreeBSD-src/sys/pfSense

Crash report details:

PHP Errors:
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 262144 bytes exhausted (tried to allocate 85 bytes) in /etc/inc/xmlparse.inc on line 102
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP Stack trace:
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP   1\. {main}() /usr/local/www/suricata/suricata_flow_stream.php:0
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP   2\. write_config() /usr/local/www/suricata/suricata_flow_stream.php:357
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP   3\. parse_xml_config() /etc/inc/config.lib.inc:579
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP   4\. parse_xml_config_raw() /etc/inc/xmlparse.inc:177
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP   5\. xml_parse() /etc/inc/xmlparse.inc:216
[27-Aug-2016 01:43:34 America/Los_Angeles] PHP   6\. startElement() /etc/inc/xmlparse.inc:216
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 262144 bytes exhausted (tried to allocate 32 bytes) in /etc/inc/xmlparse.inc on line 106
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP Stack trace:
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP   1\. {main}() /usr/local/www/suricata/suricata_flow_stream.php:0
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP   2\. write_config() /usr/local/www/suricata/suricata_flow_stream.php:357
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP   3\. parse_xml_config() /etc/inc/config.lib.inc:579
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP   4\. parse_xml_config_raw() /etc/inc/xmlparse.inc:177
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP   5\. xml_parse() /etc/inc/xmlparse.inc:216
[27-Aug-2016 01:43:59 America/Los_Angeles] PHP   6\. startElement() /etc/inc/xmlparse.inc:216
    0
  • P
    Banned

    UPDATE:

    I switched from inline mode to legacy mode and everything is working again.

    I'm a total newbie so I guess I misunderstood something about the supported hardware/drivers?

    My NIC is the Intel PRO/1000 PT Dual Port Gigabit Network Adapter EXPI9402PT 868971

    Based on FreeBSD documentation found here: https://www.freebsd.org/cgi/man.cgi?query=netmap&apropos=0&sektion=4&manpath=FreeBSD+10.2-RELEASE&arch=default&format=html#SUPPORTED_DEVICES I understood em(4) to natively support netmap (which is what I believe limits NIC's to work in inline mode?) and I also understood em(4) to apply to Intel PRO/1000 PT cards?```
    EM(4)       FreeBSD Kernel Interfaces Manual EM(4)

    NAME
        em -- Intel(R) PRO/1000 Gigabit Ethernet adapter driver

    
I don't know what the "(4)" in em(4) means though?

What am I missing here? Why is my setup working in Legacy but not inline mode? I'm hoping that there are some memory settings or something that I can adjust to allow inline mode to work?
    0
  • P
    Banned

    Disregard the last update, when in Legacy mode pfSense doesn't throw any errors and the WAN doesn't shutdown, but the internet does not work.

    0

  • https://www.freebsd.org/cgi/man.cgi?em(4)
    https://www.freebsd.org/cgi/man.cgi?query=man&apropos=0&sektion=0&manpath=FreeBSD+10.3-RELEASE+and+Ports&arch=default&format=html

    0
  • P
    Banned

    @RonpfS:

    https://www.freebsd.org/cgi/man.cgi?em(4)
    https://www.freebsd.org/cgi/man.cgi?query=man&apropos=0&sektion=0&manpath=FreeBSD+10.3-RELEASE+and+Ports&arch=default&format=html

    Ah, thanks! The (4) is for Chapter 4 of the manual, makes sense.

    Any pointers on how to solve my problem?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy