Suricata Crashes with PHP Memory error

  • Banned

    I loaded up Suricata and downloaded the ET Open Source rulesets. I enabled all rules, then went through and disabled some categories and saved. Then I went and disabled a few rules and saved and it crashed with a PHP memory error from pfSense. Ever since then if I try to start Suricata then I get a crash alert from pfSense. If I enable the interface (WAN) on Suricata and try to start the service then the WAN goes down completely. I have restarted the service and the entire pfSense box but still the same. I tried increasing the Stream Memory Cap all the way up to 140MB (per this thread) with no change. I have also tried increasing the PHP memory to 640MB and 1024MB (per this thread), also no change.

    My pfSense box runs on an old workstation with 8GB RAM, i5-2400, >500GB HDD Remaining, Intel Pro/1000 Dual Desktop NIC.

    Please let me know how I can fix this? I'll be happy to post more logs if needed.

    ```
    Crash report begins.  Anonymous machine information:
    FreeBSD 10.3-RELEASE-p5 #0 7307492(RELENG_2_3_2): Tue Jul 19 13:29:35 CDT 2016     root@ce23-amd64-builder:/builder/pfsense-232/tmp/obj/builder/pfsense-232/tmp/FreeBSD-src/sys/pfSense
    Crash report details:
    PHP Errors:
    [27-Aug-2016 01:43:34 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 262144 bytes exhausted (tried to allocate 85 bytes) in /etc/inc/ on line 102
    [27-Aug-2016 01:43:34 America/Los_Angeles] PHP Stack trace:
    [27-Aug-2016 01:43:34 America/Los_Angeles] PHP   1. {main}() /usr/local/www/suricata/suricata_flow_stream.php:0
    [27-Aug-2016 01:43:34 America/Los_Angeles] PHP   2. write_config() /usr/local/www/suricata/suricata_flow_stream.php:357
    [27-Aug-2016 01:43:34 America/Los_Angeles] PHP   3. parse_xml_config() /etc/inc/
    [27-Aug-2016 01:43:34 America/Los_Angeles] PHP   4. parse_xml_config_raw() /etc/inc/
    [27-Aug-2016 01:43:34 America/Los_Angeles] PHP   5. xml_parse() /etc/inc/
    [27-Aug-2016 01:43:34 America/Los_Angeles] PHP   6. startElement() /etc/inc/
    [27-Aug-2016 01:43:59 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 262144 bytes exhausted (tried to allocate 32 bytes) in /etc/inc/ on line 106
    [27-Aug-2016 01:43:59 America/Los_Angeles] PHP Stack trace:
    [27-Aug-2016 01:43:59 America/Los_Angeles] PHP   1. {main}() /usr/local/www/suricata/suricata_flow_stream.php:0
    [27-Aug-2016 01:43:59 America/Los_Angeles] PHP   2. write_config() /usr/local/www/suricata/suricata_flow_stream.php:357
    [27-Aug-2016 01:43:59 America/Los_Angeles] PHP   3. parse_xml_config() /etc/inc/
    [27-Aug-2016 01:43:59 America/Los_Angeles] PHP   4. parse_xml_config_raw() /etc/inc/
    [27-Aug-2016 01:43:59 America/Los_Angeles] PHP   5. xml_parse() /etc/inc/
    [27-Aug-2016 01:43:59 America/Los_Angeles] PHP   6. startElement() /etc/inc/
    ```

  • Banned


    I switched from inline mode to legacy mode and everything is working again.

    I'm a total newbie so I guess I misunderstood something about the supported hardware/drivers?

    My NIC is the Intel PRO/1000 PT Dual Port Gigabit Network Adapter EXPI9402PT 868971

    Based on FreeBSD documentation found here: I understood em(4) to natively support netmap (which is what I believe limits NICs to work in inline mode?) and I also understood em(4) to apply to Intel PRO/1000 PT cards?

    ```
    EM(4)       FreeBSD Kernel Interfaces Manual EM(4)

        em -- Intel(R) PRO/1000 Gigabit Ethernet adapter driver
    ```

    I don't know what the "(4)" in em(4) means though?
    What am I missing here? Why is my setup working in Legacy but not inline mode? I'm hoping that there are some memory settings or something that I can adjust to allow inline mode to work?

  • Banned

    Disregard the last update; when in Legacy mode pfSense doesn't throw any errors and the WAN doesn't shut down, but the internet does not work.
