Netgate Discussion Forum
    Possible cause of PHP mem alloc crash when viewing suricata.log file

    IDS/IPS

    • lohphat

      I started having PHP alloc issues which would shut down WAN scanning when I enabled Blocking. When trying to view the suricata.log file, I'd get a PHP crash.

      I had to uninstall suricata and delete all log files and try again.

      Now I'm seeing this when the public filters are parsed. It seems that the log is filling up so quickly that the web UI can't handle it and it crashes.

      Here is the tail end of the errors in the suricata.log file:

      7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"|27|1|27|=|27|1",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:27288; rev:4; )" from file /usr/local/etc/suricata/suricata_10310_mvneta2/rules/suricata.rules at line 27419
      7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword found inside the rule without a content context. Please use a "content" keyword before using the "http_client_body" keyword
      7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"1%3D1",fast_pattern,nocase; pcre:"/or++1%3D1/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:30040; rev:3; )" from file /usr/local/etc/suricata/suricata_10310_mvneta2/rules/suricata.rules at line 27420
      7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword found inside the rule without a content context. Please use a "content" keyword before using the "http_client_body" keyword
      7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"%271%27%3D%271",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:30041; rev:3; )" from file /usr/local/etc/suricata/suricata_10310_mvneta2/rules/suricata.rules at line 27421
      7/6/2018 -- 12:10:50 - <Info> -- 1 rule files processed. 17372 rules successfully loaded, 10110 rules failed

      SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_5)
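      A pre-load check for the failure shown in the log above, added here as an example (not code from the poster, Suricata or pfSense): it scans a ruleset for a content modifier placed before any content keyword, which is exactly the condition the parser reports for http_client_body, so the rules that will be rejected can be counted before the ruleset is enabled and before those errors flood suricata.log. The sample rules are constructed, and the modifier keywords beyond http_client_body are assumed to be treated the same way by that rule grammar.

```python
import re

# Constructed sample ruleset (not the poster's file). Rule 1 has the shape of the rules
# rejected in the posted log: http_client_body before any content keyword. Rule 2 is reordered.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"1%3D1",fast_pattern,nocase; pcre:"/or++1%3D1/i"; classtype:web-application-attack; sid:30040; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"1=1; reordered"; flow:to_server,established; content:"1%3D1"; fast_pattern; nocase; http_client_body; sid:1000001; rev:1; )
"""

# Legacy content modifiers: each applies to the content keyword before it. http_client_body is
# the one named in the posted log; the others are assumed to follow the same rule.
CONTENT_MODIFIERS = {"http_client_body", "http_uri", "http_header", "http_cookie", "http_method",
                     "http_user_agent", "nocase", "fast_pattern", "depth", "offset", "distance", "within"}
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")

def split_options(body):
    """Split a rule body on ';' outside double quotes (a backslash-escaped quote does not toggle)."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"' and not (cur and cur[-1] == "\\"):
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def first_orphan_modifier(rule):
    """First content modifier that appears before any content keyword in the rule, else None."""
    body = rule[rule.find("(") + 1:rule.rfind(")")]
    for keyword in (o.split(":", 1)[0].strip() for o in split_options(body)):
        if keyword == "content":
            return None          # a content context exists for everything that follows
        if keyword in CONTENT_MODIFIERS:
            return keyword       # modifier with no preceding content: the parser rejects this
    return None

def lint_rules(text):
    """Return (rules_that_would_load, [(sid, offending_keyword), ...]) for a ruleset text."""
    rules = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    bad = []
    for rule in rules:
        keyword = first_orphan_modifier(rule)
        if keyword is not None:
            m = SID_RE.search(rule)
            bad.append((m.group(1) if m else "?", keyword))
    return len(rules) - len(bad), bad
```

Running lint_rules over a downloaded suricata.rules file gives the would-load/would-fail split before Suricata logs two error lines per rejected rule.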
