4. Possible cause of PHP mem alloc crash when viewing suricata.log file

Possible cause of PHP mem alloc crash when viewing suricata.log file

  • L

    I started having PHP alloc issues which would shut down WAN scanning when I enabled Blocking. When trying to view the suricata.log file, I'd get a PHP crash.

    I had to uninstall suricata and delete all log files and try again.

    Now I'm seeing this when then public filters are parsed. It seems that the log is filling up so quickly that the web UI can't handle it and it crashes.

    Here are the tail end of log errors in the suricata.log file:

    7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"|27|1|27|=|27|1",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:27288; rev:4; )" from file /usr/local/etc/suricata/suricata_10310_mvneta2/rules/suricata.rules at line 27419
    7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword found inside the rule without a content context. Please use a "content" keyword before using the "http_client_body" keyword
    7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"1%3D1",fast_pattern,nocase; pcre:"/or++1%3D1/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:30040; rev:3; )" from file /usr/local/etc/suricata/suricata_10310_mvneta2/rules/suricata.rules at line 27420
    7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword found inside the rule without a content context. Please use a "content" keyword before using the "http_client_body" keyword
    7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"%271%27%3D%271",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:30041; rev:3; )" from file /usr/local/etc/suricata/suricata_10310_mvneta2/rules/suricata.rules at line 27421
    7/6/2018 -- 12:10:50 - <Info> -- 1 rule files processed. 17372 rules successfully loaded, 10110 rules failed

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy