4. Possible cause of PHP mem alloc crash when viewing suricata.log file

Possible cause of PHP mem alloc crash when viewing suricata.log file


  • I started having PHP alloc issues which would shut down WAN scanning when I enabled Blocking. When trying to view the suricata.log file, I'd get a PHP crash.

    I had to uninstall suricata and delete all log files and try again.

    Now I'm seeing this when then public filters are parsed. It seems that the log is filling up so quickly that the web UI can't handle it and it crashes.

    Here are the tail end of log errors in the suricata.log file:

    7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"|27|1|27|=|27|1",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:27288; rev:4; )" from file /usr/local/etc/suricata/suricata_10310_mvneta2/rules/suricata.rules at line 27419
    7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword found inside the rule without a content context. Please use a "content" keyword before using the "http_client_body" keyword
    7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"1%3D1",fast_pattern,nocase; pcre:"/or++1%3D1/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:30040; rev:3; )" from file /usr/local/etc/suricata/suricata_10310_mvneta2/rules/suricata.rules at line 27420
    7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword found inside the rule without a content context. Please use a "content" keyword before using the "http_client_body" keyword
    7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"%271%27%3D%271",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:30041; rev:3; )" from file /usr/local/etc/suricata/suricata_10310_mvneta2/rules/suricata.rules at line 27421
    7/6/2018 -- 12:10:50 - <Info> -- 1 rule files processed. 17372 rules successfully loaded, 10110 rules failed

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy