Possible cause of PHP mem alloc crash when viewing suricata.log file



  • I started having PHP alloc issues which would shut down WAN scanning when I enabled Blocking. When trying to view the suricata.log file, I'd get a PHP crash.

    I had to uninstall suricata and delete all log files and try again.

    Now I'm seeing this when the public filters are parsed. It seems that the log is filling up so quickly that the web UI can't handle it and it crashes.

    Here is the tail end of the log errors in the suricata.log file:

    7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"|27|1|27|=|27|1",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:27288; rev:4; )" from file /usr/local/etc/suricata/suricata_10310_mvneta2/rules/suricata.rules at line 27419
    7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword found inside the rule without a content context. Please use a "content" keyword before using the "http_client_body" keyword
    7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"1%3D1",fast_pattern,nocase; pcre:"/or++1%3D1/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:30040; rev:3; )" from file /usr/local/etc/suricata/suricata_10310_mvneta2/rules/suricata.rules at line 27420
    7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword found inside the rule without a content context. Please use a "content" keyword before using the "http_client_body" keyword
    7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"%271%27%3D%271",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:30041; rev:3; )" from file /usr/local/etc/suricata/suricata_10310_mvneta2/rules/suricata.rules at line 27421
    7/6/2018 -- 12:10:50 - <Info> -- 1 rule files processed. 17372 rules successfully loaded, 10110 rules failed
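An added example, not from the original post: a small Python triage script that reads suricata.log line by line and extracts the failed-rule list (sid and rules-file line) plus the loaded/failed totals, so the damage can be sized from the shell instead of loading the whole log in the web UI. The sample lines are constructed and shortened from the excerpt above; the log format it parses is the one shown there.

```python
import re
from collections import Counter

# Constructed sample, shortened from the suricata.log excerpt in the post above.
SAMPLE_LOG = [
    '7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL 1 = 1 - possible sql injection attempt"; http_client_body; content:"|27|1|27|=|27|1",fast_pattern,nocase; sid:27288; rev:4; )" from file /usr/local/etc/suricata/suricata_10310_mvneta2/rules/suricata.rules at line 27419',
    '7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword found inside the rule without a content context. Please use a "content" keyword before using the "http_client_body" keyword',
    '7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL 1 = 1 - possible sql injection attempt"; http_client_body; content:"1%3D1",fast_pattern,nocase; sid:30040; rev:3; )" from file /usr/local/etc/suricata/suricata_10310_mvneta2/rules/suricata.rules at line 27420',
    '7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword found inside the rule without a content context. Please use a "content" keyword before using the "http_client_body" keyword',
    '7/6/2018 -- 12:10:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL 1 = 1 - possible sql injection attempt"; http_client_body; content:"%271%27%3D%271",fast_pattern,nocase; sid:30041; rev:3; )" from file /usr/local/etc/suricata/suricata_10310_mvneta2/rules/suricata.rules at line 27421',
    '7/6/2018 -- 12:10:50 - <Info> -- 1 rule files processed. 17372 rules successfully loaded, 10110 rules failed',
]

# "<date> -- <time> - <Level> -- <message>" is the layout of every line in the excerpt.
LINE_RE = re.compile(r'^(?P<ts>\S+ -- \S+) - <(?P<level>\w+)> -- (?P<msg>.*)$')
ERR_RE = re.compile(r'^\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - (?P<text>.*)$')
# A rejected rule line carries the sid and the line in the rules file it came from.
SIG_RE = re.compile(r'^error parsing signature ".*sid:(?P<sid>\d+);.*" from file (?P<file>\S+) at line (?P<line>\d+)$')
SUMMARY_RE = re.compile(r'(?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed')


def summarize(lines):
    """Reduce a suricata.log stream to error counts, failed rules and the load totals."""
    report = {'errors_by_code': Counter(), 'failed_rules': [], 'reasons': Counter(),
              'loaded': None, 'failed': None, 'unparsed': 0}
    for raw in lines:
        m = LINE_RE.match(raw.rstrip('\n'))
        if not m:
            report['unparsed'] += 1      # keep going; a log this large may hold odd lines
            continue
        msg = m.group('msg')
        if m.group('level') == 'Info':
            s = SUMMARY_RE.search(msg)
            if s:
                report['loaded'], report['failed'] = int(s.group('loaded')), int(s.group('failed'))
            continue
        e = ERR_RE.match(msg)
        if not e:
            continue
        report['errors_by_code'][e.group('code')] += 1
        sig = SIG_RE.match(e.group('text'))
        if sig:
            report['failed_rules'].append((int(sig.group('sid')), int(sig.group('line'))))
        else:
            report['reasons'][e.group('text')] += 1   # the explanation lines, e.g. the http_client_body one
    return report


def failure_ratio(report):
    """Share of rules that failed to load, from the final Info summary line (0.0 if absent)."""
    total = (report['loaded'] or 0) + (report['failed'] or 0)
    return report['failed'] / total if total else 0.0


if __name__ == '__main__':
    r = summarize(SAMPLE_LOG)
    print(f"{len(r['failed_rules'])} rules failed to parse; failure ratio {failure_ratio(r):.1%}")
    for reason, n in r['reasons'].most_common():
        print(n, reason)
```

On a live box, replace `SAMPLE_LOG` with `open('/var/log/suricata/<instance>/suricata.log')`; the reasons counter tells you which keyword problem dominates and the failed-rule list gives the sids to disable or fix.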