PHP Fatal Error: memory exhausted



  • Error:

    Crash report begins.  Anonymous machine information:
    
    amd64
    11.3-STABLE
    FreeBSD 11.3-STABLE #236 21cbb70bbd1(RELENG_2_4_5): Tue Mar 24 15:26:53 EDT 2020     root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/sources/FreeBSD-src/sys/pfSense
    
    Crash report details:
    
    PHP Errors:
    [14-May-2020 05:14:46 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 402653184 bytes exhausted (tried to allocate 59550626 bytes) in /usr/local/www/csrf/csrf-magic.php on line 161
    [14-May-2020 05:20:58 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 402653184 bytes exhausted (tried to allocate 59550626 bytes) in /usr/local/www/csrf/csrf-magic.php on line 161
    [14-May-2020 05:21:59 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 402653184 bytes exhausted (tried to allocate 59550626 bytes) in /usr/local/www/csrf/csrf-magic.php on line 161
    
    
    
    No FreeBSD crash data found.
    

    Steps to reproduce:

    • Goto Services/Snort
    • Under Snort interfaces select WAN edit action
    • Select WAN Rules
    • Choose Category Selection: Active Rules
    • White page shows at this point
    • Go back to main dashboard to see error

    System Version: 2.4.5-RELEASE

    Hoping someone can assist with my issue, thanks.



  • @dlaprade said in PHP Fatal Error: memory exhausted:

    White page shows at this point

    What pfSense hardware do you have? (more than 8 CPU cores?)
    What rules (Snort) and how much do you want to apply to the WAN interface at the same time?
    What kind of NIC is in the hardware?



  • Hardware

    Motherboard:

    Supermicro X11SCL-IF ( Dual GbE LAN with Intel® i210-AT )

    CPU:

    Intel Xeon E-2136 ( 6 core x 2 hardware threads )

    RAM:

    32 gb ECC ( validated with memtest )

    Rules (Snort)
    Current rules

    • All ET Open rules
    • All Snort Text Rules
    • Almost all Snort SO Rules
    • Snort OPENAPI rules: openappid-hacktools.rules

    I did try to change any rules to get the error, I was attempting to view the Active rules section.



  • @dlaprade said in PHP Fatal Error: memory exhausted:

    X11SCL-IF

    Serious hardware (X11SCL-IF), I use this for pfSense. (MBD-M11SDV-4C-LN4F-O, you know Intel is vulnerable in this theme NGFW))
    Have you tried to increase this?

    ff33066d-9be6-4fbb-8d1a-74915026e0aa-image.png



  • You apparently have a ton of the rules selected as active. When you choose to view the "active" rules, that will try to load everything into the available PHP memory space in prelude to dumping it out as an HTML stream. There just is not enough PHP memory space allocated within pfSense to do this when attempting to load very, very large text fields. Same thing happens with log files if you let them get very large.

    This is not really a bug. It's just a fundamental limitation of the underlying technology (the PHP GUI environment). Paging large text files is a bit difficult to program with PHP. All of the packages for now that have need to show text from files simply read the file into a PHP string and then dump that string out as HTML to an open session. So right now you can't view that option if you have large numbers of active rules.

    If you want to view the actual contents of that selection, you will need to get to a shell prompt on the firewall and use CLI tools such as more or cat to dump the text out one screen at the time. Or you can use WinSCP to copy the file off elsewhere for viewing with other editors that can load and work with very large files. The file will be in /usr/local/etc/snort/snort_xxxxx/rules/snort.rules (where xxxxx is a combination of the physical NIC name and a UUID).



  • @dlaprade said in PHP Fatal Error: memory exhausted:

    Hardware

    Motherboard:

    Supermicro X11SCL-IF ( Dual GbE LAN with Intel® i210-AT )

    CPU:

    Intel Xeon E-2136 ( 6 core x 2 hardware threads )

    RAM:

    32 gb ECC ( validated with memtest )

    Rules (Snort)
    Current rules

    • All ET Open rules
    • All Snort Text Rules
    • Almost all Snort SO Rules
    • Snort OPENAPI rules: openappid-hacktools.rules

    I did try to change any rules to get the error, I was attempting to view the Active rules section.

    Unless you have public-facing servers behind pfSense, and a lot of differnt types of them such as DNS, mail, and web, then there is no way you need all the rules categories enabled. Blindly selecting all of the available rules categories shows inexperience with using an IDS/IPS. You need to carefully select the rules that cover the threats to your actual network environment.

    If you do not have a public-facing DNS server, then why do you need to enable DNS server rules? If you don't have a public-facing mail server, then why do you need to enable the SMTP server rules? If you don't have a public-facing web server, then why would you need the web server rules?

    You also show Snort installed on the WAN interface. Again, unless you have public-facing servers providing things like DNS, mail, web services, etc., then you should put Snort on the LAN and not the WAN. The WAN is going to drop all unsolicited inbound traffic by default unless you put specific pass rules on the WAN. When you run the IDS/IPS on the WAN, all internal hosts will show up in the alerts as having your WAN's pubilc IP due to NAT. This will make it very hard to determine which internal host is triggering a given rule. Snort sits between the NIC driver and the rest of the firewall, so on the WAN Snort will see your outbound traffic only after NAT is applied. Thus internal hosts will be masked by the public WAN IP due to NAT. Putting the IDS/IPS on the LAN will let you see the internal hosts in alerts with their native IP addresses.



  • I agree with Bill, that's an awful lot of rules ...
    it can help (old work, but when examined carefully, it can help with ET, for example): https://raw.githubusercontent.com/jflsakfja/suricata-rules/master/list.txt



  • Thank you, I appreciate all the information everyone has given me. I am fairly new to pfsense / firewall configurations. I need to learn more about IDS/IPS setup and configuration.



  • Just for your info, if you’re "new" then you need to know that Bill is the maintainer of the Snort and Suricata package maintainer under thepfSense, so you got advice on the best place :-)





  • @dlaprade said in PHP Fatal Error: memory exhausted:

    Thank you, I appreciate all the information everyone has given me. I am fairly new to pfsense / firewall configurations. I need to learn more about IDS/IPS setup and configuration.

    Nothing wrong with being new to IDS technology. All of us were in the same boat when we started.

    Google can be your research friend as you learn about IDS in general.

    For pfSense setup, here is a suggestion/recommendation I posted some time back for new-to-IDS users: https://forum.netgate.com/topic/141743/best-rules-to-best-protection-in-wan-and-lan-interface/2. It offers some helpful tips for initially getting started. There are some other useful tidbits of info in the other posts within that thread if you read the entire thread.


Log in to reply