PHP Fatal Error: memory exhausted

dlaprade · May 14, 2020, 2:57 PM

Error:

Crash report begins.  Anonymous machine information:

amd64
11.3-STABLE
FreeBSD 11.3-STABLE #236 21cbb70bbd1(RELENG_2_4_5): Tue Mar 24 15:26:53 EDT 2020     root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/sources/FreeBSD-src/sys/pfSense

Crash report details:

PHP Errors:
[14-May-2020 05:14:46 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 402653184 bytes exhausted (tried to allocate 59550626 bytes) in /usr/local/www/csrf/csrf-magic.php on line 161
[14-May-2020 05:20:58 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 402653184 bytes exhausted (tried to allocate 59550626 bytes) in /usr/local/www/csrf/csrf-magic.php on line 161
[14-May-2020 05:21:59 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 402653184 bytes exhausted (tried to allocate 59550626 bytes) in /usr/local/www/csrf/csrf-magic.php on line 161



No FreeBSD crash data found.

Steps to reproduce:

Goto Services/Snort
Under Snort interfaces select WAN edit action
Select WAN Rules
Choose Category Selection: Active Rules
White page shows at this point
Go back to main dashboard to see error

System Version: 2.4.5-RELEASE

Hoping someone can assist with my issue, thanks.

DaddyGo · May 14, 2020, 3:36 PM

@dlaprade said in PHP Fatal Error: memory exhausted:

White page shows at this point

What pfSense hardware do you have? (more than 8 CPU cores?)
What rules (Snort) and how much do you want to apply to the WAN interface at the same time?
What kind of NIC is in the hardware?

dlaprade · May 14, 2020, 3:46 PM

Hardware

Motherboard:

Supermicro X11SCL-IF ( Dual GbE LAN with Intel i210-AT )

CPU:

Intel Xeon E-2136 ( 6 core x 2 hardware threads )

RAM:

32 gb ECC ( validated with memtest )

Rules (Snort)
Current rules

All ET Open rules
All Snort Text Rules
Almost all Snort SO Rules
Snort OPENAPI rules: openappid-hacktools.rules

I did try to change any rules to get the error, I was attempting to view the Active rules section.

DaddyGo · May 14, 2020, 3:50 PM

@dlaprade said in PHP Fatal Error: memory exhausted:

X11SCL-IF

Serious hardware (X11SCL-IF), I use this for pfSense. (MBD-M11SDV-4C-LN4F-O, you know Intel is vulnerable in this theme NGFW))
Have you tried to increase this?

bmeeks · May 14, 2020, 4:01 PM

You apparently have a ton of the rules selected as active. When you choose to view the "active" rules, that will try to load everything into the available PHP memory space in prelude to dumping it out as an HTML stream. There just is not enough PHP memory space allocated within pfSense to do this when attempting to load very, very large text fields. Same thing happens with log files if you let them get very large.

This is not really a bug. It's just a fundamental limitation of the underlying technology (the PHP GUI environment). Paging large text files is a bit difficult to program with PHP. All of the packages for now that have need to show text from files simply read the file into a PHP string and then dump that string out as HTML to an open session. So right now you can't view that option if you have large numbers of active rules.

If you want to view the actual contents of that selection, you will need to get to a shell prompt on the firewall and use CLI tools such as more or cat to dump the text out one screen at the time. Or you can use WinSCP to copy the file off elsewhere for viewing with other editors that can load and work with very large files. The file will be in /usr/local/etc/snort/snort_xxxxx/rules/snort.rules (where xxxxx is a combination of the physical NIC name and a UUID).

bmeeks · May 14, 2020, 4:11 PM

@dlaprade said in PHP Fatal Error: memory exhausted:

Hardware

Motherboard:

Supermicro X11SCL-IF ( Dual GbE LAN with Intel i210-AT )

CPU:

Intel Xeon E-2136 ( 6 core x 2 hardware threads )

RAM:

32 gb ECC ( validated with memtest )

Rules (Snort)
Current rules

All ET Open rules

All Snort Text Rules

Almost all Snort SO Rules

Snort OPENAPI rules: openappid-hacktools.rules

I did try to change any rules to get the error, I was attempting to view the Active rules section.

Unless you have public-facing servers behind pfSense, and a lot of differnt types of them such as DNS, mail, and web, then there is no way you need all the rules categories enabled. Blindly selecting all of the available rules categories shows inexperience with using an IDS/IPS. You need to carefully select the rules that cover the threats to your actual network environment.

If you do not have a public-facing DNS server, then why do you need to enable DNS server rules? If you don't have a public-facing mail server, then why do you need to enable the SMTP server rules? If you don't have a public-facing web server, then why would you need the web server rules?

You also show Snort installed on the WAN interface. Again, unless you have public-facing servers providing things like DNS, mail, web services, etc., then you should put Snort on the LAN and not the WAN. The WAN is going to drop all unsolicited inbound traffic by default unless you put specific pass rules on the WAN. When you run the IDS/IPS on the WAN, all internal hosts will show up in the alerts as having your WAN's pubilc IP due to NAT. This will make it very hard to determine which internal host is triggering a given rule. Snort sits between the NIC driver and the rest of the firewall, so on the WAN Snort will see your outbound traffic only after NAT is applied. Thus internal hosts will be masked by the public WAN IP due to NAT. Putting the IDS/IPS on the LAN will let you see the internal hosts in alerts with their native IP addresses.

DaddyGo · May 14, 2020, 4:04 PM

I agree with Bill, that's an awful lot of rules ...
it can help (old work, but when examined carefully, it can help with ET, for example): https://raw.githubusercontent.com/jflsakfja/suricata-rules/master/list.txt

dlaprade · May 14, 2020, 4:31 PM

Thank you, I appreciate all the information everyone has given me. I am fairly new to pfsense / firewall configurations. I need to learn more about IDS/IPS setup and configuration.

DaddyGo · May 14, 2020, 4:50 PM

Just for your info, if you’re "new" then you need to know that Bill is the maintainer of the Snort and Suricata package maintainer under thepfSense, so you got advice on the best place :-)

DaddyGo · May 14, 2020, 4:54 PM

To help:

https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions
https://forum.netgate.com/topic/50708/suricata-snort-master-sid-disablesid-conf
https://forum.netgate.com/topic/138613/configuring-pfsense-netmap-for-suricata-inline-ips-mode-on-em-igb-interfaces

and much more.....

bmeeks · May 14, 2020, 4:56 PM

@dlaprade said in PHP Fatal Error: memory exhausted:

Thank you, I appreciate all the information everyone has given me. I am fairly new to pfsense / firewall configurations. I need to learn more about IDS/IPS setup and configuration.

Nothing wrong with being new to IDS technology. All of us were in the same boat when we started.

Google can be your research friend as you learn about IDS in general.

For pfSense setup, here is a suggestion/recommendation I posted some time back for new-to-IDS users: https://forum.netgate.com/topic/141743/best-rules-to-best-protection-in-wan-and-lan-interface/2. It offers some helpful tips for initially getting started. There are some other useful tidbits of info in the other posts within that thread if you read the entire thread.

SysyBorrow · Apr 23, 2022, 2:28 PM

This post is deleted!

Gertjan · Apr 25, 2022, 7:38 AM

This post is deleted!