Netgate Discussion Forum

    [bug] snort 4.1.2_3 on pfsense 2.4.5-p1

      hrv231

      Hello,

      Having Snort configured, when I go to one of my interfaces, e.g. SERVERS Rules, and choose active.rules in the "Category Selection", a blank webpage shows up; going back to the dashboard, it says pfSense has detected a crash report.
      Below is the report:

      [12-May-2021 16:37:43 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 402653184 bytes exhausted (tried to allocate 62806170 bytes) in /usr/local/www/csrf/csrf-magic.php on line 161
      [12-May-2021 16:47:51 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 402653184 bytes exhausted (tried to allocate 62806170 bytes) in /usr/local/www/csrf/csrf-magic.php on line 161
      

      Another one from today:

      amd64
      11.3-STABLE
      FreeBSD 11.3-STABLE #243 abf8cba50ce(RELENG_2_4_5): Tue Jun  2 17:53:37 EDT 2020     root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/sources/FreeBSD-src/sys/pfSense
      
      Crash report details:
      
      PHP Errors:
      [13-May-2021 09:03:57 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 402653184 bytes exhausted (tried to allocate 60596290 bytes) in /usr/local/www/csrf/csrf-magic.php on line 161
      

      Running pfSense with 3GB of RAM, and the widget shows that my memory usage is 53%.

      If there is anything else you need from me to help with this, let me know.

      This is my first post here; I don't know if this is the right area to report a bug.
      I went to GitHub to create an issue but there is no option to do that there, so I'm not sure where to go to report a bug.

      Thanks.

        bmeeks

        This is not a bug. It is just the reality that PHP on pfSense has a finite amount of available memory for loading data, and when that memory is exhausted, you will get this error. The PHP memory is not related to the amount of RAM in the firewall. It is a hard-coded value set by pfSense at boot-up.

        You are seeing this issue because you must have enabled nearly all the available rules. The PHP code must first read the entire file into memory before sending it out as web text for display. When the file is too large, there is not enough memory to hold the entire contents as a string and thus the error is thrown.

        Snort is not the only impacted package. Others have the same issue when attempting to load and view very, very large files.

          hrv231 @bmeeks

          @bmeeks
          Thank you for your time and help!

          Does it matter to leave it as it is, or do you recommend to edit some php files and hardcode a new memory number, and then reboot pfsense?

            bmeeks @hrv231

            @hrv231 said in [bug] snort 4.1.2_3 on pfsense 2.4.5-p1:

            @bmeeks
            Thank you for your time and help!

            Does it matter to leave it as it is, or do you recommend to edit some php files and hardcode a new memory number, and then reboot pfsense?

            Any change you made would get overwritten with the next pfSense update. I would just leave it as is. You should still be able to open and view the individual rules files. Or another option is to get to a shell prompt (via the console or SSH), and then view the file in vi. You can find the file in /usr/local/etc/snort/snort_xxxx/rules/snort.rules. The "xxxx" part will be the physical interface name and a UUID value.

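As an added example (not part of the original thread or of the Snort package), the shell script below follows the last reply's suggestion of inspecting snort.rules from a shell, but streams the file through awk so it is never held in memory as one string, which is what the PHP page runs out of memory doing. The function names and the sample rules are constructed for illustration; the action keywords are the standard Snort 2.x rule actions.

```shell
#!/bin/sh
# Added example: summarise a Snort rules file in one streaming pass.
# awk holds one line at a time, so memory use does not grow with file size.

# summarize_rules FILE
# Prints "bytes=N enabled=N disabled=N", then one "action=count" line per
# rule action found among the enabled (uncommented) rules.
summarize_rules() {
    file=$1
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 1; }
    bytes=$(wc -c < "$file" | tr -d ' ')
    awk -v bytes="$bytes" '
        BEGIN {
            n = split("alert log pass drop reject sdrop activate dynamic", a, " ")
            for (i = 1; i <= n; i++) known[a[i]] = 1
        }
        /^[ \t]*#/ {            # commented line: disabled rule or plain comment
            line = $0
            sub(/^[ \t]*#+[ \t]*/, "", line)
            split(line, w, /[ \t]+/)
            if (w[1] in known) disabled++
            next
        }
        ($1 in known) { enabled++; per[$1]++ }   # enabled rule
        END {
            printf "bytes=%d enabled=%d disabled=%d\n", bytes, enabled, disabled
            for (i = 1; i <= n; i++)
                if (a[i] in per) printf "%s=%d\n", a[i], per[a[i]]
        }
    ' "$file"
}

# write_sample_rules FILE: constructed sample input, not real rule content.
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample rules file
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample one"; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"sample two"; sid:1000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"sample three"; sid:1000003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"sample four"; sid:1000004; rev:1;)
EOF
}

# Run against a path given on the command line, e.g. the snort.rules file.
if [ $# -gt 0 ]; then summarize_rules "$1"; fi
```

Pass the path of the interface's snort.rules file as the first argument; a high enabled count alongside a large byte size points to the "nearly all rules enabled" situation described in the thread.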