[bug] snort 4.1.2_3 on pfsense 2.4.5-p1

hrv231

Hello,

Having snort configured, when I go to one of my interfaces, ex. SERVERS Rules, and choose in the "Category Selection" the active.rules, a blank webpage shows up, going back to the dashboard says pfSense has detected a crash report.
Below is the report:

[12-May-2021 16:37:43 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 402653184 bytes exhausted (tried to allocate 62806170 bytes) in /usr/local/www/csrf/csrf-magic.php on line 161
[12-May-2021 16:47:51 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 402653184 bytes exhausted (tried to allocate 62806170 bytes) in /usr/local/www/csrf/csrf-magic.php on line 161

Another one from today:

amd64
11.3-STABLE
FreeBSD 11.3-STABLE #243 abf8cba50ce(RELENG_2_4_5): Tue Jun  2 17:53:37 EDT 2020     root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/sources/FreeBSD-src/sys/pfSense

Crash report details:

PHP Errors:
[13-May-2021 09:03:57 America/Los_Angeles] PHP Fatal error:  Allowed memory size of 402653184 bytes exhausted (tried to allocate 60596290 bytes) in /usr/local/www/csrf/csrf-magic.php on line 161

Running pfSense with 3GB of RAM, and the widget shows that my memory usage is 53%.

If there is anything else you need from me to help with this, let me know.

This is my first post here, I don't know if this is the right area to report a bug.
I went to github to create an issue but there is no option to do that there, so I'm not sure where do I go to report a bug.

Thanks.

bmeeks

This is not a bug. It is just the reality that PHP on pfSense has a finite amount of available memory for loading data, and when that memory is exhausted, you will get this error. The PHP memory is not related to the amount of RAM in the firewall. It is a hard-coded value set by pfSense at boot-up.

You are seeing this issue because you must have enabled nearly all the available rules. The PHP code must first read the entire file into memory before sending it out as web text for display. When the file is too large, there is not enough memory to hold the entire contents as a string and thus the error is thrown.

Snort is not the only impacted package. Others have the same issue when attempting to load and view very, very large files.

hrv231

@bmeeks
Thank you for your time and help!

Does it matter to leave it as it is, or do you recommend to edit some php files and hardcode a new memory number, and then reboot pfsense?

bmeeks

@hrv231 said in [bug] snort 4.1.2_3 on pfsense 2.4.5-p1:

@bmeeks
Thank you for your time and help!

Does it matter to leave it as it is, or do you recommend to edit some php files and hardcode a new memory number, and then reboot pfsense?

Any change you made would get overwritten with the next pfSense update. I would just leave it as is. You should still be able to open and view the individual rules files. Or another option is to get to a shell prompt (via the console or SSH), and then view the file in vi. You can find the file in /usr/local/etc/snort/snort_xxxx/rules/snort.rules. The "xxxx" part will be the physical interface name and a UUID value.