Netgate Discussion Forum
Suricata SID Management Rebuild causing PHP Memory Error

  • S
    sgnoc
    last edited by Dec 14, 2022, 5:34 PM

    I've been having a PHP error show up when I try to rebuild all interfaces from the Suricata SID Management screen. This seems to only happen when I try to rebuild most/all of my interfaces. I have Suricata running on 6 interfaces. PFSense is only operating around 55% of my 24G of RAM.

    Here is the error:

    Crash report begins.  Anonymous machine information:
    
    amd64
    12.3-STABLE
    FreeBSD 12.3-STABLE plus-RELENG_22_05-n202700-3ddaea61055 pfSense
    
    Crash report details:
    
    PHP Errors:
    [14-Dec-2022 12:11:13 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 2097160 bytes) in /usr/local/pkg/suricata/suricata.inc on line 1138
    
    
    
    No FreeBSD crash data found.
    

    I've read other topics about Suricata log memory errors, and tried the solution there by increasing the amount of RAM in /etc/inc/config.inc from 512M to 1024M (since I have plenty of RAM). Once I rebooted the system after making the change, it still has the same errors when I try to rebuild the interfaces from the SID Management.

    The change I made was to modify /etc/inc/config.inc:

    // Set memory limit to 512M on amd64.
    if ($ARCH == "amd64") {
    	ini_set("memory_limit", "512M");
    } else {
    	ini_set("memory_limit", "128M");
    }
    

    to

    // Set memory limit to 512M on amd64.
    if ($ARCH == "amd64") {
    	ini_set("memory_limit", "1024M");
    } else {
    	ini_set("memory_limit", "128M");
    }
    

    Are there any options that might lift the memory cap for PHP to prevent these errors from occurring? Or is there some other reason this is happening?

    1 Reply Last reply Reply Quote 0
    • S
      sgnoc
      last edited by Dec 15, 2022, 2:49 AM

      Well, for anyone that might run across the same issue. I know my problem is a larger ruleset for the interfaces on Suricata, so when I try to rebuild multiple interfaces it pushed PHP over the arbitrary 512G memory limit. I found a solution from others with log sizes causing their problem and a solution listed above to increase memory.

      I wasn't thinking, so their solution didn't work for me because I was changing the wrong .inc file. My error was for /usr/local/pkg/suricata/suricata.inc and not /etc/inc/config.inc, which is why it wasn't acting like it increased the memory limit. Once I changed the 512M in suricata.inc to 1024M, I was able to rebuild all of the interfaces at the same time without the error triggering.

      This is probably more of a "hack" solution, but I don't want to modify my SID management files just to fit the memory when I have more than enough memory to spare and it isn't taking that much extra for Suricata to go from 512M to 1G. One thing to note for anyone trying this is to make sure to write a script or a cron job to sed the suricata.inc periodically in case there was a package update that overwrote the system. Here is my cron job:

      sed -i'.inc' -e 's/ini_set("memory_limit", "512M");/ini_set("memory_limit", "1024M");/g' /usr/local/pkg/suricata/suricata.inc
      

      This seems to have solved my issue, but I'll keep an eye out and modify this response in case it occurs again under the same circumstances.

      1 Reply Last reply Reply Quote 1
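
An added example, not part of sgnoc's post or of the Suricata package: a scheduled `sed` like the one above does nothing, silently, if a package update changes the `ini_set` line it matches. This sketch re-applies the same edit and returns a status the caller can alert on. The function name `patch_memory_limit`, the `.bak` backup suffix and the return codes are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the package's code): re-apply the memory_limit edit
# to suricata.inc and report what happened instead of failing silently.
#
# patch_memory_limit FILE [OLD] [NEW]
#   returns 0  line found and rewritten (backup kept as FILE.bak)
#           1  FILE already uses NEW, nothing changed
#           2  neither OLD nor NEW line present: the file changed upstream
#           3  FILE unreadable, or the rewrite failed (original restored)
# OLD and NEW must be plain values such as 512M (no sed metacharacters).
patch_memory_limit() {
    file=$1
    old=${2:-512M}
    new=${3:-1024M}
    have="ini_set(\"memory_limit\", \"$old\");"
    want="ini_set(\"memory_limit\", \"$new\");"

    [ -r "$file" ] || return 3

    if ! grep -qF -- "$have" "$file"; then
        # Nothing to rewrite: either already patched or the line is gone.
        if grep -qF -- "$want" "$file"; then
            return 1
        fi
        return 2
    fi

    # Keep a copy with the original mode and owner, then rewrite from it.
    cp -p "$file" "$file.bak" || return 3
    if ! sed "s/$have/$want/g" "$file.bak" > "$file"; then
        cp -p "$file.bak" "$file"
        return 3
    fi

    # Confirm the new limit is really in place before reporting success.
    grep -qF -- "$want" "$file" || return 2
    return 0
}

# Typical call from a scheduled script (path as given in the post):
#   patch_memory_limit /usr/local/pkg/suricata/suricata.inc
```

A return value of 2 is the case worth logging or mailing: the package no longer contains the line this workaround depends on, so the limit is whatever the new file sets.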
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.