PHP errors

jc1976 · Mar 25, 2024, 9:26 PM

I completely removed suricata. I initially did a reinstall but it didn't work so i uninstalled completely, rebooted the firewall, and reinstalled.

My problem at the moment is that it's showing up installed but not showing up under services so i can't get into its interface to see anything.

bmeeks · Mar 25, 2024, 9:28 PM

@jc1976 said in PHP errors:

@bmeeks

I completely removed suricata. I initially did a reinstall but it didn't work so i uninstalled completely, rebooted the firewall, and reinstalled.

My problem at the moment is that it's showing up installed but not showing up under services so i can't get into its interface to see anything.

The install did not complete due to the PHP errors. Thus it will not show up under the SERVICES menu. You must remove it under Package Manager and reinstall. But before you do that, be sure you have set the PHP Memory Limit value to something large enough under SYSTEM > ADVANCED > MISC SETTINGS. Read my later edits to my post above.

jc1976 · Mar 25, 2024, 10:13 PM

@bmeeks

that's what i did.

i uninstalled suricata (from within package manager).
verified my php ram settings (2048)
rebooted the firewall.
installed suricata from package manager.

suricata shows up as an installed package.

it does NOT show up under the services menu or under services status.

jc1976 · Mar 25, 2024, 10:14 PM

@bmeeks

also, i'm still getting the php error.

bmeeks · Mar 25, 2024, 10:21 PM

@jc1976 said in PHP errors:

it does NOT show up under the services menu or under services status.

That's because, as I said earlier, the full install procedure is not running to completion. During installation the installer calls a hook script that allows the package to download and install the rules previously configured. When that hook script completes, it returns control to the installer which then, as a last step, creates the menu entry under SERVICES. Because the hook call is crashing, it does not return control to the installer so that it can create the menu entry.

You can probably still call up the Suricata GUI by navigating to <firewall_ip>/suricata/suricata_interfaces.php directly. From there you can examine your rules. You must have a ton of rules enabled to crash the PHP service. Try removing some of them and see if things behave better. Likely nowhere near all of them are required.

Due to the absence of similar posts, I have to assume you are the only user experiencing the problem, so it must be something specific to your setup.

stephenw10 · Mar 25, 2024, 10:32 PM

What are you testing in? We are currently looking at an issue with the POST-INSTALL script not running in 24.03. But that's at upgrade.

smolka_J · Mar 25, 2024, 10:40 PM

@jc1976 If your PHP error now states "Allowed memory size of 2147483648" when PHP limit is set at 2048m at System>Advanced>Misc then that PHP limit number is going to need to be increased a bit higher to accommodate the number of rules enabled, only time it is using this much memory typically is only at install for a few seconds until all configurations and rules are processed. I set mine to about 3/4ths my total RAM at 24576m. If you're on an ARM model or other limited to only 2-4gb total ram available you may need to make sure enough swap space is present and enabled to be able to raise that PHP memory limit higher to allow it to fully load without ahead of time having to have the option unchecked to save settings on re-install, update then configure from scratch, or like another said disabling enough excess rules will bring the needed number down into playing field as well.

jc1976 · Mar 25, 2024, 11:34 PM

ok, well i gave php 8 gigs of ram to work with. put "8192" in the php settings, and rebooted.

my firewall has 32gigs of ram, plus a 32Gig swap partition so there's more than enough ram to work with.

installed suricata via the package manager and the same thing happened; it shows as an installed packaged but it doesn't show up under services and the service doesn't show up under service status.

plus i'm still receiving the error message when i log in.

stephenw10 · Mar 25, 2024, 11:38 PM

In 23.09.1/2.7.2?

bmeeks · Mar 25, 2024, 11:41 PM

@jc1976 said in PHP errors:

it shows as an installed packaged but it doesn't show up under services and the service doesn't show up under service status.

This is a consequence of the PHP error. It has nothing to do with your root cause of the problem. So long as you get the PHP error, then Suricata is NOT going to show up under the SERVICES menu nor in SERVICES STATUS. Forget about repeating this sentence in every post and let's focus on the root cause -- the PHP error.

What exactly, verbatim, is the PHP error that you receive now?

And what version of the Suricata package are you attempting to install?

jc1976 · Mar 25, 2024, 11:59 PM

PHP errors

PHP ERROR: Type: 1, File: /usr/local/pkg/suricata/suricata.inc, Line: 2452, Message: Allowed memory size of 536870912 bytes exhausted (tried to allocate 4096 bytes) @ 2024-03-25 19:48:00

that is it verbtim.

it seems that suricata still might not respect the php settings.

As i stated previously, I set the php memory limit to 8 Gigs.

in this last go-around I performed the following:

-Uninstalled suricata (via the package manager)
-WinSCP'd into the firewall and deleted every trace of suricata (files, folders, etc)
-deleted the package cache in the temp directory
-Cleared/reset fw log files..

so basically, cleared out anything i couldn't find to be critical.

-rebooted the firewall
-logged in, winscp'd in to verify that there weren't any files/folders pertaining to suricata.. there were not..

Back to the package installer, ran it and it gave me the same error message that i copied and pasted above.

jc1976 · Mar 26, 2024, 12:07 AM

PHP errors

PHP ERROR: Type: 1, File: /usr/local/pkg/suricata/suricata.inc, Line: 2452, Message: Allowed memory size of 536870912 bytes exhausted (tried to allocate 4096 bytes) @ 2024-03-25 19:48:00

that is it verbtim.

it seems that suricata still might not respect the php settings.

As i stated previously, I set the php memory limit to 8 Gigs.

in this last go-around I performed the following:

-Uninstalled suricata (via the package manager)
-WinSCP'd into the firewall and deleted every trace of suricata (files, folders, etc)
-deleted the package cache in the temp directory
-Cleared/reset fw log files..

so basically, cleared out anything i couldn't find to be critical.

-rebooted the firewall
-logged in, winscp'd in to verify that there weren't any files/folders pertaining to suricata.. there were not..

Back to the package installer, ran it and it gave me the same error message that i copied and pasted above.

bmeeks · Mar 26, 2024, 2:16 AM

@jc1976:
But you have not told me what version you are attempting to install. Is it 7.0.4?

Post the first two dozen lines of code from the file /usr/local/pkg/suricata/suricata.inc and let me see what version is actually there.

I'm specifically looking for these lines:

// Suricata GUI needs at least 512MB to manipulate large rules arrays
if (get_php_default_memory() < 512)
	ini_set("memory_limit", "512M");

bmeeks · Mar 26, 2024, 12:28 AM

I found an error in the new code that prevents it from honoring the user-set limit. I will need to submit a fix for the Netgate team to review and merge.

bmeeks · Mar 26, 2024, 1:31 AM

Look for a package update to 7.0.4_1 to post in the near future. I've sent a review request to the Netgate developers. Here is the pull request: https://github.com/pfsense/FreeBSD-ports/pull/1360.

jc1976 · Mar 26, 2024, 2:16 AM

@bmeeks

yes, 7.0.4, latest in the package manager. all was working fine up until today, it's really odd. i updated it to the latest version when it came out. I tend to apply updates when they are made available.

keep in mind i had edited the "512" to 2048 as instructed to resolve a php error in the previous version. The only reason why it says 512 now is because i figured i had nothing to lose if i tried to set it back to the default.. Also, i found it odd that setting my php to 2048 (of whatever i set it to) didn't translate to that line. It seems like it's holding onto a setting somewhere. as i previously stated, i deleted every suricata file that i could find in doing a search through winscp. i know sometimes files get 'locked' and keep reappearing even after being deleted.

as requested:

<?php
/*

suricata.inc
part of pfSense (https://www.pfsense.org)
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

require_once("pfsense-utils.inc");
require_once("config.inc");
require_once("globals.inc");
require_once("functions.inc");
require_once("services.inc");
require_once("service-utils.inc");
require_once("pkg-utils.inc");
require_once("filter.inc");
require_once("notices.inc");
require_once("util.inc");
require_once("xmlrpc_client.inc");
require_once("openvpn.inc");
require("/usr/local/pkg/suricata/suricata_defs.inc");

global $g;

// Suricata GUI needs at least 512MB to manipulate large rules arrays
if (get_php_default_memory($ARCH) < 512)
ini_set("memory_limit", "512M");

function suricata_generate_id() {

while (true) {
	$suricata_uuid = mt_rand(1, 65535);
	foreach (config_get_path('installedpackages/suricata/rule', []) as $value) {
		if ($value['uuid'] == $suricata_uuid) {
			continue 2;
		}
	}
	break;
}

return $suricata_uuid;

}

bmeeks · Mar 26, 2024, 2:22 AM

@jc1976:
See my post immediately above your last one. The new code contained a logic error. A fix for that has been submitted and a new package version 7.0.4_1 should appear soon (after the Netgate team reviews and merges my change).

It likely worked for you immediately after updating because it found and used your modified suricata.inc file from the PHP cache. Subsequent runs of the update code would have used the newly installed suricata.inc file (the one with the logic error) because those subsequent runs will be a new PHP session and will not use the cached file.

Long story short is there is nothing you can do on the install side until the updated package is posted (the 7.0.4_1 version).

jc1976 · Mar 26, 2024, 2:54 AM

@bmeeks

so basically uninstall suricata completely and wait for the update?

Thanks!!

bmeeks · Mar 26, 2024, 3:01 AM

@jc1976 said in PHP errors:

@bmeeks

so basically uninstall suricata completely and wait for the update?

Thanks!!

Yes, or if you care to try, you can make the edit as shown in the git diff here:

[https://github.com/pfsense/FreeBSD-ports/pull/1360/commits/cd8e87d4f365cbb3f5ac7fc997001569c9e840aa](https://github.com/pfsense/FreeBSD-

and then navigate to <firewall_ip>/suricata/suricata_interfaces.php and start the instances from the GUI. When the package update comes out, then you can remove and reinstall.

bmeeks · Mar 26, 2024, 7:45 PM

A new Suricata package containing a fix for this should be available now. The new version is 7.0.4_1.