Suricata PHP Error

styxl · Jul 16, 2024, 1:26 AM

Same thing is happening with me

Jul 15 21:18:19 Scimitar php-cgi[14408]: suricata_check_for_rule_updates.php: PHP ERROR: Type: 1, File: /usr/local/pkg/suricata/suricata.inc, Line: 1064, Message: Allowed memory size of 536870912 bytes exhausted (tried to allocate 4096 bytes)
Jul 15 21:18:19 Scimitar php-cgi[14408]: suricata_check_for_rule_updates.php: New alert found: PHP ERROR: Type: 1, File: /usr/local/pkg/suricata/suricata.inc, Line: 1064, Message: Allowed memory size of 536870912 bytes exhausted (tried to allocate 4096 bytes)

5p9 · Jul 29, 2024, 3:35 PM

Hey, here the same. After remove / an old settingsremove and clear install with following Settings - the Problem its not gone:

Crash report begins.  Anonymous machine information:

amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_2-n255948-8d2b56da39c: Wed Dec  6 20:45:47 UTC 2023     root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/obj/amd64/StdASW5b/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/F

Crash report details:

PHP Errors:
[29-Jul-2024 12:30:58 Europe/Berlin] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 2097160 bytes) in /usr/local/pkg/suricata/suricata.inc on line 1064
[29-Jul-2024 12:37:16 Europe/Berlin] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 2097160 bytes) in /usr/local/pkg/suricata/suricata.inc on line 1064
[29-Jul-2024 12:37:36 Europe/Berlin] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 2097160 bytes) in /usr/local/pkg/suricata/suricata.inc on line 1064

my small rules after newinstall:

<rulesets>app-layer-events.rules||emerging-3coresec.rules||dnp3-events.rules||emerging-attack_response.rules||dns-events.rules||http-events.rules||emerging-ciarmy.rules||http2-events.rules||ipsec-events.rules||kerberos-events.rules||emerging-current_events.rules||modbus-events.rules||mqtt-events.rules||nfs-events.rules||ntp-events.rules||quic-events.rules||emerging-dshield.rules||rfb-events.rules||smb-events.rules||ssh-events.rules||tls-events.rules||emerging-misc.rules||emerging-scan.rules||emerging-ta_abused_services.rules||emerging-threatview_CS_c2.rules||emerging-web_server.rules||extrarule-AbuseCH-urlhaus_suricata.rules</rulesets>

Settingschnage in /usr/local/pkg/suricata/suricata.inc from 512 to 896, but these value are not helping for me.
Suricata with custom memory_limit crashing on upgrade

What can i do now to bring up my suricata Service?

BR

5p9 · Jul 29, 2024, 3:35 PM

Update to: Suricata PHP Error:

Settingschnage in /usr/local/pkg/suricata/suricata.inc from 512 to 896, but these value are not helping for me.
Suricata with custom memory_limit crashing on upgrade

After the new install without the backup settings it is now posible to use the setting with 896 M and the service are running.
i will check the update cron task whether the value is still there afterwards.

bmeeks · Jul 29, 2024, 7:43 PM

The correct way to handle this is to make the change to the global PHP setting within pfSense itself -- not modifying the Suricata source code files.

Go to SYSTEM > ADVANCED > MISCELLANEOUS menu in pfSense and scroll down to the PHP Settings section as shown below and configure a suitable PHP memory limit:

Put a value in that box larger than 512. If you have sufficient free RAM, try 768 MB or even 1024 MB and save the change.

The Suricata package PHP code was recently modified to check the global pfSense PHP memory limit setting and use the higher of either the value configured there or 512 MB. As the number of enabled rules grows, it is possible the default 512 MB value is not enough free RAM for all the processing tasks needed to build the new rules set.

5p9 · Jul 30, 2024, 4:56 AM

hi @bmeeks
thank you. i had wondered why suricata suddenly couldn't cope with the resources. okay, i have now set my php to 768 as a test (suricata.inc back to default) and set up all interfaces as usual. looks very good so far. thanks for the hint.

bmeeks · Jul 30, 2024, 12:27 PM

@5p9 said in Suricata PHP Error:

hi @bmeeks
thank you. i had wondered why suricata suddenly couldn't cope with the resources. okay, i have now set my php to 768 as a test (suricata.inc back to default) and set up all interfaces as usual. looks very good so far. thanks for the hint.

Could have been that you were sitting on the ragged edge of "just enough" free RAM for PHP, and then a rule update added something that pushed things over the edge. The GUI code does quite a bit of processing when building a new rules file for the Suricata binary portion to consume.

Remember that the rules package vendors are constantly adding, removing, and modifying the rules within their packages. That's why we update them in Suricata - to get their latest changes . Sometimes those updates by the rules package vendors can result in a new issue surfacing.

IDS/IPS administration requires very frequent (and some would say almost constant) attention. It is a admin-intensive package. Most large enterprises, for example, have persons whose sole job is watching and administering only the IDS/IPS. It takes lot of monitoring to review alerts, to review rules updates to see if changes are needed in the IDS/IPS configuration, and to review the IDS/IPS operational logs to look for any anomalies there (various error or warning messages, for example).