Crash while trying to download Suricata logs



  • I am trying to download my Suricata logs from an interface that has been running for a while. I've tried in two different web browsers and the results are the same.

    On the Alerts tab I click Download and there is about a 30 second pause before anything happens. Then I get a pop up asking if I want to save or open the file. I've tried both saving and opening and neither works. If I save the download appears to be complete instantly but the file downloaded is 0kb. If I open I get an error from my zip program.

Each time I do this my pfSense registers the following crash. I submitted it to the developers. Has anyone seen this before with large Suricata logs? I think the size is around 65 MB.

    What other ways can I get the pcap files? I'm assuming ssh/scp will be my best bet?

    Crash report begins.  Anonymous machine information:

    i386
    10.1-RELEASE-p6
    FreeBSD 10.1-RELEASE-p6 #0 b69ba8f(releng/10.1)-dirty: Fri Mar 13 08:41:17 CDT 2015    root@pfs22-i386-builder:/usr/obj.i386/usr/pfSensesrc/src/sys/pfSense_SMP.10

    Crash report details:

    PHP Errors:
    [08-Apr-2015 16:36:38 US/Pacific-New] PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted (tried to allocate 137986381 bytes) in /usr/local/www/csrf/csrf-magic.php on line 157



  • The memory of the PHP process for Suricata is being exhausted.  That is currently hard-coded for 256 MB in the file /usr/local/pkg/suricata/suricata.inc.  You can edit that file and try bumping up the value.

    The line is near the top of that file and looks like this:

[code]
// Suricata GUI needs some extra PHP memory space to manipulate large rules arrays
ini_set("memory_limit", "256M");
[/code]
    
    Try changing the 256M to something larger like maybe 384M or 512M.  You should not have to restart the firewall.  Don't get too carried away with increasing that value, though.  Too much and you risk crashing pfSense itself.
    
    Bill
    


  • @bmeeks:

    The memory of the PHP process for Suricata is being exhausted.  That is currently hard-coded for 256 MB in the file /usr/local/pkg/suricata/suricata.inc.  You can edit that file and try bumping up the value.

    Thanks Bill. Do you happen to know if the Snort package has the same limitation? If so is manually bumping the memory of the PHP process for Snort an option too?



  • @jeffh:

    @bmeeks:

    The memory of the PHP process for Suricata is being exhausted.  That is currently hard-coded for 256 MB in the file /usr/local/pkg/suricata/suricata.inc.  You can edit that file and try bumping up the value.

    Thanks Bill. Do you happen to know if the Snort package has the same limitation? If so is manually bumping the memory of the PHP process for Snort an option too?

    Yes, both packages share a lot of the same code.  The parameter is set in the /usr/local/pkg/snort/snort.inc file for Snort.

    Bill

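The edit Bill describes above (for suricata.inc, and the same line in snort.inc) can be made from the pfSense shell with a small script that keeps a backup, refuses a malformed or lower value, and caps the increase so the "don't get too carried away" warning is enforced. This is an added example, not code from the thread or from the pfSense packages; the 512 MB cap and the sample file contents are assumptions for illustration, and the script is written without `sed -i` so it behaves the same on FreeBSD and GNU sed.

```shell
#!/bin/sh
# Added example: raise the hard-coded PHP memory_limit in a pfSense IDS
# package .inc file (/usr/local/pkg/suricata/suricata.inc or
# /usr/local/pkg/snort/snort.inc). Not part of either package.

# Print the memory_limit currently set in FILE, e.g. "256M" (empty if absent).
php_memory_limit_get() {
    sed -n 's/^[[:space:]]*ini_set("memory_limit", *"\([0-9][0-9]*[MG]\)");.*/\1/p' "$1" | head -n 1
}

# Convert "384M" or "1G" to a plain megabyte count for comparisons.
mb_of() {
    case "$1" in
        *G) echo $(( ${1%G} * 1024 )) ;;
        *M) echo "${1%M}" ;;
        *)  echo 0 ;;
    esac
}

# php_memory_limit_set FILE NEWLIMIT [MAXMB]
# Rewrites the ini_set line in FILE to NEWLIMIT, keeping FILE.bak.
# Return codes: 2 malformed value, 3 no ini_set line found,
# 4 value not larger than the current one, 5 above MAXMB (assumed 512),
# 6 the rewrite did not take effect.
php_memory_limit_set() {
    file=$1; new=$2; maxmb=${3:-512}
    echo "$new" | grep -Eq '^[0-9]+[MG]$' || return 2
    cur=$(php_memory_limit_get "$file")
    [ -n "$cur" ] || return 3
    [ "$(mb_of "$new")" -gt "$(mb_of "$cur")" ] || return 4
    [ "$(mb_of "$new")" -le "$maxmb" ] || return 5
    cp "$file" "$file.bak"
    # $new is already validated as digits plus M/G, so it is safe inside the sed expression.
    sed 's/\(ini_set("memory_limit", *"\)[0-9][0-9]*[MG]"/\1'"$new"'"/' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    [ "$(php_memory_limit_get "$file")" = "$new" ] || return 6
}

# Constructed stand-in for the top of suricata.inc, so the script can be
# exercised without touching a real firewall.
make_sample_inc() {
    cat > "$1" <<'EOF'
<?php
/* constructed sample, not the real package file */
require_once("config.inc");

// Suricata GUI needs some extra PHP memory space to manipulate large rules arrays
ini_set("memory_limit", "256M");
EOF
}

# Stand-alone demo: ./bump_php_mem.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_inc "$d/suricata.inc"
    echo "before: $(php_memory_limit_get "$d/suricata.inc")"
    php_memory_limit_set "$d/suricata.inc" 384M
    echo "after:  $(php_memory_limit_get "$d/suricata.inc") (backup in $d/suricata.inc.bak)"
    rm -rf "$d"
fi
```

On a real box the call is `php_memory_limit_set /usr/local/pkg/suricata/suricata.inc 384M` (or the snort.inc path); the next GUI request picks up the new limit, and `.bak` lets you revert if the larger allocation makes the firewall unstable. For an archive in the tens of megabytes it is still worth copying the log directory out with scp, as the original poster suggests, rather than pushing the whole file through PHP.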
