February 2023 archive

Large rule sets in Snort on pfSense cause PHP memory crash

Ran into an issue with Snort on pfSense where the PHP memory limit set in /usr/local/pkg/snort/snort.inc is too low for large rule sets, and the service crashes shortly after launch.

The value that needs to be increased is the memory_limit passed to ini_set() near the top of the file (shown below already raised to 4096M).

<?php
/*
 * snort.inc
 *
 * part of pfSense (https://www.pfsense.org)
 * Copyright (c) 2006-2023 Rubicon Communications, LLC (Netgate)
 * Copyright (c) 2009-2010 Robert Zelaya
 * Copyright (c) 2013-2022 Bill Meeks
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

require_once("pfsense-utils.inc");
require_once("config.inc");
require_once("functions.inc");
require_once("service-utils.inc"); // Need this to get RCFILEPREFIX definition
require_once("pkg-utils.inc");
require_once("filter.inc");
require_once("xmlrpc_client.inc");
require("/usr/local/pkg/snort/snort_defs.inc");

// Snort GUI needs some extra PHP memory space to manipulate large rules arrays
ini_set("memory_limit", "4096M");

// Explicitly declare this as global so it works through function call includes
global $g, $rebuild_rules;

/* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */
$rebuild_rules = false;


If the limit is too low, PHP logs a fatal error like this while the Snort package is loading the rules (402653184 bytes is a 384M limit):

[25-Jan-2023 20:25:20 America/New_York] PHP Fatal error: Allowed memory size of 402653184 bytes exhausted (tried to allocate 12288 bytes) in /usr/local/pkg/snort/snort.inc on line 1093

The file is overwritten each time the package is updated, so the change has to be reapplied after every update.

N.B. The package install itself also fails to complete because of the memory exhaustion. You can work around this by going into Snort and removing a character from your oinkcode before installing: the rule set then cannot be downloaded and the install completes, since it is the enumeration of the rules that fills the memory. Restore the oinkcode after raising the limit so the rules can be fetched again.
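Because the edit has to be repeated after every package update, it helps to script it. The following is an added example, not code from the post or from the pfSense Snort package: a small POSIX sh script for the pfSense shell that reads the current memory_limit out of snort.inc, raises it only if it is below the value you want, and also decodes the byte count from a PHP "Allowed memory size" log line so you can see what the limit was when it crashed. It assumes the file contains a single line of the form ini_set("memory_limit", "NNNM"); as shown above, and the path /usr/local/pkg/snort/snort.inc is the one from the post (override it with the SNORT_INC environment variable). The sample file and log line used for checking are constructed copies of what the post shows.

```shell
#!/bin/sh
# Added example (not from the original post or the pfSense Snort package).
# Reapply the PHP memory_limit in snort.inc after a package update.
# Assumes a single line of the form:  ini_set("memory_limit", "NNNM");

# Path from the post; override with SNORT_INC=/other/path if needed.
SNORT_INC="${SNORT_INC:-/usr/local/pkg/snort/snort.inc}"

# The fatal error line quoted in the post, kept here as a constructed sample input.
SAMPLE_ERROR='[25-Jan-2023 20:25:20 America/New_York] PHP Fatal error: Allowed memory size of 402653184 bytes exhausted (tried to allocate 12288 bytes) in /usr/local/pkg/snort/snort.inc on line 1093'

# Print the memory_limit value currently set in the given snort.inc (e.g. 384M).
current_limit() {
    sed -n 's/^[[:space:]]*ini_set("memory_limit",[[:space:]]*"\([0-9]*[MG]\)");.*$/\1/p' "$1" | head -n 1
}

# Convert a PHP shorthand size (384M, 4G) or a plain byte count to megabytes.
to_megabytes() {
    case "$1" in
        *G) echo $(( ${1%G} * 1024 )) ;;
        *M) echo "${1%M}" ;;
        *)  echo $(( $1 / 1048576 )) ;;
    esac
}

# Extract the limit in bytes from a PHP "Allowed memory size of N bytes" log line on stdin.
limit_from_error() {
    sed -n 's/.*Allowed memory size of \([0-9][0-9]*\) bytes.*/\1/p'
}

# Rewrite the ini_set line in file $1 to limit $2 unless it is already at least that high.
# Exit status: 0 = file changed (a .bak copy is left beside it), 1 = already sufficient,
# 2 = no memory_limit line found (the package layout changed; do not guess).
ensure_limit() {
    local file="$1" want="$2" have
    have=$(current_limit "$file")
    [ -n "$have" ] || return 2
    if [ "$(to_megabytes "$have")" -ge "$(to_megabytes "$want")" ]; then
        return 1
    fi
    # -i.bak works the same on FreeBSD (pfSense) sed and GNU sed.
    sed -i.bak 's/^\([[:space:]]*ini_set("memory_limit",[[:space:]]*\)"[0-9]*[MG]"/\1"'"$want"'"/' "$file"
    return 0
}

# Only touch the real file when explicitly asked, e.g.:  sh snort-memlimit.sh --apply 4096M
if [ "${1:-}" = "--apply" ]; then
    want="${2:-4096M}"
    echo "crash log reported limit: $(printf '%s\n' "$SAMPLE_ERROR" | limit_from_error) bytes"
    ensure_limit "$SNORT_INC" "$want"
    case $? in
        0) echo "raised memory_limit in $SNORT_INC to $want" ;;
        1) echo "memory_limit in $SNORT_INC is already $(current_limit "$SNORT_INC")" ;;
        2) echo "no ini_set(\"memory_limit\") line found in $SNORT_INC" >&2; exit 2 ;;
    esac
fi
```

Run it with --apply after each Snort package update (or hook it into whatever you already use to reapply local changes on pfSense). It deliberately refuses to guess when the ini_set line is missing, since that would mean the package layout has changed and the post's fix no longer applies as written.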