Large rule sets in Snort on pfSense cause PHP memory crash

Ran into an issue in Snort on pfSense where the memory limit specified in /usr/local/pkg/snort/snort.inc is insufficient and the service will crash shortly after launch.

The part that needs to be increased is the memory_limit value set with ini_set() near the top of the file.

<?php
/*
* snort.inc
*
* part of pfSense (https://www.pfsense.org)
* Copyright (c) 2006-2023 Rubicon Communications, LLC (Netgate)
* Copyright (c) 2009-2010 Robert Zelaya
* Copyright (c) 2013-2022 Bill Meeks
* All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

require_once("pfsense-utils.inc");
require_once("config.inc");
require_once("functions.inc");
require_once("service-utils.inc"); // Need this to get RCFILEPREFIX definition
require_once("pkg-utils.inc");
require_once("filter.inc");
require_once("xmlrpc_client.inc");
require("/usr/local/pkg/snort/snort_defs.inc");

// Snort GUI needs some extra PHP memory space to manipulate large rules arrays
ini_set("memory_limit", "4096M");

// Explicitly declare this as global so it works through function call includes
global $g, $rebuild_rules;

/* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */
$rebuild_rules = false;

If that limit is too low, Snort will produce this error when it’s loading:

[25-Jan-2023 20:25:20 America/New_York] PHP Fatal error: Allowed memory size of 402653184 bytes exhausted (tried to allocate 12288 bytes) in /usr/local/pkg/snort/snort.inc on line 1093

The file is overwritten each time the package is updated, so you have to make this change again after every update.

N.B. The install doesn't complete due to memory exhaustion; you can prevent this by going into Snort and removing a character from your oinkcode. This prevents the rule set from being downloaded and lets the install complete, since it's the enumeration of rules that fills the memory.
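As an added example (not code from the original post or from pfSense/Snort), here is a small POSIX shell script that re-applies the memory_limit override after a package update and decodes the byte count from the error above into MiB so it can be compared with the configured value. The function names are this example's own; the default path is the snort.inc file named in the post, and the self-check runs on a constructed copy of the relevant lines in a temporary directory rather than on the real file.

```sh
#!/bin/sh
# Added example, not code from the original post or from pfSense/Snort.
# Re-applies the PHP memory_limit override in snort.inc (which a package update
# overwrites) and decodes the byte count from the "Allowed memory size" error so
# it can be compared with the configured limit. Function names are this
# example's own; the default path is the one named in the post.
set -eu

SNORT_INC="${SNORT_INC:-/usr/local/pkg/snort/snort.inc}"

# The fatal error quoted in the post; 402653184 bytes is the limit that was hit.
SAMPLE_ERROR='[25-Jan-2023 20:25:20 America/New_York] PHP Fatal error: Allowed memory size of 402653184 bytes exhausted (tried to allocate 12288 bytes) in /usr/local/pkg/snort/snort.inc on line 1093'

# Print the value in ini_set("memory_limit", "..."), e.g. 4096M; print nothing
# if the file has no such line.
current_memory_limit() {
    sed -n 's/^[[:space:]]*ini_set("memory_limit",[[:space:]]*"\([^"]*\)");.*/\1/p' "$1"
}

# Rewrite that line to the requested value (digits plus optional K/M/G suffix),
# keeping a .bak copy. Fails if the line is missing, so an upstream change to
# the file is noticed rather than silently skipped.
set_memory_limit() {
    file="$1"
    want="$2"
    case "$want" in
        ""|*[!0-9KMG]*) echo "bad memory_limit value: $want" >&2; return 1 ;;
    esac
    have=$(current_memory_limit "$file")
    if [ -z "$have" ]; then
        echo "no ini_set(\"memory_limit\", ...) line in $file" >&2
        return 1
    fi
    [ "$have" = "$want" ] && return 0     # already set; nothing to do
    cp "$file" "$file.bak"
    # Write via a temp file instead of sed -i: the -i flag differs between
    # FreeBSD sed (pfSense) and GNU sed.
    sed "s/^\([[:space:]]*ini_set(\"memory_limit\",[[:space:]]*\)\"[^\"]*\"/\1\"$want\"/" \
        "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Extract N from "Allowed memory size of N bytes" and print it in MiB, the unit
# memory_limit uses with the M suffix.
limit_mib_from_error() {
    bytes=$(printf '%s\n' "$1" | sed -n 's/.*Allowed memory size of \([0-9]*\) bytes.*/\1/p')
    [ -n "$bytes" ] || return 1
    echo $((bytes / 1024 / 1024))
}

# Self-check on a constructed snort.inc in a temp directory (no real files touched).
selfcheck() {
    dir=$(mktemp -d)
    printf '<?php\n// constructed sample of the relevant lines\nini_set("memory_limit", "384M");\n' \
        > "$dir/snort.inc"
    set_memory_limit "$dir/snort.inc" 4096M
    after=$(current_memory_limit "$dir/snort.inc")
    mib=$(limit_mib_from_error "$SAMPLE_ERROR")
    rm -rf "$dir"
    [ "$after" = "4096M" ] && [ "$mib" = "384" ]
}

# Usage: sh <this script> apply [VALUE]  (as root on pfSense, after each Snort
# package update); any other invocation only runs the self-check.
case "${1:-}" in
    apply)  set_memory_limit "$SNORT_INC" "${2:-4096M}" ;;
    *)      selfcheck && echo "selfcheck ok" ;;
esac
```

Saved as, say, snort_memlimit.sh, `sh snort_memlimit.sh apply 4096M` run as root re-applies the override; with no arguments it only runs the self-check. The script fails on purpose when the ini_set line is absent, so that a changed upstream file gets looked at instead of being left at the default. Decoding the error's byte count (402653184 bytes is 384M) is what tells you whether the edit actually took effect, since the error reports the limit PHP was really running with.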

1 comment

MikeInNYC on May 15, 2024 at 3:22:33 am EDT

    There's an easier way, since the .php memory change wasn't taking a larger RAM size adjustment.
    I found out why those changes were not taking: because of this line – get_php_default_memory!

    Well, the default memory is a weak 512M, so let's change that GLOBALLY so we can open larger Alias IP Blocks like USA IPs loading in the alias.
    Backup your config first before you make any changes.

    Using the pfSense GUI, go to Diagnostics / Edit File.
    Advanced Users Only.

    Go to this file and make changes:
    /etc/inc/config.inc
    Look for this line: // Set memory limit to 512M on amd64.
    Here is the code below we need to change.

    // Set memory limit to 512M on amd64.
    ini_set("memory_limit", get_php_default_memory($ARCH) . 'M');

    CHANGE TO THIS:

    // Set memory limit to a higher value
    ini_set("memory_limit", "4096M");

    SAVE AND REBOOT. Do not hit Load, just reboot.

    You should be able to load larger alias IP lists without crashing out of memory when you have plenty of RAM.
    I eventually chose to increase the value to 8M due to available memory of 32 gigs. Loads take longer for larger files, but OK.
    ini_set("memory_limit", "8192M");

    I hope this helps someone with RAM get out of default 512M memory limits.
    Version 2.7.2-RELEASE (amd64)
    built on Wed Dec 6 15:10:00 EST 2023
    FreeBSD 14.0-CURRENT

    The system is on the latest version.
    Version information updated at Wed May 15 3:19:18 EDT 2024
