Large rule sets in Snort on pfSense cause PHP memory crash

Ran into an issue in Snort on pfSense where the memory limit specified in /usr/local/pkg/snort/ is insufficient and the service will crash shortly after launch.

The part that needs to be increased is bolded.

* part of pfSense (
* Copyright (c) 2006-2023 Rubicon Communications, LLC (Netgate)
* Copyright (c) 2009-2010 Robert Zelaya
* Copyright (c) 2013-2022 Bill Meeks
* All rights reserved.
* Licensed under the Apache License, Version 2.0 (the “License”);
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an “AS IS” BASIS,
* See the License for the specific language governing permissions and
* limitations under the License.

require_once(“”); // Need this to get RCFILEPREFIX definition

// Snort GUI needs some extra PHP memory space to manipulate large rules arrays
ini_set(“memory_limit”, “4096M”);

// Explicitly declare this as global so it works through function call includes
global $g, $rebuild_rules;

/* Rebuild Rules Flag — if “true”, rebuild enforcing rules and flowbit-rules files */
$rebuild_rules = false;


If that limit is too low, Snort will produce this error when it’s loading:

[25-Jan-2023 20:25:20 America/New_York] PHP Fatal error: Allowed memory size of 402653184 bytes exhausted (tried to allocate 12288 bytes) in /usr/local/pkg/snort/ on line 1093

The file is overwritten each time the pkg is updated so you have to make this change each time.

N.B. The install doesn’t complete due to memory exhaustion, you can prevent this by going into Snort and removing a character from your oinkcode. This will prevent the rule set from being downloaded and allow the install to complete since it’s the enumeration of rules that fills the memory.


    • MikeInNYC on May 15, 2024 at 3:22:33 am EDT
    • Reply

    There’s an easier way since the .php memory change wasn’t taking a larger ram size adjustment.
    I found out why those changes were not taking because of this line – get_php_default_memory!

    Well default memory is a weak 512M so let’s change that GLOBALLY so we can open larger Alias IP Blocks like USA IPS loading in the alias.
    Backup your config first before you make any changes.

    Using the Pfsense GUI go to Diagnostics / Edit File/
    Advanced Users Only

    Go to this file and make changes
    Look for this line // Set memory limit to 512M on amd64.
    here is the code below we need to change.

    // Set memory limit to 512M on amd64.
    ini_set(“memory_limit”, get_php_default_memory($ARCH) . ‘M’);


    // Set memory limit to a higher value
    ini_set(“memory_limit”, “4096M”);

    SAVE AND REBOOT. do not hit load just reboot.

    You should be able to load larger alias ips lists without crashing out of memory when you have plenty of ram.
    I eventually chose to increase the value to 8M due to available memory of 32gigs. Loads longer times for larger files but ok.
    ini_set(“memory_limit”, “8192M”);

    I hope this helps someone with RAM get out of default 512M memory limits.
    Version 2.7.2-RELEASE (amd64)
    built on Wed Dec 6 15:10:00 EST 2023
    FreeBSD 14.0-CURRENT

    The system is on the latest version.
    Version information updated at Wed May 15 3:19:18 EDT 2024

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.