Ran into an issue in Snort on pfSense where the memory limit specified in \/usr\/local\/pkg\/snort\/snort.inc is insufficient and the service will crash shortly after launch.<\/p>\n
The part that needs to be increased is bolded.<\/p>\n
<?php
\n\/*
\n* snort.inc
\n*
\n* part of pfSense (https:\/\/www.pfsense.org)
\n* Copyright (c) 2006-2023 Rubicon Communications, LLC (Netgate)
\n* Copyright (c) 2009-2010 Robert Zelaya
\n* Copyright (c) 2013-2022 Bill Meeks
\n* All rights reserved.
\n*
\n* Licensed under the Apache License, Version 2.0 (the “License”);
\n* you may not use this file except in compliance with the License.
\n* You may obtain a copy of the License at
\n*
\n* http:\/\/www.apache.org\/licenses\/LICENSE-2.0
\n*
\n* Unless required by applicable law or agreed to in writing, software
\n* distributed under the License is distributed on an “AS IS” BASIS,
\n* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\n* See the License for the specific language governing permissions and
\n* limitations under the License.
\n*\/<\/p>\nrequire_once(“pfsense-utils.inc”);
\nrequire_once(“config.inc”);
\nrequire_once(“functions.inc”);
\nrequire_once(“service-utils.inc”); \/\/ Need this to get RCFILEPREFIX definition
\nrequire_once(“pkg-utils.inc”);
\nrequire_once(“filter.inc”);
\nrequire_once(“xmlrpc_client.inc”);
\nrequire(“\/usr\/local\/pkg\/snort\/snort_defs.inc”);<\/p>\n\/\/ Snort GUI needs some extra PHP memory space to manipulate large rules arrays
\nini_set(“memory_limit”, “4096M”);<\/strong><\/p>\n\/\/ Explicitly declare this as global so it works through function call includes
\nglobal $g, $rebuild_rules;<\/p>\n\/* Rebuild Rules Flag — if “true”, rebuild enforcing rules and flowbit-rules files *\/
\n$rebuild_rules = false;<\/p><\/blockquote>\n<\/p>\n
If that limit is too low, Snort will produce this error when it’s loading:<\/p>\n
[25-Jan-2023 20:25:20 America\/New_York] PHP Fatal error: Allowed memory size of 402653184 bytes exhausted (tried to allocate 12288 bytes) in \/usr\/local\/pkg\/snort\/snort.inc on line 1093<\/p><\/blockquote>\n
The file is overwritten each time the pkg is updated so you have to make this change each time.<\/p>\n
N.B. The install doesn’t complete due to memory exhaustion, you can prevent this by going into Snort and removing a character from your oinkcode. This will prevent the rule set from being downloaded and allow the install to complete since it’s the enumeration of rules that fills the memory.<\/p>\n","protected":false},"excerpt":{"rendered":"
Ran into an issue in Snort on pfSense where the memory limit specified in \/usr\/local\/pkg\/snort\/snort.inc is insufficient and the service will crash shortly after launch. The part that needs to be increased is bolded. <?php \/* * snort.inc * * part of pfSense (https:\/\/www.pfsense.org) * Copyright (c) 2006-2023 Rubicon Communications, LLC (Netgate) * Copyright (c) … <\/p>\n