So off and on while playing with Security Onion and Squert over the past several months, I have come across the dreaded “PHP Fatal error: Allowed memory size of X bytes exhausted (tried to allocate Y bytes) in /var/www/squert/.inc/callback.php” error when pulling up a full PCAP in either ELSA or Squert. Looking around at different posts via the SO group on Google and on Google itself, I could never “fix” the issue. Most of the time the answer was to do the following:
You’ll need to increase the memory_limit setting in php.ini and restart Apache.
My loaded PHP file is found at “/etc/php5/cli/php.ini”. The default for Security Onion for this setting is “-1”, which by PHP standards means consume as much as you want (got to love excess). But even with this set to “-1”, and “max_execution_time” set to “300”, I would sometimes not be able to read the PCAP. So tonight, after changing tack and looking more at posts dealing with PHP, I stumbled across a post talking about not only changing the “/etc/php5/cli/php.ini” file, but also “/etc/php5/apache2/php.ini”. Once I did that, the same alerts that caused the error messages from OSSEC were no more and I could see the full PCAP!
Just make sure that you change the memory_limit to something like “memory_limit = 1024M” and NOT “memory_limit = 1024MB”, as that will cause issues when trying to run simple commands with PHP (i.e., php -i), as you can see below:
PHP Fatal error: Allowed memory size of 262144 bytes exhausted (tried to allocate 523800 bytes) in Unknown on line 0
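A quick way to check both points above, that every SAPI's php.ini carries the intended memory_limit and that the value uses a suffix PHP's shorthand notation accepts (K, M or G only). This is an added example, not part of the original post; the function names are hypothetical and the file paths in the usage comment are the ones named in the post.

```shell
#!/bin/sh
# Added example (not from the original post): compare memory_limit across
# the php.ini files of different SAPIs and flag values PHP will misread.

# Print the last uncommented memory_limit value in a php.ini file.
get_memory_limit() {
    sed -n 's/^[[:space:]]*memory_limit[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p' "$1" \
        | tr -d '"' | tail -n 1
}

# Classify a value as unlimited, ok, bad-suffix or missing.
classify_limit() {
    case "$1" in
        "") echo missing ;;
        -1) echo unlimited ;;
        *)  if printf '%s\n' "$1" | grep -Eq '^[0-9]+[KkMmGg]?$'; then
                echo ok
            else
                echo bad-suffix    # e.g. 1024MB: only K, M or G may follow the digits
            fi ;;
    esac
}

# Report each file; return 1 if any file is unreadable or has a bad or missing value.
audit_php_ini() {
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "$f: unreadable"; rc=1; continue
        fi
        v=$(get_memory_limit "$f")
        s=$(classify_limit "$v")
        echo "$f: memory_limit=${v:-<unset>} ($s)"
        case "$s" in bad-suffix|missing) rc=1 ;; esac
    done
    return $rc
}

# Usage: sh audit.sh /etc/php5/cli/php.ini /etc/php5/apache2/php.ini
if [ "$#" -gt 0 ]; then
    audit_php_ini "$@"
fi
```

Apache reads its php.ini only at startup, so rerun the check after editing and then restart Apache.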