So off and on while playing with Security Onion and Squert over the past several months, I have come across the dreaded “PHP Fatal error: Allowed memory size of X bytes exhausted (tried to allocate Y bytes) in /var/www/squert/.inc/callback.php” error when pulling up a full PCAP in either ELSA or Squert. Looking around at different posts via the SO group on Google and on Google itself, I could never “fix” the issue. Most of the time the answer was to do the following:
You’ll need to increase the memory_limit setting in php.ini and restart Apache.
My loaded PHP file is found at “/etc/php5/cli/php.ini”. The default for Security Onion for this setting is “-1”, which by PHP standards means consume as much as you want (got to love excess). But even with this set to “-1”, and “max_execution_time” set to “300”, I would sometimes not be able to read the PCAP. So tonight, after changing tack and looking more at posts dealing with PHP, I stumbled across a post talking about changing not only the “/etc/php5/cli/php.ini” file, but also “/etc/php5/apache2/php.ini”. Once I did that, the same alerts that caused the error messages from OSSEC were no more and I could see the full PCAP!
Just make sure that you change the memory_limit to something like “memory_limit = 1024M” and NOT “memory_limit = 1024MB”, as that will cause issues when trying to run simple commands with PHP (i.e. php -i), as you can see below:
PHP Fatal error: Allowed memory size of 262144 bytes exhausted (tried to allocate 523800 bytes) in Unknown on line 0
Happy monitoring!
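A quick way to check both php.ini files for the suffix mistake described above. This is an added example, not part of the original post; the helper names (get_memory_limit, classify_limit, audit_php_ini) are hypothetical and the two sample files are constructed stand-ins for the cli and apache2 configs.

```shell
#!/bin/sh
# Added example: audit memory_limit in each PHP SAPI's php.ini.

# Print the last uncommented memory_limit value in FILE (whitespace/quotes stripped).
get_memory_limit() {
    awk '/^[ \t]*memory_limit[ \t]*=/ {
            v = $0
            sub(/^[^=]*=/, "", v)      # drop "memory_limit ="
            sub(/;.*/, "", v)          # drop trailing ini comment
            gsub(/[ \t\r"]/, "", v)    # drop whitespace and quotes
            last = v
         }
         END { if (last != "") print last }' "$1"
}

# PHP accepts -1 (no limit), a byte count, or an integer with a K, M or G suffix.
classify_limit() {
    if [ -z "$1" ]; then echo unset
    elif [ "$1" = "-1" ]; then echo ok
    elif printf '%s\n' "$1" | grep -Eqx '[0-9]+[KMGkmg]?'; then echo ok
    else echo bad-suffix
    fi
}

# Report every file given; return 1 if any value is unset or malformed.
audit_php_ini() {
    rc=0
    for f in "$@"; do
        v=$(get_memory_limit "$f")
        s=$(classify_limit "$v")
        printf '%-28s memory_limit=%-8s %s\n' "$f" "${v:-<none>}" "$s"
        [ "$s" = ok ] || rc=1
    done
    return "$rc"
}

# Demo on constructed files standing in for cli/php.ini and apache2/php.ini.
demo_dir=$(mktemp -d)
printf '; memory_limit = 128M\nmemory_limit = -1\n' > "$demo_dir/cli.ini"
printf 'memory_limit = 1024MB ; typo\n' > "$demo_dir/apache2.ini"
audit_php_ini "$demo_dir/cli.ini" "$demo_dir/apache2.ini" || echo "fix the flagged file(s), then restart Apache"
rm -rf "$demo_dir"
```

On the system from this post, the call would be: audit_php_ini /etc/php5/cli/php.ini /etc/php5/apache2/php.ini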
+1 to that… same issue… problem solved. My error:
”
[Sun Jan 14 18:30:53.837165 2018] [:error] [pid 811] [client 192.168.1.252:62510] PHP Fatal error: Allowed memory size of 367001600 bytes exhausted (tried to allocate 72 bytes) in /var/www/so/capme/.inc/callback.php on line 66, referer: http://192.168.1.3/capme/?sip=172.98.93.37&dip=192.168.1.112&spt=59335&dpt=52442&stime=1515937867&etime=1515945067&filename=squert
”
Resolved by only editing the /etc/php5/apache2/php.ini