[Bro] crash with std::bad_alloc

Robin Sommer robin at icir.org
Wed Nov 5 09:58:57 PST 2008


On Wed, Nov 05, 2008 at 18:22 +0100, Peter Wurzinger wrote:

> terminate called after throwing an instance of 'std::bad_alloc'
>    what():  std::bad_alloc

That sounds like Bro is running out of memory. What's the process'
size just before it crashes and how much memory does the machine
have?

> matches anymore, still the error occurs. My signature file is approx
> 100Kb, contains more than 600 signatures, and all of them look like:

If it's indeed memory exhaustion, then it looks like either a memory
leak in the signature engine or a general problem of handling the
many regexps. Generally, the engine can consume quite a bit of
memory due to the DFAs it builds incrementally. How do your regexps
look like? Do they contain many unanchored subparts (e.g.,
"foo.*bar")? 

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org


More information about the Bro mailing list