[Bro] troubleshooting bro memory usage?
lists at g-clef.net
Fri Aug 9 12:30:48 PDT 2013
I've just come across something that implies Bro is caching all DNS
resolutions that go past it
(https://bro-tracker.atlassian.net/browse/BIT-964). The bro systems I
recently put in are in front of our main internal DNS resolvers, so
almost all of the traffic they see is DNS resolution requests/answers.
If Bro is caching all DNS, that would go a long way to explaining why
bro's memory usage is continually increasing for my two sensors.
Is there a way to disable this caching? (or have I mis-understood what
bro's doing with DNS?)
On 08/02/2013 02:33 PM, aaron gee-clough wrote:
> I've just put in two sensors running bro (with security onion), and am
> having trouble with the bro processes progressively growing in RAM
> usage, until they crash or become unresponsive. For example, I have one
> bro worker process right now that's reached 2.8 GB in 2 hours while
> watching a < 100MB link. None of the other processes
> (manager/proxy/other workers) are anywhere near that...it's just this
> one worker.
> Are there any config options I can enable to attempt to find the cause
> of the memory leak? Also, since I'm confident the link I'm watching is
> missing some traffic (the span it's on is slightly mis-configured at the
> moment), where can I configure protocol timeouts?
> Bro mailing list
> bro at bro-ids.org
More information about the Bro