[Bro] troubleshooting bro memory usage?

aaron gee-clough lists at g-clef.net
Fri Aug 9 12:30:48 PDT 2013


I've just come across something that implies Bro is caching all DNS 
resolutions that go past it 
(https://bro-tracker.atlassian.net/browse/BIT-964). The bro systems I 
recently put in are in front of our main internal DNS resolvers, so 
almost all of the traffic they see is DNS resolution requests/answers. 
If Bro is caching all DNS, that would go a long way to explaining why 
bro's memory usage is continually increasing for my two sensors.

Is there a way to disable this caching? (or have I misunderstood what 
bro's doing with DNS?)



On 08/02/2013 02:33 PM, aaron gee-clough wrote:
> Hello,
> I've just put in two sensors running bro (with security onion), and am
> having trouble with the bro processes progressively growing in RAM
> usage, until they crash or become unresponsive. For example, I have one
> bro worker process right now that's reached 2.8 GB in 2 hours while
> watching a < 100MB link. None of the other processes
> (manager/proxy/other workers) are anywhere near that...it's just this
> one worker.
> Are there any config options I can enable to attempt to find the cause
> of the memory leak? Also, since I'm confident the link I'm watching is
> missing some traffic (the span it's on is slightly misconfigured at the
> moment), where can I configure protocol timeouts?
> Thanks.
> aaron