[Bro] troubleshooting bro memory usage?
lists at g-clef.net
Sun Aug 11 05:39:03 PDT 2013
On 8/10/2013 11:19 AM, Seth Hall wrote:
> On Aug 9, 2013, at 3:30 PM, aaron gee-clough <lists at g-clef.net> wrote:
>> Is there a way to disable this caching? (or have I misunderstood what
>> bro's doing with DNS?)
> That's unrelated. It's referring to DNS lookup requests happening at script land. We ran into a case once where someone had written a script that did two reverse hostname lookups for every connection that was established (don't do this, it's *really* not a good idea). Although I should point out that their Bro cluster was running quite well even in the face of that, but I don't think their DNS resolver was very happy about it. :)
Heh. I'll keep that in mind.
> In general, monitoring in front of a DNS resolver should be just fine.
Hmm...that leaves me with my original problem, then: I have two vanilla
securityonion installs (no custom .bro scripts added, just the ones that
came with securityonion), watching just traffic to two different DNS
resolvers...right now one of the worker parent processes (according to
"broctl top") on each securityonion box grows monotonically in RAM usage
until it gets killed by Linux (and is then restarted by broctl's cron job).
Any ideas on where I should start looking to identify what's causing the
worker to grow in RAM like that?
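A first check for the question above, added here as an example and not something from the original thread or from the Bro/Security Onion projects: take the worker PID from "broctl top", sample its resident set size over time, and see whether it only ever goes up (leak-like) or plateaus and fluctuates (normal state-table churn). It reads VmRSS from /proc on Linux (the post mentions the Linux OOM killer); the WORKER_PID variable, the sampling interval and the constructed sample values are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Bro/broctl.
# Assumes Linux /proc and a worker PID copied from "broctl top"
# (passed in via the WORKER_PID variable, an assumption of this example).

# rss_kb PID -> print VmRSS in kB from /proc/PID/status (Linux only);
# prints nothing if the process is gone.
rss_kb() {
    awk '/^VmRSS:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# sample_rss PID INTERVAL COUNT -> one "epoch_seconds kB" line per sample,
# INTERVAL seconds apart; fails if the worker disappears mid-run
# (e.g. OOM-killed and restarted by broctl's cron job under a new PID).
sample_rss() {
    pid=$1; interval=$2; count=$3
    i=0
    while [ "$i" -lt "$count" ]; do
        kb=$(rss_kb "$pid")
        if [ -z "$kb" ]; then
            echo "pid $pid no longer exists (restarted?)" >&2
            return 1
        fi
        echo "$(date +%s) $kb"
        i=$((i + 1))
        [ "$i" -lt "$count" ] && sleep "$interval"
    done
}

# is_monotonic "kb1 kb2 kb3 ..." -> exit 0 if no sample is lower than the
# one before it AND the last is above the first (RSS only ever grows);
# exit 1 if RSS ever dropped, or it never grew at all.
is_monotonic() {
    prev=""; first=""
    for v in $1; do
        [ -z "$first" ] && first=$v
        if [ -n "$prev" ] && [ "$v" -lt "$prev" ]; then
            return 1
        fi
        prev=$v
    done
    [ -n "$first" ] && [ "$prev" -gt "$first" ]
}

# growth_rate "kb1 kb2 ..." INTERVAL -> average growth in kB per second
# across the whole run (integer division); 0 if fewer than two samples.
growth_rate() {
    samples=$1; interval=$2
    n=0; first=""; last=""
    for v in $samples; do
        [ -z "$first" ] && first=$v
        last=$v
        n=$((n + 1))
    done
    if [ "$n" -lt 2 ] || [ "$interval" -le 0 ]; then
        echo 0
        return
    fi
    echo $(( (last - first) / (interval * (n - 1)) ))
}

# Usage: WORKER_PID=<pid from broctl top> sh rss_trend.sh
# Ten samples, 30 s apart, is enough to separate steady growth from churn;
# run it longer if the kill takes hours.
if [ -n "${WORKER_PID:-}" ]; then
    log=$(sample_rss "$WORKER_PID" 30 10) || exit 1
    kbs=$(printf '%s\n' "$log" | awk '{ print $2 }' | tr '\n' ' ')
    printf '%s\n' "$log"
    if is_monotonic "$kbs"; then
        echo "RSS grew at every sample: ~$(growth_rate "$kbs" 30) kB/s"
    else
        echo "RSS fluctuated or plateaued: not a clean monotonic leak"
    fi
fi
```

If the growth rate is steady regardless of traffic volume, the next thing to compare is the per-worker state that scales with DNS traffic (connection and DNS state tables, and any script-level tables keyed on query or answer), since a resolver's traffic keeps those tables busy; if the rate tracks traffic and then plateaus, the worker may simply need more headroom than the box has.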