[Bro] troubleshooting bro memory usage?
robin at icir.org
Tue Aug 13 08:15:57 PDT 2013
On Tue, Aug 13, 2013 at 10:27 -0400, aaron gee-clough wrote:
> coming from securityonion's scripts. I then started adding the
> SecurityOnion rules back in one by one, adding a ton of Reporter::warn
> statements, and watching the reporter.log.
Can you send a sample of those message? How much is a ton? :)
There's a known memory leak in Bro when the script interpreter reports
certain errors in script code. If this happens very often, it could
explain what you're seeing (unfortunately the leak is hard to fix, but
the messages usually indicate a problem in the corresponding script in
the first place).
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin
More information about the Bro