[Bro] troubleshooting bro memory usage?

aaron gee-clough lists at g-clef.net
Wed Aug 14 13:12:43 PDT 2013


Thanks. Of the two boxes I have, one got better when I changed the 
hostname (have no idea why that helped, but it's been stable across 
reboots and restarts since then...perhaps luck). The other one I'm still 
working on.

aaron

On 08/14/2013 02:08 PM, Tritium Cat wrote:
> Here's a suggestion that has helped me in the past, disable all 
> scripts except the SSH and SSH brute force detection.  Basically 
> you're using process of elimination to find what aspect of Bro is not 
> performing well in your environment.  Turn on features of Bro one by 
> one until you find which one is the culprit.  It's tricky to debug Bro 
> from site to site because of different traffic profiles.
>
> --TC
>
>
>
> On Wed, Aug 14, 2013 at 9:28 AM, Tritium Cat <tritium.cat at gmail.com> wrote:
>
>     I've had this problem for too long.  Wish I knew too.  Seems each
>     time it's brought up on a mailing list the discussion gets
>     hijacked and turns into feature requests or debates on new
>     concepts and loses sight of the original problem.
>
>     Keep hammering away.  Good luck.
>
>
>     On Fri, Aug 2, 2013 at 11:33 AM, aaron gee-clough
>     <lists at g-clef.net> wrote:
>
>
>         Hello,
>
>         I've just put in two sensors running bro (with security onion),
>         and am having trouble with the bro processes progressively
>         growing in RAM usage, until they crash or become unresponsive.
>         For example, I have one bro worker process right now that's
>         reached 2.8 GB in 2 hours while watching a < 100MB link. None of
>         the other processes (manager/proxy/other workers) are anywhere
>         near that...it's just this one worker.
>
>         Are there any config options I can enable to attempt to find the
>         cause of the memory leak? Also, since I'm confident the link I'm
>         watching is missing some traffic (the span it's on is slightly
>         mis-configured at the moment), where can I configure protocol
>         timeouts?
>
>         Thanks.
>
>         aaron
>         _______________________________________________
>         Bro mailing list
>         bro at bro-ids.org
>         http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
