[Bro] troubleshooting bro memory usage?

David Kovar dkovar at gmail.com
Wed Aug 14 13:27:29 PDT 2013


Are you running Bro as part of Security Onion? I saw a discussion about SO issues with hostnames containing hyphens.


On Aug 14, 2013, at 3:12 PM, "aaron gee-clough" <lists at g-clef.net> wrote:

> Thanks. Of the two boxes I have, one got better when I changed the hostname (have no idea why that helped, but it's been stable across reboots and restarts since then...perhaps luck). The other one I'm still working on.
> aaron
> On 08/14/2013 02:08 PM, Tritium Cat wrote:
>> Here's a suggestion that has helped me in the past: disable all scripts except the SSH and SSH brute force detection.  Basically you're using process of elimination to find what aspect of Bro is not performing well in your environment.  Turn on features of Bro one by one until you find which one is the culprit.  It's tricky to debug Bro from site to site because of different traffic profiles.
>> --TC
>> On Wed, Aug 14, 2013 at 9:28 AM, Tritium Cat <tritium.cat at gmail.com> wrote:
>> I've had this problem for too long.  Wish I knew too.  Seems each time it's brought up on a mailing list the discussion gets hijacked and turns into feature requests or debates on new concepts and loses sight of the original problem.
>> Keep hammering away.  Good luck.
>> On Fri, Aug 2, 2013 at 11:33 AM, aaron gee-clough <lists at g-clef.net> wrote:
>> Hello,
>> I've just put in two sensors running bro (with security onion), and am
>> having trouble with the bro processes progressively growing in RAM
>> usage, until they crash or become unresponsive. For example, I have one
>> bro worker process right now that's reached 2.8 GB in 2 hours while
>> watching a < 100MB link. None of the other processes
>> (manager/proxy/other workers) are anywhere near that...it's just this
>> one worker.
>> Are there any config options I can enable to attempt to find the cause
>> of the memory leak? Also, since I'm confident the link I'm watching is
>> missing some traffic (the span it's on is slightly mis-configured at the
>> moment), where can I configure protocol timeouts?
>> Thanks.
>> aaron
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
