[Bro] out of memory after a couple days?
jessebowling at gmail.com
Thu Dec 5 07:28:58 PST 2013
I have little experience with it, but could running with valgrind be
possible/advisable/useful? Perhaps best to be run with -01 on a box that is
overpowered for the expected load...
On Thu, Dec 5, 2013 at 10:14 AM, Mike Sconzo <sconzo at visiblerisk.com> wrote:
> If we're able to get our hands on some of the traffic (pcaps spanning
> the time window of memory usage/massive drops) that causes these
> issues, what would be some good tests to run against it?
> Nothing suspicious or weird shows up in the perf.log for each worker
> (or manager).
> On Thu, Dec 5, 2013 at 8:12 AM, Mike Patterson
> <mike.patterson at uwaterloo.ca> wrote:
> > On Dec 4, 2013, at 11:31 PM, Seth Hall <seth at icir.org> wrote:
> >> On Dec 4, 2013, at 10:34 PM, Mike Patterson <mike.patterson at uwaterloo.ca> wrote:
> >>> I think you’re definitely running into a memory leak. I’ve had 2.2
> >>> processes try to grab up to 100GB of RAM. 8 workers, 96GB of RAM, but the
> >>> box splits time with another 8 snort workers. My late 2.1 release
> >>> (September 21 IIRC) was quite a bit more stable.
> >> I think there is some particular traffic that you guys are running into
> >> that's causing it. A few other people have encountered that too but we
> >> haven't been able to nail down what it is yet.
> > That was my assumption too. I upgraded on 8 November, leaked early AM
> > 16th, and then again on the 29th. Traffic would have been at an ebb on the
> > 16th, and rising on the 29th, so I don’t think it’s sheer volume - as you
> > say, there must be something *in* the traffic. Or more likely, a sequence
> > of things, otherwise I expect 2.2 would be vomiting all over my RAM far
> > more often.
> > Please let me know if there’s anything I can do to help; I got lucky
> > with these, the first crash was the day before I started vacation (well,
> > technically, my first day of) and the second crash was the day immediately
> > after I returned. :) Unfortunately, when it does happen, it takes out my
> > IDS entirely as I need to cold-boot the server, so if live diagnostics are
> > required, it’ll have to be timed when people are around.
> > Mike
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> cat ~/.bash_history > documentation.txt