[Bro] DNS timeout -> memory usage?

Aaron Gee-Clough lists at g-clef.net
Mon Feb 24 07:00:03 PST 2014


Has anyone else seen an impact from changing the dns_session_timeout 
parameter in Bro?

I have been wrestling with Bro's memory usage for a while now (using Bro 
2.2 from Security Onion to monitor DNS server traffic), and recently 
tried changing the dns_session_timeout value from the default of 10 
seconds to 1 second. That has changed Bro's memory consumption 
dramatically. While at the default 10 second timeout, Bro was slowly 
growing in RAM usage until the Linux OOM manager killed it (and the broctl 
cron job automatically restarted it... lather, rinse, repeat). With the 1 
second timeout, Bro has been steady at ~200MB/worker for the past couple of days.

While I'm happy that this seems to have fixed a problem, I'm wondering 
what other impact that change has had. Obviously, if the DNS server 
starts responding slowly, Bro will see the request and response as 
separate sessions... I think I can live with that. Is that the only 
impact of changing the dns_session_timeout variable?
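The side effect described above (a reply arriving after dns_session_timeout is no longer correlated with its query) is something you can measure before and after the change, rather than guess at. The script below is an added example written for this post; it is not code from the original message or from the Bro project. It assumes that when a query times out before its reply, Bro 2.2 writes two dns.log rows sharing the same uid and trans_id: a query-only row (no rcode) and a reply-only row (no query). The dns.log sample is constructed and abridged (only a subset of the real 2.2 columns), and the timeout itself would be set in local.bro with `redef dns_session_timeout = 1 sec;`. Run it over a real dns.log to see what fraction of lookups got split and how long the late replies took.

```python
"""Count complete, unanswered and split (query/reply separated) DNS sessions in a Bro dns.log."""
import io
from collections import defaultdict

# Constructed, abridged dns.log in Bro 2.2's tab-separated format (not real capture data).
# Row 2 and 3 share uid/trans_id: the query was logged alone, then the late reply was logged alone.
SAMPLE_DNS_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_id\tquery\tqtype_name\trcode_name\tanswers
1393254000.000100\tCAbc1x\t10.0.0.5\t51000\t10.0.0.53\t53\t4112\twww.example.com\tA\tNOERROR\t93.184.216.34
1393254001.000000\tCAbc2y\t10.0.0.6\t51001\t10.0.0.53\t53\t7001\tslow.example.net\tA\t-\t-
1393254012.500000\tCAbc2y\t10.0.0.6\t51001\t10.0.0.53\t53\t7001\t-\t-\tNOERROR\t203.0.113.9
1393254003.000000\tCAbc3z\t10.0.0.7\t51002\t10.0.0.53\t53\t9123\tnever.example.org\tA\t-\t-
"""

UNSET = "-"  # Bro's marker for an unset field


def parse_dns_log(text):
    """Parse Bro's TSV log format: '#fields' names the columns, other '#' lines are directives."""
    fields = None
    rows = []
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def classify_sessions(rows):
    """Group rows by (uid, trans_id) and classify each lookup.

    complete   - one row carrying both the query and a response code
    unanswered - query rows only, no reply ever seen
    split      - a query-only row followed by a reply-only row (timeout hit before the reply)
    """
    groups = defaultdict(list)
    for r in rows:
        groups[(r["uid"], r["trans_id"])].append(r)

    summary = {"complete": 0, "unanswered": 0, "split": 0, "splits": []}
    for (uid, trans_id), entries in groups.items():
        entries.sort(key=lambda r: float(r["ts"]))
        has_query = lambda r: r["query"] != UNSET
        has_reply = lambda r: r["rcode_name"] != UNSET
        query_only = [r for r in entries if has_query(r) and not has_reply(r)]
        reply_only = [r for r in entries if has_reply(r) and not has_query(r)]
        both = [r for r in entries if has_query(r) and has_reply(r)]

        if both:
            summary["complete"] += len(both)
        if query_only and reply_only:
            # ts of the query-only row is the query time, so the gap approximates the server's RTT
            gap = float(reply_only[0]["ts"]) - float(query_only[0]["ts"])
            summary["split"] += 1
            summary["splits"].append(
                {"uid": uid, "trans_id": trans_id, "query": query_only[0]["query"], "gap_seconds": gap}
            )
        elif query_only:
            summary["unanswered"] += len(query_only)
    return summary


def slowest_split_gap(summary):
    """Largest observed query-to-late-reply gap; a timeout at or above this would have kept them together."""
    return max((s["gap_seconds"] for s in summary["splits"]), default=0.0)


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DNS_LOG
    result = classify_sessions(parse_dns_log(text))
    print("complete=%d unanswered=%d split=%d" % (result["complete"], result["unanswered"], result["split"]))
    for s in result["splits"]:
        print("split: %s trans_id=%s query=%s late by %.3fs" % (s["uid"], s["trans_id"], s["query"], s["gap_seconds"]))
    print("slowest split gap: %.3fs" % slowest_split_gap(result))
```

Point it at a worker's dns.log (`python dns_split_check.py /nsm/bro/logs/current/dns.log`, path assumed). If the split count is negligible relative to complete lookups, the 1 second timeout is costing you nothing beyond the memory win; if it is not, the slowest gap tells you roughly how far the timeout would need to rise to keep those sessions together.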
