[Bro] DNS timeout -> memory usage?
lists at g-clef.net
Mon Feb 24 07:00:03 PST 2014
Has anyone else seen an impact in changing the dns_session_timeout
parameter in bro?
I have been wrestling with Bro's memory usage for a while now (using bro
2.2 from securityonion to monitor DNS server traffic), and recently
tried changing the dns_session_timeout value from the default of 10
seconds to 1 second. That has changed bro's memory consumption
dramatically. While at the default 10 second timeout, Bro was slowly
growing in RAM usage until the Linux OOM manager killed it (and broctl
cron automatically restarted it...lather, rinse, repeat). With the 1
second timeout bro's been steady at ~200MB/worker for the past couple days.
While I'm happy that this seems to have fixed a problem, I'm wondering
what other impact that change has had. Obviously, if the DNS server
starts responding slowly bro will see the request and response as
separate sessions...I think I can live with that. Is that the only
impact of changing the dns_session_timeout variable?
More information about the Bro