[Bro] Memory leak?

Joe Blow blackhole.em at gmail.com
Mon Sep 22 13:26:40 PDT 2014


Fantastic advise.  The reporter.log showed a bug for an empty variable
inside a when statement.  Fixed it with an if - check and i'm not seeing
any errors.  Hopefully this will quell the memory issues.  Thanks for the
help.

Cheers,

JB

On Mon, Sep 22, 2014 at 10:24 AM, Hosom, Stephen M <hosom at battelle.org>
wrote:

>  At a glance… with only the information available… It looks more like Bro
> is legitimately filling up the system memory and the kernel is OOM killing
> your Bro worker. How much memory is in this worker, what kind of connection
> is it monitoring? Are you willing to provide a copy of your reporter.log?
>
>
>
> *From:* bro-bounces at bro.org [mailto:bro-bounces at bro.org] *On Behalf Of *Joe
> Blow
> *Sent:* Monday, September 22, 2014 10:19 AM
> *To:* bro at bro-ids.org List
> *Subject:* [Bro] Memory leak?
>
>
>
> Hey guys,
>
> I'm trying to figure out if there is a memory leak in Bro that's causing
> me issues.  I wonder if it's a memory leak because every few hours i'll
> have a worker die like this:
>
> <snip>
>
> If you want to help us debug this problem, then please forward this mail
> to reports at bro.org
>
> Bro 2.3.1
>
> Linux 2.6.32-358.11.1.el6.x86_64
>
> ==== No reporter.log
>
> ==== stderr.log
>
> listening on bond1, capture length 8192 bytes
>
> 1411357505.663118 processing suspended
>
> 1411357505.663118 processing continued
>
> 1411392324.017784 received termination signal
>
> 1411392324.017784 105126164 packets received on interface bond1, 0 dropped
>
> ==== stdout.log
>
> max memory size         (kbytes, -m) unlimited
>
> data seg size           (kbytes, -d) unlimited
>
> virtual memory          (kbytes, -v) unlimited
>
> core file size          (blocks, -c) unlimited
>
> ==== .cmdline
>
> -i bond1 -U .status -p broctl -p broctl-live -p local -p worker-0-3
> local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
>
>  ==== .env_vars
>
>
> PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/sbin:/bin:/usr/sbin:/usr/bin
>
>
> BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
>
> CLUSTER_NODE=worker-0-3
>
>  ==== .status
>
> TERMINATED [atexit]
>
>  ==== No prof.log
>
>  ==== No packet_filter.log
>
>  ==== No loaded_scripts.log
>
> --
>
> [Automatically generated.]
>
> </snip>
>
> The picture of the system's memory looks like this:
>
> [image: Inline image 1]
>
> This sort of corresponds with the crashing of Bro.  Any ideas?  Where
> would you guys start digging if the workers just started dying (seemingly)
> randomly?
>
> Cheers,
>
> JB
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140922/9eca8f00/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 19357 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140922/9eca8f00/attachment.jpg 


More information about the Bro mailing list