[Bro] Memory Issue with Bro

Mike Waite mfw113 at psu.edu
Thu Oct 22 05:12:54 PDT 2015


I know we are still seeing issues with the manager child process. The process will consume over 200GB of RAM in 8 hours.

--
Mike Waite
CyberSecurity Intrusion Analyst
Office of Information Security
The Pennsylvania State University
↪ 15-10-02 15:41:41, Azoff, Justin S <jazoff at illinois.edu>:
>Is it the manager parent or the child process?
>
>-- 
>- Justin Azoff
>
>> On Oct 2, 2015, at 12:55 PM, Joe Blow <blackhole.em at gmail.com> wrote:
>>
>> It's my manager processes using tons of memory...
>>
>> How would you suggest debugging the manager processes?
>>
>> Cheers,
>>
>> JB
>>
>> On Fri, Oct 2, 2015 at 12:21 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>>
>> > On Sep 30, 2015, at 11:55 AM, Joe Blow <blackhole.em at gmail.com> wrote:
>> >
>> > I'm super interested in this thread, as I believe I'm experiencing the same memory leak, using the solarflare cards.
>> > I'm running a similar setup, with 20 workers and lots of traffic, but I'm having to bounce the entire NIC once Bro goes haywire.  Bro doesn't take too long before it's wiped the whole box out of memory (all 192GB).
>> >
>> > Please let me know how the troubleshooting goes.  I'm happy to provide logs.
>> >
>> > Cheers,
>> >
>> > JB
>>
>> Memory leaks are tricky.  It is important to make a distinction about what component is using a lot of memory:
>>
>> 1) the workers - analyzer issues and leaks in general would show up here.
>> 2) the proxies - communication related
>> 3) the manager - child - if the manager is overloaded the child will buffer log data
>> 4) the manager - parent - if a logging destination is overloaded the parent will buffer log writes
>>
>> If your manager processes are using a lot of ram, that doesn't have anything to do with the capture library in use.
>>
>> --
>> - Justin Azoff
>>
>>
>
>
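Added example, not part of the original thread and not Bro project code: a small parser that splits Bro processes into the four components listed in the quoted reply (workers, proxies, manager child, manager parent) so memory growth can be attributed to the right one. It assumes `ps -eo pid,ppid,rss,args` style input, that the node name follows a `-p` option on the command line, and a 1 GiB reporting threshold; the sample rows and paths are constructed.

```python
import re

# Constructed sample of `ps -eo pid,ppid,rss,args` (RSS in KiB); not real output.
SAMPLE_PS = """\
  PID  PPID       RSS COMMAND
 4101  4090   2150400 /usr/local/bro/bin/bro -p manager local.bro
 4115  4101 209715200 /usr/local/bro/bin/bro -p manager local.bro
 4203  4190    310000 /usr/local/bro/bin/bro -p proxy-1 local.bro
 4305  4290   1800000 /usr/local/bro/bin/bro -i eth2 -p worker-1 local.bro
 5000     1     40000 /usr/sbin/sshd -D
"""

# What each component's growth points to, per the list quoted in the thread.
HINTS = {
    "worker": "analyzer issues and leaks in general",
    "proxy": "communication related",
    "manager-child": "manager overloaded, child is buffering log data",
    "manager-parent": "logging destination overloaded, parent is buffering log writes",
}

# Assumption: the node name appears after a -p option on the command line.
NODE_RE = re.compile(r"-p\s+((manager|proxy|worker)\S*)")

def parse_bro_processes(ps_text):
    """Return {pid: info}; a Bro process whose parent is also Bro is the child."""
    procs = {}
    for line in ps_text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        pid, ppid, rss, args = fields
        m = NODE_RE.search(args)
        if args.split()[0].rsplit("/", 1)[-1] != "bro" or not m:
            continue
        procs[int(pid)] = {"ppid": int(ppid), "rss_kib": int(rss),
                           "node": m.group(1), "role": m.group(2)}
    for p in procs.values():
        p["kind"] = "child" if p["ppid"] in procs else "parent"
    return procs

def heavy_processes(ps_text, limit_gib=1.0):
    """List (node, kind, GiB, hint) for Bro processes at or above limit_gib."""
    out = []
    for pid, p in sorted(parse_bro_processes(ps_text).items()):
        gib = p["rss_kib"] / (1024 * 1024)
        if gib >= limit_gib:
            key = "manager-" + p["kind"] if p["role"] == "manager" else p["role"]
            out.append((p["node"], p["kind"], round(gib, 1), HINTS[key]))
    return out
```

Sampling this periodically and comparing runs shows which component is growing over time, which a single snapshot cannot.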
