[Bro] Suggestions on handling 1Gb/s HTTP traffic?
Azoff, Justin S
jazoff at illinois.edu
Mon Oct 26 05:29:50 PDT 2015
> On Oct 26, 2015, at 1:36 AM, Aaron Lewis <the.warl0ck.1989 at gmail.com> wrote:
> I recently tested bro 2.4.1 with ~1Gb/s HTTP traffic, it works but the
> processes die out of OOM within a few hours.
You need to elaborate on which processes are using memory and getting killed.
Posting this again:
Memory leaks are tricky. It is important to make a distinction about what component is using a lot of memory:
1) the workers - analyzer issues and leaks in general would show up here.
2) the proxies - communication related
3) the manager - child - if the manager is overloaded the child will buffer log data
4) the manager - parent - if a logging destination is overloaded the parent will buffer log writes
- Justin Azoff
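Added example, not part of the original message: one way to apply the four-way split above is to take per-process memory figures and report which component has the largest process. The sample text is constructed, and its column layout (Name Type Host Pid Proc VSize Rss Cpu Cmd) is assumed to match `broctl top` output.

```python
import re

# Constructed sample; layout assumed to follow `broctl top`:
# Name Type Host Pid Proc VSize Rss Cpu Cmd. All values are made up.
SAMPLE = """\
Name       Type     Host       Pid    Proc    VSize  Rss   Cpu   Cmd
manager    manager  10.0.0.1   6807   parent  1G     812M  35%   bro
manager    manager  10.0.0.1   6849   child   6G     5G    90%   bro
proxy-1    proxy    10.0.0.1   6901   parent  300M   110M  4%    bro
proxy-1    proxy    10.0.0.1   6933   child   180M   60M   1%    bro
worker-1   worker   10.0.0.2   7010   parent  2G     1G    98%   bro
worker-1   worker   10.0.0.2   7042   child   400M   90M   2%    bro
"""

# What growth in each component points to, per the list in the message.
HINTS = {
    ("worker", None): "analyzer issues and leaks in general",
    ("proxy", None): "communication related",
    ("manager", "child"): "manager overloaded, child buffering log data",
    ("manager", "parent"): "logging destination overloaded, parent buffering log writes",
}
UNITS = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30}

def to_bytes(size):
    """Convert a size such as '812M' or '5G' to bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", size)
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])

def peak_rss_by_component(text):
    """Largest single-process RSS per component; only the manager is split by parent/child."""
    peaks = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[3].isdigit():  # skip header and malformed rows
            continue
        ntype, proc, rss = f[1], f[4], to_bytes(f[6])
        key = (ntype, proc) if ntype == "manager" else (ntype, None)
        peaks[key] = max(peaks.get(key, 0), rss)
    return peaks

def largest(text):
    """Return (component, rss_bytes, hint) for the biggest process seen."""
    peaks = peak_rss_by_component(text)
    key = max(peaks, key=peaks.get)
    return key, peaks[key], HINTS.get(key, "unclassified")

if __name__ == "__main__":
    print(largest(SAMPLE))
```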