[Bro] Suggestions on handling 1Gb/s HTTP traffic?
longjohngolf at gmail.com
Mon Oct 26 08:49:50 PDT 2015
Have you confirmed that you're getting all of the traffic you expect?
Is the traffic simulated or real HTTP? How are you doing on-box load
balancing? PF_RING vanilla?
On Mon, Oct 26, 2015 at 5:29 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>> On Oct 26, 2015, at 1:36 AM, Aaron Lewis <the.warl0ck.1989 at gmail.com> wrote:
>> I recently tested bro 2.4.1 with ~1Gb/s HTTP traffic, it works but the
>> processes die out of OOM within a few hours.
> You need to elaborate on which processes are using memory and getting killed.
> Posting this again:
> Memory leaks are tricky. It is important to make a distinction about what component is using a lot of memory:
> 1) the workers - analyzer issues and leaks in general would show up here.
> 2) the proxies - communication related
> 3) the manager - child - if the manager is overloaded the child will buffer log data
> 4) the manager - parent - if a logging destination is overloaded the parent will buffer log writes
> - Justin Azoff
> Bro mailing list
> bro at bro-ids.org
More information about the Bro