[Bro] Question regarding leaking file descriptors

Johanna Amann johanna at icir.org
Tue May 17 09:59:48 PDT 2016


Hello Art,

this is an active issue that should be fixed in the next release. The
ticket for this issue is at

https://bro-tracker.atlassian.net/browse/BIT-1594

I hope that helps,
 Johanna

On Mon, May 09, 2016 at 08:58:48AM -0400, Art Maddalena wrote:
> Hi,
> 
> We are having a problem with leaking file descriptors when using
> ActiveHTTP.  We do see the temporary files being deleted, but lsof shows
> the files not closed, so we eventually run out of file descriptors.
> 
> *Sample Output:*
> 
> bro     10687 root 1016r   REG              253,0       283     57148394
> /tmp/bro-activehttp-qque3JKygsj_body (deleted)
> 
> bro     10687 root 1017r   REG              253,0       131     57148392
> /tmp/bro-activehttp-qque3JKygsj_headers (deleted)
> 
> bro     10687 root 1018r   REG              253,0       348     57148398
> /tmp/bro-activehttp-nhBlB9hVchg_body (deleted)
> 
> bro     10687 root 1019r   REG              253,0       131     57148396
> /tmp/bro-activehttp-nhBlB9hVchg_headers (deleted)
> 
> 
> Our code is at:
> 
> https://github.com/aol/moloch/blob/master/capture/plugins/wiseService/molochwise.bro#L98
> 
> We are using bro 2.4.1. Is this a known issue or do we need to change the
> code somehow?
> 
> Thank you for your help!
> 
> 
> VR
> Art Maddalena, CISSP
> Sr. Technical Security Engineer // *AOL*
> o: 703.265.2292

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



More information about the Bro mailing list