[Bro-Dev] Memory leaks on git eds2245
Seth Hall
seth at icir.org
Wed Sep 7 22:37:56 PDT 2011
On Sep 8, 2011, at 1:25 AM, Gregor Maier wrote:
> (BTW, the memory problems I have/had weren't "real" leaks. Once an SSL
> connection was done Bro would free the memory for it again. The problem
> is that many SSL connections can live for days and thus they ultimately
> consume memory like a "real" leak would).
I implemented the code yesterday to stop analyzing connections with the skip_further_processing bif and it caused Bro to peak using more memory on the tracefile I was using it with than not stopping analysis of connections. One thing the SSL scripts are currently doing that I probably need to change is after logging the SSL log, I should probably do "delete c$ssl". The certificate and certificate chain are stored in there. Actually, as I think about it more, that's probably most of the problem.
We may want to look into the real traffic implications of calling the skip_further_processing bif eventually too though. I was pretty disheartened to see more memory used from calling that than not calling it. Perhaps it results in more memory use to remember which connections to ignore? I suppose I wasn't checking completion time, which is probably where the savings should mostly come from.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/