[Bro-Dev] Memory leaks on git eds2245

[Seth Hall]

On Sep 8, 2011, at 1:25 AM, Gregor Maier wrote:

> (BTW, the memory problems I have/had weren't "real" leaks. One a SSL 
> connection was done Bro would free the memory for it again. The problem 
> is that many SSL connections can live for days and thus they ultimately 
> consume memory like a "real" leak would).


I implemented the code yesterday to stop analyzing connections with the skip_further_processing bif and it caused Bro to peak using more memory on the tracefile I was using it with than not stopping analysis of connections.  One thing the SSL scripts are currently doing that I probably need to change is after logging the SSL log, I should probably do "delete c$ssl".  The certificate and certificate chain are stored in there.  Actually, as I think about it more that's probably most of the problem.

We may want to look into the real traffic implications of calling the skip_further_processing bif eventually too though.  I was pretty disheartened to see more memory used from calling that than not calling it.  Perhaps it results in more memory use to remember which connections to ignore?  I suppose I wasn't checking completion time which is probably where the savings should mostly come from.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/