[Bro-Dev] [JIRA] (BIT-1103) Memory leak in Bro Intel framework
Andrew Hoying (JIRA)
jira at bro-tracker.atlassian.net
Wed Dec 4 19:47:45 PST 2013
Andrew Hoying created BIT-1103:
----------------------------------
Summary: Memory leak in Bro Intel framework
Key: BIT-1103
URL: https://bro-tracker.atlassian.net/browse/BIT-1103
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: 2.2
Environment: Red Hat Enterprise Linux Server release 6.5
Reporter: Andrew Hoying
Priority: High
The policy/frameworks/intel/seen bro scripts have a memory leak. On my moderately busy Bro installation I am leaking about a gig of memory a day per worker process with the Intel framework enabled. I can replicate by adding the following to the local.bro default script and then running through a small PCAP with primarily dns, dhcp and syslog traffic.
{{
@load policy/frameworks/intel/seen
redef Intel::read_files += {
"/usr/local/bro/spool/domain_suspicious.txt",
};
}}
The intel file is in the following format, here's a few sample lines. It is generated automatically by CIF:
{{
#fields indicator indicator_type meta.source meta.desc meta.url meta.cif_impact meta.cif_severity meta.cif_confidence
mete-tools.biz Intel::DOMAIN CIF - need-to-know spammed domain http://www.spamhaus.org/query/dbl?domain=mete-tools.biz (public) - - 95
rttvxygkmwlqmq.net Intel::DOMAIN CIF - need-to-know spammed domain http://www.spamhaus.org/query/dbl?domain=rttvxygkmwlqmq.net (public) - - 95
podserveruho.com Intel::DOMAIN CIF - need-to-know spammed domain http://www.spamhaus.org/query/dbl?domain=podserveruho.com (public) - - 95
wwfcogdgntlxw.biz Intel::DOMAIN CIF - need-to-know spammed domain http://www.spamhaus.org/query/dbl?domain=wwfcogdgntlxw.biz (public) - - 95
}}
I compiled bro with gperftool debug support and followed the instructions here: http://www.bro.org/development/howtos/leaks.html. (Note, the instructions are wrong on the flags for ./configure, you need to add --enable-perftools-debug to get the -m option for bro)
Here's the output from pprof top after running a PCAP trace with 10,000 packets. Running traces with more packets show a greater number of lost objects in the same code locations.
{{
# pprof bin/bro "/tmp/bro.24541.net_run-end.heap" --inuse_objects --lines --heapcheck --edgefraction=1e-10 --nodefraction=1e-10
Using local file bin/bro.
Using local file /tmp/bro.24541.net_run-end.heap.
Welcome to pprof! For help, type 'help'.
(pprof) top
Total: 4295 objects
2150 50.1% 50.1% 2150 50.1% AsciiFormatter::ParseValue /usr/src/bro-2.2/src/threading/AsciiFormatter.cc:186
2141 49.8% 99.9% 2141 49.8% copy_string /usr/src/bro-2.2/src/util.cc:155
2 0.0% 100.0% 2 0.0% re_alloc /usr/src/bro-2.2/build/src/re-scan.cc:2287
1 0.0% 100.0% 1 0.0% RE_parse /usr/src/bro-2.2/build/src/re-parse.y:110
1 0.0% 100.0% 1 0.0% RE_parse /usr/src/bro-2.2/build/src/re-parse.y:133
0 0.0% 100.0% 2141 49.8% AsciiFormatter::ParseValue /usr/src/bro-2.2/src/threading/AsciiFormatter.cc:195
0 0.0% 100.0% 4 0.1% Connection::NextPacket /usr/src/bro-2.2/src/Conn.cc:259
0 0.0% 100.0% 4 0.1% NetSessions::DispatchPacket /usr/src/bro-2.2/src/Sessions.cc:189
0 0.0% 100.0% 4 0.1% NetSessions::DoNextPacket /usr/src/bro-2.2/src/Sessions.cc:709
0 0.0% 100.0% 4 0.1% NetSessions::NextPacket /usr/src/bro-2.2/src/Sessions.cc:247
}}
--
This message was sent by Atlassian JIRA
(v6.2-OD-03#6206)
More information about the bro-dev
mailing list