[Bro-Dev] ***SPAM*** [JIRA] (BIT-1103) Memory leak in Bro Intel framework

Bernhard Amann (JIRA) jira at bro-tracker.atlassian.net
Thu Dec 5 11:01:45 PST 2013


    [ https://bro-tracker.atlassian.net/browse/BIT-1103?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14911#comment-14911 ] 

Bernhard Amann commented on BIT-1103:
-------------------------------------

verified patch is in topic/bernhard/ticket1103

> Memory leak in Bro Intel framework
> ----------------------------------
>
>                 Key: BIT-1103
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1103
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.2
>         Environment: Red Hat Enterprise Linux Server release 6.5
>            Reporter: Andrew Hoying
>            Assignee: Bernhard Amann
>            Priority: High
>              Labels: intel, leak
>
> The policy/frameworks/intel/seen bro scripts have a memory leak. On my moderately busy Bro installation I am leaking about a gig of memory a day per worker process with the Intel framework enabled. I can replicate by adding the following to the local.bro default script and then running through a small PCAP with primarily dns, dhcp and syslog traffic.
> {{
> @load policy/frameworks/intel/seen
> redef Intel::read_files += {
>     "/usr/local/bro/spool/domain_suspicious.txt",
> };
> }}
> The intel file is in the following format, here's a few sample lines. It is generated automatically by CIF:
> {{
> #fields indicator       indicator_type  meta.source     meta.desc       meta.url        meta.cif_impact meta.cif_severity       meta.cif_confidence
> mete-tools.biz  Intel::DOMAIN   CIF - need-to-know      spammed domain  http://www.spamhaus.org/query/dbl?domain=mete-tools.biz (public)        -       -       95
> rttvxygkmwlqmq.net      Intel::DOMAIN   CIF - need-to-know      spammed domain  http://www.spamhaus.org/query/dbl?domain=rttvxygkmwlqmq.net (public)    -       -       95
> podserveruho.com        Intel::DOMAIN   CIF - need-to-know      spammed domain  http://www.spamhaus.org/query/dbl?domain=podserveruho.com (public)      -       -       95
> wwfcogdgntlxw.biz       Intel::DOMAIN   CIF - need-to-know      spammed domain  http://www.spamhaus.org/query/dbl?domain=wwfcogdgntlxw.biz (public)     -       -       95
> }}
> I compiled bro with gperftool debug support and followed the instructions here: http://www.bro.org/development/howtos/leaks.html. (Note, the instructions are wrong on the flags for ./configure, you need to add --enable-perftools-debug to get the -m option for bro)
> Here's the output from pprof top after running a PCAP trace with 10,000 packets. Running traces with more packets show a greater number of lost objects in the same code locations.
> {{
> # pprof bin/bro "/tmp/bro.24541.net_run-end.heap" --inuse_objects --lines --heapcheck  --edgefraction=1e-10 --nodefraction=1e-10
> Using local file bin/bro.
> Using local file /tmp/bro.24541.net_run-end.heap.
> Welcome to pprof!  For help, type 'help'.
> (pprof) top
> Total: 4295 objects
>     2150  50.1%  50.1%     2150  50.1% AsciiFormatter::ParseValue /usr/src/bro-2.2/src/threading/AsciiFormatter.cc:186
>     2141  49.8%  99.9%     2141  49.8% copy_string /usr/src/bro-2.2/src/util.cc:155
>        2   0.0% 100.0%        2   0.0% re_alloc /usr/src/bro-2.2/build/src/re-scan.cc:2287
>        1   0.0% 100.0%        1   0.0% RE_parse /usr/src/bro-2.2/build/src/re-parse.y:110
>        1   0.0% 100.0%        1   0.0% RE_parse /usr/src/bro-2.2/build/src/re-parse.y:133
>        0   0.0% 100.0%     2141  49.8% AsciiFormatter::ParseValue /usr/src/bro-2.2/src/threading/AsciiFormatter.cc:195
>        0   0.0% 100.0%        4   0.1% Connection::NextPacket /usr/src/bro-2.2/src/Conn.cc:259
>        0   0.0% 100.0%        4   0.1% NetSessions::DispatchPacket /usr/src/bro-2.2/src/Sessions.cc:189
>        0   0.0% 100.0%        4   0.1% NetSessions::DoNextPacket /usr/src/bro-2.2/src/Sessions.cc:709
>        0   0.0% 100.0%        4   0.1% NetSessions::NextPacket /usr/src/bro-2.2/src/Sessions.cc:247
> }}



--
This message was sent by Atlassian JIRA
(v6.2-OD-03#6206)


More information about the bro-dev mailing list