[Bro-Dev] [JIRA] (BIT-1138) UDP scan detection generates a large number of triggers

aashish (JIRA) jira at bro-tracker.atlassian.net
Fri Feb 21 11:45:38 PST 2014


     [ https://bro-tracker.atlassian.net/browse/BIT-1138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

aashish updated BIT-1138:
-------------------------

    Attachment: CPU-all-scan-policies.png
                Memory-All-Scan-Policies.png

Robin, All:

Here are the graphs for a run of all scan policies (OldScan + new scan.bro,
scan_udp.bro, scan_icmp.bro) from a run on a FreeBSD 9.1 box for an
approximately 3-day duration.

Memory footprint continues to grow, but I have noticed on other systems that
memory flattens out around the 11G range (after a 9-day uninterrupted run).

CPU is surprisingly low on this host (attached graph). However, on
other boxes I have seen CPU being high as time progresses.

It seems to me that the scan_udp fix is probably working, looking at this one
data point. I will enable these on other DMZ boxes and let's see if we see
the same results.

Aashish



On Tue, Feb 18, 2014 at 2:41 PM, Robin Sommer (JIRA) <



> UDP scan detection generates a large number of triggers
> -------------------------------------------------------
>
>                 Key: BIT-1138
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1138
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Robin Sommer
>             Fix For: 2.3
>
>         Attachments: CPU-all-scan-policies.png, Memory-All-Scan-Policies.png
>
>
> These triggers then cause high CPU load. We had a fix already but I'm not sure if it has been confirmed that it solved the problem?



--
This message was sent by Atlassian JIRA
(v6.2-OD-09-036#6252)

