[Bro-Dev] [JIRA] (BIT-1138) UDP scan detection generates a large number of triggers

aashish (JIRA) jira at bro-tracker.atlassian.net
Fri Feb 21 11:45:38 PST 2014

     [ https://bro-tracker.atlassian.net/browse/BIT-1138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

aashish updated BIT-1138:

    Attachment: CPU-all-scan-policies.png

Robin, All:

Here are the graphs for a run of all scan policies (OldScan + new scan.bro,
scan_udp.bro, scan_icmp.bro) from a run on a freebsd 9.1 box for
approximate 3 day duration.

Memory footprint continues to grow but I have noticed on other systems that
memory flattens out around 11G range (after 9 day uninterrupted run).

CPU is surprisingly  low at on this host. (Attached graph). However on
other boxes I have seen CPU being high as time progresses.

It seems to me that scan_udp fix is probably working looking at this one
data point. I will enable these on other DMZ boxes and lets see if we see
same results.


On Tue, Feb 18, 2014 at 2:41 PM, Robin Sommer (JIRA) <

> UDP scan detection generates a large number of triggers
> -------------------------------------------------------
>                 Key: BIT-1138
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1138
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Robin Sommer
>             Fix For: 2.3
>         Attachments: CPU-all-scan-policies.png, Memory-All-Scan-Policies.png
> These triggers then cause high CPU load. We had a fix already but I'm not sure if it has been confirmed that it solved the problem?

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list