[Bro-Dev] [JIRA] (BIT-1138) UDP scan detection generates a large number of triggers

Aashish Sharma asharma at lbl.gov
Fri Feb 21 11:45:20 PST 2014


Robin, All:

Here are the graphs for a run of all scan policies (OldScan + new scan.bro,
scan_udp.bro, scan_icmp.bro) from a run on a FreeBSD 9.1 box for an
approximately 3 day duration.

Memory footprint continues to grow but I have noticed on other systems that
memory flattens out around 11G range (after 9 day uninterrupted run).

CPU is surprisingly low on this host (attached graph). However, on
other boxes I have seen CPU being high as time progresses.

It seems to me that the scan_udp fix is probably working, looking at this one
data point. I will enable these on other DMZ boxes and let's see if we see the
same results.

Aashish



On Tue, Feb 18, 2014 at 2:41 PM, Robin Sommer (JIRA) <
jira at bro-tracker.atlassian.net> wrote:

>
>     [
> https://bro-tracker.atlassian.net/browse/BIT-1138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15562#comment-15562]
>
> Robin Sommer commented on BIT-1138:
> -----------------------------------
>
> Yeah, I keep forgetting that we don't ship that script. But still, I
> would like to make sure we understand what was going on there.
>
>
> > UDP scan detection generates a large number of triggers
> > -------------------------------------------------------
> >
> >                 Key: BIT-1138
> >                 URL: https://bro-tracker.atlassian.net/browse/BIT-1138
> >             Project: Bro Issue Tracker
> >          Issue Type: Problem
> >          Components: Bro
> >            Reporter: Robin Sommer
> >             Fix For: 2.3
> >
> >
> > These triggers then cause high CPU load. We had a fix already but I'm
> not sure if it has been confirmed that it solved the problem?
>
Attachments (the graphs referenced above):
Memory-All-Scan-Policies.png: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20140221/dcee13ac/attachment-0002.bin
CPU-all-scan-policies.png: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20140221/dcee13ac/attachment-0003.bin