[Bro-Dev] dfa_state does not free its cache

Robin Sommer robin at icir.org
Wed May 13 12:14:38 PDT 2015

On Wed, May 13, 2015 at 16:26 +0100, you wrote:

> Dfa_state_cache does not follow its max size limit

Yeah, that option has actually been dead for a while already, and we
finally removed it recently just before the 2.4 beta (see 

We had removed the corresponding functionality with one of the earlier
releases already because it was a separate code path that, due to its
performance implications, had to be activated explicitly with a
configure switch, meaning that probably nobody was using it anyways.

It's not really a leak though. While the data structure can keep
growing, the memory remains accessible and the states may be used with
future traffic. That said, depending on the regexps in use, the data
structure can get pretty big over time, and the memory indeed won't be
reclaimed. Snother recent change in preparation for 2.4 was optimizing
the file detetion regexps to cause less such memory usage.


Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

More information about the bro-dev mailing list