[Bro] memory leak?
Vern Paxson
vern at icir.org
Tue Mar 21 19:11:27 PST 2006
This will commonly occur simply due to state building up in the variables
managed by the event engine and the policy scripts. The main problem is
the need to associate timeouts with the corresponding tables. See our paper:
H. Dreger, A. Feldmann, V. Paxson, and R. Sommer,
Operational Experiences with High-Volume Network Intrusion Detection,
Proc. ACM CCS, October 2004
http://www.icir.org/vern/papers/high-volume-ccs04.pdf
for discussion.
You can turn on a bunch (though not an exhaustive set) of these sorts of
timeouts by @load'ing reduce-memory.bro. Soon we will change Bro so that
by default it includes this sort of configuration, rather than the user
needing to enable it specifically.
Vern
More information about the Bro
mailing list