[Bro] memory leak?

Harsha V. Madhyastha harsha at cs.washington.edu
Fri Mar 24 09:07:55 PST 2006


Hi,

I tried out the suggestion of @load'ing reduce-memory.bro (I appended a
line "@load reduce-memory" at the end of the file mt.bro. I also have a
"@load rotate-logs" line in addition to the mt.bro that comes with the
distribution.), but I still see memory usage increasing monotonically.
Below is a snapshot of memory usage every 10 minutes. Should I be
@load'ing reduce-memory.bro in some other way? If not, is there anything
else I can do to prevent continuous accumulation of state?

Please let me know if any of you have any other suggestions.

Thanks!
Harsha

top - 16:57:19 up 58 days,  2:42,  2 users,  load average: 0.55, 0.52, 0.45
  9567 root      15   0 13780 9.9m 2608 S  4.0  0.5   0:00.73 bro

top - 17:07:19 up 58 days,  2:52,  2 users,  load average: 0.80, 0.73, 0.56
  9567 root      15   0 25208  21m 2676 R 15.7  1.0   1:23.21 bro

top - 17:17:20 up 58 days,  3:02,  2 users,  load average: 0.78, 0.71, 0.61
  9567 root      15   0 30700  26m 2688 S 13.8  1.3   2:51.30 bro

top - 17:27:20 up 58 days,  3:12,  2 users,  load average: 0.85, 0.74, 0.65
  9567 root      15   0 36796  32m 2688 S 19.8  1.6   4:21.41 bro

top - 17:37:21 up 58 days,  3:23,  2 users,  load average: 0.83, 0.71, 0.65
  9567 root      15   0 43208  38m 2688 S 11.8  1.9   5:47.97 bro

top - 17:47:22 up 58 days,  3:33,  2 users,  load average: 0.56, 0.66, 0.65
  9567 root      15   0 47760  43m 2688 S 13.8  2.1   7:03.52 bro

top - 17:57:22 up 58 days,  3:43,  2 users,  load average: 0.77, 0.63, 0.61
  9567 root      16   0 52308  47m 2696 S  7.9  2.3   8:20.43 bro

top - 18:07:23 up 58 days,  3:53,  2 users,  load average: 0.58, 0.62, 0.61
  9567 root      15   0 56592  51m 2696 S 13.8  2.5   9:31.94 bro

top - 18:17:23 up 58 days,  4:03,  2 users,  load average: 0.56, 0.55, 0.56
  9567 root      15   0 62036  56m 2696 S 11.9  2.8  10:47.16 bro

top - 18:27:24 up 58 days,  4:13,  2 users,  load average: 0.85, 0.65, 0.57
  9567 root      15   0 66576  61m 2696 S 11.9  3.0  12:01.87 bro

top - 18:37:24 up 58 days,  4:23,  2 users,  load average: 0.73, 0.65, 0.58
  9567 root      15   0 73496  68m 2696 R 11.9  3.4  13:24.69 bro

top - 18:47:25 up 58 days,  4:33,  2 users,  load average: 0.50, 0.65, 0.62
  9567 root      15   0 77644  72m 2696 S 11.9  3.6  14:43.69 bro

top - 18:57:25 up 58 days,  4:43,  2 users,  load average: 0.44, 0.48, 0.54
  9567 root      15   0 82576  76m 2696 S 13.8  3.8  16:03.00 bro


......

top - 06:58:03 up 58 days, 16:43,  2 users,  load average: 0.51, 0.51, 0.52
  9567 root      15   0  349m 345m 2696 S 13.8 17.1 153:08.79 bro

top - 07:08:03 up 58 days, 16:53,  2 users,  load average: 0.70, 0.66, 0.57
  9567 root      15   0  353m 349m 2696 S 25.7 17.3 155:17.46 bro

top - 07:18:04 up 58 days, 17:03,  2 users,  load average: 0.72, 0.67, 0.58
  9567 root      15   0  356m 352m 2696 S 27.7 17.4 157:27.63 bro

top - 07:28:04 up 58 days, 17:13,  2 users,  load average: 0.43, 0.53, 0.54
  9567 root      15   0  365m 361m 2696 R 37.5 17.8 159:45.66 bro

top - 07:38:05 up 58 days, 17:23,  2 users,  load average: 0.42, 0.56, 0.54
  9567 root      15   0  365m 361m 2696 S 21.7 17.8 162:05.27 bro

top - 07:48:05 up 58 days, 17:33,  2 users,  load average: 0.66, 0.52, 0.52
  9567 root      15   0  369m 365m 2696 S 11.8 18.1 164:24.92 bro

top - 07:58:06 up 58 days, 17:43,  2 users,  load average: 0.70, 0.42, 0.46
  9567 root      15   0  372m 368m 2696 S 21.8 18.2 166:41.43 bro

top - 08:08:06 up 58 days, 17:53,  2 users,  load average: 0.56, 0.56, 0.49
  9567 root      15   0  376m 372m 2696 R 27.7 18.4 169:01.29 bro

top - 08:18:07 up 58 days, 18:03,  2 users,  load average: 0.63, 0.52, 0.49
  9567 root      15   0  379m 375m 2696 S 19.7 18.5 171:16.30 bro

top - 08:28:07 up 58 days, 18:13,  2 users,  load average: 0.75, 0.66, 0.56
  9567 root      16   0  383m 379m 2696 S 19.8 18.7 173:36.79 bro

top - 08:38:08 up 58 days, 18:23,  2 users,  load average: 1.01, 0.73, 0.60
  9567 root      15   0  392m 388m 2696 S 19.7 19.2 176:06.30 bro

top - 08:48:08 up 58 days, 18:33,  2 users,  load average: 0.35, 0.54, 0.57
  9567 root      15   0  392m 388m 2696 S 27.7 19.2 178:34.94 bro

top - 08:58:09 up 58 days, 18:43,  2 users,  load average: 0.85, 0.68, 0.62
  9567 root      15   0  394m 391m 2696 R 27.7 19.3 181:01.10 bro



Vern Paxson wrote:
> This will commonly occur simply due to state building up in the variables
> managed by the event engine and the policy scripts.  The main problem is
> the need to associate timeouts with the corresponding tables.  See our paper:
> 
> 	H. Dreger, A. Feldmann, V. Paxson, and R. Sommer,
> 	Operational Experiences with High-Volume Network Intrusion Detection,
> 	Proc. ACM CCS, October 2004
> 
> 	http://www.icir.org/vern/papers/high-volume-ccs04.pdf
> 
> for discussion.
> 
> You can turn on a bunch (though not an exhaustive set) of these sorts of
> timeouts by @load'ing reduce-memory.bro.  Soon we will change Bro so that
> by default it includes this sort of configuration, rather than the user
> needing to enable it specifically.
> 
> 		Vern




More information about the Bro mailing list