[Bro] Bro Memory Consumption

Justin Azoff JAzoff at uamail.albany.edu
Mon Feb 22 10:43:20 PST 2010


On Mon, Feb 22, 2010 at 10:48:39AM -0500, Powell, Scott wrote:
> Bro Gurus,
> 
> I am having an issue with Bro and memory exhaustion. Currently I'm using
> click on a system with 8 x CPU cores to break up a network tap into three
> virtual interfaces (tap0, tap1 and tap2).  I'm then running my Bro cluster on
> the same machine with three workers operating on different CPU cores and
> virtual interfaces. The system has 16G of physical RAM. After running for
> about 24 hours or so all of the physical RAM is exhausted and Bro begins to go
> after swap. I increased swap to 8GB but this is a never ending battle as Bro
> will eventually eat everything it can find and crash the system.

I'm having a similar problem, but it usually takes about 4 days to get that bad
here.  I've been considering just going back to restarting bro every day in the
middle of the night like I used to. I used to do that before I installed
broctl, as it was the easiest way to rotate the logs every day.

> redef HTTP::ignored_urls = /^http:\/\/(www\.download\.windowsupdate\.com)|(download\.windowsupdate\.com)|(au\.download\.windowsupdate\.com)|(download\.microsoft\.com)|(office\.microsoft\.com)\//;

FYI, I don't think that regex matches what you think it does. The way the |'s are positioned, it matches:

    /^http:\/\/(www\.download\.windowsupdate\.com)
  | (download\.windowsupdate\.com)
  | (au\.download\.windowsupdate\.com)
  | (download\.microsoft\.com)
  | (office\.microsoft\.com)\//;

Basically you have

   /^http:\/\/(site)|(site)|(site)|(site)\//;

You want something like this:

   /^http:\/\/(site|site|site|site)\//;

-- 
-- Justin Azoff
-- Network Security & Performance Analyst
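
The grouping difference described in the reply above, as an added example that is not part of the original message: it runs both forms of the pattern over constructed URLs to show which ones the posted form would also ignore. Python's `re.search` stands in for Bro's pattern matching here, and it is an assumption that `HTTP::ignored_urls` is applied as an embedded (search) match; the sample URLs and function names are made up for illustration.

```python
import re

# Site list taken from the redef quoted in the thread.
SITES = [
    r"www\.download\.windowsupdate\.com",
    r"download\.windowsupdate\.com",
    r"au\.download\.windowsupdate\.com",
    r"download\.microsoft\.com",
    r"office\.microsoft\.com",
]

# As posted: every (site) is a separate top-level alternative, so "^http://"
# binds only to the first one and the trailing "/" only to the last one.
MISGROUPED = re.compile(r"^http://" + "|".join(f"({s})" for s in SITES) + "/")

# As suggested in the reply: one group holds all the alternatives.
GROUPED = re.compile(r"^http://(" + "|".join(SITES) + ")/")

# Constructed sample URLs (not from the thread).
SAMPLES = [
    "http://download.microsoft.com/office/update.cab",
    "http://www.download.windowsupdate.com/msdownload/a.cab",
    "http://files.example.net/get?mirror=download.microsoft.com",
    "https://example.org/download.windowsupdate.com.html",
    "http://www.download.windowsupdate.com.example.net/x",
    "http://www.example.com/index.html",
]


def compare(urls):
    """Return {url: (misgrouped_hit, grouped_hit)} using unanchored search."""
    return {u: (bool(MISGROUPED.search(u)), bool(GROUPED.search(u))) for u in urls}


def overmatched(urls):
    """URLs the posted pattern would ignore but the grouped pattern would not."""
    return [u for u, (bad, good) in compare(urls).items() if bad and not good]


if __name__ == "__main__":
    for url, (bad, good) in compare(SAMPLES).items():
        print(f"posted={bad!s:5} grouped={good!s:5} {url}")
```

Any URL listed by `overmatched` would drop out of HTTP analysis under the posted pattern even though it is not served by one of the listed update hosts.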