[Bro] Version: 2.0-907 -- Bro manager memory exhaustion
Chris Crawford
christopher.p.crawford at gmail.com
Wed Aug 1 12:27:49 PDT 2012
Have you seen any of my threads from earlier this year?
http://bit.ly/JJQVVf
http://bit.ly/N2l4yT
Your issue sounds similar to what I was experiencing.
Bro 2.0 routinely uses up all available memory and then crashes for me.
In my case, an early suggestion was that Bro should not be run in a
virtual machine. I set up a second instance of Bro 2.0 on a FreeBSD
machine (not a VM), though, and got the same results -- routine
crashes. I read quite a few stack traces from those crashes, and
noticed that there seemed to be an issue (maybe a leak) allocating
memory when Bro attempts to reassemble fragmented traffic.
Can you get a stack trace from any of your crashes?
I have a cron job that restarts everything as soon as it experiences a
crash, so I can get fairly continuous coverage. Unfortunately, seeing
bro crash so frequently reduces my confidence that it's catching
everything.
If I want to be more confident about the results bro produces, I'll
run it over pcap from tcpdump.
-Chris
On Mon, Jul 30, 2012 at 4:57 PM, Tritium Cat <tritium.cat at gmail.com> wrote:
> Hello,
>
> I'm using the latest development build 2.0-907.
>
> The deployment consists of six servers; one as a manager and the other five
> as nodes. Each node runs 20 workers and 2 proxies. The manager is FreeBSD;
> the workers are Linux with PF_RING transparent_mode=2.
>
> After starting bro, the manager continually consumes memory until system
> exhaustion (64GB). The CPU usage is high as well.
>
> Another problem is over 50% of the workers consume 100% CPU. This is very
> odd considering the low volume traffic between 400-1000 Mbps per node.
>
> Where do you suggest I start debugging this?
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro