[Bro] high cpu usage and strange select(2) behavior

[Stephane Chazelas]

2012-02-10 09:16:52 -0500, Seth Hall:
> 
> On Feb 10, 2012, at 6:24 AM, Stephane Chazelas wrote:
> 
> > But the reason I asked was because I thought it was a
> > configuration problem of mine, because I found it abnormal for
> > bro to use that much CPU when idle, and thought that could
> > explain the alerts about dropped packets where the other IDSes
> > are fine.
> 
> 
> The high overhead is due to the Bro communication loop.  If
> you run in standalone mode (or just manually run a Bro process
> without loading frameworks/communication/listen.bro) you won't
> see the high cpu load.
[...]

Thanks Seth,

I think we're onto something here. node.cfg has "standalone" and
yet the cpu load is high. Where should I be looking? (I have to
admit I'm quite new to bro).

# broctl status
waiting for lock ...... ok
Name       Type       Host       Status        Pid    Peers  Started
bro        standalone localhost  running       4508   0      10 Feb 14:16:37

policy/auto/standalone-layou.bro has

# Automatically generated. Do not edit.
redef Communication::listen_port = 47760/tcp;
redef Communication::nodes += {
        ["control"] = [$host=127.0.0.1, $class="control", $events=Control::controller_events],
};

# lsof -i tcp -ac bro
COMMAND  PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
bro     4526 root    0u  IPv4 3729419      0t0  TCP *:47760 (LISTEN)

# broctl config | grep -e polic -e standalone
defsitepolicypath = /usr/local/share/bro/site
policydir = /usr/local/share/bro
policydirbroctl = /nsm/bro/spool/policy/broctl
policydirsiteinstall = /nsm/bro/spool/policy/site
policydirsiteinstallauto = /nsm/bro/spool/policy/auto
sitepolicymanager = local-manager.bro
sitepolicypath = /usr/local/share/bro/site
sitepolicystandalone = local.bro
sitepolicyworker = local-worker.bro
standalone = 1

Thanks,
Stephane