[Bro] troubleshooting bro memory usage?
aaron gee-clough
lists at g-clef.net
Fri Aug 9 12:30:48 PDT 2013
Hello,

I've just come across something that implies Bro is caching all DNS
resolutions that go past it
(https://bro-tracker.atlassian.net/browse/BIT-964). The bro systems I
recently put in are in front of our main internal DNS resolvers, so
almost all of the traffic they see is DNS resolution requests/answers.
If Bro is caching all DNS, that would go a long way to explaining why
bro's memory usage is continually increasing for my two sensors.

Is there a way to disable this caching? (Or have I misunderstood what
bro's doing with DNS?)

Thanks.

aaron

On 08/02/2013 02:33 PM, aaron gee-clough wrote:
>
> Hello,
>
> I've just put in two sensors running bro (with security onion), and am
> having trouble with the bro processes progressively growing in RAM
> usage, until they crash or become unresponsive. For example, I have one
> bro worker process right now that's reached 2.8 GB in 2 hours while
> watching a < 100MB link. None of the other processes
> (manager/proxy/other workers) are anywhere near that...it's just this
> one worker.
>
> Are there any config options I can enable to attempt to find the cause
> of the memory leak? Also, since I'm confident the link I'm watching is
> missing some traffic (the span it's on is slightly mis-configured at the
> moment), where can I configure protocol timeouts?
>
> Thanks.
>
> aaron