[Bro] troubleshooting bro memory usage?

Aaron Gee-Clough lists at g-clef.net
Sun Aug 11 05:39:03 PDT 2013


On 8/10/2013 11:19 AM, Seth Hall wrote:
> On Aug 9, 2013, at 3:30 PM, aaron gee-clough <lists at g-clef.net> wrote:
>
>> Is there a way to disable this caching? (or have I misunderstood what
>> bro's doing with DNS?)
>
> That's unrelated.  It's referring to DNS lookup requests happening at script land.  We ran into a case once where someone had written a script that did two reverse hostname lookups for every connection that was established (don't do this, it's *really* not a good idea).  Although I should point out that their Bro cluster was running quite well even in the face of that, but I don't think their DNS resolver was very happy about it. :)

Heh. I'll keep that in mind.

> In general, monitoring in front of a DNS resolver should be just fine.
>

Hmm...that leaves me with my original problem, then: I have two vanilla 
securityonion installs (no custom .bro scripts added, just the ones that 
came with securityonion), watching just traffic to two different DNS 
resolvers...right now one of the worker parent processes (according to 
"broctl top") on each securityonion box grows monotonically in RAM usage 
until it gets killed by Linux (and is then restarted by broctl's cron job).

Any ideas on where I should start looking to identify what's causing the 
worker to grow in RAM like that?

Thanks.

aaron


