[Bro] troubleshooting bro memory usage?

[Siwek, Jonathan Luke]

On Aug 13, 2013, at 9:27 AM, aaron gee-clough <lists at g-clef.net> wrote:

> The SecurityOnion::hostname_line event never fires if the hostname has a dash in it (for example, if the contents of the tmpfile are "location-onion"). I see the add_hostname_reader event fire, but not the hostname_line event. Do you all have any idea why that would fail if there's a string with a dash in the file? Is bro thinking it's an expression rather than a string? Two strings?

The hyphen-in-hostname might be a red herring when at least part of the issue is there's a bit of a race condition in the script -- the system() call to invoke `hostname` and put the output in a temporary file happens in a different background process, subject to the OS scheduler.  So if that process gets scheduled after the input reader has already tried and failed to open the temporary file, the input reader won't automatically recover from that.

I put a revision to the script you showed at [1] that *should* be a way to perform the same function without a race condition (though at the moment I'm not confident that the internals of the raw input reader are race-free in all cases, I'm looking in to some things).

Still, I don't really know if this was actually the cause of your memory issues.

- Jon

[1] https://gist.github.com/jsiwek/6222106