[Bro] troubleshooting bro memory usage?

aaron gee-clough lists at g-clef.net
Tue Aug 13 08:48:50 PDT 2013


I *added* a ton of Reporter::warn messages. Before this, bro was issuing 
one interesting error (see below), but I was basically adding lines like 
"script <x> started with variables <y>", "script <x> finished", etc. to 
the reporter.log.

So, the log messages looked like:

    0.000000    Reporter::WARNING    making tempfile: /tmp/bro-hostname-ndOXgWQ3v52    /opt/bro/share/bro/securityonion/./hostname.bro, line 40
    0.000000    Reporter::WARNING    wrote hostname to tempfile    /opt/bro/share/bro/securityonion/./hostname.bro, line 42
    0.000000    Reporter::WARNING    called event to add hostname reader    /opt/bro/share/bro/securityonion/./hostname.bro, line 44
    0.000000    Reporter::WARNING    hostname reader starting on file: /tmp/bro-hostname-ndOXgWQ3v52    /opt/bro/share/bro/securityonion/./hostname.bro, line 28
    1376401730.326379    Reporter::INFO    processing suspended (empty)
    1376401730.326379    Reporter::INFO    processing continued (empty)
    1376401730.370328    Reporter::INFO    processing continued (empty)



What got me going this way was an error earlier that was:

    0.000000    Reporter::WARNING    Template value remaining in BPFConf filename: /etc/nsm/{{hostname}}-{{interface}}/bpf-bro.conf    /opt/bro/share/bro/securityonion/./bpfconf.bro, line 99


which said to me that either the "hostname" or "interface" variable 
hadn't been initialized in the bro setup.

aaron

On 08/13/2013 11:15 AM, Robin Sommer wrote:
>
>
> On Tue, Aug 13, 2013 at 10:27 -0400, aaron gee-clough wrote:
>
>> coming from securityonion's scripts. I then started adding the
>> SecurityOnion rules back in one by one, adding a ton of Reporter::warn
>> statements, and watching the reporter.log.
> Can you send a sample of those messages? How much is a ton? :)
>
> There's a known memory leak in Bro when the script interpreter reports
> certain errors in script code. If this happens very often, it could
> explain what you're seeing (unfortunately the leak is hard to fix, but
> the messages usually indicate a problem in the corresponding script in
> the first place).
>
> Robin
>
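
One way to put a number on "a ton", as an added example that is not part of the original thread: tally reporter.log entries per level and script location, and list any `{{...}}` placeholders that were never substituted. It assumes the tab-separated ts/level/message/location layout seen in the excerpts above; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

TEMPLATE = re.compile(r"\{\{(\w+)\}\}")  # unresolved {{name}} placeholder

# Constructed sample, modelled on the excerpts quoted in this thread.
# Assumed layout: ts <TAB> level <TAB> message <TAB> location
SAMPLE = "\n".join([
    "#fields\tts\tlevel\tmessage\tlocation",
    "0.000000\tReporter::WARNING\twrote hostname to tempfile\t"
    "/opt/bro/share/bro/securityonion/./hostname.bro, line 42",
    "0.000000\tReporter::WARNING\tTemplate value remaining in BPFConf "
    "filename: /etc/nsm/{{hostname}}-{{interface}}/bpf-bro.conf\t"
    "/opt/bro/share/bro/securityonion/./bpfconf.bro, line 99",
    "0.000000\tReporter::WARNING\twrote hostname to tempfile\t"
    "/opt/bro/share/bro/securityonion/./hostname.bro, line 42",
    "1376401730.326379\tReporter::INFO\tprocessing suspended\t(empty)",
    "truncated line without tabs",
])


def parse_reporter(text):
    """Yield (ts, level, message, location) for each well-formed entry."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and the log's header lines
        parts = line.split("\t")
        if len(parts) < 4:
            continue  # damaged or truncated entry
        yield parts[0], parts[1], parts[2], parts[3]


def summarize(text):
    """Count entries per (level, location); collect unresolved templates."""
    counts = Counter()
    unresolved = {}
    for _ts, level, message, location in parse_reporter(text):
        counts[(level, location)] += 1
        names = TEMPLATE.findall(message)
        if names:
            unresolved[location] = sorted(set(names))
    return counts, unresolved


if __name__ == "__main__":
    counts, unresolved = summarize(SAMPLE)
    for (level, location), n in counts.most_common():
        print(f"{n:6d}  {level}  {location}")
    for location, names in unresolved.items():
        print(f"unresolved {names} reported at {location}")
```

A location whose count keeps growing while Bro runs is the kind of frequently repeated message the reply asks about.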
