[Bro] troubleshooting bro memory usage?

Doug Burks doug.burks at gmail.com
Tue Aug 13 10:38:13 PDT 2013


Hi Jon,

Thanks for the revised script!  I'll try it out this week and see if
it's more consistent.

Thanks,
Doug

On Tue, Aug 13, 2013 at 11:26 AM, Siwek, Jonathan Luke
<jsiwek at illinois.edu> wrote:
>
> On Aug 13, 2013, at 9:27 AM, aaron gee-clough <lists at g-clef.net> wrote:
>
>> The SecurityOnion::hostname_line event never fires if the hostname has a dash in it (for example, if the contents of the tmpfile are "location-onion"). I see the add_hostname_reader event fire, but not the hostname_line event. Do you all have any idea why that would fail if there's a string with a dash in the file? Is bro thinking it's an expression rather than a string? Two strings?
>
> The hyphen-in-hostname might be a red herring when at least part of the issue is there's a bit of a race condition in the script -- the system() call to invoke `hostname` and put the output in a temporary file happens in a different background process, subject to the OS scheduler.  So if that process gets scheduled after the input reader has already tried and failed to open the temporary file, the input reader won't automatically recover from that.
>
> I put a revision to the script you showed at [1] that *should* be a way to perform the same function without a race condition (though at the moment I'm not confident that the internals of the raw input reader are race-free in all cases, I'm looking into some things).
>
> Still, I don't really know if this was actually the cause of your memory issues.
>
> - Jon
>
> [1] https://gist.github.com/jsiwek/6222106
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Doug Burks
http://securityonion.blogspot.com
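
The race described in the quoted reply, reproduced outside Bro as an added Python example (not part of the thread, and not the revised script in the gist): a background process creates the temporary file late, and a reader that opens it only once never sees the data, while reading the command's output through a pipe has no file to miss. The child commands are stand-ins for `hostname`, and the hostname value and all function names are constructed for illustration.

```python
import os
import subprocess
import sys
import tempfile

HOSTNAME = "location-onion"  # constructed sample value, hyphen included

# Stand-in for `hostname > tmpfile` run in a background process that the
# scheduler delays: the file is only created after a 0.3 s pause.
LATE_WRITER = ("import sys, time; time.sleep(0.3); "
               "open(sys.argv[1], 'w').write(sys.argv[2] + '\\n')")
# Stand-in for `hostname` writing to stdout after the same delay.
LATE_STDOUT = "import sys, time; time.sleep(0.3); print(sys.argv[1])"


def read_once(path):
    """One-shot reader: a failed open is final, there is no retry."""
    try:
        with open(path) as f:
            return f.readline().strip()
    except FileNotFoundError:
        return None


def racy_lookup():
    """Background writer plus one-shot reader: the reader loses the race."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hostname.tmp")
        writer = subprocess.Popen(
            [sys.executable, "-c", LATE_WRITER, path, HOSTNAME])
        seen = read_once(path)      # runs before the writer creates the file
        writer.wait()
        on_disk = read_once(path)   # the data did arrive, just too late
        return seen, on_disk


def piped_lookup():
    """Read the command's stdout through a pipe: blocks until output exists."""
    result = subprocess.run(
        [sys.executable, "-c", LATE_STDOUT, HOSTNAME],
        capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print("temp file, one-shot reader:", racy_lookup())
    print("pipe:", piped_lookup())
```

The hyphenated value comes through intact in both paths once it is actually read, which matches the suggestion that the hyphen may be a red herring.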



