[Bro] troubleshooting bro memory usage?

[Tritium Cat]

Here's a suggestion that has helped me in the past, disable all scripts
except the SSH and SSH brute force detection.  Basically you're using
process of elimination to find what aspect of Bro is not performing well in
your environment.  Turn on features of Bro one by one until you find which
one is the culprit.  It's tricky to debug Bro from site to site because of
different traffic profiles.

--TC



On Wed, Aug 14, 2013 at 9:28 AM, Tritium Cat <tritium.cat at gmail.com> wrote:

> I've had this problem for too long.  Wish I knew too.  Seems each time
> it's brought up on a mailing list the discussion gets hijacked and turns
> into feature requests or debates on new concepts and looses sight of the
> original problem.
>
> Keep hammering away.  Good luck.
>
>
> On Fri, Aug 2, 2013 at 11:33 AM, aaron gee-clough <lists at g-clef.net>wrote:
>
>>
>> Hello,
>>
>> I've just put in two sensors running bro (with security onion), and am
>> having trouble with the bro processes progressively growing in RAM
>> usage, until they crash or become unresponsive. For example, I have one
>> bro worker process right now that's reached 2.8 GB in 2 hours while
>> watching a < 100MB link. None of the other processes
>> (manager/proxy/other workers) are anywhere near that...it's just this
>> one worker.
>>
>> Are there any config options I can enable to attempt to find the cause
>> of the memory leak? Also, since I'm confident the link I'm watching is
>> missing some traffic (the span it's on is slightly mis-configured at the
>> moment), where can I configure protocol timeouts?
>>
>> Thanks.
>>
>> aaron
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130814/a4f30a66/attachment.html