[Bro] out of memory after a couple days?

Mike Patterson mike.patterson at uwaterloo.ca
Thu Dec 5 06:12:03 PST 2013


On Dec 4, 2013, at 11:31 PM, Seth Hall <seth at icir.org> wrote:

> 
> On Dec 4, 2013, at 10:34 PM, Mike Patterson <mike.patterson at uwaterloo.ca> wrote:
> 
>> I think you’re definitely running into a memory leak. I’ve had 2.2 processes try to grab up to 100GB of RAM. 8 workers, 96GB of RAM, but the box splits time with another 8 snort workers. My late 2.1 release (september 21 IIRC) was quite a bit more stable.
> 
> 
> I think there is some particular traffic that you guys are running into that's causing it.  A few other people have encountered that too but we haven't been able to nail down what it is yet.

That was my assumption too. I upgraded on 8 November, leaked early AM 16th, and then again on the 29th. Traffic would have been at an ebb on the 16th, and rising on the 29th, so I don’t think it’s sheer volume - as you say, there must be something *in* the traffic. Or more likely, a sequence of things, otherwise I expect 2.2 would be vomiting all over my RAM far more often.

Please let me know if there’s anything I can do to help; I got lucky with these, the first crash was the day before I started vacation (well, technically, my first day of) and the second crash was the day immediately after I returned. :) Unfortunately, when it does happen, it takes out my IDS entirely as I need to cold-boot the server, so if live diagnostics are required, it’ll have to be timed when people are around.

Mike





More information about the Bro mailing list