[Bro] out of memory after a couple days?

Mike Sconzo sconzo at visiblerisk.com
Thu Dec 5 07:14:13 PST 2013 

If we're able to get our hands on some of the traffic (pcaps spanning
the time window of memory usage/massive drops) that causes these
issues, what would be some good tests to run against it?

Nothing suspicious or weird shows up in the perf.log for each worker
(or manager).

On Thu, Dec 5, 2013 at 8:12 AM, Mike Patterson
<mike.patterson at uwaterloo.ca> wrote:
> On Dec 4, 2013, at 11:31 PM, Seth Hall <seth at icir.org> wrote:
>
>>
>> On Dec 4, 2013, at 10:34 PM, Mike Patterson <mike.patterson at uwaterloo.ca> wrote:
>>
>>> I think you’re definitely running into a memory leak. I’ve had 2.2 processes try to grab up to 100GB of RAM. 8 workers, 96GB of RAM, but the box splits time with another 8 snort workers. My late 2.1 release (september 21 IIRC) was quite a bit more stable.
>>
>>
>> I think there is some particular traffic that you guys are running into that's causing it.  A few other people have encountered that too but we haven't been able to nail down what it is yet.
>
> That was my assumption too. I upgraded on 8 November, leaked early AM 16th, and then again on the 29th. Traffic would have been at an ebb on the 16th, and rising on the 29th, so I don’t think it’s sheer volume - as you say, there must be something *in* the traffic. Or more likely, a sequence of things, otherwise I expect 2.2 would be vomiting all over my RAM far more often.
>
> Please let me know if there’s anything I can do to help; I got lucky with these, the first crash was the day before I started vacation (well, technically, my first day of) and the second crash was the day immediately after I returned. :) Unfortunately, when it does happen, it takes out my IDS entirely as I need to cold-boot the server, so if live diagnostics are required, it’ll have to be timed when people are around.
>
> Mike
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
cat ~/.bash_history > documentation.txt

More information about the Bro mailing list