[Bro] Adjusting Bro snaplen caused multiple Security Onion systems to sporadically kernel panic

Kevin Branch kevin at branchnetconsulting.com
Tue Aug 11 17:08:37 PDT 2015


Is it still OK to use "redef snaplen = *N*;" in my local.bro file if I want
to drop Bro's default snaplen to save PF_RING memory?  If so, how low would
you say "*N*" can be set to safely when jumbo frames are not involved?  I
got burned with sporadic kernel panics when I set N to *1514*.  I'd sure
appreciate your input.


On Tue, Aug 4, 2015 at 10:18 AM, Kevin Branch <kevin at branchnetconsulting.com
> wrote:

> Hi Seth,
> Since getting involved with Security Onion over a year ago, I have really
> grown to appreciate the value that Bro brings to the NSM scene.  Thanks to
> you and the rest of the Bro community for your work on this!
> Not long ago I noticed that my Bro instances were eating up way more
> memory than necessary for my non-jumbo-frame environment because of the
> default snaplen of 8192, so based on what I saw in your comment here a
> couple of years ago:
> https://groups.google.com/d/msg/security-onion/qDU23hx6Q5g/xFeRDJbi9LsJ
> ... I added "redef snaplen = 1514;" to my local.bro file on 6 different
> Security Onion systems and reclaimed a heap of memory.  At first it seemed
> to work great but after a short while three completely separate systems
> start throwing kernel panics.  I finally traced it down to the snaplen
> change in Bro and upon raising the snaplen from 1514 to 1600, all kernel
> panics completely stopped.
> I am looking for your recommendation as to how low should be considered
> "safe" to change the Bro snaplen to for non-jumbo-frame environments, as
> well as to confirm that the old redef method I used to do this is still
> what should be used with modern Bro.
> I brought up my kernel panic issues on the Security Onion support list and
> am hoping to report back to them how changing Bro's snaplen can be safely
> used to save memory on systems where numerous Bro instances and/or large
> PF_RINGs are in use.  Here is that thread for your reference:
> https://groups.google.com/forum/#!searchin/security-onion-testing/kernel$20panic/security-onion-testing/H_21-0DGM6E/qnSt0BPA7lMJ
> Thanks again for a great tool!
> Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150811/320245a3/attachment.html 

More information about the Bro mailing list