[Bro] Memory Issue with Bro
Aaron Lewis
the.warl0ck.1989 at gmail.com
Fri Oct 23 08:29:38 PDT 2015
Hey guys
Fresh installation of bro 2.4.1, didn't modify scripts either
I'm experiencing similar issues, now I wanted to know, can we limit
the queue size (pending size)?
'Cause I don't care about packet losses
I already checked the help messages in bro, there's simply no such
option to configure, am I wrong?
On Fri, Oct 23, 2015 at 9:21 PM, Mike Waite <mfw113 at psu.edu> wrote:
> Patch applied, after 15 minutes I am seeing
>
> Oct 23 09:00:43 manager child - - - info
> selects=300000 canwrites=216206 pending=0
> Oct 23 09:01:29 manager child - - - info
> selects=400000 canwrites=216206 pending=0
> Oct 23 09:02:08 manager child - - - info
> selects=500000 canwrites=216552 pending=0
> Oct 23 09:02:49 manager child - - - info
> selects=600000 canwrites=216557 pending=0
> Oct 23 09:03:34 manager child - - - info
> selects=700000 canwrites=216557 pending=0
> Oct 23 09:04:29 manager child - - - info
> selects=800000 canwrites=255305 pending=4007
> Oct 23 09:05:21 manager child - - - info
> selects=900000 canwrites=355305 pending=6593
> Oct 23 09:06:13 manager child - - - info
> selects=1000000 canwrites=455305 pending=6003
> Oct 23 09:07:04 manager child - - - info
> selects=1100000 canwrites=555305 pending=3077
> Oct 23 09:07:55 manager child - - - info
> selects=1200000 canwrites=640438 pending=3399
> Oct 23 09:08:45 manager child - - - info
> selects=1300000 canwrites=740438 pending=3163
> Oct 23 09:09:36 manager child - - - info
> selects=1400000 canwrites=840438 pending=5245
> Oct 23 09:10:25 manager child - - - info
> selects=1500000 canwrites=940438 pending=6027
> Oct 23 09:11:15 manager child - - - info
> selects=1600000 canwrites=1040438 pending=6713
> Oct 23 09:12:01 manager child - - - info
> selects=1700000 canwrites=1140438 pending=5713
> Oct 23 09:12:50 manager child - - - info
> selects=1800000 canwrites=1240438 pending=6747
> Oct 23 09:13:39 manager child - - - info
> selects=1900000 canwrites=1340438 pending=7417
> Oct 23 09:14:32 manager child - - - info
> selects=2000000 canwrites=1440438 pending=13117
> Oct 23 09:15:10 manager child - - - info
> selects=2100000 canwrites=1540438 pending=20825
> Oct 23 09:15:59 manager child - - - info
> selects=2200000 canwrites=1640438 pending=18539
> Oct 23 09:16:47 manager child - - - info
> selects=2300000 canwrites=1740438 pending=15881
> Oct 23 09:17:35 manager child - - - info
> selects=2400000 canwrites=1840438 pending=15389
> Oct 23 09:18:28 manager child - - - info
> selects=2500000 canwrites=1940438 pending=16685
> Oct 23 09:19:18 manager child - - - info
> selects=2600000 canwrites=2040438 pending=17031
>
>
> I will let you know about the mem usage after a bit
>
> --
> Mike Waite
> CyberSecurity Intrusion Analyst
> Office of Information Security
> The Pennsylvania State University
> ↪ 15-10-22 10:22:18, Azoff, Justin S <jazoff at illinois.edu>:
>>>
>>> On Oct 22, 2015, at 8:12 AM, Mike Waite <mfw113 at psu.edu> wrote:
>>>
>>> I know we are still seeing issues with the manager child proccess. The
>>> process will consume over 200GB of RAM in 8 hours.
>>>
>>
>> Give the attached patch a try.
>>
>>
>>
>> Monitor by using
>>
>> cat logs/current/communication.log |egrep 'manager.child'
>>
>> And check to see if pending=0 or at least not growing.
>>
>>
>> --
>> - Justin Azoff
>>
>>
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
--
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33
More information about the Bro
mailing list