[Bro] Suggestions on handling 1Gb/s HTTP traffic?
Harry Hoffman
hhoffman at ip-solutions.net
Mon Oct 26 04:21:13 PDT 2015
Hi Aaron,
I run a similarly sized box (although with myricom network cards) and RedHat 6.5 that is inspecting about 3x as much total traffic.
Can you share more of your configuration? What network cards? What does /etc/sysctl.conf look like? Are SELinux or auditd running? What does your bro configuration look like?
Cheers,
Harry
On Oct 26, 2015 2:25 AM, Aaron Lewis <the.warl0ck.1989 at gmail.com> wrote:
>
> Linux, CentOS 6.3
>
> On Mon, Oct 26, 2015 at 2:20 PM, Aashish Sharma <init.conf at gmail.com> wrote:
> > Aaron,
> >
> > What OS are you running Bro on ?
> >
> > Aashish
> >
> >> On Oct 25, 2015, at 10:36 PM, Aaron Lewis <the.warl0ck.1989 at gmail.com> wrote:
> >>
> >> Hi,
> >>
> >> I recently tested bro 2.4.1 with ~1Gb/s HTTP traffic, it works but the
> >> processes die out of OOM within a few hours.
> >>
> >> (The box has 16 cores and 64 GB memory, it should be enough right?)
> >>
> >> Now I'm trying to resolve this matter, perhaps one of the following,
> >>
> >> 1. Limit the volume of traffic that bro will process
> >> 2. Tune bro
> >>
> >> Can someone please help?
> >>
> >> And .. what's the maximum amount of traffic you guys ever tested?
> >>
> >> --
> >> Best Regards,
> >> Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
> >> Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
>
> --
> Best Regards,
> Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
> Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33